
The Internet Is Fraying, But Maybe Security Can Hold It Together

BSides Seattle 2026 · 24:17 · 14 views · Published 2026-03
About this talk
Heather Flanagan examines how geopolitical fragmentation—driven by sanctions, export controls, data sovereignty rules, and regulatory divergence—is creating conditional constraints on global internet infrastructure. Rather than sudden technical breakage, she explores how policy-driven pressures reshape security operations, incident response, and supply-chain dependencies, forcing practitioners to plan for uneven policy-shaped constraints rather than clean isolation.
Original YouTube description: Bsides Seattle February 27-27, 2026 lecture Presenter(s): Heather Flanagan

Transcript [en]:

Hello everybody. If you can't tell, we're having marvelous technical difficulties. >> Because if you plug in the thing... Yeah. It doesn't do anything. >> Oh, that's not supposed to happen. >> That's not supposed to happen. And yet here we are. While we're waiting for all of this to get sorted, I will jump ahead just a little bit. How many of you are from large enterprises with a relatively mature cyber security program? All right, this talk is gonna be boring for you. Not sure how much you'll love it. You're welcome to be here because maybe it will give you something to tell others, but I'm not sure I'm going to tell you stuff that

you don't already know, which is fine. I will tell you a little bit about who I am because I can do that without you actually having to look at anything, per se. My name's Heather Flanagan. I have been living in the world of digital identity and standards development for about 16 years, for my sins. I am an avid blogger, and I travel to all sorts of conferences and events and meetings and whatnot. It's usually about 40% of the year I'm somewhere that isn't here. That does give me some really interesting viewpoints. Well, interesting to me, possibly interesting to you because you're here, of what's happening broadly in the world. Not just in the

US, not necessarily just in the EU or Australia, really, just globally, starting from the standards and working their way up. What's going on? What am I observing? How are things starting to fall apart just a touch? As I said, I'm an avid blogger, and you can find that at Spherical Cow Consulting. One of the blogs that I wrote late last year was "The End of the Global Internet", which was actually a whole series that inspired me to submit something to BSides, and I adapted that for this talk, focusing much more on the cyber security aspects of things. I'm not going to get into interpretive

dance. I swear

>> And we don't want to try the USB-C.

You said there was what? We did the weird adapter thing. So, we could try that. We could try this.

Yes. Starting.

>> Look at that. >> Isn't it per? Yeah. See, you had to actually come into the room and then computers are scared of us. >> Always happens. Okay. So, now that the computers are terrified of us, that's fantastic. That's what it looks like to start. That's great. We're going to just jump ahead. >> By God, I will make this technology work. >> Really close. >> Really? Yeah. Well, actually, no, you have to turn it on. >> Oh, hey, that works, too. >> Okay. So my premise here is that the internet is fragmenting a little bit, and that's in part because we've built a lot of stuff on some common assumptions, some shared assumptions, that

we've had for the last 30, 40 years. Those assumptions, which include the web that's layered on top of that, are based on common protocols, widely deployed cryptography, root programs that for the most part work as the CA/B Forum gods intended, and others. Security teams build on that reality, right? They have to assume a certain level of baseline protocol work is going to function. Maybe "assume" is a bit much, because if you are working in a mature enterprise then probably you're like, well, yeah, we know the network isn't always available, you do plan for that. But largely speaking you're still looking at common DNS, you're still

looking at those common certificates, you're still looking at so much of that common baseline. So that baseline matters for the sake of this talk, because I'm not looking at a sudden breakage where the internet has gone boom. What I'm seeing is something a lot more subtle than that. And I'm seeing that even the highly segmented environments that know good and well that you want to separate your networks out and whatnot still depend on these kinds of protocols to function. Okay, so what kind of shared assumptions are we talking about? Under the hood, you're looking at global DNS resolution. I mean, how many times have you said, "Oh, it's

not working. It must be the DNS." I argue sometimes that it must be BGP, but there you go. You've got the broadly trusted root certificates. You've got the ability, when legally permitted, to export telemetry data, because security teams may need to know what's going on, how it's going on, but that data, you rely on it to make those decisions. And I wonder how well that's working for everybody. The continued reachability of these key infrastructure and threat intelligence sources is also part of an assumption that these things are going to be available to you. Experienced practitioners do often put that into their planning, of "well, if it's not available," but that's sort of like an

if... how far down do you plan for failure? And in this case maybe you didn't plan quite that far. So what's changing, I think, is not that these dependencies exist. We knew that, and we know that they can break, but the surrounding constraints are becoming a lot more policy driven and much more dynamic, and that's creating a different kind of operational pressure. That pressure, it's not coming from just one place. That would almost make life easier if it was. We're seeing things like sanctions, export controls, data sovereignty rules, you know, the platform forces like national cryptography requirements, evolving trust expectations. Economic forces are a big part of this,

where you've got trade barriers, you've got regional infrastructure strategies. None of these individually break your global connectivity, but together they're pushing parts of the ecosystem towards a much more conditional set of interoperable behaviors. So everything that we're doing becomes much more of a "hey, is that going to work? Well, it depends." Those answers aren't ones that work really well across the board, right? We've been depending on some consistency that I think is falling apart. So, I wanted to make this important distinction, and I did this while we were trying to get things set up, right? Most large enterprises do already operate with segmented networks, with some level of jurisdictional awareness, and

increasingly zero trust architectures. That's great. So the teams are assuming that the network is unreliable, that perimeters are porous, that data movement may be constrained, and zero trust in particular is built on the idea that the network location alone should never confer trust. Yes, I get that. That's not quite the shift I'm talking about. I'm talking about the legal and policy constraints that are becoming so much more deeply embedded in the infrastructure environment itself, in ways that technical controls that we might have aren't fully encompassing. So another thing I wanted to mention here, just in terms of, okay, so on the one hand you've got mature enterprises that, you know, are already

doing some level of planning. Another thing that I think is going to change how we look at things, and how dynamic things can possibly get, is actually the supply chain. And I say that because the supply chain builds in some interdependence that we'll never ever get around, and we won't get around that, because the world is not equally distributed. Lithium is not everywhere. People who can do the lithography for chips aren't everywhere, right? So these kinds of things where you might want to say, "Hey, we'll just build something local," you might not be able to, like physically not be able to. So I look at that and say this is one reason that a clean, hard

fragmentation probably isn't going to happen anytime soon. So what we're much more likely to see is increased negotiation. We're coming back to the whole "it depends," and for cyber security practitioners I think that means planning less for sudden isolation and planning more for uneven, policy-shaped constraints that show up in specific workflows. So okay, that's an interesting premise. Where are we seeing these cracks kind of form? All right, this is not an AI talk. There are so many stinking AI talks. I can't even with these people. But I did want to just go ahead and acknowledge that AI does one thing super, super well, and it speeds things up. It speeds up bad

policy. It speeds up mediocrity. If you want stuff to break, it will make it break faster. Great. So all right, if you've got a messy policy environment, if all these things, you know, are possibly true, right? AI isn't going to create your fragmentation issues. It's not going to make those cracks happen. It's going to make the cracks happen faster. That's literally all I really want to talk about with regards to AI. And we're done. Okay, moving on. So I had a fun chat on Mastodon with someone who's like, "You're not talking about fragmentation really. You're talking about things like not allowing people to talk about stuff. You're talking about the word

that has suddenly escaped me, where you restrict books so people can't read them." >> Censorship. That's the word. Thank you. This is what happens when you wake up at 11:50 p.m. and then don't go back to sleep. >> So yeah, when people are talking about internet fragmentation from a purely technical level, they're talking about AS isolation. They're talking about partitioned networks. They're talking about large-scale reachability failures. And those events do occur. The Internet Society has a really interesting website where you can track where the internet has been shut off at any given time. Okay. That aside, that kind of absoluteness aside, the filtering regimes, the data transfer restrictions, the trust store differences, these are

all now starting to percolate even more than your hardcore network splits. So yes, both these things do happen, but the second type of thing, the access and policy divergence, is what's happening more and faster. So what does this look like for cyber security practitioners? Well, one of the things it looks like is that a lot of security decisions rely on bulk telemetry data. And so when we're talking about data in this context, I'm not generally looking at what's happening with a single customer record or the routine transactions. What policy makers are looking at is those large-scale data sets that can be aggregated, that can be analyzed to reveal patterns about

individuals, about populations, or about critical systems where you're trying to figure out what's going on. These things will include location data, biometric repositories, financial histories at scale, and large volumes of behavioral and identity telemetry. I mentioned AI makes things go faster. All of this should sound familiar in terms of the data sets that the AI tools that are helping us with our cyber security postures are collecting. What are they collecting? It's all this. Okay. So what makes these data sets really sensitive is not just the presence of personal information, right? It's the sheer scale of it and the ability to correlate how much there is going on. So even at sufficient volume, the

operational or pseudonymous data, we know, can be pretty darn revealing. It's very, very hard to have anonymous data that actually protects someone's identity. So, bummer, because modern SOCs actually legitimately centralize a lot of this data. You've got your authentication logs, you've got your endpoint telemetry, you've got your network flows, fraud signals. What's changing here again is the policy scrutiny on each of those individual things around who can receive it, who can process it, what can happen with those large-scale data sets. It's not going to show up as you're trying to actually do your work as an immediate technical block. It's going to show up as, you know, people saying, "Actually, we

need some more review on that. We have additional questions. The lawyers want to know the following." And this really sucks when you're actually trying to do an incident response, but you're also, I don't think, going to be able to avoid it. So, all right, incident response. Let's talk about that for just a minute. You know, global incident response doesn't suddenly fail. But the amount of friction that's coming in from the legal and regulatory evidentiary layers on top of the network is becoming pretty significant. I think cyber incidents very rarely are local. They cross national boundaries constantly, and that means the investigative authority suddenly needs

to cross these boundaries, and suddenly it's no longer just a cyber security problem. It's literally a legal problem. So the mismatching here, as these policies start to diverge in who's allowed to see what and when and why and how: you've got differences in admissibility when you've got this evidence data that you can collect. You've got limits on the sovereign reach of, you know, what you can do and what you can get out of any given country. And this isn't going to make things so you can't do it, whatever it is, it's just going to make things take a lot longer when you don't want them to. So, let me give you a couple examples

that I've seen over the past few years that I thought were interesting. Schrems II. So, have any of you heard Max Schrems speak? He's hilarious. You really should. He gets very excited about this stuff and he's pretty sure that people are insane, and it comes across in his talks. And so I always thought that was great. But the Schrems II decision in 2020, which is still actually playing out today, I think is a very practical illustration of the kind of patterns that I'm trying to talk about. That's when Privacy Shield, the EU-US data transfer guidance, was invalidated. And that didn't mean that

the data transfer stopped. There was no practical way to do that. But wow, did they become more conditional. Organizations had to reassess their transfer mechanisms. They had to implement additional safeguards. And in some cases, they had to completely reconsider where the data was placed and what kind of processing strategies they were going to use around it. And security teams probably felt this in terms of just additional reviews, additional architectural questions, and sometimes pressure to say, "Actually, could you just make it local here? Bring it here because we feel better here." Which is not always practical. So organizations did adapt. Of course they did. They had to. But the cost and complexity of staying compliant, which

turns into a moving target, definitely increased. So cross-border response, let's look at that for just a second. This is where I think we've got some really interesting things that become operational. So historically, cross-border data questions lived primarily with your privacy and your contractual layers. Today, in some environments, we're seeing an additional national security layer applied on top of that, which introduces new questions that the entire organization is going to have to answer. Usually when you don't have time to do it: you've got an active investigation going on and suddenly you're blocked. The questions come in: who ultimately controls the recipient? Does this trigger country of concern rules? Are we creating export exposure

by moving this across, you know, moving this data set to where we can more easily look at it? There's a lot of friction that happens with this, and that friction is only increasing because of the regulations that are diverging around the world. So we see some similar things in identity and trust, which is actually where I spend most of my time. Browser distrust of a certificate authority, I'm going to give this as an example, is rarely a sudden thing, you know, and these decisions typically follow years of investigation, and there's a phased roll out. And so you could argue reasonably that the whole web PKI is working exactly as

it was designed. Cool. But it works because of sustained coordination across root programs, certificate authorities and enterprises. And that coordination, while historically it has been strong, I think it's going to be an interesting question as to whether it can maintain that strength over time given the other pulls on people's organizations' requirements. So, example: Entrust. Folks familiar with Entrust? Okay, so the Entrust situation was in 2024, 2025. After a series of compliance concerns, both Chrome and Mozilla announced that they were going to do a staged distrust action, I thought that was the greatest description, a staged distrust action that affected newly issued Entrust certificates. Again, this wasn't fast, right? Notices did go

out. It wasn't arbitrary. It was very much within the expected root program process, but if you actually looked at the news for enterprises, it still triggered a whole lot of work, of things they had to do as these changes were being enforced. They had to suddenly inventory all their certificates. Arguably, maybe they should have done that already, but most of them hadn't. Migration planning, vendor coordination, more PKI governance oversight. So the web PKI worked as designed; the coordination burden was real. And today, you know, I see the alignment holding, but I think there's a strategic question of what happens if maintaining that alignment becomes too expensive, if

it becomes too hard, right? I don't think we're that far away from such a future. Okay, cool. I hope this has been interesting and informative. It raises awareness, that's great. But maybe there's some actionable things that you might be able to take away from this to make this somewhat useful. So, one of the things I think that we can collectively do is go ahead, as you're designing your plans, just design for jurisdictional friction, the fact that it is in fact going to be there. Many network and cyber security teams already assume that networks can fail, right? We talked about that. What becomes less predictable is where legal or policy constraints may suddenly

shape how data can be moved and processed. Your architectures, probably you're making some assumptions about what they can do that may no longer be true. And so, TL;DR on this slide: talk to your lawyers. Talk to them a lot when you're actually doing your purple teaming. Make sure the lawyers are actually involved in that exercise so they can see exactly what they're going to have to expect as things happen and data moves around. Okay. Another thing that I think cyber security practitioners could do is, if you know this is going to be a pressure, go ahead and do what you can to preserve that interoperability where it's built in. And this is where I'm going to do a

shout out to standards, like actual network standards, identity standards, OpenStand-principle standards. I'm not a huge fan of ISO, but if you need to do that, that's fine. The global internet does still work, even now, as well as it does because there's a relatively small number of technical and trust frameworks that have remained broadly aligned. If you see someone or some country splintering off from that, push back as best you can. I think you have to, in order to not suddenly have, instead of one or two protocol stacks, 14 waiting for the 15th to come along. Okay. Third, and possibly overlooked, I think in a way this comes back to not

just talking to your lawyers, but you're going to have to build coordination. You're going to have to get used to talking outside your teams. I think cross-border incident response has, you know, always involved multiple stakeholders, and it's only going to get more complicated. You're going to have your legal teams, right? But you're also going to have compliance, other technical teams, your business partners in what they're trying to actually do. The organizations that are only practicing the technical side of incident response are probably going to find themselves slowed down even more than they expect, because they're just not designing in the time. They don't know how much time it's

going to take to coordinate across the board, which is an unfortunate life choice on their part, because then when they actually have to use this stuff nothing will go as quickly as perhaps they would have hoped. Okay. So, looking ahead, one of the arguments that I like to make is, if you look at how the internet was designed over the last 40, 50 years, it really was designed to be relatively efficient. Some of it was designed for resilience. I would say, you know, the decentralized nature of DNS and BGP are a bit more on the resilient side than the efficient side. But so much else isn't. So much else was designed for, okay, this

one group will take care of this, this other group will take care of that. It doesn't really matter where they are in the world. And now suddenly it does. So rather than trying to design to be as efficient as possible, ask yourself if that's actually the right choice, or do you want to design to be as resilient as possible. You can't do both. Okay. I zipped through this. I got us in just on time. I would say the internet is not actually collapsing, which is the good news. I would say that security practitioners can actually do a lot to help hold things together, just by building the kind of coordination across your

organizations that you will need to have. So yeah, that's where we are, I think, with the internet today. The end.
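The Entrust example in the talk names the work a staged root-program distrust creates for an enterprise: inventory every certificate, work out which ones the distrust actually hits, and plan migration in deadline order. The script below is an added illustration of that inventory step and is not code from the talk or the speaker. It assumes a constructed CSV inventory (hostname, issuer CN, notBefore, notAfter) and a constructed policy table mapping a distrusted issuer to a placeholder "issued on or after" cutoff date; the issuer names and dates are invented for the example, not the real Entrust notices.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed staged-distrust policy: issuer CN -> date from which newly issued
# certificates from that CA stop being trusted. Placeholder values, not the
# actual root-program notices.
DISTRUST_CUTOFFS = {
    "Example Distrusted CA": date(2025, 1, 1),
}

# Constructed inventory, as a certificate scanner might export it.
SAMPLE_INVENTORY = """\
hostname,issuer_cn,not_before,not_after
api.example.test,Example Distrusted CA,2025-03-01,2026-03-01
www.example.test,Example Distrusted CA,2024-06-01,2025-06-01
mail.example.test,Other CA,2024-01-01,2025-01-01
vpn.example.test,Other CA,2025-01-10,2026-01-10
"""


@dataclass
class CertRecord:
    hostname: str
    issuer_cn: str
    not_before: date
    not_after: date


def parse_inventory(text):
    """Parse the CSV export into CertRecords, skipping the header line."""
    records = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        host, issuer, nb, na = line.split(",")
        records.append(CertRecord(host, issuer, date.fromisoformat(nb), date.fromisoformat(na)))
    return records


def classify(cert, cutoffs, today):
    """Return 'expired', 'distrusted', 'renew-elsewhere' or 'ok' for one certificate.

    A staged distrust only affects certificates issued on or after the cutoff;
    older ones from the same CA stay trusted until they expire, but cannot be
    renewed from that CA.
    """
    if cert.not_after < today:
        return "expired"
    cutoff = cutoffs.get(cert.issuer_cn)
    if cutoff is not None and cert.not_before >= cutoff:
        return "distrusted"
    if cutoff is not None:
        return "renew-elsewhere"
    return "ok"


def migration_plan(certs, cutoffs, today, lead_days=90):
    """Group certificates by required action.

    replace_now: already distrusted or expired.
    renew_elsewhere: still trusted, but must be reissued by another CA before
    expiry; listed with a start-by date lead_days before not_after, earliest first.
    ok: no action.
    """
    plan = {"replace_now": [], "renew_elsewhere": [], "ok": []}
    for c in certs:
        status = classify(c, cutoffs, today)
        if status in ("distrusted", "expired"):
            plan["replace_now"].append(c.hostname)
        elif status == "renew-elsewhere":
            plan["renew_elsewhere"].append((c.hostname, c.not_after - timedelta(days=lead_days)))
        else:
            plan["ok"].append(c.hostname)
    plan["renew_elsewhere"].sort(key=lambda item: item[1])
    return plan


def sample_plan():
    """Run the plan over the constructed inventory as of a fixed date."""
    return migration_plan(parse_inventory(SAMPLE_INVENTORY), DISTRUST_CUTOFFS, date(2025, 3, 15))


if __name__ == "__main__":
    for action, items in sample_plan().items():
        print(action, items)
```

The cutoff comparison is deliberately on `not_before` rather than on the CA alone: a blanket "everything from this CA" rule would overstate the work, while ignoring the CA entirely would miss the renewals that can no longer go back to the same vendor, which is the coordination cost the talk describes.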