We're going to get started today with Bill Woodcock talking about the Internet's role in sanctions enforcement and Russia, Ukraine, and the future. So let's give him a warm welcome up here on the DEF CON stage. Howdy. I'm not the world's most organized speaker, and this is going to be my first time running through these slides. Oh. Okay. Can you guys hear me? All right. I was just saying I'm not the world's most organized speaker, and this is my first time running through these slides. So I may not balance out the amount of talking per slide terribly well, but we'll try and get through this and leave enough time for a little bit of Q&A at the end. So what I'm here to talk about is the question of what the Internet's role is in sanctions enforcement. So you're probably all at least a little bit familiar with what sanctions are. Governments impose sanctions on some party, and then banks, for instance, in the country of the government that's imposed the sanctions, have to not do business with that party. Sanctions more generally apply to things, not just banks, and the Internet is a thing, and there are Internet service providers. So there's this question of what Internet service providers should do with sanctions when they're imposed. That was kind of brought to a head in March of this year, because when Russia invaded Ukraine, Ukraine asked ICANN and RIPE, which is the IP and Autonomous System Number allocation authority for Europe, essentially to cut Russia off the Internet: to deactivate root name servers in Russia, to revoke Russia's use of IP addresses and domain names. Both RIPE and ICANN refused that request, which was the right thing to do, but these are Internet governance organizations, and they refused the request summarily. They did not engage their Internet governance process. They didn't talk with their constituency about this. They just said no as a sort of executive and legal matter rather than an Internet governance matter.
So as a result of that request, the Internet community never got engaged to discuss this. Obviously, from ICANN's point of view and from RIPE's point of view, this is a pain in the ass, and they'd rather not be asked something like that. And having been asked, they don't really want to have a discussion about it. They just want the whole thing to go away. So each of them very quickly said no. But their responses were pretty brief and to the point, and didn't really help Ukraine as a country figure out what they could have asked instead, like, okay, so the answer to that question is no, but you are a beleaguered country under attack, and it's perfectly reasonable for you to be looking at your options and trying to figure out what you can do. So Vint Cerf and Steve Crocker and I and about 70 other people who are routinely involved with Internet governance got together, and we spent 10 days hammering out a letter that provided a more in-depth response. So the answer was still no, but it pointed out why, and it said what other options there were, what things they could have asked for that might have been easier for somebody to say yes to, or specifically easier for the Internet governance community to say yes to. So that in turn led to an engagement of the Internet governance community with this issue of sanctions and, you know, what would that look like? So let me run through a little bit of kind of the basics of what sanctions are. So sanctions are things that governments do. If you decide that you don't want to do business with somebody, that's a boycott. So if it's private, it's a boycott. If it's public, it's a sanction. Sanctions don't actually require any Internet governance engagement because they're just a matter of law, and you decide whether you're going to follow the law or not follow the law.
It's not really a matter for third parties to sort of have policy discussions about, and the parties that need to decide whether they're going to follow the law are Internet service providers, people who are carrying Internet traffic that may be either bound for a sanctioned entity or coming from a sanctioned entity. Internet service providers are incorporated and do business in specific countries. Those countries have governments. Those governments may be doing sanctions. Not every government defines sanctions. A lot of them just default to the United Nations and say, well, whatever the United Nations sanctions, we'll go along with. We'll enforce that, but we're not going to define new ones of our own. But the U.S., Canada, U.K., Australia, New Zealand, all of the European Union, the African Union, Switzerland, Sweden, these are all countries and intergovernmental organizations that do sanctions over and above what happens in the United Nations. It's a little bit hard to get consensus in the U.N. on sanctioning anybody because the U.N. is big and there are a lot of folks who can say no. So where there are problems for Internet service providers with sanctions is not when you're in a country and you need to follow a law. That's pretty simple. It's when you've got operations in multiple countries and you need to follow multiple laws that are not in agreement with each other. Now if you're working in the U.S. and the U.K., and the U.S. says sanction party A, and the U.K. says sanction party B, you can sanction both parties A and B, and that's not in conflict. But sometimes there are laws that say that you can't mess with something. So that's when you get a conflict. Russia, for instance, has passed domestic laws in Russia saying that you can't sanction Russians, or that internationally imposed sanctions cannot be enforced inside Russia by a party that's doing business inside Russia. And those are recently passed laws, and you can guess why.
