GFCE Triple-I Workshop @InSIG 2022 in Hyderabad, India results in action towards increasing justified trust in the use of the Internet in India.


News Item | 22-11-2022

On Sunday 25 September 2022, inSIG hosted the GFCE Triple-I Day for the third time in India. The workshop is initiated by the Global Forum for Cyber Expertise (GFCE), and is supported by APNIC, ICANN, Internet Society (ISOC) and its Indian chapters, and the Indian Ministry of Electronics and IT.

Please find a detailed report of the GFCE Triple-I Hyderabad meeting here.

Recap of the GFCE Triple-I Meeting

This GFCE initiative is meant to “facilitate” awareness raising and capacity building events in different regions of the world in order to “enhance justified trust” in the use of the Internet and/or email in those regions (specific priorities are to be determined by stakeholders in the region). Local and regional actors are stimulated and supported in setting up and running local/regional events between regional stakeholders, bringing in local expertise. The initiative builds on the experience of two years of events around the world (2018, 2019), and is firmly embedded in the mission of the GFCE. The meeting resulted in a commitment by a group of stakeholders to build an Action Plan to enhance justified trust in India, in support of its Digital India aspirations.

Official opening & welcome

The workshop was opened by Shri Alkesh Kumar Sharma, Secretary from the Indian Ministry of Electronics & Information Technology (MeitY). The Secretary expressed his gratitude that, despite the global pandemic, the group managed to stay connected. He also reminded attendees that, while most of us are experiencing the transformative power of digital connectivity every day, there is disproportionate access that needs to be tackled to make sure digital connectivity brings benefit to all. Region-specific capacity building efforts are key in that – customizing support to matters of priority. The Secretary recognized that GFCE Triple-I Workshops offer “awareness raising” and “capacity building” initiatives with the aim of “enhancing justified trust in the use of internet”, and that today our world needs it more than ever before.

India is playing an important role in this, both with its national initiatives and through its contributions to global developments such as GFCE and ICANN. The national initiatives include the Indian Government’s flagship Digital India Program, which is committed to digitally empowering society and the economy; the Digital Literacy initiative under PMGDISHA, which aims at training non-IT-literate citizens to become IT literate; and its efforts to bridge the linguistic gap with the platform “Bhashini”.

He emphasized that in order to benefit from the technological transformation, there cannot be a one-size-fits-all approach: it is crucial to learn from good practices and use the standards and tools that are available today in order to invest in the key infrastructure in a way that allows reaping the benefits. With that, he expressed his appreciation for the work done by GFCE Triple-I and thanked the group for engaging together.

Improving justified trust on the Internet

The Internet infrastructure is the ecosystem of protocols, standards, technology, practices and organizations that keep the internet running. An open, stable and secure internet infrastructure is key to sustaining the economic growth and social benefits that were boosted by the Internet. This appeal needs action, starting with selecting and adopting state-of-the-art Internet standards that make a difference.

Block I: Better Use of Today’s Open Internet Standards

During the first block the focus was on the use and usefulness of Open Internet Standards such as DNSSEC/TLS/DANE, RPKI/ROA, DMARC/DKIM/SPF and IPv6. These standards are globally accepted and represent state-of-the-art insights that, when applied, can already help reduce the risks of using the Internet and email, today. These are also reflected in the GFCE Global Good Practices Handbook. Please find below a diagram indicating how these standards interrelate:

Enhancing data integrity and data authenticity, including data origin authenticity, is supported by a combination of these standards. In addition to adopting the standards, the practice of validating the certificates provided is essential to ensure integrity and authenticity. Uptake of these standards in India is “reasonable” compared to the region, but much more can be done. This promises to provide a solid basis for the work in India through the “Digital India” initiative to rely on adequate security.

An excellent tool to measure the use of these standards by websites and mail servers is the website www.internet.nl. On this website, it is possible to fill in any website or email address to check whether it is up to date in its use of these open Internet standards. In Australia, the code for the testing has been taken up in a specific website for Australian stakeholders. The process of adopting the code demonstrated the need to raise the standards while considering regional needs and values. While adopting the code from Internet.nl was seen as an opportunity, attendees agreed that adapting it to the Indian context would greatly increase its value.

Block II: Inspiration from Good Practice Actions

The second block of the day covered presentations and discussion of a number of global and regional good practices that are deemed potentially relevant for capacity building and for inspiring action in the region.

The key is to think in terms of risk management, and cyber hygiene is a first step for this. Cyber hygiene is about “automating the boring” as security includes a lot of detailed actions where human error often causes issues. Stakes are high since the criminal community has increasingly sophisticated and automated tools to carry out attacks that have greater impact on the victims. For example, ransomware-as-a-service has created a viable business for criminals who use various types of malware designed to encrypt files on systems to render them unavailable until a ransom is paid.

Various key steps can be identified as essential for organizations, starting with having an Incident Response Plan in place, making sure it includes guidance on “who to call” when under attack, and making sure the (off-line) backups can actually be reinstated swiftly when needed. There is no such thing as 100% security – it is all about risk management, and the right balance needs to be found between convenience, security and privacy. Technologies and standards will continue evolving, and it is important to review policies and procedures on an annual basis and review any risk decisions to see if the risk appetite has changed as a result of changing circumstances and business priorities.

For industry players, measures that can be taken on a voluntary basis include the Mutually Agreed Norms for Routing Security (MANRS), which is a campaign originating from ISOC aimed at best practices adoption for prevention of routing incidents.

