Anti‑Abuse Working Group
11 May 2017
At 11 a.m.:
BRIAN NISBET: Good morning. We are still morning. Could I get my ‑‑ so, yes, welcome to the RIPE 74 edition of the Anti‑Abuse Working Group. So, this is, as you are all no doubt aware, a streamed and recorded session. So please don't say anything here you wouldn't want to say to the Internet. We have a scribe from the NCC and a chat room monitor from the NCC and thank you for that. If you wish to participate remotely please get suspensor's attention and let them know. Also, thanks to our wonderful stenographer, who will be taking as accurate a representation of our words as possible.
I should introduce myself, shouldn't I, that would be useful. I am Brian Nisbet, co‑chair of the Working Group. This is Tobias Knecht, the other co‑chair. We will be your hosts, for however long this takes.
Say who you are and whatever attribution you feel is most appropriate to you at that point in time. I think I announced a ‑‑ I really should run a competition for this to see who has come up with the most interesting one. Other things:
We have minutes, we have minutes from RIPE 73 which we circulated and everyone silently consented so unless someone verbally does not at this point in time we will take those minutes as accepted and put into the archives as official.
No, no one leaping up, excellent. The agenda:
Is there anything that anyone would like to add to the agenda at this point in time? Again, no one leaping up, so we will take ‑‑ there is an AOB section at the end, we always have an opportunity for that but, the agenda is the agenda.
So, moving on. Recent list discussion. Never have I said those words with more of a sense of dread. The anti‑abuse mailing list is an anti‑abuse mailing list and that comes with all of the good and bad that anti‑abuse communities have. I think it is generally speaking a good and useful thing, I think there is lots of useful conversation there. I think there has been lots of productive things said there over the years. However, that does not mean, like any mailing list, it can be ‑‑ it itself should not be abused. And I think unfortunately, during this year, it was, and I want to talk a bit about that and about some of the things that led to the decision that myself and Tobias made with the support of the NCC a couple of months ago.
Before I get to that, I just want to say that we did, we did talk in Madrid about taking the discussion about a definition of abuse and turning it into something. I have not done that, and the people who kind of had spoken about it on the mailing list didn't really push it, and I am kind of leaving it to one side for the moment to see where, whether there is more conversation or whether it becomes more productive so while I acknowledge I said in Madrid I would take some of those and try and synthesize that conversation, I have not, and I do not in ‑‑ I will say to the Working Group I do not intend to do so in the short‑term. We do have some other things that we will hopefully be announcing, in regards to work and documentation and things, which we will talk about later in this meeting. To speak about the issues we had, the conversations we had which led to someone being removed from the mailing list, and I think we need to talk about it and to talk about it in this meeting as well as on the mailing list, that was a very unpleasant period of time. For those of you who are not on the mailing list, most of the time it's lovely, sweetness, light, rainbows. They felt they could not express their opinions without going very deeply into ad hominem attacks and racial abuse and a number of other aspects and after a number of conversations, after speaking to them about this and trying to clarify why this was not acceptable on the mailing list, we as co‑chairs were given no confidence that they understood why this was a bad thing or at least that they weren't going to backslide into their old behaviour. I think they only saw the issues that they had ‑‑ that we were raising to them, they were only going to comply with them as a matter of form rather than because they accepted that anti‑semitic comments etc. were not acceptable in the public discourse we have on the mailing list.
So, yes, so after this conversation, after speaking to other members of the community we made the decision to remove someone from the mailing list. This is not something we did lightly and we would wish to repeat. I would like to re‑emphasise, especially to the other members of the mailing list, who then became seemingly concerned that myself and Tobias would start censoring opinions on matters of anti‑abuse, this is not the case. What your opinions are on various things, whether you like one organisation or dislike another or prefer one protocol or one method of doing things or whatever else, that is between you and your gods and certainly we would never remove someone because of that. Equally we would never remove ‑‑ no organisation has ever put pressure on us or even suggested to us that we should remove someone from the mailing list and if any organisation did suggest that, they would be politely told that that is not something that we are going to do. So I want to reassure everyone, the mailing list is there and open and public, we encourage debate, we encourage differences of opinion and progress through that. What we do not encourage is racism, is attacks or sexism or any of those kinds of things. If you look at the RIPE community code of conduct, you can see in fairly straightforward form my opinion on what you should and shouldn't be doing in any area of the community. That code of conduct does not as yet apply to the mailing list but I think it is a good guide for any interaction in the community.
So, it would be a little easier for me if every time something happened on the mailing list I wasn't on holidays at the time. I was in rural Kerry in the southwest of Ireland when all of this happened, very far away from most mobile signals, until I was on the way home when Serge sent me a message on Skype saying have you seen what is happening on the list? It's always an ominous thing to get, but em..... Look, it is what it is and these things will happen, especially in.... Robust conversations will happen, in anti‑abuse communities, now and again. I am rambling here, but I wanted to say this was an exceptional circumstance, it's happened once in the history of the list, and while there are other people who have mailed the list with claims of censorship, I wish to reiterate that there is one single person, certainly during my tenure as co‑chair, that we have had to moderate and we have had to ban in that particular regard. I really don't particularly want to do it again if I can at all avoid it and say a huge thank you to the NCC web team who... So Marita and Adam, especially, and Oliver, who did great work in helping us with that and again the secretariat function that the NCC performs is vital to the Working Group.
