
Regional Preparatory Meeting of the IGF

 

Transcription

Panel 2: Promoting Cybersecurity and Trust

 

Moderator: Rodrigo de la Parra, COFETEL (Mexico)
Panelists: Cristine Hoepers, CERT Br
  Carlos Gregorio, IIJ
  Ariel Graizer, CABASE (Argentina)
  Katitza Rodríguez, EPIC International Privacy Project (Peru)

 

Rodrigo de la Parra: I would like to ask Ariel Graizer to begin his presentation.

 

Ariel Graizer: Good morning. Before I begin, I would like to make a couple of comments. First, I want to thank LACNIC for the invitation to participate in this event. However, I think that two days is not enough. In fact, the previous panel proved this: I still feel like discussing the issues dealt with by this panel. I think that, because of the diversity among our countries, there is a lot to share. I also believe that we must have these meetings more often. CABASE, Argentina, will always support these initiatives.

 

This panel is about cybersecurity. Let me tell you what happened to me earlier: I spent the entire morning battling with a Trojan on my notebook. Part of what we must do involves education. I let somebody borrow my flash drive and they returned it with a virus. This is in part what I mean when I say that it involves education. I consider myself to be a specialist on some of these aspects, yet here I fell into my own trap.

 

Anyway, I represent CABASE. CABASE is the Argentine Chamber of Database and Online Services − today also known as the Internet Chamber. Created during the early 80s, one of our major milestones − and an important part of what has kept us alive all these years − was the creation of the Argentine NAP. This NAP is the meeting point for all national networks, and from this position we have developed an active policy promoting interconnection, equal opportunities, and a corporate environment for Internet development in Argentina. We participated in the foundation of eCOM-LAC and LACNIC, and we participate at every international event that provides us with an opportunity for development.

 

We at CABASE noticed that in Argentina − and perhaps this is also the situation in other Latin American countries − we did not have a CSIRT. The only CSIRT that existed belonged to the government and was only authorized to work within the governmental environment. For this reason, instead of approaching the matter from the point of view of a single company, we thought it would be better to do it from within the Chamber, based on the same concept as the NAP: a meeting point that belongs to everyone and is yet the property of no one in particular and where everyone can participate. We decided to create a CSIRT − a Computer Security Incident Response Team.

 

Basically, we understand that these are needed in every location, in every country, in every region in order to be able to coordinate tasks, stay up-to-date, and be forewarned of potential problems − always within the framework of regulations, proper procedures and best practices to increase security levels, to share better practices and respond to security incidents at private level (at least in Argentina, where there is already a CSIRT operating at public level). The goals we have set for ourselves are to provide consultancy services, to centralize reports, to maintain an information repository, to promote interaction and, most important, to build awareness within our entire community, among all our users, so that we can understand that the Internet is a tool at our disposal but that we must use best practices that allow us to access information in a secure manner.

 

Among the reasons why we believed a CSIRT was needed in Argentina is the international trend that exists at global level. There was also the need to identify and protect critical infrastructure (our NAP is currently considered critical infrastructure in Argentina). In Argentina most Internet networks (all but two) are interconnected at our NAP, and therefore it is very important to protect it. In addition, determining risks and generating controls are part of a CSIRT’s typical functions. This is what we are working on.

 

But why CABASE? Basically because of the reasons you can see in my presentation. We understand that the CSIRT cannot belong to a single company, and in view of how things are divided in Argentina, there needs to be a public CSIRT and a private CSIRT. We understand that, for the Argentine environment, CABASE represents the logical place to establish a CSIRT − next to the NAP.

 

What mission have we set for ourselves? Our mission is strictly technical. The CSIRT does not investigate the origin of the attacks, we provide absolute confidentiality in relation to the information and identity of the actors that are working with us, we respond to incidents. In a way, we provide three types of services.

 

First, we provide reactive services − services that are provided in response to an incident. Second, we provide proactive services: assistance, awareness building, providing information, education... Finally, we provide information quality management services.

 

For this we have established certain goals: to develop incident management strategies; reliable communication channels with our members and with the rest of the community; to generate early alerts for affected users; to work together with our members in order to reduce incidents, helping them reduce the impact that these incidents generate on their own networks; to notify and be notified by other CSIRTs of things that are detected on the network; to share information and solutions, which I believe is one of the strategic aspects we are working on; and monitoring global trends. In a way, being connected to others allows us to understand what is going on in other parts of the world.

 

The truth is that in terms of attacks there are no distinctions among different regions: we are all part of the developed world, we are all subject to the same attacks. Attacks happen all over the world, without discriminations, and this is something of which most of us are not aware.

 

Advantages and benefits that will perhaps serve as a model to generate debate or opinions as to how CSIRTs may be developed in other countries: protection of critical infrastructure, as I mentioned earlier; cooperation between the public and the private sectors, in the understanding that in Argentina the public sector has another incident response center, and incident management within the private environment.

 

This image shows other CSIRTs that are already in operation. Some of them are public, others private, some of them are operated by non-profit organizations such as CABASE, but the important thing is to understand that the image still shows many empty spaces, spaces that need to be filled. There are many places where there are no CSIRTs and, as we mentioned earlier, attacks may happen in many places at the same time.

