Who defends the Internet?

By Derek B. Johnson

By Derek B. Johnson

|

Much of the underlying architecture that powers the internet is under increasing threat -- and it's not clear who in government or industry can or should take the lead to protect it.

global network (NicoElNino/Shutterstock.com)
 

Much of the cybersecurity policy debate in Washington, D.C., tends to focus on the IT systems, networks and devices used by agencies, organizations and consumers. However, the underlying architecture that powers such tools is also increasingly under threat, as a number of high-profile attacks against internet infrastructure in recent years have demonstrated.

That architecture is sprawled across the globe in the form of underground and undersea cables, local and regional bandwidth networks and internet exchange points. No single entity owns or manages more than a fraction and in general, individuals, companies and governments all rely on the same foundation to access the Internet. Additionally, those foundations were largely built up over decades for speed and ease of communication, not security.

In a Sept. 10 hearing, House Armed Services Committee Chair Jim Langevin (D-R.I.) warned that even as government agencies like the Departments of Homeland Security, Defense, Commerce and others have moved to establish clearly defined roles in the cyber policy ecosystem, no one entity is responsible for overseeing the underlying infrastructure that powers the World Wide Web.

"I'm very worried that by carving out discrete lanes in the road, there are seams left unaddressed in the middle, and I'm concerned that internet architecture security is one of those seam issues," said Langevin.

For example, the Department of Defense manages security concerns for underground and undersea cables when they impact military systems or readiness, while DHS has typically taken point on threats to DNS and internet exchange points.

Jeanette Manfra, assistant director at the Cybersecurity and Infrastructure Security Agency at DHS, told lawmakers that there are no hard lines around ownership of these issues in government, and that most of the control consistently rests with private industry.

"It's not so much that here's a clear jurisdiction and it ends at this part of the internet architecture," Manfra said. "It's really private sector led in all cases and what we have are different tools to analyze and make assessments and take action if we have concerns."

Threats to that architecture from both state and non-state actors loom large and threaten the public and private sectors alike. Earlier this year, DHS issued an emergency directive to shore up federal protections in response to a global campaign to manipulate the Domain Name System and steal internet traffic data, while a group of teenagers managed to develop a botnet variant for their video game extortion scheme so powerful that it was later used to target the Internet's backbone with Denial of Service attacks, taking major websites and large chunks of the web offline.

But ultimately both sectors rely on the same underlying infrastructure to operate online. Ed Wilson, deputy assistant secretary of defense for cyber policy at DOD, alluded to the interconnected nature of the threat, noting that while the Pentagon previously viewed the issue through the narrow lens of direct attacks on military assets, key competitors in the global space "have demonstrated vulnerabilities that extend beyond our DOD systems and networks."

"The vulnerability of critical infrastructure to cyberattacks means that adversaries could disrupt military command and control, banking and financial operations, the transportation sector, the energy sector, various means of communications and a variety of other sectors," said Wilson.

Policy proposals to shore up security of the larger internet ecosystem have been scant, a product of both the technical wonkiness of the topic as well as the decentralized ownership of the issue by many stakeholders.

Commerce and DHS worked for years on a botnet report, but the final product wound up not recommending any major federal policies or legislation to tackle the problem, essentially leaving it up to the private sector to solve the issue through greater innovation and collaboration. Several members of Congress, most notably Sens. Sheldon Whitehouse (D-R.I.) and Lindsey Graham (R-S.C.), have spent years pushing legislation to treat bot networks, which power many attacks on internet infrastructure, as a form of fraud. However, even as the Department of Justice openly supported legislation last year, it was not passed into law.

Nine of the 55 national critical functions developed by DHS earlier this year focus on connectivity and Internet access, and officials have said they plan to use that list as a foundational springboard to refocus additional human and policy resources in the future. Manfra floated the possibility of new or existing standards bodies that could set broader guidelines or mandates for internet providers and other stakeholders, but she emphasized that private internet providers have both the means and motive to implement new protections.

"I will say when you're talking about the companies that provide that internet architecture…they have a lot of economic incentives to have a secure and reliable infrastructure," said Manfra.

NEXT STORY: 5G advocates look to spectrum sharing

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.