So I want to ask if anyone, after my now long comments on this, I want to ask if anyone has any other feedback that they wish to say and if you don't want to say it here and if you have feedback on what we did and what happened, please find myself or Tobias in the hallway, please give us your feedback on that because we do not run this Working Group, we are not overlords of this Working Group, we are stewards of this Working Group. We guide it and trust, for you, the community and that is extremely important.
Is there any actually, you know, real concrete discussion that was on the mailing list that anyone would like to talk about or reference? Or are you all happy with that? Fair enough. And no upset, you know, no upset ninjas have dropped down through the ceiling, or in through the.... I specifically requested a windowless room, to avoid anyone rappelling in and trying to take over.
So again, I would say, please let's have some more conversation of a constructive nature on the mailing list and I look forward to that. There was a recent posting about the hijacking survey, which again I would encourage people to look at and fill out and that kind of feedback from the community is extremely useful.
So, let's move on down. We don't have any policies active at the moment but we will be talking about some policies. In just a moment I am going to invite the, one or more of the co‑chairs of the Database Working Group to come up and speak about some of the conversations they are having about abuse‑c. I would also like to encourage those of you who don't have set plans for this afternoon to go to the Database Working Group where there will be a number of items of abuse referenced. There are areas ‑‑ there are areas of concern for the Anti‑Abuse Working Group, which are all about the database, and in the ongoing horse trading of Working Group co‑chairs we have decided at the moment that we will discuss these in the Database Working Group because they directly reference changes to the database. And what we want to avoid is back dooring changes to the database, should they be passed through the PDP, back dooring them through ‑‑ without the community being fully aware of what is going on, so there are a couple of conversations we have been having about increasing the amount of data, about data verification, how to improve traceability which Greg from Europol spoke about in Madrid, those conversations are progressing, as with any of these things they are not rapid fire and we need to do it properly and slowly but I think we are going to be looking over the next few months, hopefully over the summer and into the autumn, at a number of possible approaches to improving some of the data there and the traceability that is in the database. We will be making it very clear within this Working Group where this is happening, when this is happening, encouraging people to make sure they have the opportunity to interact with it and to speak about it. But the main body of work in this will be taking place, or at least we will be proposing it will take place in the Database Working Group, which is ‑‑ it's on directly after lunch in the big room next door.
So, I think that gets us to the point where I will, David, is it you or somebody else who is coming up? Yes, unfortunately Denis can't join us this week, but David is going to speak about the abuse‑c conversations that are going on in the Database Working Group.
David: Hello everyone. Co‑chair of the Database Working Group. So, in the last couple of years the database implemented the abuse‑c, the abuse e‑mail address handler in the RIPE NCC so when you query a resource it came from a policy that came from the anti‑abuse swop whenever you query a resource in the RIPE database you should be receiving an abuse contact, an e‑mail that can be contacted in order to report whatever abuse. It's not really well‑defined everything on how the e‑mail should be reacting and those things. The main concern from the Database Working Group is the implementation of the abuse‑c. If you have a simple network everything is org‑centric ‑‑ returns the same e‑mail address but as soon as you come to a little more complex networks we have different operations, you have different services, it becomes a bit cumbersome on how to create different abuse e‑mail addresses. This is basically the discussion that has been going on for years in the Database Working Group, people have had different ideas, different solutions, but no consensus has been reached, no perfect solution has been discovered, I don't think we will ever have a perfect solution, but we should at least have some form of solution that pleases most of the people, that is the point of consensus.
We would like to invite anyone who is interested in the Anti‑Abuse Working Group to also participate in the Database Working Group to try to have some discussion going on and to finally find a solution so we can ask the RIPE NCC to implement the solution, change the way that the abuse‑c is being handled and finally close this one off. That is more or less what we wanted to ask from the Anti‑Abuse Working Group, so if you guys are not on the Working Group, on the RIPE Database Working Group, please register and come and attend the session this afternoon. Any questions regarding the abuse‑c here?
BRIAN NISBET: Any comments ‑‑ again, this is trying to encourage people in the community to discuss.
Kaveh: RIPE NCC. Just a comment. Yes, I, as being one of the people guilty of introducing abuse‑c, I just wanted to make a comment that when discussing the RIPE database one possibility is to look at the modern technology so you don't have to limit yourself to Whois because we fully support RDAP, which is already by definition a standard, and in the standards it actually has facilities to give you differentiated, if needed, I am not suggesting that should be used but there is a huge new set of tools which can be thought about. And Whois can stay for the legacy purposes but you can think of new features developed on this new protocol, I am suggesting when thinking please do not limit yourself to the classic Whois.
David: Thank you very much. Adding a bit of complexity to the abuse‑c.