So sanctions are a punitive measure, it's a punishment, but they're de-escalatory relative to launching a missile. In the theory of armed conflict, this idea of de-escalatory measures is an important one. If you're trying to get out of a conflict, the notion is that you should respond in kind but in a de-escalatory manner, so respond, but not as much as the other person did, and that signals that you want the conflict to go away. So sanctions are a de-escalatory measure: you can show that you still care about something, but you're not trying to make the fight a bigger fight. There are two different terms that are important to distinguish between: cyber sanctions and internet sanctions. This is a completely artificial, contrived distinction; it's two labels that are being used to denote two different concepts. Cyber sanctions denotes a sanction of any kind that is imposed because you didn't like something somebody did in cyberspace. Somebody does a cyber attack against you, steals your intellectual property and publishes it online, and you block their bank accounts: that's a cyber sanction. Internet sanctions are sanctions imposed via internet means in response to whatever, anything; it doesn't necessarily have anything to do with the internet. So somebody invades a city and blows up a school and you want to sanction them, but you want to sanction them by cutting them off the internet, by blocking the routing of their IP addresses, by revoking their domain names: that's an internet sanction, and that's what I'm talking about today, not cyber sanctions. The other big distinction that is worth understanding is between comprehensive sanctions and targeted sanctions. Comprehensive sanctions are "we're sanctioning Russia, we're sanctioning Iran, we're sanctioning Cuba." Targeted sanctions are "we're sanctioning this specific military unit, we're sanctioning this particular business, we're sanctioning this aircraft." Targeted sanctions are what everybody does now.
Comprehensive sanctions, 50 years ago, yeah, that was a thing; it's just not anymore. Governments have by and large really gotten past doing that, but in the public perception of sanctions, that's what a lot of people imagine. They imagine Russia invaded Ukraine, therefore Russia is going to get sanctioned, therefore I can't do business with anybody in Russia. But that's really not how it works. In fact, you could go and you could download a list of all the sanctioned entities in Russia, and it would be, depending what country you're in, about a thousand entities. But those entities are going to be like the St. Petersburg troll farm, Wagner, the mercenary company, a few ships, yachts belonging to oligarchs, right? These are going to be the sanctioned entities, and so blocking all of Russia is over-blocking. That's over-compliance with the sanction; that's doing more than what government actually wants you to do. So over-blocking, over-sanctioning, is one of the primary problems that happens with sanctions. A government says, well, we've got a problem, we're going to do this very targeted intervention to try to fix the problem, and then somebody says, oh well, I'll just block the whole country, and that has a pretty bad effect, right? We don't really want to block all of Russia and make it difficult for regular people to get access to international news, for instance. So real-world targeted sanctions are what people need to comply with, and so understanding what those sanctions are and who the entities that have been sanctioned are is kind of the most pressing problem if you're trying to be compliant. So if you talk with governmental folks who do sanctions, what they'll tell you is that there are three purposes to sanctions: signaling, constraint and coercion. Signaling is basically just saying to the whole world, we really don't like what these people are doing. So we're sanctioning them in order to tell the rest of you that we don't approve of this.
That's easy to do and tends to be very successful in the sense that if you sanction somebody and you communicate what you're doing, the rest of the world will understand that you disapprove of something. Constraint is using the sanction to try to stop the sanctioned party from doing something: shutting down their bank accounts so that they can't use those bank accounts to continue to conduct business or conduct a war or whatever. Constraint is rarely an all-or-nothing thing. If we talk about internet sanctions and talk about blocking Russian domain names or blocking Iranian IP addresses or something, it's not going to kick them off the internet. It's not going to keep them from using the internet. It may make it more difficult and more expensive for them. Just like a financial sanction where you shut down their bank account isn't going to keep them from using money, it's just going to make it a lot more difficult for them. They're going to have to use more cash, they're going to have to set up other accounts under other names. They're going to have to use their grandmother's bank account instead of their own, whatever. The constraint thing is, again, it's not an absolute. It's more about creating friction that makes things more expensive. Coercion is where you're trying to get the person to stop doing the thing that you don't like. This is doing enough that they actually will change their behavior. It's not just a constraint to keep them from doing something involuntarily, but actually changing their mind. That's a tough one. If you talk with governmental policy people who do sanctions, what they'll tell you is that, going down from the top, a really good success rate on constraint or coercion is like 10% or 20% success. Since sanctions cost governments very little to implement, it's worth doing. It's not a big deal. It may not have a huge effect, but it's also not expensive, and the signaling part is important for a lot of folks, so why not? So sanctions are a thing.
