Hello and welcome to the Telia Carrier and Internet Society September virtual roundtable, Cyber Attacks and How the Right Network Can Be Your Best Defense. I'm your host, Laura Nolan, and joining me today are Mattias Fridström, Chief Evangelist at Telia Carrier, and Andrei Robachevsky, Senior Director of Technology Programs at the Internet Society. I'm going to welcome our panelists in just a moment, but first, a few housekeeping notes before we get started. We want to make sure this virtual roundtable is as interactive as possible. So please add any questions that you might have into the Q&A box. If you have any other comments, please feel free to add them into the chat box and we'll take a look for them. I'd also like to address all the questions at the end of the hour. Now, if we don't have time to get to your questions, our panelists will follow up with you directly. Also, I'd like to take a moment now to ask the panelists to introduce themselves, so if each of you could give a brief introduction and explain your role and the role your company plays in the industry as it relates to today's topic. So let's start with you, Mattias.

Thank you, Laura, for having me. I'm Mattias Fridström. I'm currently the Chief Evangelist at Telia Carrier. I used to be the CTO for many, many years but have the last couple of years spent my time as the Chief Evangelist, really trying to understand what the market needs from carriers, service providers like us, and also what we need to do to please the market really. So security is dear to my heart and I'm really curious to be here and discuss with you.

Wonderful. Andrei, how about you?

Yes, I'm Andrei Robachevsky, Senior Director for Technology Programs at the Internet Society. Internet Society is a mission-driven organization, a global organization driving for the open, globally connected, secure network to transport the Internet for everyone.
And I've been in the Internet industry for almost 30 years, from building networks to dealing with techno-policy issues, but I'm by nature a technologist. My main focus is on Internet infrastructure security and resilience, particularly working on issues that border with governance and policy. I'm just at the birth of the industry-led initiative, supported by the Internet Society, called Mutually Agreed Norms for Routing Security, MANRS, something that is very much relevant to the topic we're discussing today.

Wonderful. Great to know both of you, and we've got a lot to cover today. So let's jump right into our first question. Can you define cyber attacks and the different aspects of Internet security, apps versus network security? So Andrei, I'd like to toss that one to you first.

Thank you, Laura. Well, let me start by saying the Internet is a very complex ecosystem. It's a network of networks and there are indeed numerous facets of security. Internet architecture is based on the layered model, where underlying layers provide common functionality for upper layers. Think of, like, a network function responsible for moving packets from one point to another, while the application layer is mostly concerned about exchanging structured data between two or more applications. This is of course a simplification, to think of the Internet as a layer cake, but it gives an idea. What that means is that applications can be developed without much concern for the underlying network technology, and networks can be deployed and operated across different media like DSL or fiber or satellite. But there is no security layer there. And that is for the reason that for each of those components, for each of those layers, threat and risk assessment should be performed separately and security solutions should be developed.
This is why for each of those technology building blocks that the IETF is developing (IETF stands for the Internet Engineering Task Force, one of the main standards development organizations for the core Internet standards), there is a special section in each of the specifications called Security Considerations. That is what in security jargon is called security defense in depth. Well, a case in point illustrating these complex dependencies and the need for security solutions for each of the components is an incident that happened a couple of years ago, which resulted in emptying Ethereum crypto wallets. The attack involved route hijacking to enable impersonation of the domain name system resolution, to enable redirection to a fake version of the website MyEtherWallet. And it demonstrated that a vulnerability at each layer was exploited, including social engineering, when users were sort of tricked into fake website certificates, accepting them, and leading to the fake website. So if you ask me apps versus network, I would say both are important. But because the security gaps in core infrastructure provide a broader platform for launching attacks, and even circumventing highly secure solutions, I would say probably that requires more focus, and it's actually more challenging.

Mattias, would you like to weigh in on this too?

I think Andrei covered it really well. I think, you know, there are many different ways of cyber attacks. I think we will discuss quite a few of them here, as we as a carrier are obviously more focused on the network side of this. But of course any cyber attack can happen both on the application layer and network layer; they're both important in combination.