FILIZ YILMAZ: I am just curious, you mentioned this is something like a cross‑Working Group topic where it's going to land was a bit of a discussion. Have you considered also the NCC Services Working Group to be involved because if this gets ‑‑ I mean, I don't understand if the aim here is to follow the full PDP, because if you end up asking RIPE NCC to implement this and have some policing done over the abuse‑c, right, abuse contact, then their workload will need to be investigated, how this is going to end up on them, and does this have any impact as well? And if you don't follow the full PDP then it won't get, I believe, an impact analysis automatically done, so I am wondering if NCC's perspective will need it and if so, how that can be integrated? Thank you.
David: I am not sure about this one because it's part of the implementation.
BRIAN NISBET: What we are talking about now is implementation in the database. It's not ‑‑ we are not ‑‑ at the moment the conversation, and as I have said many times in the logical equivalent of this room in various places around Europe, the abuse, the first abuse‑c policy was planned as a first step, with no assumption of what steps would come after that but certainly planned as a first step. What we are talking about right now is how the abuse‑c is implemented in the database in relation to organisational objects, etc. This conversation is not about increased data verification or about penalties being applied for not having a valid abuse‑c. That would be a separate policy which would go through the full PDP etc. What we are talking about right now is ‑‑ and maybe this needs doing through the PDP, I am not saying, but this is how the current policy is implemented in the database on a technical level. Does that answer your question, Filiz?
Anything else? Okay. No, in which case again please ‑‑ yes, please go to Database, please respond on the mailing list if you have thoughts on this. It is certainly a knotty problem in regards to implementation in the database and how that gets done, etc., but it's very important.
(Applause)
So, now we have some more NCC, and as previously mentioned, while there are a number of places and avenues that the NCC reports on its outreach activities, Paul Rendek's 90 minute monologues are particularly popular. The LEA is very important to the Anti‑Abuse Working Group so Richard Leaning from the NCC is going to talk.
RICHARD LEANING: External relations, and I have only got about five or six slides so we could be finished quickly for lunch at this rate. As you saw yesterday from Paul in the Services Working Group, we cover many, many stakeholders and I just want to concentrate in this session for five, ten minutes on engagement of law enforcement agencies and governments because law enforcement agencies work for their governments. A flavour of what we are doing and their concerns regarding the database and how their interaction with us has increased over the last year or so.
So basically, we do have a strategy, we deal with governments and law enforcement agencies and intergovernmental agencies within our service region. We do run roundtables and recently we have done a few roundtables in Ukraine and in Belarus, which we have never done before and it shows you how our service region has expanded from our traditional paths into new parts of the service region where we traditionally haven't had a good relationship with law enforcement and governments.
And we do that through many dedicated events that we run, with agencies that we go to their events and they invite us and we invite them to our events as well and that shows you the type of expansion that we have been doing over the last year or so in our 76 countries.
Why? Well, law enforcement, like it or not, do use our database, and they use it to try to identify the service provider, and I use that loosely, closest to the end user, the person that they are looking for who is committing criminal activity. The reason they do is because they need to serve legal process on that entity so they can do the other bits and pieces that law enforcement uses to enhance their investigations. That is why they use the database. It is to find the service provider responsible for the IP addresses that are being used in criminal activity so they can serve legal process on that provider. That is all they use the database for.
There is a lot of confusion regarding the database because we have a database, then we have something called the registry and are the two the same or aren't they the same? What feeds from one to the other. What is accurate and not accurate, what technical people call accuracy is not what law enforcement call accuracy so there is lots of confusion about the terminology. Law enforcement traditionally were used to domain names because that is where the majority of their stuff was, with child abuse images and drugs and firearms etc. etc.
Some law enforcement officers especially as you go further east still believe that the RIPE NCC, as we have responsibility for the administration of IP addresses can actually tell law enforcement who the person is at the keyboard, they still believe that we have that capability and the database does that. Of course, it doesn't. They also believe sometimes that if they can't find that, that the database is inaccurate. Well, we know that is not the case either. And yes, law enforcement do use other tools, the database is just one of the many tools that law enforcement use in their investigations.
So how do we educate law enforcement about what the database does and more importantly, what it doesn't do, because it's vitally important that we inform governments and law enforcement agencies what the database does not do, as much as what it does do. So part of what we did, with Europol we put together a bespoke webinar training which was mentioned, which is six courses, instead of us going out to all these countries it's better if they can sit down and do it themselves. As of yesterday we had 350 registrations for this course on the database. And that is not the true figure because some other registrations ‑‑ there is one registration for a classroom of law enforcement officers so we could talk in 400, 500 law enforcement officers who are interested in this webinar about a database. That shows you the thirst for knowledge that law enforcement/governments have about RIPE NCC, the RIPE community and our database. Bear that in mind. That is more people than have come to this conference who are interested ‑‑ law enforcement officers interested in our database.