Governments have been using sanctions for thousands of years at this point, so there's plenty of built-up expertise inside government about what works, what doesn't work, and so forth. They've got realistic expectations about what they should expect of the sanction in terms of success. They don't think that sanctioning something is just going to immediately stop the behavior that they don't want. They understand sanctions with respect to the movement of money fairly well. Governments have a lot of internal expertise around tracking the movement of money, and so if a sanction is not being enforced, they can tell. They don't really have that kind of internal expertise around networking, around the internet, internet service providers, telecoms. So they don't really know what's going to work, they don't really know what's appropriate, they don't really know what degree of compliance they're getting. So this is an area where things could improve. Internet service providers, network operators, could communicate more with government, educate them about what's possible and what's feasible, and also communicate more about what they're actually doing. Governments also don't really have any expertise at identifying what could be sanctioned, what's associated with sanctioned entities. So if we look at the St. Petersburg troll farm and you ask a government person, okay, how do we sanction this? They're going to say, I don't know, cut them off the internet. Don't know what that means. But if you talk with an internet service provider, they're like, okay, well, we'll stop routing their IP addresses. How do we do that? Well, we're going to look in the RIR whois and see what IP addresses they have. We're going to see what autonomous system number they're using to originate that. We're going to see what other IP address blocks are being originated from the same AS. We're going to see who their upstream transit providers are. We're going to go have a chat with those folks.
We'll see if they're multi-homed, and so forth. On the domain name side, look and see what the name servers are, what the contact information for the registration is, who the registrar is, all those things. We'll build up a little set of the domain names that we think this party is using. We'll look to see what email addresses they have used on things, who their email providers are. All of these are things that, from the internet perspective, we're very used to doing in association with abuse. So if somebody is spamming, if somebody is running a botnet, we've got a lot of experience with tracking these things down, doing the detective work, figuring out what the associated resources are, and shutting them down. This is no different. It's exactly the same problem set. It's just a different definition of badness. It's not our internet definition of badness. It's a general human rights and international law definition of badness. As we got into all of this, what we discovered is that the thing that governments are really bad at is publishing their list of sanctioned entities. You'd think that would be kind of basic, but the way governments handle this is like, hey you, take a memo, put it on top of the stack of other memos from other sanctions that we published before. Trying to get this electronically on the internet is really, really tough. The only government that publishes their sanctions list in a machine-readable format is the UK, and that's been down for the last four months. So normally it works, but just not recently. So they actually have JSON files at a known URL. Everybody else is like, oh well, we can fax those to you, or let us scan them and publish the PDF. So that needs to be fixed. Internet service providers want to be compliant with the law. They don't want to be in trouble with the governments of the countries that they do business in. But they're mostly unregulated. This is completely different than banks.
Banks have to deal with a ton of regulation, and government regulators who understand their business, know what's going on. ISPs don't have that connection with government because they're not regulated in most places. They also don't have know-your-customer laws that apply to them. If you're an ISP, you don't have to sit your customer down, interview them, understand their business, take lots of records about them, and hold those records, and then check back in with them once a year to see if they're still doing the same business they used to be, whereas in a lot of countries, know-your-customer applies to pretty much any financial service. So that doesn't really prepare ISPs for dealing with sanctions enforcement stuff. But at the same time, ISPs face all kinds of risks. So there are fines and criminal prosecution possible for over-compliance, under-compliance, non-compliance, mis-compliance; getting it wrong has liability. But then there are also the secondary effects. So if you have customers and the customer gets sanctioned and you don't sanction them, but their bank does, suddenly they're not going to be able to pay you for the service that they've used. So if you look at the Russia-Ukraine conflict, this is actually what wound up happening. A bunch of internet service providers cut off all their Russian customers because they were sort of looking out a few months. They were saying, well, it's March 3, and we bill monthly, net 30. So at the end of March, we're going to send out a bill for March, and it's going to be due at the end of April. So 60 days from now, will some of my customers have been sanctioned and have their accounts frozen and be unable to pay me? Don't know. Let's just get rid of that risk. 60 days from now, will Russia as a whole be having trouble paying bills because the ruble will collapse because of banking sanctions? Don't know. Okay, well, let's preemptively get rid of those customers.
