Reflections from five years @ APNIC

By on 12 Feb 2019

Categories: Community, Development

Tags: , , ,

7 Comments

Blog home

The past five years have taken me to a lot of places in the region to assist local network security people to scale their challenges. (Unsplash)

Time sure does fly when you’re having fun! Five years ago (this month) I began my role here at APNIC as its first Security Specialist. I still remember the warm welcome I was given by the HR team and other colleagues, including a brief lesson on how to make coffee.

Although I had past experience with security operations, having worked for national and enterprise security incident response teams, the Regional Internet Registry world and its community was still new to me at that time. Luckily APRICOT 2014, held in my home economy, Malaysia, was just around the corner. It provided me with a great opportunity to get first-hand experience with the community, learn about their concerns and see the APNIC Secretariat in action.

Since those early days, APNIC has increased its security engagement with key stakeholders — Members, Law Enforcement Agencies (LEAs) and judiciaries, security teams (CERTs/CSIRTs), and policy makers — year-on-year, to the point that we’ve had to employ additional security specialists to meet the growing demand. Engaging with such a broad community has been rewarding and insightful, primarily because the majority of discussions have involved sharing with and learning from others.

 More than just training

Over the years, APNIC has diversified its security-related engagement activities.

Training is a key deliverable but there are also several other initiatives, including our Ready to ROA campaign, which promotes routing security and encourages Members to create resource certificates.

Security events also provide a great opportunity to reach out to the community and learn about current challenges. Some of the exciting local security conferences in recent times have been the Sri Lanka CERT Annual Conference, Mongolia Security Conference, the Honeynet Project Annual Conference and Vietnam Security Bootcamp.

Security is not only being discussed by ‘geeks’, which is why we’ve been privileged to be invited  and contribute to forums such as APECTEL, APrIGF, and the IGF, where we have been able to engage with other stakeholders.

C for collaboration

The Asia Pacific region is expansive. For this reason, collaborating with partners is not optional, it’s critical.

We’ve had many successful outcomes from joint activities and events. One I always like to highlight is the FIRST Technical Colloquia (or the FIRST TCs).

The one-day security plenary has been a permanent feature at APRICOT and APNIC conferences since 2015. It’s not just a speaking event, rather it’s a platform to highlight issues, call for collaboration, and mentor emerging security contributors in our region. There are many contributing parties but the usual suspects are from the Forum of Incident Response and Security Teams and the Asia Pacific Computer Emergency Response Teams (APCERT).

Another positive collaboration we’ve had in the LEA space is with INTERPOL. We have contributed modules on Internet security and the DNS for workshops delivered in Singapore and Fiji. Since then we have been invited to give training for other LEAs around the region.

A popular item in our security engagement toolbox is a desktop exercise where participants get to experience a data breach incident. The original content of the exercise — scenario, gameplay and supporting tools — was jointly developed with friends from Access Now and the Asia Cloud Computing Association for RightsCon2015 in Manila. Since then we have replicated the session at different events and still find it useful for encouraging positive conversations between different stakeholders so they can improve security together.

In 2016, we supported training activities organized by JICA for CSIRTs from Cambodia, Laos, Viet Nam, Myanmar and Timor-Leste. From this series of engagements, we collaborated to develop the first course on the APNIC Academy: Introduction to Cyber Security.

Then there are the multiple CSIRT engagements we’ve recently conducted in the Pacific, which I summarized last year.

The next five years

There’s definitely a lot of interest and awareness among our stakeholders across the region (and globally) to improve and prioritize security. I can see a lot of initiatives being carried out in different areas, from developing national strategies to new laws and creating more security specialists to help defend organizations from security incidents.

At the same time, security remains fragile with different actors actively exploiting weaknesses in systems and people to achieve their goals — just read the full data breach incident report released by the Singapore government and you’ll understand security in theory versus in practice. I think it’s critical that we understand the context before giving solutions. Ultimately organizations would like to fulfil their security goals or their responsibilities but there is no ‘one size fits all’ kit to be used.

Thankfully reinforcements are available in the form of Jamie Gillespie, Klee Aiken, and sometimes the APNIC training team led by Tashi Phuntsho. This has allowed us to not only fulfil growing demand but also expand the outreach work for different stakeholders or focus on certain geographical areas. On that note, you should hear more about the APNIC community honeynet project this year.

In a nutshell, I am very grateful with the opportunity given to me by APNIC and the support I get from many colleagues from the different teams at the office, especially in experimenting and enabling new trusted relationships to be built for reaching a higher goal. On top of that, the work has been fun for the most part and helped me grow personally. I have made many new friends in different places and learned about their unique cultures (and captured a lot of photos along the way too)!

Yes, we’ve achieved a lot in the past five years but there’s still a lot more that we all can do to make sure the Internet remains stable and secure for everyone. We’re always open for suggestions and stay tuned for more highlights!

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

7 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Please answer the math question * Time limit is exhausted. Please reload CAPTCHA.

Top