"We want to get a debate started"
At the start of June, ICANN's Security and Stability Advisory Committee (SSAC) published a report on the relationship between the DNS and the Internet of Things (IoT). The interaction of two 'ecosystems', which creates both opportunities for and threats to the DNS and the IoT. Cristian Hesselman, Director of SIDN Labs, led the international working group responsible for this special report.
Why is this topic important?
Hesselman: "With the rise of the Internet of Things, the internet and the physical world are increasingly intertwined. In the past, the internet was mainly about surfing the web and exchanging e-mail. Even then, faults and irregularities could cause significant disruption to everyday life, but with the IoT there are direct implications for our physical surroundings. Because the IoT embraces devices such as heart monitors, drones and sensors on railway tracks. The security and stability of the DNS are consequently more important than ever, because many IoT devices use the DNS in the background to get the IP addresses of the servers they need to communicate with."
What makes this report so special?
Hesselman: "The SSAC usually produces advisory reports, with recommendations for the ICANN community and Board. This report doesn't. The aim was to inform the ICANN community and get a debate going. The report may be followed up with a workshop or a presentation at a future ICANN meeting. I also envisage a lot of interaction with other studies and initiatives."
What kind of interactions do you have in mind?
Hesselman: "Let me give you an example. You can sometimes tell from the network traffic associated with an IoT device what kind of device it is. By way of illustration, the report cites a sleep tracker that sends more data when the user is awake. That represents a potential privacy risk. Now, a University of Twente student whom I'm supervising with the help of SURF is going to do a study of network obfuscation. That's a way of disguising distinctive network traffic patterns in order to make such IoT devices more privacy-friendly. But network obfuscation will only be possible if we have a software security library for IoT devices. And that is one of the challenges we highlight in our SSAC report."
How was the report produced?
Hesselman: "The idea was conceived about two years ago. The most time-consuming aspect was defining the scope, because 'IoT' is a very broad concept. Once we had a framework for identifying opportunities, threats and challenges, things went more quickly. I led the writing of the report, which we refined as a group in several iterations. After that, there was a thorough redraft on the basis of feedback from all SSAC members. The final version of the report had the unanimous support of the SSAC membership."
For more information about the report, see the SSAC blog.
What is the SSAC's role?
Hesselman: "The Security and Stability Advisory Committee is an advisory body within ICANN. It's made up of thirty-nine technical experts specialising in a variety of fields. From DNSSEC, though domain names with special characters, to internet routing. We advise the ICANN Board and the ICANN community, on a solicited and unsolicited basis. The Board takes our advice into account in its decision-making."
How do you become a member of the SSAC?
Hesselman: "You simply apply for it. The SSAC is always on the lookout for new members. I put myself forward a few years ago, because I wanted to make a practical contribution to the stability and security of the internet infrastructure. Of course, that's something I do in my job as Director of SIDN Labs as well. Our team develops open-source software to protect the internet and its users against insecure IoT devices, for example. I also contribute through my position on the Board of NLnet Labs, and my role as associate professor at the University of Twente: IoT security is what I lecture on. Being a member of the SSAC enables me to widen my impact. But it's also a tremendous learning opportunity, because I get to talk to specialists from all over the world, working in all sorts of disciplines. I bring back new ideas from every meeting."
Does SIDN benefit from you being on the SSAC?
Hesselman: "Absolutely. Because we're contributing to internet security and stability. I believe it's generally in SIDN's interest for staff to be active in international bodies such as the SSAC, the IETF and RIPE. It demonstrates that the organisation has valuable expertise, which is useful to .nl, the DNS and the internet.