So we saw this kind of wave of over-compliance back at the beginning of March, of internet service providers not knowing what they should do and doing too much. Some of them. Others didn't do anything at all. And one, notably, said that, well, nobody can tell them who to do business with. They were going to keep on selling services to Wagner and the troll farm, and then they lobbied the U.S. government to get the U.S. government to put in an exemption for them to sell internet services to sanctioned entities in Russia. I have no idea why the U.S. government went along with that, and all the sanctions people in other countries are looking at the U.S. and wondering what the hell happened there. Anyway, so there's also a problem that we discovered with network operators. There's a kind of libertarian streak that comes from how the internet kind of got set up, switched from being a U.S. governmental project to a private sector thing, 1992, dot-com bubble. A lot of people are sort of in this, you know, this isn't a government project anymore mode. And there were also a lot of people who are very into privacy. And so you get some people running internet service providers who feel like they really need to defend their customers against their government. Like, if we're going to choose sides here, we're always going to choose our customer's side. Now, in principle, that's fine, but if out of your 100,000 customers, two of them are really awful human rights violators and they get sanctioned, maybe those aren't the two that you choose to go to bat for. So there's been a bit of a conflict there, and also this sort of notion that the internet should be open and we shouldn't judge people based on their content. And fine, if your customer is a furry, don't judge them on their content, right? But if, you know, they're killing lots of civilians, maybe judging that is okay. Internet network operators are also really, really good at blocking stuff. Lots of practice at blocking things.
So again, this is really just a question of matching up the sanctions with the already existing skills of blocking. So the German internet service providers went to their regulator and said, we'd like some guidance here. Please tell us more about what you want us to do. And the German regulator came back with a pretty clear statement that basically said, well, if you do too much or you do too little, you're either going to get prosecuted or hauled into court, your choice. So maybe you want to just figure out what we want and do it. So the Germans, anyway, were pretty clear. But that's probably representative of the response that any other government would give. You go asking governments whether you need to follow the law or not, and the answer is usually going to be yes. So we got this project going, you know, internet style, just a bunch of folks, volunteers, doing their thing to try to work through this and figure out how to get internet service providers and governments into alignment on this, because they both want to be, right? The internet service providers want to be in compliance with the law. They don't want to get prosecuted or sued. Governments want to be able to define a sanction and have it enacted by the private sector as intended, not overdone or underdone or whatever. So everybody wants to meet in the middle. There's a lot of goodwill. Now it's just kind of a question of, you know, since March, we've been working through the specifics and figuring out where the problems are. And like I said, the number one biggest problem is getting governments to publish the list of who has been sanctioned in a way that we can consume electronically. So this organization, we've got five working groups: policy, intelligence, oversight, operations and research. The policy group is sort of trying to figure out who's been sanctioned. The intelligence group then tries to figure out what internet resources are associated with sanctioned entities.
The oversight board then looks at the result, does a last sanity check before handing it off to operations, who publish the resources of the sanctioned entities as a real-time feed using RPZ and BGP. So RPZ for the domain names, BGP for the routes and autonomous systems, or the IP addresses and autonomous systems. And then the research group is there to sort of track how all this is going, collect statistics, you know, run the beacon, so forth. So where do things stand right now? The main thing that's going on right now is we've had a lot of talk in the European Union among a lot of governments about this. Everybody is happy with the idea. Now it's this question of working through the specifics. And the OECD seems like the good place to do that. And so there's been a work program going for three, four months now. Well, since the beginning of April, in the OECD. So the OECD is like the civilian counterpart to NATO. After World War II, there was the Marshall Plan to rebuild Europe. The OECD, the Organization for Economic Cooperation and Development, is the civilian side of that. NATO is the military side. So for dealing with economic stuff, the OECD is the place to get standards and best practices harmonized and published for the member countries, which are the 38 sort of largest free market democracies. And so the thing that we're trying to get standardized is how the list gets published, because different countries have different lists. And right now it's a huge mess. I'll get into the details of that in a little bit. We also need governments to be really clear that if a network operator uses this mechanism to enact a sanction, that that is not over- or under-compliance, that that is sufficient compliance. Right now all the technical mechanisms of doing this are proven out, and we're not putting anything into the feeds yet. And all of these working groups are up except the intelligence group.
