Protecting the Internet Infrastructure in Today’s Multi-Stakeholder Environment

Atlanta | Nov. 3, 2017

Former advisor to the Federal Communications Commission (FCC) and industry leaders, and designer of Comcast’s national backbone network, came to Georgia Tech to talk about Internet routing and give advice to today's students.

Tony Tauber, Distinguished Engineer at Comcast, delivered a lecture on Multi-Stakeholder Network Security Concerns to the Georgia Tech community on Friday, Oct. 27, as part of the Cybersecurity Lecture Series. Organized by the Institute for Information Security and Privacy (IISP), the free and open-to-public Cybersecurity Lecture Series invites thought leaders in the field of information security and privacy to give one-hour lectures about their research.

Tauber’s lecture discussed how different parties with different motivations and times of engagement are involved with the Internet infrastructure, making its protection highly challenging. He shared some of the Internet-infrastructure-related security issues he has seen at Comcast and during his decades of experience in the field, the proposed solutions, and why the solutions were implemented with varying degrees of success. The slides and video of his lecture are available online.  

 

In addition to giving the lecture, Tauber graciously agreed to sit down and talk about his advice for Georgia Tech students who are interested in pursuing a career in cybersecurity.

 
What do students need to understand about today’s Internet infrastructure?

“Managing [the Internet infrastructure] takes place over a long period of time,” he said.

Tauber emphasized how working in the cybersecurity industry is different from what people typically imagine. Instead of following a clear path of designing a system, deploying it, and enjoying the benefits, cybersecurity professionals need to perform continuous upgrades, additions, and modifications, retire old equipment and move to new equipment frequently.

“There’s always some current state you have to deal with, and then getting to the desired state is a progression of steps,” Tauber added. “Along the way, the direction may change before it’s done. Then something new comes along after that. It’s always a process of becoming what it theoretically would like to be.”

Tauber gave the example of updating the router software, a relatively simple task that turns out to be time-consuming under real-world constraints. In addition to testing the software, cybersecurity professionals have to schedule maintenance time for the upgrade, and validate that the system is still functioning correctly afterwards. It takes a long time to perform the upgrade over a network of hundreds and thousands of devices; furthermore, the process never ends, since another round of upgrades should soon be scheduled when the current round is done.

 
What are today’s info-sec practitioners overlooking when trying to protect the Internet infrastructure?

“Even something as seemingly simple as getting end-users to keep their systems patched and upgraded… represents an investment for [end-users] that they might not be motivated to make,” Tauber said.

To a security-minded person, it is essential to keep one’s system upgraded and patched to reduce vulnerability; however, most Internet users do not have a technical background, and thus are not willing to invest their time and energy in system upgrades.

For Tauber, it is important for information security practitioners to think from the users’ perspective and motivate them to be more aware of information security.

“One thing we do is to make anti-virus software available to our users, but I don’t know [how] many of them know that it’s available, or how many take advantage of it,” Tauber said. “We try and notify them if we detect apparently compromised systems and encourage them to remedy the situation, but they don’t always understand or appreciate that they should do that.”

 

What should the general public understand, but don’t?

Tauber thinks that people sometimes don’t understand how their actions affect the overall online eco-system.

“The Internet is a shared resource at the end of the day, and what you do affects other people,” Tauber said. “The environmental and eco-system analogy is somewhat helpful to use to think about it.”

“Sometimes the easiest or the most inexpensive or expedient solution isn’t the one that’s the best long-term choice,” he added.

As consumers, people tend to prefer solutions that are inexpensive and easy to use. However, they are not aware that inexpensive systems can sometimes be more prone to malware and other security problems. The solutions that seem to be the cheapest and easiest in the short term might lead to severe, long-term problems.

Tauber gave the example of how Mirai Botnet, a malware that was used in some of the largest and most disruptive distributed denial of service (DDoS) attacks last year, exploited the security weaknesses of Internet of Things (IoT) devices that were inexpensively designed and not automatically upgradable.

“The general public don’t think about [security issues]. [They’d like to] plug it in and get it to work quickly without a lot of confusion,” Tauber said.

 

How can you let people be more aware of these security issues when making their purchases?

“Some people [in the cybersecurity community] are starting to think about [providing] some sort of consumer advice or seal of approval that can be given to different things that you purchase,” Tauber said. In this way, it is easier for consumers to know which products have been tested by cybersecurity experts and have good security properties.  

 

What advice do you have for students who are preparing to enter this field?

“Realize that the solutions that you come up with have to be applicable in a variety of different situations,” Tauber said. “Be flexible, [and be prepared to] work over a whole lifecycle, a long period of time of adaptation, updates, continuous improvements…  The solution is never a point in time. It’s a long-term process.”

Tauber also emphasized the importance of finding information that represents real-life current practice instead of just technical specifications.

“Try and find out more about how people use security methods and systems… Look beyond the design [of the system] to find out what’s the context that they’re used in, what’s the motivation, [and] what are the counter-motivations and concerns [of the users].”