Part of what else we do, to same technologies...., we are a member of their advisory group on communications, and we go to meetings two or three times a year with communication providers and we talk about things like carrier grade NAT that there was in the conversation earlier this morning, about attribution of IP addresses, etc., etc., so we are involved at a high strategic level. We also signed an MoU with Europol in December of last year. That is on the website. Please look at it, because what we want to do is document our engagements with law enforcement so we are open, transparent and everyone knows in the community what it is that we do with law enforcement so that is why we thought it's imperative we signed an MoU to show everyone what we do and more importantly what we don't do. We do not have secret deals with law enforcement, anything is about capacity building, knowledge exchange etc., it's on the website, please read it.
We do the same with Interpol. We are a member of the high level group there, we haven't got an MoU yet, that is in discussion and we are devising training courses with them. Europol only covers 28, soon to be 27, countries of the EU, we have 76 countries in our region. Interpol covers all the rest, it makes sense we have the same relationship with Interpol as Europol.
We work very closely with the Commission, as Paul mentioned yesterday, DG Connect is one of the co‑chairs of this Working Group, and that is all about IoT, you know, attribution, database, everything ‑‑ buzz words we have been hearing before, and more importantly we are doing training, capacity building for the policy makers because if they are having discussions about policies that affect our business, then we need to be involved and sit at that table to help them and guide them and advise them about what can be done and can't be done, so they are fully aware.
So what is our message, why do we do it? Because we have to explain to law enforcement and governance, instead of them coming here and saying I want you to do this, we have to explain to them how they influence policy, how to make a change if they think something is not done correctly or can be improved, so we have to spend a lot of time explaining the PDP process. We invite governments and we invite law enforcement and anyone that is interested to participate in these meetings, either personally or remotely. We try and get them involved in the mailing list and the policy discussions and we have actually got two law enforcement officers who are members of the accountability task force and I think one is sat here now.
Also, law enforcement, we believe that ‑‑ to help us make our database accurate we try to get law enforcement and anyone interested in the accuracy to report these inaccuracies to our website so we can look and investigate and see if they are inaccurate. While we are having, we are having loads of people saying our database is inaccurate but that is just a statement, we need proof of those inaccuracies so we can do something about it if that is the case. That is what we are trying to do, it's very hard for law enforcement sometimes to do that because they are concentrating on positive avenues and they don't sufficiently concentrate on the stuff they couldn't do so we are having that, how can they do it and report it, if they do find inaccuracies.
These are the stats of law enforcement requests to the RIPE NCC since 2012. As you can see, it's going down each year. And that is due to the success that we are having in our outreach strategy of speaking to law enforcement and getting them to understand what it is that we do and more importantly, what it is that they don't do. So that is a good visual representation of the success we are having. Ideally, I would like that to be 2017 at zero, because then we have reached everyone we possibly can about what we can and cannot do. I have a feeling that it may go up in the next couple of years, because more law enforcement officers are involved because what you have got to remember is all crime is now on the Internet; it's no longer just specialist law enforcement officers dealing with specialist crime. Every single piece of crime you can think of has a presence on the Internet so we are going to get an awful lot of other police officers, who are dealing with burglaries, car thefts, etc., who will probably start looking at us and saying can you help us with this IP address? So ideally, I want that to be zero for 2017, I have got a sneaky feeling maybe it will start rising up again as we get different law enforcement officers asking us different questions that people used to ask in 2012, we will have to wait and see, it shows that our outreach policy strategy is working, at the moment.
So just to summarise. It's very important that RIPE community and us as RIPE NCC are seen in front of the law enforcement and governments that we take cyber security, and Internet seriously, and we all do, otherwise we wouldn't be here, but we have to keep getting that message across, that we do understand the seriousness of what is happening out there and we do take our responsibilities, all of us in the RIPE community, very seriously.
We work with all stakeholders, and it's not just RIPE NCC that does this, all the other RIRs have similar strategies as we do, in their own regions and I know I work very closely with Leslie from ARIN and we do with Craig from APNIC and Oscar from LACNIC so we all speak to each other and we all have a similar view, similar strategy of how we engage so we are coordinated and we know where we are going and how we are going to deal with it, and you are probably aware that the FBI have put in a policy proposal in the ARIN region and they did that last month in New Orleans, so they are getting more involved, and it will be a matter of time that this ‑‑ our service region will also get a policy proposal from a law enforcement agency or law enforcement organisation.
We do a lot, but we collectively can do more so that is what our message is. We are trying our hardest, but we know we can always improve, because there is always room for improvement. I could talk a lot more about ‑‑ I am happy to take any easy questions.
BRIAN NISBET: You should encourage some hard questions too.
AUDIENCE SPEAKER: Maxim. The question is, what is the criteria of disclosure of information in RIPE NCC, so if there is some request going from any entity called law enforcement which ‑‑ what does the ‑‑ evaluation process is not a secret, how should a correct request look?
RICHARD LEANING: The majority of the data that RIPE NCC has is in the public database so they can get it. If they want data that is not publicly available they have to send us an MLAT, a judicial request through a Dutch court to the RIPE NCC requesting that information. Then we will consider that request and then we will make a decision, if we should abide by that court order to give that information.
AUDIENCE SPEAKER: So your disclosure is not by request from law enforcement but in fact by request from a Dutch court?