 

Part of what we are working on is the legal framework, which is extremely important and which not only affects us from an internal point of view but also in how we interact with the telecommunications act that exists in Argentina, with the new law on computer crime, with the personal data protection act. For example, at CABASE we are constantly working to help the senate and the house of representatives understand and promote laws that are enforceable, that will contribute to the coherent development of the industry. In fact, for example, we have prepared some seminars to try to educate senators or ministers so that they will promote laws that will generate local development and infrastructure, instead of promoting laws that will cause services or servers to flee the country because of restrictions that these laws could impose on commercial ventures. But all of this must be understood from within a legal framework that provides security, that determines a reaction when a crime is committed, and the existence of an organization working to combat crime, both from the point of view of those within the country as well as those abroad. As I said, the creation of a CSIRT and the development of proactive policies is what will allow us to get to that point.

 

Perhaps I’ve already told you about this before, but at some point we had a small incompatibility. In 2004 the Argentine government passed a law that required service providers to retain traffic data for ten years and submit them immediately to any officer of the court that required them. But “any officer of the court” also included security agency officials, which in Argentina are for the most part anonymous. At the same time, we had a law − the personal data protection act − which prevented us from delivering this data.

 

So, in this case the legal environment within which we were working, the legal framework within which we were carrying out our activities, was generating an incompatibility: we could not comply with the personal data protection act, neither could we supply the tools required by law enforcement agencies. This was solved by working together in order to develop a more reliable legal framework. Thank you very much.

 

Rodrigo de la Parra: Thank you very much, Ariel. Let me now welcome Carlos Gregorio, of the Institute of Research for Justice.

 

Carlos Gregorio: Thank you very much. I understand that we are here today to focus on the upcoming Internet Governance Forum and to establish Latin America’s position on cybersecurity.

 

I would like to begin by analyzing the existing situation. I’ve studied the cybersecurity contents discussed at the Rio forum and those that are being considered at the forum that will meet in India, and I have noticed some issues that are concentrating much attention. If you take a look, six workshops have already been scheduled to deal with sexual exploitation, child pornography, child security on the Internet... This means that one major security concern has already been identified: that of safeguarding vulnerable groups. Although the issue of safeguarding vulnerable groups currently focuses on children and adolescents, I believe certain other additional vulnerable groups should be added to this list, such as for example workers.

 

Another concern that I’ve noticed has to do with expanding Interpol to a global cyberpolice. I think this is an interesting idea, although I will not go into details about it at this moment. I’ve also noticed that since the Rio forum the issue of privacy has practically disappeared from center stage, that there are practically no privacy contents in the agenda for the forum in India.

 

I would like to focus on the issue of security from two different points of view: from the point of view of safeguarding vulnerable groups and from the point of view of privacy rights, privacy rights meaning honor, intimacy and image. Here there are two complementary aspects of security: the safeguarding of children, which has historically been regulated and recent Latin American legislations are extraordinary in terms of the protection they provide against the sexual exploitation of children, and child pornography. However, I was told during the Rio forum last year that a large number of child pornography sites were migrating to Panama. Panama has excellent legislation for the criminal prosecution of child pornography and the sexual exploitation of children; however, the existence of an excellent legislation is not always enough.

 

On the other hand, existing privacy legislations are absolutely deficient, except maybe that which regulates personal data, but personal data are barely one aspect to consider within intimacy, honor, image... and our legislation on this issue is extremely deficient.

We are also observing an increasing level of vulnerability that has to do with two factors.

 

The first is related to the success of the social Internet, the web 2.0, which allows intimate matters or images to be shared without any type of restrictions. The second factor that is increasing vulnerability is commercial creativity: Internet provides a very interesting space and there are huge numbers of people applying their intelligence to the development of Internet or information products. Let me give you an example which is a bit old but which will serve to illustrate my point. In Brazil there is an ongoing discussion on what is called “passagem.” I don’t know if you have ever heard this term within the context of credit reports, but let me try to explain. Normally, when a credit report is requested, the report will simply state whether or not the person has been a good payer, if he/she has any outstanding debts. However, in Brazil they have invented a new type of report that also says “... well, this person has always paid his obligations, but this month there have been five queries regarding his credit status... perhaps everything is OK, but perhaps he may be overextending his credit.” There is great debate as to the legitimacy of reporting this information. Thanks to this creativity, new products are invented each day and therefore it is impossible to think that the credit reporting legislation could anticipate situations that escape the imagination of even the smartest legislator.

 

So, the question here is how should we approach these security issues from these two points of view − vulnerable groups and privacy rights − from a Latin American perspective, considering that in some countries there is legislation in force; that public institutions have very little penetration or very little power, and that risks continue to grow significantly. Here we have the classic division of powers. On the one hand, we need good legislation. Clearly Latin American legislations are not yet functioning very well, in some countries there aren’t even any laws on personal data protection (it would be great to have an international convention to orient things, but for the moment this type of orientation does not exist), government authorities have a huge conflict, as they are the ones exposing citizens the most with their e-government policies, and therefore it will be very difficult for any government authority to balance these elements.