We didn't want to have a bunch of frustrated detectives trying to detect things if there wasn't yet sort of a clean feed of data coming in from governments. So I mentioned this earlier, I just wanted to have a slide about it. Do sanctions disconnect anybody from the Internet? If you tell Internet service providers, cut off this party, are they going to be off the Internet? And the answer is no. Just like if you shut down their bank accounts it doesn't prevent them from using money, it just makes it more difficult. So then there's sort of this question, well, you know, not exactly by what right, but there are people on the sort of libertarian side on the one hand and people on the sort of extreme human rights side on the other hand who think that because communication is a defined human right, that messing with people's communications is a really bad idea. So if it were the case that sanctioning somebody's Internet communications would cut them off the Internet, that would be a valid point. But since it's really just a matter of increasing friction for them, their human right to communicate has not been violated. So then there's this question about what does this friction mean? Like, we're not opening up their bank account and taking money out. So what's happening there? Internet communications is all about collaboration, right? Internet service providers get together at Internet exchange points, they collaboratively operate them. The bandwidth is produced in the exchange points, the ISPs take it and deliver it to end users, and all of that happens through cooperation. When we cooperate we get efficiencies. If we work together on something, that efficiency makes something more valuable to us or cheaper for us. If we choose not to cooperate with someone, their costs go up because their efficiencies get worse.
So what's happening if we stop routing IP addresses on behalf of a sanctioned entity is not that we're cutting them off the Internet, but we're saying we're no longer going to cooperate with you to make things more efficient for you. So your costs are your costs, whatever those might be, not my problem. So that's the mechanism that's happening there. There are a few other problems that we ran into that there aren't necessarily good answers to. Let's say that the troll farm goes and finds the public school next door and gets on their Wi-Fi and routes all their traffic through a public school. We've got two choices. One choice is, okay, now we block that public school also, or we say, well, we were trying to sanction the troll farm, but I guess we're not going to do this one. Neither of those is a great answer. If you decide to block the school, the answer that sanctions people have come up with is, well, yes, that harms them, but we're not the ones causing the harm, or we're the proximate cause, but we're not the ultimate cause of that harm. It's the party that used them to try and circumvent the sanction that's causing that harm. That's not an answer that's going to satisfy everybody. We've got another problem specific to domain names, which is, if we block a domain name, then somebody creates a subdomain of that. Should that also be blocked, or are subdomains fair game? Again, there's the risk of over-compliance here: if we block the domain and everything below it, that may catch other parties, who knows; it might take a little bit more detective work. We've also got conflicts with privacy and antitrust law.
In a lot of countries, the information needed to identify a sanctioned entity is going to be PII, right? It's going to be protected personal information, and there are going to be a lot of rights that they have around that. And so if government wants us to take that information and use it not for the user's benefit but for the government's benefit and the public benefit, then we need a carve-out in law saying that that's okay. Likewise, if we're going to work together with other internet operators to block somebody, we need an exemption under law from antitrust that would allow us to talk about that. And now we're sort of getting into the trivia, and I'm going to blow through a lot of this, but I'm leaving it in the slides, so if you guys are interested and want to look at the details of how all this works, it's in the slide deck. The beacon is sort of an artificial set of domain names, networks and autonomous system numbers that are getting sanctioned artificially, not by an actual government but as part of this process, so that researchers can check and see how far the effects of this mechanism are propagating. And it was important to get this up and running sort of on day zero so that, you know, the baseline would start at zero for the effectiveness. Number one problem we're having with the data is transliteration.
All these governments decide that it's simpler for them to use their local character set than the character set used by the language of the place where the sanctioned entity is. So you get Cyrillic and Arabic transliterated into Roman characters, and everybody does that differently. So here we've got two examples. The first one, Anatoli, common enough name, three different common transliterations of it into Roman characters. And that problem is just rampant, right? Like, every single sanctioned entity sanctioned in three different countries, they're going to spell it three different ways. So Unicode is our friend, right? Unicode solves this problem. Take the official name of the entity as defined by their own government in their own documents, use that in Unicode as our primary label, and then, sure, have transliterations, but mark them as not the canonical data. Likewise, we've got all kinds of things that get abbreviated a zillion different ways. So "open joint stock company" gets abbreviated a zillion different ways. That is just a property, it's a property of the other name, that can be tokenized, and then that token can be represented in local language wherever. A lot of these problems get solved by having the right database schema and defining the data types in the schema in a sensible way. And I'm going to blow through slides explaining all the different things that we think we've learned about how to do that database schema, but you go to the sanctions.net website, it's a wiki, your contributions and thoughts are very, very welcome. Okay, so, folks, are there questions about this stuff? Sir?

