Skip to main content
  • Pre-IETF 110 technical update

    With the IETF 110 meeting beginning next week, this post provides an update on the steps that have been taken since IETF 109 to improve the technical services that support participation in IETF online meetings.

    • Jay DaleyIETF Executive Director
    2 Mar 2022
  • Applied Network Research Prize presentations at IETF 110

    A pair of presentations featured during the Internet Research Task Force (IRTF) Open session of the IETF 110 Online meeting (8-12 March 2021) will highlight the application of machine learning to video bit-rate adaptation and Domain Name System (DNS) caching and privacy.

    • Colin PerkinsIRTF Chair
    4 Mar 2021
  • Revised IETF sponsorship program

    After review, research, and consultation with existing meeting hosts and sponsors, the IETF Administration LLC is implementing a restructured sponsorship program in support of the Internet Engineering Task Force (IETF), Internet Research Task Force (IRTF), and Internet Architecture Board (IAB).

    • Jay DaleyIETF Executive Director
    2 Mar 2021
  • Handling IESG ballot positions

    This document is written to help authors and chairs (especially newer authors and chairs) understand what to do with IESG ballot positions. The most important bit of advice is “Don’t Panic.”

    • Warren KumariOperations and Management Area Director
    • Internet Engineering Steering Group
    26 Feb 2021
  • IETF LLC 2020 End Of Year Survey

    The IETF Administration LLC ran a survey over December 2020 - January 2021 to assess community satisfaction with the LLC’s performance in 2020 and community views on our proposed activities for 2021.

    • Jason LivingoodIETF Administration LLC Board Chair
    22 Feb 2021

Filter by topic and date

Filter by topic and date

Observations on the CIA Revelations

  • Jari ArkkoIETF Chair
  • Stephen FarrellSecurity Area Director

10 Mar 2017

Recent news stories, and some IETF list discussion, have related to the release of (claimed) CIA materials relating to surveillance, hacking and information warfare.

Aerial imagery of Hungary
Photo credits: Image of the toxic leak in a reservoir in Ajka, Hungary affecting the villages of Kolontar and Devecsar, photo by DigitalGlobe, sourced from Wikimedia (CC BY 3.0)

There has been quite a bit of discussion about the details of the various attacks contained in this leak, such as those relating to surveillance through smart TVs, or hacking vehicles. But are there more general conclusions that we can draw from release of this information?

First, we think the content of leaks is not particularly surprising, especially given knowledge of other leaks in recent years, such as those from Edward Snowden. Malware is another tool in the same toolbox that is already known to include many other efforts that attempt to compromise security, such as pervasive surveillance.

But the release of the current tranche of documents does seem to nicely support a number of things that we knew already and that are arguably more worthy of consideration:

  1. Security is not a single feature, rather the level of security one experiences needs to be thought of as an emergent property of the whole system. Communications security, for instance, is necessary but not sufficient. You also have to worry about the security of your devices, platforms, operating systems, and components. And the reliability of your communication partners.
  2. There is no such thing as privileged access for the good guys once there are more than a very small number of people involved. Sooner or later the privileged way to access information or hacks will either leak, be re-discovered independently by others, or be shared to parties that do not have your best interest in mind. In addition, systems built to take advantage of the privileged access will get broken and misused.
  3. All malware is just that, malicious software designed to disrupt or compromise other systems. And all will eventually leak. Secretly held knowledge of vulnerabilities makes us all less safe. The vulnerabilities will be exploited, perhaps traded or shared, instead of being reported and fixed. And when they leak out, they do damage to your friends as well as your supposed enemies.
  4. The security of our communications and applications matters a lot. Lives are at stake, not just your browsing history. Our entire societies run on top of our technical infrastructure, from hospitals and power plants to political processes and our economy. We cannot afford to compromise the security of these systems.

As noted, we think these are matters that are already known, but reminding ourselves of the big picture now and then can be useful.

From the IETF perspective we are of course committed to continuing our effort to provide the best possible technical tools for the Internet and the users. One technical observation that may be of use is that focusing on protecting data and not merely links or transport needs better support, make it easier to achieve in practise and at scale.


Share this page