 

This brings me to the central point I wanted to introduce in my presentation, which is the role of the courts. Historically, judges have played a key role in the regulation of new technologies. In the past, because of the great variety of litigations, other major technological changes have been regulated by judges. In other words, no legislation can anticipate what will happen, so it is up to the judges to say what is right and what is wrong and to apply exemplifying penalties that will in the end regulate the industry.

 

Privacy is a jurisprudential creation. In fact, no legislation includes a concrete definition of what is private and what is public, or of what may be considered to belong to the realm of intimacy. Let me give you an example. A very creative man in El Salvador sued the parliament for not having expanded Article 2 of the constitution, which speaks about intimacy. The supreme court replied to this very curious demand saying that no fault had been committed because, in fact, privacy and intimacy are protected: it was the courts’ mission to apply Article 2 of the constitution. So, we see that this is a very specific area in which the courts play a very important role but − I want to say this with the greatest respect − judges are somewhat clueless on the matter. I mean clueless from our point of view, not from the point of view of upholding the rule of law. In this sense they are not clueless at all but instead they are upholding judicial decisions that must harmonize many aspects. Let me mention three cases and with this I will conclude my presentation.

 

The first involves the case of the journalist José Luis Cabezas. A hacker attacked the website of the Supreme Court of Justice and uploaded a photograph of the murdered journalist. The police carried out an extraordinary investigation which concluded with the apprehension of the culprits and their being taken to trial. However, because the judge considered that an Internet webpage was not a “thing” and therefore nothing had been destroyed, they were acquitted by the judge, who concluded that no punishment could be applied.

 

Another very interesting example of how the courts are handling this in Argentina: in Argentina e-mail is considered so personal and so much within the realm of intimacy that a man decided to send spam using the e-mail address provided to him by the company he worked for. The judge that decided the case in the Labor Law courts ruled that the fact that this man had used the e-mail address that was provided to him by the company to send spam was not grounds for termination of employment. This is a position that is being upheld by judges in Argentina, in opposition to what is happening in other parts of the world. And this is what I mean when I say that they are somewhat clueless.

 

The third example I want to mention is that of jujuy.com. This is a pretty old case involving a website that had a visitors page where anybody could leave a message or attack the honor of any person. Obviously, the court sanctioned the hosting provider.

 

If we compare these cases with other situations in Latin America you will see that judges are quite clueless. Therefore, quite likely this situation will require a collaborative effort to orient them as to how to best handle this process − obviously respecting their independence. In the end, they will set the guidelines that will establish the foundations for self-regulation, company liability and, in the future, much more stable regulation processes.

 

Rodrigo de la Parra: I would now like to invite Cristine Hoepers, of CERT Brazil, to make her presentation.

 

/Although Cristine Hoepers’s presentation was made in English, all of her interventions are backtranslations./

 

Cristine Hoepers: Even in countries that have all the necessary infrastructure, in countries that have CSIRTs, people are not necessarily cooperating, although they mostly are. But what do we need in addition to everyone’s cooperation? We need to speak about security and vulnerabilities. I believe the first panel did a good job of highlighting how the Internet is now the infrastructure on which everything is built. So, although a large part of society is not yet connected to the Internet, those that are connected − government, media, business, education and financial sectors, among others − rely on it. For this reason we cannot simply say “OK, this is very insecure so we will shut it down.” On the contrary, we need to find ways in which to improve the situation.

 

One of the problems that we have is that there are new vulnerabilities every day. I will speak about some of the technical aspects having to do with this. Many problems are the result of software vulnerabilities; the complexity of the infrastructure is also a factor that creates vulnerabilities. Technology and security measures are too complex for the average user, so simply providing them with patches is not a solution. Typically, their reaction is the following: Why do I need a patch? Why do I have to keep updating my computer? Why can’t my computer be like my radio or my TV set? Why is the Internet so insecure? And technology is changing so quickly that most people are not even aware that things are happening inside their computers. This is part of the problem, and we need to continue to create awareness among users and professionals.

 

However, there is an even greater problem which is that organized crime is also using the Internet as infrastructure and a vehicle for crime. It is much easier to go on the Internet and steal some money than to go out on the street with a gun and risk being shot down by the police. Consequently, we need to be aware that the criminals will not abandon the Internet but will instead continue to find ways to use it.

 

How is the community reacting to the threats? In Latin America and the Caribbean there are several countries that do not have a CSIRT to work on the issue of security. Network administrators focus on patch management, dealing with vulnerabilities by means of firewalls, IDSs, antivirus, antispyware, antiphishing and the deployment of other reactive technologies... it is a very complex world out there. And I know that, for example, I cannot explain this to my father. It is very difficult for me to explain to him how to do all of these things, and so he is truly at risk.

 

A good thing is that there are more and more initiatives involving user awareness so that, even if we cannot completely protect users, we can at least help them learn to recognize when something has gone wrong and what risks they are taking. The idea is to help the community become aware of the problems and advantages of technology so that all users can say “OK, it’s better to take this risk than that other one.”