So I have you on the hot seat, let me start this next question with you. How do cyber attacks happen, and then what is the market saying, are cyber attacks becoming more common?
Yeah, I think that's a good question really, and of course there are many, many different cyber attacks. As Andrei talked about, you know, you can attack the applications, you can attack. And then phishing emails, and there are many ways of it. I would much sort of focus on the network side because that's where we are strong and that's where we believe we can add some value here, and on the network side I would argue that the DDoS attacks are by far the most important ones to stop, and where most attacks are. DDoS attacks, for those people that don't really know, are coming in two ways really. One of them is sort of the persistent low-intensity attack, where you, by attacking one target with question after question, could be very small questions, but you're just sending a question, a question, and you never really answer, and sort of at the end of the day the server gives up because they've been asked and it's overloaded in terms of memory and so on. And the other one is really where you collect a lot of sites on the internet and you attack one site with large volumes; you just pour on data into one site, causing that site to pretty much go down. So those are really the two ones in the DDoS. And if you ask me if these are common, you know, we did a survey right before the summer this year among 400 enterprises both in the US and in Europe, and 78% of the companies we surveyed said that they had been attacked more than 100 times already this year, and 68% of them said that they've been under DDoS attacks, so I would say yes, these attacks are very common. We also asked them, you know, if they've seen an increase during the pandemic, and actually half of them said they have seen an increase. Some of them said they hadn't seen an increase, but more, almost half of them said they've seen an increase. So, yeah, this is a big problem for the internet and something we all need to work about to get out.

Wow, those are some shocking statistics. I appreciate you sharing with us today.
So we're going to start now to talk more about when those cyber attacks happen. So what happens when they're successful and they do break through, and why are they successful? Andrei, can you start with that?

Well, Mattias already mentioned types of attack that happen, and yes, if we look at infrastructure, denial of service attacks are most common and quite easy to mount in fact. So let me sort of reflect a little bit on why those attacks are successful. And I think success of those attacks is mostly linked to the challenge of addressing security gaps in the internet infrastructure. So while many of the vulnerabilities and even technology solutions are known for decades, little is done to close them down. And one of the main reasons are so-called negative externalities, when costs of security gaps are not incurred by negligent entities, when the cost of the damages occurring from those attacks are not incurred by the attack facilitator. Well, I take one example that's very close to my heart, routing security, and in fact the security of your own network depends on actions or inaction, if you will, by other network operators; there are about 70,000 network operators, or autonomous systems, in the global system. So there is a huge dependency and a huge externality, where if I do nothing, I do not make the security of my network significantly worse, but at the same time I'm not contributing to the global routing security. The same applies to open resolvers; those are the launch pads for many denial of service attacks, volumetric attacks, and people operating those resolvers do not care, they're negligent, but they do not suffer from those denial of service attacks. The same applies to other types of, you know, denial of service that amplifies, networks allowing spoofed traffic. One of the curses of the Internet is that routing or forwarding traffic doesn't depend on the source IP address.
It's pretty much like in the post office: when you send a mail, your return address only matters when mail cannot be delivered or you need someone to reply back to you. The same is here, but that creates an opportunity to mount reflection and amplification denial of service attacks. Those who allow, networks that allow spoofed traffic, again do not suffer from those denial of service attacks, but they are facilitating those. So this disconnect, I think, makes securing Internet infrastructure so challenging.

We've heard already about just the impact and the large numbers of folks in the marketplace being victimized, you know, by cyber threats and cyber attacks, and then the impact that it's causing businesses and companies. So is network security prioritized or overlooked by the market? Mattias, can you start with that?

I think that's a good question. I don't think it's overlooked, and obviously it's becoming more common in news on TV and other media where they talk about these attacks; I think more and more people are aware of this happening. But I still think many enterprises out there are still believing that, you know, really as Andrei said, if we don't do anything, let's keep our fingers crossed that nothing will happen. In our survey when we asked them, you know, about 50% of them said that they are aware of what service providers could do for them and where they could get help. But there is still half of them that didn't really have a good view of their protection, so I think, you know, there are many, many things enterprises can do much better here. I think some of them really get it. And I think the more they read about it, the more they are aware of the problems that this has if they are not protected. So I would say it's absolutely not overlooked, but it's also an area where I think each and every one of them can improve, because there are many more things you can do.
Instead of just keeping your fingers crossed and hoping that the attack will go to your neighbor and not to you. So, I don't think it's overlooked, but it can be much better.

Andrei, what do you think?