RICHARD LEANING: From the judiciary, yes, it has to be, not law enforcement sending us an e‑mail. We are based in the Netherlands so we only answer to the Netherlands judicial process so any information that is not publicly available must come through a Dutch court to us and then we will consider if we will release that information. We do not give private information as a result of an e‑mail that comes into our inbox.
BRIAN NISBET: I mean, the history there I think is important as well, there was, I am trying to think how many years ago it was now, where the NCC did act without a court order and the community was not best pleased with that activity. It wasn't in relation to the public information but it was reacting to something that should have required a court order and the NCC very wisely and sensibly said from now on, court orders only, which is absolutely the right way of going about it.
RICHARD LEANING: My lawyer is bouncing up and down at the back there.
BRIAN NISBET: It wasn't public information and I apologise.... The media shouldn't have said that, at all, but Athina, feel free.... yes.
Athina Fragkouli: Just to refresh everyone's memory of what happened. And I remember the year, ... but it was a police order, it was a Dutch police order, it was not about revealing non‑public information. It was an order for us to lock some records, that was it. And we immediately asked ‑‑ of course, yes, at first we obeyed, but when we realised that we are not actually obliged to obey then we stopped obeying and we challenged this at the court. Thank you.
BRIAN NISBET: And I ‑‑ apologies for my vagueness and thank you for clarifying. As I said, it is a positive story, it is a learning event for us all and the correct ‑‑ we are in the right situation now, which is very good to hear. Just one matter of interest, on the previous slide ‑‑ you can go back with the thing ‑‑ there we go. I know this is sent out but it might be worth mentioning now again, is the ‑‑ there are, what, four incidents over the last four years, of requests to share non‑public information. Now, I think there is an e‑mail sent out in relation to some of these but I am just wondering if we could clarify to the room whether there was a reaction to that in relation to whether or not public information was given out on those occasions or is that something that can be shared?
RICHARD LEANING: I am looking at my lawyer again.
BRIAN NISBET: So there are ‑‑ there is one last year, at least if my counting is correct but four incidents over the last three years of requests for non‑public information, and I am just wondering, and I know there is information sent out about this but just briefly to the room if you could clarify ‑‑ as much as you can, what the reaction to those requests was.
ATHINA FRAGKOULI: Certainly. I realised I didn't introduce myself, I am Athina Fragkouli, I am head of legal from RIPE NCC. So, yes, the details ‑‑ but in general we receive a request for information about members and things that we don't have in the database, that is not publicly available. In these cases, we advise them to come in touch with Dutch authorities because we only obey Dutch orders and they haven't come back to us. Thank you.
BRIAN NISBET: Thank you.
RICHARD LEANING: Sometimes we get requests saying can you give us information, then the information is available in the database, they just don't know how to find it so some of the stuff we do get like this is an outreach by us to say what you are asking for is there and it will help you ‑‑ we will help you navigate through the database to find what it is that you want. As we would do for any community member who is having trouble removing themselves from the database.
ATHINA FRAGKOULI: One more detail because this is very important. Sometimes they realise it's not publicly available information and they ask us, okay, how can we get it? They don't ask for this information per se but they say can you help us, what should we do. Of course we give them this information about the procedure. Thank you.
RICHARD LEANING: We are a double act.
BRIAN NISBET: Athina is wondering why she didn't just go up on stage herself. Any other questions, comments, points? No. Okay. Cool. Thank you very much.
(Applause)
I think the openness here is certainly, from my point of view, very welcome. I have said this before, but we have ‑‑ the NCC and the community interactions with law enforcement, it's a clear ‑‑ it's an up and to the right graph, you know, in a good way. The interactions have been very ‑‑ increasingly positive, we are having more ‑‑ talking more, we are understanding each other more and I think this is very much to be welcomed, because we are very much part of civil society and I think that it's important for us to regularly remember just how much the decisions we make at these meetings and on the mailing list can affect everybody, certainly across the service region and indeed on occasion beyond. So, moving along in that particular vein, I would like to invite Nathalie up. This is a presentation and discussion from the National Cyber Security Centre in the Netherlands on the ‑‑ EU Directive on network and information security. Thank you.
NATHALIE FALOT: I am a legal consultant, senior, at Considerati, and I am also an advisor for the Dutch national cyber security centre on legislation, both national and European, and their operational process on privacy matters. I brought Bob with me, he is cyber security expert, at the NCC for the more technical questions since I am a lawyer. But I have been asked to give you an update on the European directive on network and information security and how we will implement that in the Netherlands and what are the choices, etc..
So, quick facts:
The aim of this directive is to create measures for a high common level of security of network and information systems across the European Union. So it has certain parts in it that are active for different ‑‑ so there are parts of it that are active, some are for governments, some are for operators of essential services and some are obligations for digital service providers. So each government in the European Union has to now create a national network and information security strategy. Also, every government needs to have one or more CSIRTs in place, they have to cooperate in the Cooperation Working Group on EU level. Also, create security requirements and breach notification in legislation and supervision. What is important to realise, this is a directive and not a regulation, so it has to be implemented into national legislation; this gives Member States room to interpret some parts with regard to how their own system works but also gives minimum or maximum requirements, especially for operators of essential services. This can ‑‑ can go varying across the EU.