 

As to professionals and CSIRT administrators, we are now going beyond incident response. We want to focus on network monitoring, we are now searching for Botnets and Fast-Flux networks. If, for example, child pornography is found on a Fast-Flux network, how can this network be shut down? And how can we determine who is responsible for this crime? This is changing our entire way of looking at things. It is complex, it is not just thinking that because a person is on the website he/she is immediately guilty. So, we see a series of problems. Although PKIs are supposed to operate within a secure environment, there are other underlying problems.

 

What we are now doing is inviting countries to have CSIRTs and security professionals for incident handling activities, including: determining the impact, scope, and nature of the events; understanding the technical cause of the events; researching and recommending solutions and workarounds (sometimes what has worked in the past is no longer useful because risks are becoming more and more specific and in some countries, such as Brazil, things happen that do not happen anywhere else); coordinating and supporting the implementation of response strategies... These groups must also disseminate information on current risks, threats, attacks, exploits, and corresponding mitigation strategies through alerts, advisories, web pages, and other technical publications; as well as coordinate and collaborate with external parties. It is truly impossible to react to threats if there is no cooperation.

 

In our opinion, it is clear that the deploy-and-patch cycle is not working and won't work in the future because, even if we have all the patches and they are updated, there may still be Trojans that can compromise the network. This is a major problem.

 

So, what is missing? Real improvement will only come with better software development practices. The software development industry has not matured and this represents a problem behind which there are economic reasons: the first developer to produce a product, the first developer to put the product on the market, will be the winner. In their way of thinking, the most important thing is speed, because in any case patches can be developed at a later date. But having to install patch after patch is a major problem.

 

And there is another issue, which is that even the best protocol design or security measure is worthless if poorly implemented. This is why we need to consider security at an earlier stage, beginning during the early phases of software development.

 

It’s important to mention that companies are governed by the market, but no one is demanding better products: people simply purchase whatever is available. But what if we were to make a stand and say “we will only buy your product if you can confirm that you are following best practices?”

 

It is also important to form professionals that take security issues into consideration during design, implementation, test and deployment phases. But at the moment the university is not teaching these things to future professionals, and this is another problem. Students are learning systems programming and design just as they were twenty years ago, when the Internet was still a novelty. The problems we are seeing today, current vulnerabilities, are the same we saw twenty years ago.

 

In my opinion, the next steps in the short and medium term are to continue with the current efforts of awareness, training, legal measures, among others, as well as forming CSIRTs and security professionals ready to deal with the threats and cooperate.

 

But in the long term, I believe that it is very important for the entire community − teachers, researchers, universities, governments − to think about how we can demand better software development practices and a more mature industry. We will have 3G, we will have IPv6, we are attempting to connect the entire planet... But we really need better software development practices, perhaps we should even demand that some actors invest in research for secure software development and design.

 

This was one of the subjects that was discussed last year by the security panel at the IGF meeting in Rio. At the IGF we will be discussing strategic issues. Therefore, perhaps it is the time to figure out what we’d like to see twenty years from now, whether we want to continue repeating the same errors over and over again instead of seeing what we can do to provide better training for security professionals.

 

These are simply some of the ideas that could be discussed in greater detail. That was my presentation, thank you.

 

Rodrigo de la Parra: Let’s welcome Katitza Rodríguez.

 

Katitza Rodríguez: I would like to thank LACNIC and particularly Raúl Echeberría for the invitation to speak to you about what our organization is doing. I represent EPIC, a center that was created 18 years ago. Since 1994 our goal has been to warn the population in general and legislators in particular on emerging issues having to do with privacy and freedom of speech. We have several publications, such as our newsletter, and we have also published a book with a comparative study on privacy and human rights. All our reports, including the book I just mentioned, are available on our website at www.epic.org.

 

As this is a regional meeting in preparation for the IGF, I have analyzed all the documents relating to privacy that were presented within the framework of the IGF. I found that the agenda published by the General Secretariat is quite worrying, particularly in terms of the privacy issue.

 

First of all, the issues of openness and diversity have been eliminated as separate items; the agenda now includes one item which combines privacy, security and openness. Second, the draft agenda for the India meeting includes a comment with which we disagree: it says that there must be a delicate balance between security, privacy and openness, and the moral, legal and political options available to society. This is an incorrect notion, as in a fair society the state must protect all three interests − privacy, security and openness.

 

Unfortunately, this matter of security and privacy is focused on specific issues that, in our opinion, ignore the international debate that has been taking place at global level in relation to the issues of privacy and the protection of personal data. Analyzing the issue of privacy as a whole, we cannot deny the progress that has been made since 1980, for example within the framework of the OECD, in terms of privacy guidelines, even before the creation of the IGF; or the meetings within the framework of the Asia-Pacific Cooperation Forum, the work carried out by the Ibero-American Data Protection Network in Latin America, the international task force on telecommunications data protection.

 

There are many aspects to consider within privacy and data protection. For example, the development of social networks, the web 2.0, the new business models having to do with what is now known as behavioral targeting advertisement... Most of us already use Facebook and perhaps several other social networks. These companies’ business models are closely related to the new models developed for using our personal data for Internet advertising. There is also the question of traffic data preservation.