I largely agree with what Mattias said, and another thing that I would like to mention is that some of those attacks, or some of the security measures, they have not a very strong business case, and that's exactly what I just mentioned about those externalities, that the costs of not doing something are not sort of borne by the negligent party. So there is also no, no one player alone can close those vulnerabilities in such a decentralized and distributed system as the internet. This is a situation that is called in social science a collective action problem. Everyone is striving, understands that they're better off with a more secure infrastructure, but due to conflicting priorities and this displacement of incentives, the organizations are very difficult to mobilize for the necessary collective action, and the common goal is hard to achieve. I mean, look how some of the security technologies are not very easily deployed internet-wide, how long it takes for security solutions to diffuse through the global internet. And that's partly because there is sort of not a very clear business case. It's not like in, sort of, you know, the pre-internet security paradigm where you can build walls and secure your little fortress. This is not possible anymore; you're in open ocean, and you need to work together with other entities. Related to this, I'd like to mention an initiative called Mutually Agreed Norms for Routing Security, already mentioned in my introduction; the acronym is MANRS. So we're looking for that was with good manners that is supported by the Internet Society.
It aims to overcome this collective action problem, right, just outlined, by developing common operational security practices into norms and building a growing community that can demonstrate adherence to those norms. So that's one of the approaches that we're promoting at the Internet Society, and that's something that can stimulate or mobilize the community for long-term solutions.

So deeper down, we talked about is network security prioritized or overlooked, but are people even aware of the role of the network in preventing malicious attacks, and then would that change that priority? Mattias, I'd like to start with you on this one.

That's a really good question and I think, you know, sometimes when we talk to enterprises it seems like they only think about their own premises and how to make sure that their own users have strong passwords and they have a nice firewall at the sort of entrance of the building. That's it. So I sometimes feel that many enterprises don't really understand that there's a way you can work with your service provider and they can actually be your first line of defense, and I'm pretty sure there's a lot of things we as a service provider can take away so that the enterprises never really see that type of traffic. Well, you're very right that many of them are feeling, you know, as long as we have a nice firewall that's going to stop everything from entering our network, then we're safe. I actually think there is a lot of things the service providers can do here, and really, as Andrei said, the internet is something, it's around 70,000 active networks out there. There are simply no rules on the internet really, because it's a trust-based network; everyone has to trust each other, and of course 70,000 different people, networks, trusting each other, that's difficult. I think MANRS is a really good initiative. We're obviously part of that; we want to make the public internet a much better place and much more safe.
But I think, you know, many enterprises need to start to think about the network as well. If we can stop at least half of the attacks before they even reach the enterprise, it's going to be much easier for them to handle their security, and sometimes I feel, as long as they believe they have a nice firewall, they're safe. That's not the case. That's not going to help you. There are many ways for crooks and criminals to come around that, so a combination of on-premises or in-the-cloud security and network security is a must in the future.

Well, the only thing I can add is that a few years ago we conducted a study together with analyst company 451 Research, and we looked at how sort of the attitude towards routing security in particular from enterprise level. And what we found is that one of the most challenging things in IT security for enterprise is selection of their service providers and especially connectivity providers. One of the challenges in security is the ability, or rather lack of, to signal your security posture. So when an enterprise selects a provider, it's like, well, how do we know that you provide these extra security things? So we were thinking that MANRS, and still think that MANRS, can add this signaling mechanism. One of the main concerns, and that was very surprising from this survey, is that enterprises were very concerned, next to denial of service attacks, about traffic hijacking, that their sensitive information can leak and take unusual routes on the internet and therefore be subject to surveillance, for instance. And I think they did also discover that enterprises do not clearly realize the role their service or connectivity provider can play in securing that particular part. So that was quite revealing, and that's why we think that MANRS can help also service providers to signal their security posture to their potential customers.

So now that we've talked about recognizing the role of the network in helping combat cyber attacks.
What are the best ways to ensure maximum network security? And I know this could be just an open field, try to narrow this down, but from your perspective, Andrei, what do you think?