So as I said, we have got two target groups: Operators of essential services and digital service providers. And operators of essential services is in essence a minimum list, so this list that you see on the top are sectors which each European Union Member State has to look into to identify whether there are operators of essential services within that sector in that Member State. This is the minimum that you have to at least investigate but you are allowed to investigate more sectors within your Member State. And an example for the Netherlands is dykes. They are very important to us, so we don't flood, but it might not be important in other Member States that are not situated near the sea. So energy, transport, and transport has some sub sectors as well which is water, air, traffic and road, banking and financial infrastructures, healthcare, drinking water and digital infrastructure, and digital infrastructure is, for example, the Internet Exchange points, domain name registers, they all fall within that sector. But you are allowed to investigate more sectors. Digital service providers on the other hand is maximum harmonisation which means you are only allowed to regulate these three specific kinds of digital service providers in your Member State: online marketplaces, online search engines and Cloud computing services. For these services, for these kinds of digital service providers, the directive has some clear‑cut measures that you have to implement anyway and the only difficulty for Member States is to interpret whether a certain service actually meets the definition of, for example, an online marketplace or Cloud computing service.
So, OES stands for Operator of Essential Service, and DSP stands for Digital Service Provider. So under the new directive each Member State creates obligations in national legislation, one of them is a security requirement, so if you actually identified operators of essential services within your Member State within a certain sector then that operator of essential services has to meet this security requirement which will be transposed into national laws and, as always in European law, it's not very specific, but it says appropriate and proportional measures. The EU does not really give guidelines on that, at least not binding, on what is appropriate or what is proportionate, but they will have some working documents within Working Groups in the EU to create non‑binding guidelines on these issues, for Member States to have a little bit of hold on what the EU wants, and also to try and harmonise it at least a little bit because if each Member State can interpret what is proportionate in their own Member State then we will still not have any harmonisation or there is a risk it will not be complete.
Proportional is one of those words that will have to get some kind of guidelines from the EU. Also, the EU will try to create standards or at least work with existing standardisation, so if a sector already has a very good security standard, then that standard might be implemented into national laws by the supervisory authority saying if you comply with this or this standard then you comply with this requirement. So, those standards will still have to be investigated and we have to compile a document that has an overview of all the standards that are available in the EU, and there is still some discussion on whether it should be European standards or international standards, but that will all be put into one working document for EU Member States at least to use within their national implementations.
You not only have to take appropriate measures to manage the risks posed to your systems but also to ensure the continuity of your service. So, the EU makes a difference between those two, so you have got to take preventative measures at one point but if you have had an incident you should have measures in place to create at least some continuity or at least try to ensure that continuity in the longer haul.
For DSPs it's different because since you have maximum harmonisation you are not allowed to do more than the directive states as a national Member State. So, here also take appropriate and proportionate measures, measures to manage the risks posed but having regard to the state‑of‑the‑art, and you have to take into account at least certain elements when creating those measures, so the security of the systems and facilities, incident handling, etc. Also, for DSPs not only preventative measures but ensure continuity of the service after an incident.
Notification requirement, and that is where a lot of organisations ask us how do we do this? There is a lot of administrative burden in these kind of requirements. I think with the security requirements you can already, most essential services will probably already have a certain standard of security so they might have to take some additional measures. Notification requirements in this subject and this field are quite new except for telecom and financial markets. But operators of essential services will have to notify certain incidents that have reached a certain level, which is significant impact, to the CSIRT or competent authority, so you will have two existing bodies in each Member State and they can be combined into one or can be separate bodies. If they are separate then a Member State can choose whether you have the notification requirement at both the bodies or if you have a notification requirement in one and one body will then give your incident to the other body.
The incident that has to be notified are only the incident that have significant impact on the continuity of the essential service. Now, as a lawyer, the first question would be, what is significant impact? How do we establish significant impact. Also here, the directive gives us a few elements that we have to look at, for example numbers of users affected, the geographical spread, etc., but each Member State can take its own ‑‑ can establish for themselves how many users should be affected before a significant impact arises. So, in the Netherlands we do say at least 50,000 users have to be affected while Germany for us says significant impact is 15 or 10,000 so there can be differences with regards to these kind of elements. In the Netherlands we already have something quite like essential services, we call them vital services and vital processes, so if we try to combine those two programmes now with the ‑‑ our programme on vitality to make sure there is not another group and we have tried to make sure that they overlap quite consistently.
Notification to the competent authority and/or CSIRT, you have to include certain information; for example, the nature of the impact and the duration of the impact, etc., but you also have to look at cross‑border impact. And that is quite new for most Member States, especially if significance of the impact differs between Member States so we are not quite sure how to handle that yet. Should we look at the impacts and the elements they use to establish that impact or should we do it from our own perspective? So, those are kind of things we are still discussing in international setting in Cooperation Working Group and how to encourage this and how to help each other with regards to cross‑border incidents.