 

For these reasons we want to support the proposal sent by the Bill of Rights Coalition in the sense that fundamental rights should be considered a key issue within the framework of the Internet Governance Forum and that the discussions on privacy should be treated within the framework of privacy and the protection of personal data.

 

Another issue is the international transfer of personal data, which is being discussed in different fora with different protection models and which also warrants being discussed in our region. Why Latin America? Our countries are discussing these issues, even if they do not make the headlines. In Argentina we had the problem of a law that established that data traffic should be retained for ten years, an issue which a colleague has already explained. There are many instances of companies infringing security measures, such as for example the well known case of ChoicePoint, that sold Latin American user data to the intelligence services of the United States.

 

Among many other issues is the fact that more and more people − now not only teenagers − are publishing personal information on the Internet or on social networks without a clear idea of the potential consequences or the impact this may have on privacy. Privacy can be an intangible, invisible right. A victim may not know he/she is being discriminated against or that this was the result of information that was published on the Internet. This is why it is important to have clear rules, so that if they are broken those who made improper use of the information can be held responsible.

 

Within the framework of security, discussions have focused more on the fight against cyberterrorism and cybercrime. No attempts have been made to treat the issue of security perhaps as a broader issue like we’ve seen within the framework of the OECD where, among other things, guidelines for information systems security were discussed, even establishing nine principles − one of which refers to openness and the protection of personal information as democratic values that must be taken into consideration when establishing security measures and requirements.

 

As to cybercrime, it is important to review the framework within which discussions are taking place − you can refer to the book that is published on our website. The issue of cybercrime is closely related to the issue of telecommunications monitoring and the issue of traffic data preservation. Although interception measures have always been considered extremely intrusive measures that must only be used in exceptional situations and subject to a public rendition of accounts, we are now discussing issues in which the traditional principles of criminal law − such as the presumption of innocence − are not considered. No debate reaches this level of granularity, but instead discussions are limited to general conversations. It is important to have a more in-depth discussion on how these measures may affect our rights as citizens.

 

Finally, I want to mention a proposal that is an initiative by several organizations based in Europe. Several international organizations, including some in Latin America − Argentina, Peru, Mexico − are organizing a protest against the preservation of traffic data. This protest will take place on 11 October − we are organizing festivals, parties, barbeques, etc. − to explain to our citizens how data preservation may affect our rights. We do not want to live in a society in which our own words keep us from speaking publicly, or in which we are constrained by self-censorship − which is even more difficult to prove than censorship.

 

To conclude, that is our proposal within the framework of the Internet Governance Forum. We believe that many issues are being discussed at international fora and we believe that they should also be discussed at the Internet Governance Forum: the issues of privacy and the protection of personal data − and a human rights approach such as the one proposed by the Bill of Rights Coalition. Thank you.

 

Rodrigo de la Parra: Thank you, Katitza. This concludes the presentations from our panelists. We will now begin our debate, so I would like to ask you to present your questions or comments.

 

Tony Harris, CABASE y eCOM-LAC: Thank you. My question is for Katitza Rodríguez and has to do with the crusade she so enthusiastically spoke about. The question I’ve been asking myself is what is more important to a user: that his/her information remains hidden or that, if a cybercrime is committed against him/her, for example if his/her bank accounts are emptied by cybercriminals, the person wouldn’t prefer that whoever is in charge of responding to this incident can quickly avail themselves of the necessary information. Unfortunately, the global concept of protecting personal data also protects the personal information of the criminals that make our lives difficult on the Internet. So, my comment has to do with this dilemma. Has the initiative you are promoting considered all of these aspects relating to cybercrime?

 

Katitza Rodríguez: First of all, we do not believe that our data should be hidden. In fact, I use social networking websites, which I find very useful. What we are saying is that we should be in control of our personal data. If I want to delete a certain piece of information from a social network, for example, I want this information to be completely deleted from the server. I not only want it to be invisible, I want it to cease to exist on the server.

 

Depending on each specific privacy policy, information is stored for much longer than we choose. Another example: when I install an application on a social network all my personal data are transmitted to that application. I don’t think everyone is aware that we are distributing these data all over the place, nor of what is being done with this information, or how we can exercise our right to access, rectify and modify these data.

 

Identity theft and other crimes occur as a result of poor management of personal data: data should be managed considering certain rights and obligations that citizens have to access, modify and rectify these data.

 

Now, as to the presumption of innocence, I don’t believe that we should all be treated as criminals, at least I don’t see myself that way, and I don’t think that because of a few criminals the entire population should pay the price of surrendering their rights.

 

Obviously, we believe that crime is an important issue that needs to be analyzed on a case-by-case basis. This is why communications privacy has always been regulated by law. We are talking about a rendering of accounts, about how we can know that the law enforcement authorities are using their powers appropriately and not for undue purposes. A clear example of this happened in Peru, when ex-president Alberto Fujimori used government intelligence services for purposes that were not related to cyberterrorism or major crime. Unfortunately, great power is being put into the hands of certain groups, but there is no way to monitor how it is being used.