Yeah, thank you for that talk. It seems to me the problem with transliteration that you were just talking about, artificial intelligence, natural language processing, could go toward standardizing that, could go a long way in solving that problem. So, looking into that?

All right. I don't know if everybody was able to hear the question clearly. The question is around natural language processing and artificial intelligence and machine learning: could those help in identifying? I think the problem here is that machine learning, if you've got millions and millions of things to train it on, sure. This is more like, you know, the no-fly list, where, you know, everybody named Muhammad is suddenly no longer allowed on an airplane. It's pretty easy to get wrong. If you get it wrong, it has pretty bad consequences for somebody specific. There aren't a lot of, you know, cases to train on, and, you know, knowing when you've gotten it right, when you've gotten it wrong, is not necessarily easy. And it's not like the answer is unknowable. Knowing what somebody's name is as spelled in Arabic, it's their name, it's on their passport, it's on a zillion documents. If we can identify the person at all, probably we can identify them in their native language. Is that name going to be unique? Not necessarily, but put together with a bunch of other things, like, if it's a person, you know, their height, their date of birth, you know, identifying characteristics, right? You put enough of those things together and you've got a unique identity defined. This kind of thing, yeah, there is a lot of technology for. I mean, you know, we've spent the last 20 years developing machine learning so that we can identify consumers uniquely and make absolutely sure that we can sell everything to the right person. Sure, we know how to identify people. There are ways in which machine learning can help, but, you know, the name part is not that big a deal and doesn't need giant firepower. It just needs, like, government people to understand what Unicode is. Sir?

Bill, can you hear me? First off, I think you did a great job. So, this beginning thing about not necessarily doing good communication, I thought you did an excellent job. That's number one. Number two, could you expand or give your opinion on the registrars, the registrars who host these domains, and then forward, or, you know, integrate them into everything you were saying, using that as an example, please?

Okay, so, question regarding the integration into all this of the domain name registrars. So with domain names, we've got the registrant, who is the ultimate end user of the domain name, or the party that bought it. We've got the registrar, who is the party that sold it to them. We've got the registry, which is where the unique records of who controls what are. The registry almost never has a direct relationship with the registrant; the registrars always sit in the middle. It's sort of like, you buy a car, you're not buying it from Ford or GM, you're buying it from a dealership, and so your relationship is with the dealership. That analogy is going to seem really dated in about ten years, probably, but there you go. So if we're going to engage parties, the issue is that once the car has been sold, the dealership is not involved anymore. So once a domain name has been registered, the registrar isn't really involved unless there's some registrant-initiated change. So if the registrant says, I want to change my domain name servers, or I want to change my address or something, then the registrar gets involved by sending those changes up to the registry. But there's a protocol called EPP, Extensible Provisioning Protocol, that runs between registrar and registry. That's all automated, and so the registrar's job is basically just to feed information into EPP. That's a one-directional thing: it goes into the registry, and nothing comes back. So there isn't really much to do with the registrar. The registrant is the problematic party in the first place, so we can't really deal with them directly. The registry can remove a domain name at the registry level, and that is exactly the right point to do that blocking most effectively. But that's a hundred percent blocking of that domain name, so there are going to be people who are going to say that that's overkill. Having looked through the list of who gets sanctioned, I would disagree, right? The people who get sanctioned are by and large pretty bad folks, and I am perfectly happy with having them not be on my internet. But, you know, there's the question of how much fight you want to get into with libertarian folks and internet freedoms folks and so forth. So the other place that you can do that is at the DNS recursive resolver level. So Quad9 and Cloudflare and Google, between the three of them, right there, that's like half the world's DNS resolution. So three organizations could pretty effectively do this.

All right, I think that's it for our time. Thank you all very much, and I'll be here for, you know, like, over there somewhere if anybody has further follow-up questions. Thanks a lot.