Also, the directive states notification shall not make the notifying party subject to additional liability, which could be, for example, private liability or something like that. So you can still, a notification can lead to supervision on the requirements, so if the notification to the supervisory authority has elements of which the supervisory authority says maybe you didn't really look at your security requirement as well, didn't take enough measures with regard to security, this incident shouldn't have happened, that is the kind of liability that is allowed but it should not lead to additional liability with regard to civil liability. The DSPs have a notification requirement to the competent authority or the CSIRT. Here, there is a difference in what kind of incidents should be reported. Since the operators of essential services have to operate ‑‑ have to notify incidents that have a significant impact and DSPs have to notify incidents that have substantial impact. I don't know the difference yet, neither do my colleagues in my legislative department, so we are still trying to figure out ‑‑ where are the differences, should we have different thresholds for one or the other.
So the DSPs, since that is maximum harmonisation it's important there is a clear‑cut scheme there and it has an international framework for it as well, so for these kinds of incident notifications the European Commission will make implementing acts to make sure that there is harmonisation on what is substantial impact, what kind of thresholds you should think about when establishing this substantial impact. Also here notification should enable the competent authority or CSIRT to look at cross‑border impact since we will have to notify the other Member State of that cross‑border impact so we can make ‑‑ can look at the incident together and see who will do supervision, who will do the investigation, etc.
And here it's the same, the notifying party shall not be subject to increased liability.
So as I said, parameters and thresholds and security requirement, data breaches, fines, they will all be established on a Member State level since it's a directive and not a regulation. This can also mean that fines in Germany are a lot lower than the Netherlands, and what I have noticed in the last few weeks is that everybody is now looking at implementation and they are making their own legislation, the working documents from the European Commission to give some guidelines, whether they are binding for DSPs or non‑binding for operators of essential services, are still in the making and they are scheduled to be released in Q3 of this year, but for the Netherlands, for example, our legislative process, especially with regards to implementation, is really long; we have got to take a lot of steps with regards to our government, so our parliament, our congress, etc., so our implementation proposal has to be ready by the end of May if we want to make sure that the ‑‑ that our implementation law will be into effect in May 2017, when the directive should go into force.
So, we are waiting on the guidelines and, at the same time, we already have to have a proposal, so the Netherlands is making its own proposal based on our own experiences in this subject, and we try of course to get other Member States on our side with the choices we make, and we still have some checks and balances moments in the future, even when it's already in parliament, but the guidance from the European Commission on this for our legislative process is a bit late in time and it might be so for other member states, especially if you really want to make policy choices in this directive, in this implementation, which you can; a lot of Member States take this directive, because it's the first of its kind on cyber security as a subject on its own and not in another sectoral piece of legislation, really seriously and want to make sure their implementation law really creates some possibilities for both the government and operators of essential services to just get cyber security to the next level.
Also with regards to the cross‑border aspects of this directive, it's really hard to create implementation which has ‑‑ implementation legislation which has certain provisions on how to work in a cross‑border setting if you don't know what you have to work on in that cross‑border setting, so the implementation, the national implementation, will probably have quite broad wording just to make sure that we have got enough room to create further details on a lower legislative scale.
So, the Dutch implementation, which is still ongoing, we are still negotiating but there are a few things we have already told parliament which I can share with you as well. So in the Netherlands we have got one thing going for us in this subject, which is that we already have quite a lot of the things in place that the new directive wants from a Member State; we have a strategy at least for essential services, we only have to elaborate on that strategy for digital service providers. We also have a CSIRT which is the national cyber security centre for essential services. We don't have a CSIRT yet for DSPs so we have got to create that or create mechanisms to make sure it can look at DSPs or create a new one. Those are the choices you have got to make as a Member State and that can differ on how you attack cyber security or how you look at it from a policy perspective as well, who is responsible for cyber security in a certain sector?
So what we have tried to do in the Netherlands is to really go for a decentralised approach on cyber security, at least for supervision. So, the CSIRT, since we already have one for essential services, for vital services, that CSIRT will also look at essential services. But supervision on cyber security is a completely new subject in the Netherlands, we don't really have that except for in the case of personal data. So, we had to ask ourselves, are we going to go for one new supervisory authority, one cyber supervisory authority, or fit it into the existing framework, as every sector already has some kind of supervision, it might not be cyber security but on physical or quality of the service. We have chosen in our implementation, which will still be negotiated in a couple of months, to go for a sectoral approach. So the supervisor of the banking sector will also have to supervise on cyber security in that sector. The reason we do that is we feel that cyber security is not something that should be looked at as different from the rest of your work; it's part of your work, it's part of your sector, every sector will have some dependency on cyber security, so the supervisor in that sector should take it into account in its supervisory tasks.
So this is different from other Member States. There are Member States that have already said we are just going to create one cyber security supervisor and he is going to do supervision on all the sectors mentioned in the NIS directive. That is a choice you can make as a Member State. For us it's important that every existing supervisory authority also takes network and information security into account with regards to their normal supervisory tasks.