 

Carlos Gregorio: I think that our colleague has brought up quite an important issue: the citizens’ personal data have the same level of protection as the criminals’ personal data.

 

Right now, there is a very strong international tendency in the sense that access to criminal records is becoming more and more public. For example, in the United States, the information on sex offenders is publicly available on the Internet; in Chile there is also a law that allows this; there are two provinces in Argentina (Neuquén and Mendoza) that have created a publicly accessible record of sex offenders... But this goes even further. In Peru, for example, at the moment all criminal records are being opened so that, in practice, they may be queried by any citizen. This is a counterbalance that is undoubtedly adapted to the needs my colleague mentioned, that is to say, it is no longer possible to maintain criminal records as private as before because now there is a greater need to know which individuals have committed crimes and which haven’t.

 

These are challenges that we will need to face as we move forward. Legislation is also moving in this direction.

 

Mónica Abalo: Good morning. My name is Mónica Abalo and I represent the Argentine Chapter of ISOC. I have two brief questions for Mr. Carlos Gregorio. If I understood correctly, during your presentation you mentioned that there is no international convention to serve as a guideline. I wanted to ask your opinion on the Budapest Convention. Second, I understand that the examples you presented to illustrate different rulings of the courts correspond to cases that were solved before the computer crimes act was passed. In your opinion, what should the courts’ vision be now that this new legislation is in force?

 

Carlos Gregorio: Well, I said that international conventions cannot satisfy the current needs that exist in relation to this type of problem. By definition, international conventions must be general in nature, while most of the new conflicts that arise are particular situations which in most cases have not been anticipated by those who drafted the legislation or the conventions. So, obviously, international conventions do in fact exist, but they cannot solve all our problems. They do serve as general guidelines, but the application of these guidelines to particular situations must be done by those in charge of administering justice.

 

As to the judges, I want to be very precise: the rulings I mentioned were prior to the computer crimes act. But that was not the point I wanted to illustrate. My intention was to show how judges have their hands tied. On the one hand, they must harmonize the rule of law and, obviously, no judge can convict a criminal if no crime has been typified − this is reasonable. In other cases judges are, in my opinion, called upon to be creative and to apply constitutional principles. And I’ve seen two types of judges: those who rule strictly according to the letter of the law, and those who rule based on constitutional principles and create law.

 

Obviously, Internet regulation needs this type of judges − those who, when faced with a concrete situation, are willing to interpret an international principle with much creativity, in great harmony with the universe. Of course these judges cannot be loose cannons. They must have a very clear knowledge of what is going on in the rest of the world and, when there is no law for a particular situation, they must apply the constitutional principle to create law. These are the so-called axiological voids − situations that could have never been anticipated by the legislators. This is what I meant when I spoke about the judges. I don’t want to be pejorative about judges because they are obviously the ones in charge of maintaining the rule of law, so their independence is of the highest importance.

 

Perhaps, from the point of view of the Internet, it may appear as if they have not taken the necessary precautions, but what we are doing is making a call to help the courts become interpreters of constitutional principles when faced with situations that have not been anticipated by legislators but which occur in practice and that, if they are not corrected by the justice system, will be consolidated.

 

XXX: In relation to the same issue and always referring to Tony’s question, first of all, I think that we are living in the information age, within a society for which paradigms have changed. And because paradigms have changed, new laws are needed, new regulations to deal with these changes that are occurring. Legislation always lags behind these changes, even more so in the case of the information society where changes are exponential, explosive and extremely fast.

 

Regardless of this, and until the law adapts to these new paradigms, to these changes that are occurring, criminals will continue to have rights as, in fact, rights are for everyone and while the law remains unmodified criminals will also benefit from these rights. In the particular case of Tony’s question, I believe that there are two types of judges: those that limit themselves to the cold letter of the law, to what is written in the articles of the codes, and those that create law. But in order to be able to create law, the judges must have the necessary knowledge because in absence of knowledge nothing can be created. This is another matter that is up to us, the academia: to transmit all the things that we learn during these seminars, for example, so that we can inform these people. Today legislators and judges need to know all of these things, because if not we will find ourselves in a state of legal defenselessness or insecurity in matters having to do with the Internet.

 

XXX: Because there was not much time during the previous panel, please allow me to present a brief reflection. I apologize if I stray somewhat from the issue this panel is dealing with.

 

We are preparing for the meeting that will be held in India later this year and, in addition to preparing a diagnosis − as we are doing − we also need to project ourselves with a view to that meeting. For this reason, I think it is essential that, based on this regional diagnosis, we generate some sort of Latin American proposal to take to the forum in India − and I hope we can do this during the afternoon. From this point of view, I want to highlight the work that CEPAL is carrying out very professionally, with many years of experience. I also want to make a call to review the conclusions of that work, to be able − as countries − to provide the elements, statistics, professional contributions and individual experiences so that in turn a regional presentation can be made in India.

 

I think that we find ourselves faced with an important opportunity; I believe that the impression of those of us who have been able to work during previous instances, at previous meetings, is that we are not working together as a region, and this is something that we definitely need to modify. I think that this is an opportunity for coordination that every representative from every country must take advantage of, those of us who have not met before should exchange e-mail addresses and get to know each other so that we do not repeat what has happened at other meetings.