MANRS recommends four simple but concrete actions that network operators must implement to improve Internet security and reliability. Security is a process, not a state. MANRS provides a structure and a consistent approach to solving security issues facing the Internet. Adopting MANRS improves the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for the Internet infrastructure. Adoption is spreading, and its growth will benefit a more secure online experience, also in India.

Internet Service Providers also play a key role in preventing abuse of the Domain Name System (DNS). In order to take appropriate action, a good understanding of the issues and what to do about them is key. The DNS Abuse Institute is addressing DNS abuse challenges that are global in nature and therefore require collective solutions. It offers Netbeacon, a free, easy-to-use site for reporting abuse, which is aimed at helping improve the quality of reports and reduce barriers to action on abuse challenges. Netbeacon also measures the prevalence of phishing and malware across the DNS ecosystem, pioneering ways to measure and help enhance transparency on how this works. ICANN has launched the DAAR system and the KINDNS service. Domain Abuse Activity Reporting (DAAR) is based on all TLDs ICANN has data for (currently 1144 TLDs representing about 215M names). Daily scores are made available to the participating TLDs via the Monitoring System API (MoSAPI), which allows both a global comparison of monthly statistics and an individual comparison (for own TLDs only). KINDNS focuses on the sharing of good DNS practices. The acronym stands for Knowledge-sharing and Instantiating Norms for DNS (Domain Name System) and Naming Security. Activities like these help the industry get a feel for where things happen and facilitate capacity building and sharing good practice to address issues arising. They are also important for ensuring we can continue to rely on the DNS in the years to come – with new opportunities, there will always be new potential threats to address, in the physical world and the online world alike.

The last part of the “good practice” session focused on Universal Acceptance (UA) of Internationalized Domain Names (IDNs). The Indian government developed a roadmap to universal acceptance and a multilingual Internet. It recognizes that in order to bring more users to the Internet, it is necessary to serve those who only speak a local language. The objective is to achieve Universal Acceptance, leading to acceptance of IDNs equally by all Internet-enabled applications, devices, and systems – irrespective of the script used.

Currently, India has 15 IDN ccTLDs (.bharat) available, covering 22 scheduled Indian languages representing 11 scripts. As per the reports of the Universal Acceptance Study Group (UASG), the global Email Address Internationalization (EAI) acceptance rate is currently close to 8%, and India’s EAI acceptance rate is around 11%. Though the National Internet Exchange of India offers domain names in 22 official Indian languages, very few people can access the Internet in their native languages. The Indian government agrees with ICANN that many of the next billion Internet users will need to be able to use their own language in order to come online. The Committee developed plans that, ultimately, will result in a multilingual and inclusive Internet that will help bring the next billion users online, of which 500 million are in India, and empower the use of local language identities – particularly those that are non-English. Globally, too, India is leading the way through its contributions to the Universal Acceptance Study Group (UASG) and its work in the country, and more is to be done. A Global Universal Acceptance Day will be organized on 16 February 2023 – the GFCE is invited to coordinate this.

Block III: Planning for a More Trusted Internet: Marketplace for Action

During this block, conclusions were drawn, and possible actions were developed, all aimed at increasing trust in the use of the Internet and email in the region.

Conclusion 1 – Standards matter – incentives are needed to move the needle

Whereas the Internet was not originally built to be safe, and its use moved well beyond its initial purpose, a lot of progress has been made and a number of important measures are now available to ensure the use of the Internet is much safer. In this regard, a combination of the standards also proposed by GFCE Triple-I makes sense. However, it requires an investment of effort, time and money to upgrade the systems and make use of state-of-the-art standards, in what is partly an industry built on low margins and high turnover.

Conclusion 2 – Incentives are needed to move the needle, as the cost goes before the benefit

It is therefore important that incentives are created for service providers to step up their game and offer state-of-the-art services, and do so in a safe and secure way. Helping to implement new standards and reducing the difficulty of implementation processes (lowering the threshold) is key, as is providing incentives “to do the right thing”, also by making users aware so that they ask for such services.

Conclusion 3 – Awareness is key

In the end, the key is with the users, whether commercial or non-commercial organizations, or individuals. For users to benefit most from the Internet, it is important that they know they are safe and can trust the connections to services offered on the Internet. By making users aware of these risks and measures, users will stand up and ask their suppliers to provide services they can rely upon. Websites like internet.nl and auCheck in Australia help users better understand what the situation is.

These broadly supported conclusions led to a discussion of a possible follow-up. Proposed actions include the following:

  1. RPKI Deployment tracker: Anurag Bhatia has developed such a tracker, which is now available from his website https://rpki.anuragbhatia.com. Anurag calls for volunteers to help progress this further. In addition, internet.nl is offering code to measure application of RPKI/ROA to specific websites.
  2. Standards Testing Tool: the interest in a local version was reconfirmed. This does require a real effort, so a way forward will be sought, requiring funding.
  3. Action Plan for Raising Awareness of Security Standards for the purpose of enhancing justified trust in the use of the Internet in the region.

 

Concluding remarks

Following the meeting, a group of volunteers announced their willingness to step up and come up with a proposed way forward for actioning these proposals: enhancing justified trust, as a key multistakeholder-supported step to support the Indian government in one of its aspirations with regard to Digital India. With this, the workshop achieved its highest aspiration – to support local stakeholders in defining and committing to local action, making best use of global experience and resources.

For more information about GFCE Triple-I, including results of earlier events, please check out the GFCE website. Contact Maarten Botterman at maarten@gnkconsult.com if you have specific questions about GFCE Triple-I, or if you are interested in improving the trusted Internet experience in your region.