IGF 2019 WS #406 Ethical Hacking: Risk or chance for a more secure internet?

Organizer 1: Civil Society, Western European and Others Group (WEOG)
Organizer 2: Technical Community, Western European and Others Group (WEOG)
Organizer 3: Civil Society, Western European and Others Group (WEOG)

Speaker 1: Tim Philipp Schäfers, Civil Society, Western European and Others Group (WEOG)
Speaker 2: Sebastian Neef, Technical Community, Western European and Others Group (WEOG)
Speaker 3: Viktor Schlueter, Civil Society, Western European and Others Group (WEOG)
Speaker 4: Houston Sam, Private Sector, Western European and Others Group (WEOG)

Policy Question(s): 

Within this workshop we want to address certain policy questions which are outlined here:
What is the status quo of ethical hacking and vulnerability reporting processes and how can it be improved?
Is ethical hacking viewed as an uncontrollable risk or a chance for a more secure internet?
What are the different stakeholder's interests?
How can responsible disclosure guidelines or bug bounty programs help to improve the internet's security?
What legal and ethical challenges arise in the context of ethical hacking?
How can those challenges be solved in the best interest of all stakeholders?
How should a best practice for vulnerability reporting look like?
Is it in all stakeholder intrests that there is a certain world-wide standard for vulnerability reporting (e.g. for government systems) and how can this be achieved?

Relevance to Theme: The security of IT systems or critical infrastructures are very important for a stable and reliable society. If those central systems are not working as intended prosperity, environments or lifes could be in danger.

The current development shows that there is a growing amount of connected devices and systems, therefore leading to a constantly expanding attack surface. Furthermore the professionality of cybercrime is constantly growing.
This means we not only need to adress the technial challenges, but also adapt an international, organisational standard for incident responses in order to ensure a secure internet.
One component could be allowing ethical hackers to conduct research and report security vulnerabilities to the providers or goverment agencies. Issues could be fixed before harm is done by a malicious attacker.
In the past there were several cases where ethical "white-hat" hacking lead to more secure IT systems and within the open-source community it is pretty common to report security risks to the maintaining party. Several government Computer Emergency Response Teams (CERTs) have implemented a vulnerability reporting process in order to protect their own systems and the ones crucial for the well-being of the society - but there is no world-wide standard or agreement how to deal with ethical hacking, so most of the time this security research is acting in a "greyfield".

Furthermore, there are regulations in a few countries, e.g. the so called "IT-Sicherheitsgesetz" in Germany, which motivates providers of "critical infrastructures" to adhere to certain IT security standards. However, this is not enought because the internet is borderless, what makes security, safety, stability and resilience a global challenge.
Current political discussions focus mostly on prohibiting hacking or hacking tools instead of using the hackers' creative work in a positive way to build a more secure ecosystem. Right now, security researchers might face legal threats or repercussions. Several such cases (in which ethical hackers were criminalized) are known in the IT security community.

A positive side effect of allowing ethical hacking could be a constant (e.g. yearly) report about handled vulnerabilities or the state of the internet security. This could strengthen the trust in new technologies of the civil society, because they know that people care and think about their privacy and data on a global and not only national level.

Relevance to Internet Governance: The regulation and acceptance of ethical hacking can help to assure the security and stability of the internet. Security is only achievable when all participants of the global, interconnected infrastructure - that we call the internet - work together. Due to it's distributed nature, it is not sufficient if only parts of the internet are secured, because they still can be attacked by unsecured and unpatched systems.
One way to assure the internet's stability is to convince policy makers that there is a need for certain standards of vulnerability reporting to facilitate reporting and addressing of potential security issues.
Hacking in general should not be condemned but be seen as an opportunity to achieve higher security standards. A specialized framework and process that different stakeholders can rely on would immensely improve the current situation. The status quo does not provide any international standards on ethical hacking or guidelines on how to handle reports from security researchers. During the recent years the privacy aspect of internet governance developed in a quite positive way. For example most of the companies have a privacy policy and point of contact for issues in that regard. Having a similar point of contact for security related issues, especially for bigger organisations, is one of the goals. Internet Governance provides a multi-stakeholder way to discuss and implement the most pressing topics around "ethical hacking".

Format: 

Break-out Group Discussions - Flexible Seating - 90 Min

Description: The workshop consists of multiple phases.

First, all stakeholders and a few participants get the chance to present their views in short introductionary statements and contributions to get a deeper understanding of the topics and current challenges. By exploring and discovering different common topics within the context of ethical hacking, all participants will gain an overview, common knowledge and different perspectives of the topic.

After that, the participants will be separated into topic-specific groups (e.g. legal challenges, ethical challenges, organisational challenges, etc). Each group will discuss one or more questions on their topic with the goal of trying to find possible and feasible solutions to them. All results and outcomes of the group work will then be discussed in the plenum by each group (presenters by 1-2 member each group).

The moderator will gather all results, take notes and close the working with an ending statement.

Possible timeline (~90 minutes):
- ~10 minutes x ~3 (~30 minutes): Introduction statement from diffrent stakeholder groups
- ~15 minutes: Discussion and exchange between the stakeholder views / view from different angles / looking for core topics and clusters
- ~20 minutes: Working on the core topics (for example: ethics, policy, legal, etc.)
- ~20 minutes: Getting together - presentation of the group work
- ~5 minutes: Conclusion / ending statement and next steps

Expected Outcomes: The result of the workshop should be that each stakeholder group knows about current challenges, the status quo of vulnerability handling and ethical hacking. We hope that we can facilitate a better understanding between the stakeholder groups and new impulses for developing a common standard routine for vulnerability disclosure processes.
As most security researcher worldwide still have to fear prosecution when disclosing vulnerabilities, common guidelines for vulnerability discosure processes could make the internet a safer place.

Discussion Facilitation: 

The session will be interactive because we want to bring all important questions to the table. There is a lot of space for open statments and even people who don't want to present their ideas to a hugh audience could work on the topics they want to deal with in the smaller groups. Furthermore we will arrange an online moderator

Online Participation: 

We want to use the remote participation for statements of security researchers worldwide.

SDGs: 

GOAL 3: Good Health and Well-Being
GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 11: Sustainable Cities and Communities
GOAL 16: Peace, Justice and Strong Institutions
GOAL 17: Partnerships for the Goals