 

Basically, we met in Geneva and as we went along we began to speak of bilateral, trilateral or regional agreements. I think that we need to change this, as the forum is not the place to coordinate this issue. The information society has an unbelievably vast number of facets, of points of view. It is not restricted strictly to the Internet itself, but instead it has passed into other areas such as human rights and the environment, and we could mention twenty or thirty other areas in which the information society is intervening and affecting our lives.

 

I think that this is not a minor issue. If we are preparing for the meeting in India, then this is the chance to do so. As we know, information society issues are discussed within the Commission on Science and Technology for Development − a body that depends on the ECOSOC. We are fortunate in that this commission has honored Chile with its presence during this entire year. I would say that this is the opportunity for us, as a region, to prepare an interesting proposal that naturally considers the common interests of our regions. Thank you.

 

Carlos Viera, Ecuador: Good afternoon. The issue of privacy is always related to the issue of security. Citizens always demand security, and we are not sure how much privacy we are willing to sacrifice in the interest of security. We have cameras, we have spies all over the place, and this is what citizens demand. I have a question for Katitza, now that she is in Washington. There was an initiative that involved transferring the responsibility for network security to users. In other words, the industry and the government are saying that the user has a role if he/she does not take proper precautions with his/her computer... Senator Hillary Clinton said that, just as driver licenses are issued, computer user licenses should be issued. What do you know about this initiative? What is your opinion on citizens assuming part of this responsibility if their computers are used to attack or invade others, etc.?

 

Katitza Rodríguez: I am not familiar with this regulation; I’ve just recently moved to Washington. In addition, I work in Latin America and Europe; another member of the staff deals with United States issues. In any case, I do not know this legislation. I’ve heard about it on the news, but I am not familiar with its details. Perhaps Carlos Gregorio is? No, I see he isn’t...

 

Analia Lavin, APC: I have a question for Cristine. I noticed that you emphasized the issue of software, so I wanted to know how the difference between open-source software and proprietary software affects this type of debate, their possibilities and limitations.

 

Cristine Hoepers: In my opinion, there is no difference at all between these two types of software. In fact, the notion that, simply because it is free, open-source software is more secure is quite controversial. The problem is that the people who are developing both types of software come from universities that are not talking enough about security. So, the first thing we need to do is demand that these features be included. In Brazil we use free software, but we must be extremely careful with this software and design patches for it just as we do for commercial software. From the point of view of security, there is no difference between proprietary and free software. I believe that the community must demand more secure software and applications in general, and these initiatives are perhaps easier in the case of free, open-source software. But all software developers must know what they are doing and how to improve security. I think that this must be done at university level. And that’s why I think this can only be achieved in the long term, as it is necessary to change teachers’ mindset. And this is difficult, it won’t be easy at all.

 

Raúl Echeberría: I have one comment and two questions.

 

The comment is that I really liked, and it is an approach that I agree with, the fact that privacy − and I would add freedom of expression as well − is not only related to the issue of security. This is an approach that has been insistently presented at the IGF. On several opportunities the IGF Advisory Group has tried to promote the discussion of privacy and freedom of speech as issues of great importance in and of themselves, not only as issues that serve to counterbalance security, which they also are. I think that privacy and freedom of speech are threatened by other factors which I will not detail at this moment because many have already been mentioned by the panelists. I believe that in fact the interesting aspect − and this is why I think we need to make proposals in this sense of giving more relevance to these issues − is that these are issues for which there is no governance structure within which to debate or where some sort of agreement or conclusion can be reached in the sense that agreements are not feasible. It is important to at least find a stage to debate these issues in search of achieving international agreements on best practices.

 

Now my two questions, the first of which is for Cristine. She mentioned that one of the things that needs to be done in the medium term is to have an influence on university curricula. I would like to know a bit more about your ideas. The second question is for Ariel. I would like to take greater advantage of Ariel’s presence on the panel; I would like to know what security challenges he sees from the point of view of a businessman that is also a leader within the industry. Hearing about the CERT that CABASE will create − an excellent initiative which I salute − was very interesting, but I think it would also be very interesting if he could share with us how he and his colleagues see the issue of security from the point of view of their daily business activities.

 

Cristine Hoepers: The question of universities is not an easy one. This is a problem that we see not only in Brazil but also in Europe and the United States. We speak a lot with colleagues in these countries that are trying to change their curricula and also trying to change the way that software development is being taught. One possibility would be to have certain specific subjects and that all professors teach that software security must be considered during the entire process, including software design, implementation and testing. The final objective is that security is considered at all times so that it can permeate the entire process. For example, the professors that teach introductory subjects do so considering an ideal environment. Today people are learning to program in an ideal environment. Teachers will say, for example, “assume that you have ideal inputs, unlimited capability, that there are no intruders, that nobody will attempt to attack the system...” this is how they teach their students to program. But the real world is entirely different. The importance of security is much easier to see in other areas of Engineering: for example, if a bridge were to collapse people would die. In software Engineering this is not so easy to see. Another thing we notice is that teachers are often of the opinion that security is something to be added later and that in general all it does is complicate things. Perhaps we could organize workshops with the universities, talk about secure software development. But this is very difficult because teachers are not thinking about this today. However, there are many researchers and great material available, so it wouldn’t be necessary to start from scratch.