Well, I have to start that security is not a state. It's a process, right? If you treat security as a state and you would go and patch your software and you think you're secure, you may be disillusioned a few moments after, right? So you need to have a process, that continuous improvement, continuous security. So, another thing to consider is that the level of security we need to achieve and maintain should reduce the risk of a successful attack to an acceptable level, right? We, you know, maximum security may not be cost efficient, that may not even be needed. But what we're striving for is that risk is at this acceptable level, right? That doesn't mean that we take it easy and relax; on the contrary, it means our job of security professionals. It also means that in such a system as the Internet, we need to continuously do this risk assessment, understand new vulnerabilities and strive for collaboration. We shouldn't forget that in such an independent and hyper-connected system as the Internet, security is essentially a collaborative activity. Efforts, in my opinion, should be focused on supporting this collaboration, facilitating it, such as improving information sharing, transparency, accountability, this sort of stuff.

Mattias, I'd like to ask you that same question. You know, is there a way that you think that we could ensure maximum network security?

Yeah, no, I really agree with Andrei. It's not an end state. It's a process and something that everyone needs to work on; we need to improve ourselves every day. But I think it's really, as Andrei said, it's a combination of an ecosystem there, and I think that's where people have struggled. I think people felt, you know, in the past you bought your security from a security company.
And then you felt safe, you know, I have everything I need from this fantastic security company and I should be fine now. I think in the future, when both security companies are moving their stuff into the cloud to be even more efficient, and people are using public Internet much more for connecting various remote sites and so on, instead of having secure MPLS routes in the network, I think that the future networking is much more about a collaboration between, yeah, your service provider, connectivity provider, that I represent, security companies, then obviously Internet societies that Andrei represents, who know this and can guide people, and then enterprise people themselves, and I think the future is much more collaboration, sharing of information, looking at, you know, okay, we've seen this type of attack right now, what can we do to mitigate that type of attack. I think the days when you bought your entire security solution from a security company are over. Everyone needs to do much more these days, and that's where a combination of a number of companies is a must for an enterprise; you can't just buy it from one, and we don't tell anyone that we are the complete security package either, we are not. We are one part of it, and we can fix the network part, or at least do as good as we can for the network part, but it's a combination of an ecosystem that's needed in the future really.

I want to remind our viewers, if you have a question for our panelists or a comment, feel free to put your question in the Q&A box, or just comment in the chat and we will get to that; we're going to get to some audience questions in just a moment. We're going to continue our discussion but I just wanted to do a quick reminder for those who might have joined us late. So let me throw it back to you, Mattias.
So we're talking about the future; you mentioned what we may try to expect, I guess, from some of these cyber attacks, and the collaboration aspect which is so key. Can we get this under control, or will it just continue to be so rampant? What are your thoughts on that for the future?

I know, I think that's the million dollar question, it's a good question and I would love to say yes, we can get them all under control, and I really believe so. But we really need to work together, and I'm pretty sure crooks and criminals are not sitting back, they're probably inventing new ways of doing these types of attacks. We've seen ransomware attacks have increased, and then obviously that's when a lot of money is involved. If you can shut down a competitor, that's also something where there's a lot of money involved, so I really hope that the entire industry is coming together to fight these types of security threats. I'm pretty sure they will never go away. Hopefully over time we can control them so much, but in some way it's always down to this sort of, yeah, very last point: the weakest link is always the weakest link, and if not everyone is stepping up and behaving well, there are ways of getting into networks. I think, you know, if we can really get everyone to understand that a combination of everything, we have multiple systems, providers, suppliers, I think that's what we need. I'm sure there will be cyber threats in the future as well, but hopefully we can keep them under control. I really believe so. I hope so.

Andrei, how about you?

I'd like to share Mattias's hope and think that yes, we need to continue our efforts. I think what we see also is that this culture of security and collaboration is building up; at least in our experience with the MANRS effort there is much more awareness of roles and responsibilities of individual players or network operators in this ecosystem.
I think norm building is very important because that makes sort of undesired behavior, or not meeting certain security standards, not just a matter of certification or being subjected to government regulation, but it's a social acceptability to behave other way. And as you know, a lot of things in the Internet are done on interconnection, which is collaboration, essentially, right? So this peer pressure and social acceptance plays probably an even bigger role than any regulatory intervention or something like this, so I really hope that we as an industry can come together, or continue coming together, discuss this and sort of, you know, police ourselves and make the Internet a safer place. We also need to look at security in perspective, right? We can just say, well, security is getting worse; we also need to look at the benefits, right? We also need to normalize those attacks by the size of the Internet, by the benefits it brings. So, I'm not saying that the picture is bright, but I'm saying that that needs to be taken in perspective. Last thing is, that also depends on the changes in the Internet architecture, some of the trends which may not be necessarily very positive, but they can contribute positively to security as well. For instance, you know that cloud and content come closer to end users, to customers, to edge networks. So the link, what Mattias mentioned, the link or number of links between your source and destination, it actually becomes shorter in the Internet. The Internet becomes a bit flatter, and that makes security slightly less challenging or slightly easier, because you need to coordinate, need to collaborate with less amount of parties than maybe before. But that also has side effects; I mean, the Internet is getting more centralized, less distributed, and that causes other problems, maybe not necessarily related to security. So that's my, again, not having a crystal ball, some deliberations.

