We are in the midst of a volley of ‘tussles’ on security control points and surveillance/privacy protections. If you are unfamiliar with the term tussle, it refers to a paper by David Clark and fellow researchers that describes the evolving dance between technology and policy. Tussles surrounding privacy and surveillance arise every so often, sometimes including a rebalance of the ownership of, or access to, metadata.
The current set of tussles involves a push and pull between industry, standards, and policy, with the debate remaining open as to how it will all settle. As encryption becomes stronger and more pervasive on the Internet to protect our sessions while in transit, the ability to use traditional tools to detect malicious traffic has diminished and will continue to do so.
At the same time, strong encryption that cannot be intercepted is promoted as part of a zero-trust architecture and is important to adopt to prevent lateral movement. Another argument in favour of strong encryption is that it avoids points of aggregation where all traffic is visible (such as an intrusion prevention system holding a shared key that lets it decrypt and view all data).
In the recent volley, the dance includes:
- Standards: Inclusion of the Encrypted Client Hello (ECH) in Transport Layer Security (TLS) sessions between a browser and a Content Delivery Network (CDN) that supports this feature.
- Policy: A proposal in 2023 to amend the regulation on electronic identification and trust services (eIDAS Regulation) to allow EU governments to perform traffic interception on all Internet messages, including encrypted sessions.
- Technology: ECH prevents interception between the browser and CDN at a technical level, and thus the volley included a push to intercept traffic after the point of decryption at an endpoint.
- Standards / technology: Prominent leaders in the Internet technical community have pushed back on this interception proposal with a letter explaining the security problems the proposal as written would create. Such pushback is a normal part of the tussle process.
This tussle is a very interesting one, shaping significant changes on the Internet in terms of how we as an industry ensure the security of sessions, data, and endpoints. The distributed nature of the Internet along with the multistakeholder governance model allows for and encourages these debates.
The debates typically settle slightly differently once national laws are considered, because of slight differences in historical and cultural norms between nations that we may consider similar in many regards.
In some cases, it is difficult to see the forest for the trees when we are in the midst of change. How security is integrated into products, services, and the network itself is transforming at a rapid pace.
This means that security controls will settle differently in terms of placement and responsibility than they may have in the past. Ideally, we wind up with a more secure, resilient, and easier-to-manage infrastructure as we work through these tussles.
There are methods to provide security in these new models, and they may even improve on the current state: security that is not only built in by design and by default but also managed at scale, as I wrote in ‘Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain’.
In terms of how the controls settle out, there is another important consideration: how does the balance of responsibility shift with intrinsic changes to points of visibility?
Several considerations on the changes specific to ECH were raised in this blog; in summary, they include:
- As controls managed by the organization are eliminated (for example, intrusion detection / prevention systems), does the responsibility to protect data and systems shift away from the enterprise? Is the browser then liable? Is the CDN liable?
- Are enterprises still responsible for security breaches when they have little ability to intercept and prevent them?
- Are regulatory changes required to shift responsibility when control points shift left or otherwise change?
- Does this shift-left further motivate application providers, CDNs, and browser vendors to build secure code and ensure memory safety?
Additional questions should be considered as the tussle takes shape; it is too early to tell what will happen with the proposed eIDAS amendment.
If the dance settles as recommended in the referenced letter, the balance of responsibility will not shift at this time: technical adjustments, worked out collectively by the parties, would instead serve the policy objectives.
Kathleen Moriarty is a Technology Strategist, CTO, Board Member, Keynote Speaker, Author, CISO, and former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy. Kathleen was CTO at the Center for Internet Security when writing this post.
Adapted from the original at the RSAConference blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.