 

Ariel Graizer: In my opinion, from a businessman’s point of view there are two possible visions. The first is from the point of view of costs and profitability. We the operators are of the opinion that all these personal data protection methods generate operating costs that affect the direct profitability of the business and, for this reason, we will always try to find the most efficient and economical way to implement them. On the other hand, there is also the operational issue. The greatest harm that these situations can generate for a company is to put the network out of operation and, from this point of view, what the majority of operators at global level want to avoid is generating repositories which are like saying “come here, this is the information you need to steal, we are the ones who have it.” This is something that those on the other side of the counter do not realize: that by generating these repositories what we are saying is “come and steal here.” And we know that robbery is a business like any other, governed by costs and benefits. We need to understand that, the greater the benefit, more criminals will try to attack and invest more money in launching better and more frequent attacks. This vision is not being taken into consideration in many of the discussions that are taking place around the world, and we are worried about this situation, because we need to invest enormous CAPEX to protect all this, but at the same time we are generating targets for attacks. This is a problem that the industry is discussing internally: how to avoid this situation. We all want to be protected, we all want to be secure. Security involves a cost and needs to be implemented, but this must be done reasonably, allowing networks to continue to expand. In order to be able to grow, a company must cover the infrastructure costs which we spoke of during the previous panel. 
So, in a way, a certain duality is generated around this issue: a company may cease to be profitable while at the same time legislation is forcing us to create the very targets for the attacks. To conclude, one of the greatest problems we the operators are facing is the denial of service attacks that are the result of criminals attempting to access the information that the law currently requires us to store.

 

Eric Iriarte, LACTLD: Good morning. I am Eric Iriarte of LACTLD. I have two questions for the panel in general. The first is what is your position on IP address privacy, as they are involved both in the investigation of security issues as well as in the protection of personal data, and also the privacy of domain names for which there are special playing rules that also include self-regulation and regulation. The second question is what dialogue mechanisms have been planned for communication between CERTs, law enforcement agencies, among security entities and TLDs...

 

Ariel Graizer (CABASE): I can answer the question. Let me say that mechanisms have not been regulated everywhere for the dialogue between CERTs and TLDs. These mechanisms are currently under discussion. This is one of the issues I mentioned earlier, and it involves many aspects we need to deal with. From the point of view of IP address and domain name protection, my personal position − and I agree in part with what Tony said earlier − is that we need to protect them but we also need to be able to access them quickly in order to determine where an attack is coming from. I understand that from the point of view of a telecommunications network operator a single minute that the network is not operating represents a very high cost. We need to have clear mechanisms so that we can determine what location is under attack and also the source of the attack.

 

Cristine Hoepers: I just want to make a brief comment about CSIRT cooperation. There are some initiatives in the sense of CSIRT cooperation, but much more cooperation is needed. We participate in annual conferences, we meet with each other, but cooperation only begins after developing a relationship built on trust. There are no magical processes, we cannot simply say that CSIRTs must cooperate. This is because we manage sensitive information, we handle a lot of data relating to attack victims. For this reason, we cannot offer full, open cooperation involving every detail, but what we can do instead is to cooperate by providing more general information. For example, in Brazil, when we cooperate with the police we do not go straight to the police and notify them that such-and-such a thing is happening, but instead most of the time we help the victim go to the police themselves and we provide technical assistance to the police. For instance, sometimes the police cannot understand an attack or what is happening. In this case we help them by providing them with the tools they need to be able to carry out their job.

 

Many things are being done in an informal manner, and a formal framework is not necessarily needed to be able to have good cooperation. The antiphishing group is also cooperating quite a lot. We have a specific task group in charge of improving communications with TLD managers, with ccTLDs, because at this level we need to know the actors on a face-to-face basis and share information in such a way that will allow building trust and dealing with problems. But most of the time we don’t share specific details, we don’t share the victims’ IP addresses. As to information on IP addresses, in the Netherlands IPs are considered to be identifiable information, and therefore anyone seeking to start a project in the Netherlands that needs to register IP addresses needs to receive government approval. But to the best of my knowledge the Netherlands is the only country that has an organization in charge of how IP addresses and privacy-related information are managed.

 

Katitza Rodríguez: In reply to Eric’s question regarding our position on legislation or self-regulation... One hundred civil society organizations − among them ours − have signed a document within the framework of the OECD, which was also presented during the past APEC meeting, stating our position: that there must be laws with high privacy protection standards and mechanisms that will allow the implementation of these laws. The problem is that there are countries that have personal data protection legislation but do not enforce it or simply apply it to some but not to the entire population. On the other hand, in the case of those countries that do not yet have data protection legislation, we suggest that we work towards achieving effective legislation in all countries.

 

Rodrigo de la Parra: Thank you very much. I believe we are out of time…

 

 

LACNIC

LACNIC 2008