Thank you, Andrei.
Well, there is a lot to consider, as you've been talking about, from, you know, watching market trends and collaboration and, you know, protecting the enterprise, so where does someone start and how do they learn more?

You know, I think, if I start there, I think there is a lot to learn. You can always obviously call your service provider, connectivity provider, and ask them how do they take care of their network, and how do we ensure that no one can enter our network and that any malicious traffic that we can see on the network is thrown away; I think that's a good start. But then there is a lot of written material out there, there is a lot of guidance. I think companies like the one Andrei represents are a good source of information; you can just call them, ask them, you know, where should we start, you know, how do we start here. I think there are now many good examples of companies that have turned this around to their advantage and went from a very insecure company to a very secure company. I also think, you know, everyone that graduates from university right now has practically only lived in the internet era. I think older people like myself, you know, I remember the old days when cyber threats didn't even exist. But I think everyone that comes from university right now is much more aware of this. Probably sometimes much more happy to click on things on the internet as well, which is dangerous, but I think, you know, the more educated people that are going to come out, the more educated everyone will be. So, you know, for an enterprise I think they should really start by. There is a lot of material out there, there's a lot of things you can read about, there's a lot of good examples of what companies have done, so don't be afraid of contacting your service provider or whoever and start your journey.
Andrei, what do you think? I know you're doing a lot of great work with the Internet Society, so where can folks start their journey to learn more and really be involved in protecting their data?

Well, I mentioned this MANRS, and apologies for repeating this sort of shameless plug, but our website of this initiative contains a lot of useful information, so that would be a good place to start, and MANRS applies not only to service providers, to companies that operate like Telia Carrier, but also to enterprises, and I would say enterprises of course have to clean up their backyard; they need to take security, or elevate security importance, in their own priority list. But also, we need to think how to engage, how to make market forces work in our favor. So I think the impact, sort of, selection of your connectivity provider. It's a two-way thing, right? If you put security requirements as one of the essential components, you make your choice not only on price, not only maybe throughput, but also on how well your partner can be a security partner in this game. So realizing that, I think, can help us to overcome this, you know, disconnect, these externalities that I was mentioning before.

Wonderful. Well, we do have a few questions from the audience that we're going to send to our panelists in just a moment; we've received those in our Q&A box. And if you have any additional questions while we're answering these, please feel free to type them in the Q&A box. And we'll get to those with as much time as we have left, and if we don't get to those we'll get our panelists to follow up with you directly. And the first question we received from the audience is, could you speak about what steps Telia Carrier and Internet Society are taking to do their part in keeping the Internet safe? Andrei, I know that you talked a lot about MANRS and we'll probably circle back to you in a moment, but Mattias, let's start with you first on this question.

Yeah, yeah, right.
No, we're actually, I think we're trying to step up, and I know that this year we have sold more of our DDoS service than ever before, and I think that's important. I think many more companies are realizing how important that is. And of course we need to improve that service as well. So practically, a DDoS service that we are doing is looking for anomalies in the traffic pattern that we see in our network, and the more traffic we have, the more we can learn from. But we also need to have many more scrubbing centers so we can take away the absolute largest DDoS attacks to protect our customers and so on. That's one thing we can do. Then there's of course a lot of other things we can do around our network, making sure that no one else can enter our network and no one else can access the routers and the equipment we have and so on. So I would say this year we've put extra focus on security and that's just going to continue into next year. But as a network provider, we're absolutely mostly focused on the network itself, and that's where the DDoS attacks are the ones we need to take away. If we can help the world by taking them away, we've done a big job for the internet to be a much safer place.

Andrei, how about you? You want to address this question, the audience question about what the Internet Society and Telia are doing to keep the internet safe?

So at the beginning I mentioned our mission, and our mission is for an open, globally connected, secure and trustworthy internet for everyone. And in the last two things, secure and trustworthy, we have two main projects for many years running focusing on those areas. We're not a network operator. So we're mostly focusing on, you know, coordination and collaboration and, you know, mobilizing communities and solving this collective action problem. So one project that I've mentioned many times is MANRS, Mutually Agreed Norms for Routing Security.
And the Internet Society is acting sort of as secretariat, although this is a really industry-led initiative with Telia Carrier and other leading operators being part of it and guiding and driving this effort. Another effort is encryption. So we are promoting end-to-end encryption and we are trying to sort of criticize proposals that try to undermine end-to-end encryption. And that's back to your question whether application is more important than network. And I said all is important. And this is a case in point where you need to secure your infrastructure, but also you need to secure your communication, sort of on the application layer, right? What could have been done without encryption, for instance, whether end-to-end encryption. So those are two main pieces that the Internet Society is contributing in the area of security.

Okay, we do have another question from the audience. This one says, what types of cyber attacks do you think are going to be most common in the future? I know that, Andrei, you don't have that crystal ball like you mentioned, but do you have any thoughts to weigh in on what would be the most common cyber attacks that, you know, may develop and evolve over time, and how we can prepare for them? So what do you think?

I think, in my opinion, the cheapest ones are volumetric denial of service attacks and that sort of extortion and stuff like this, right? They can be very powerful, and especially with, we know that Internet of Things and other connected devices, they're exploding in numbers, right? And they're not always as secure as we wish. So they provide a huge launch pad for those types of attacks. And I think the growth of more sophisticated attacks, we should expect, that's probably not something that we as sort of infrastructure providers can really do, but this, you know, advanced persistent threats, attacks on national binational states, which create very sophisticated things.
And the danger of this, that those things may spill over, they may reach this sort of, you know, common market, if you will. And we saw this as well, that those sort of weapons can get into the hands of just, you know, simple hackers and be used. So I would watch this trend very carefully as well.

Mattias, what do you think? What types of cyber attacks do you think will be most common in the future?

I think that's a good question and I'm almost afraid that, if we would redo this webinar in three years' time, we would talk about things that we don't even know about today. Because it's really, as Andre said, the people are very creative out there and there are many interesting objects online that people will still find and still be sort of interested in attacking. I still think these phishing mails, you know, as long as people are stupid enough to click on mails they shouldn't click on, and I think they still do a lot despite everyone warning everyone about opening things you're not knowing about. I think they will continue to be big. Hopefully, someday people will be smart enough not to do that, but I'm just afraid that it's such a simple thing. You almost make an email look like another email and you get some people to click on them. I'm just afraid that that's just going to continue, but it's really, as Andre said, you know, if everything becomes online, then there's some really scary stuff like weapons that can be reached above all. And yeah, I hope that's not going to happen, but I'm afraid that might be the next target for these crazy people.

So we have time for one more question, and I think this might go to you, Andre, but also, Mattias, if you want to weigh in as well. But I know Andre mentioned the 451 Research that was provided and a survey, and a lot of research that went into at the research society regarding cyber attacks, and someone who joined wanted to know where they could access that information.
I know we talked about, you know, how to get in touch with you, but more specifically that specific research or just information, where can they find that?

So the simplest way is to go to the MANRS website, it's manrs.org. And there is a tab, resources, and you can find different presentations and papers and this report I mentioned as well. And this report has two parts. It looked at the service providers, the transit operators, what MANRS means for them, and also what MANRS could mean for enterprises. So yeah, please, and if you have more questions you can always reach me.

Can you guys go to the Telia Carrier website, or where would you like to point some of our viewers in finding more?

Yeah, no, obviously the Telia Carrier website has a lot of, we have a knowledge hub there where you can, the report I referred to earlier in this conversation is of course downloadable at that point, and hopefully you can get some other stuff there. You can get some guidance, but you can of course always contact us and we can guide you as well in terms of that, but that security report is very interesting in terms of how enterprises see the future of security. So please come.

Okay, well, thank you very much, Mattias and Andre, for your time today. A great conversation, we appreciate you being here.

Thank you very much. Thank you for having me, thank you.

Thank you, viewers, for joining us. Be sure to look out for our next virtual roundtable, and be sure to visit our YouTube channel to catch the recording of this and all of our past virtual events.