That also means that our supervisors will have to work together and share knowledge but it gives them the opportunity to take specific sector criteria or specific sector related issues into account with regards to their supervision. For example, a supervisor in the healthcare sector might make very different choices with regards to fines than a supervisor in the banking sector. That ‑‑ this allows flexibility in the long run but with regards to implementation it's extremely difficult. Also, what the Netherlands does with regards to the parameters and the thresholds for, for example, significant impact: how do you establish significant impact in drinking water? We will tell ‑‑ we will publicly make available the information on what kinds of parameters we use, so the duration of the incident, numbers of users affected, geographical spread, but we will not make publicly available the thresholds we will use to actually establish whether that impact is significant. The reason for that is that we feel that is a part of national security since it's about essential services, and we don't want to make publicly available what scale an incident should have before we will have societal and economical impact that is of such a degree that we will have social unrest in the Netherlands. That is something the EU frowns upon when we tell them, so we really always have to fight for the confidentiality of these kinds of thresholds and we will continue to do that. We will share this information with the actual operators; the operators that have the notification requirement will know what kind of thresholds we are looking for with regards to significant impact, and that is something we will also have to look at with the supervisory authorities.
So other options are a centralised approach or creating an entirely new cyber security framework, which is possible for Member States that might not have cyber security in their legislation or in their policies yet. Since we had to try to fit the existing framework with the directive, we have gone for a decentralised approach. So how does it work, especially with regards to the notification requirements, because one of the fears a lot of operators have is that they will have loads of notification requirements. You can have one with the CSIRT, with the competent authority, you might already have a data breach notification requirement which is another authority again, and an incident might not just be a network and information security incident, it might also have other effects so you might be subject to other notification requirements. What we are trying to do in the Netherlands, at least for more cyber security related incidents since we will have a notification requirement with both the CSIRT and the competent authority, is that we will say, we will try to make sort of a one‑stop‑shop for it but not actually. The reasoning behind it is that we want the CSIRT to have one ‑‑ to have the notification with regards to support and we want to have the ‑‑ we want to make sure the supervisory authority has the incident with regards to supervision. But as a CSIRT you might get different information, or an operator might be more inclined to share certain information with you as regards support, but they don't want that same information to also go to the supervisory authority. So in our legislation we will make it possible to do two different notifications if that is the choice the operator wants to make. At the same time, we have to look at administrative burden; you don't want organisations to have to do completely different notifications to authorities, especially not at the start of your incident, since you will probably have better things to do.
We will give them the choice, we will make it possible in legislation to do separate notifications but, at the same time, in practice, we will make sure that there is sort of a one‑stop‑shop where you can fill in one form that will go to the supervisory body and the CSIRT at the same time. So that is what you see at the top. The breach notification will be going through one form but will be sent to different bodies, one the CSIRT and one your own sectoral authority. The operator has to make sure that once he sends the form he indicates to which authority it has to go, since we don't know who the operator is, once he sends the form, and he has to make sure that it's his obligation to do the notification requirement.
Then, the form will go to both parties, the CSIRT will provide the support that is needed and then the sectoral supervisory authority will do supervision. To make sure that process is actually not a burden in itself, that you have three authorities especially if you also have the data breach notification, to make sure not all two or three authorities call you at the same time for more information about the incident and to help you along, we will have a protocol between the CSIRT and supervisory authorities with just agreements on who gets to act first and who has to wait for what information from the other before they can act. So we are trying to streamline that process to make sure the operators can focus on fixing the incident first and only get supervision after the incident is actually gone.
This is our approach, as I said it's still being negotiated so there might be some small changes. Our proposal is scheduled to go to parliament within a month. I hope we make it, but it's an extremely difficult process, there are a lot of choices, policy choices, etc., also for our government, so we have to really convince them that we feel as a department that this is the right approach, we also have to convince the other departments since the Netherlands has a very decentralised responsibility framework, every sector has its own ministry, mostly, so yeah, we have got to work together and there are choices to make, difficult choices to make, but for us this seems to be in the long run the best solution. Any questions?
BRIAN NISBET: Thank you very much, that is perfectly clear, all of it. No. It's an interesting piece of ‑‑ interesting directive, certainly. So, let's start here, please.
AUDIENCE SPEAKER: I am here as private citizen for this question. With the privacy of the parameters of what qualifies as an incident, I assume you have worked with the essential services to define those requirements, so is there a concern that industry has had input into what an IR is but citizens that are impacted have no way to help define those parameters, isn't that sort of anti‑democratic a little bit?
NATHALIE FALOT: Yes, so to establish these requirements we have the process of working with the sectoral department, so for drinking water that would be with the ministry of environment and infrastructure, plus the ministry of justice and the operators themselves. So the ministry of justice has taken the role of going for the more critical approach, so the parameters shouldn't be too high, and, at the same time, the ministry that is responsible for that sector has its own responsibility there, so we will evaluate those parameters annually, probably, to look if they work, but we have had some experience with incidents so I feel that the parameters shouldn't be too high and I think that, by working together with the three groups, we might have a pretty good balance there.
MALCOLM HUTTY: From the London Internet Exchange LINX, and I am also with Euro‑IX which is an association of the European Internet Exchange point operators, who are listed as essential services in annex 2. First of all, thank you very much for your presentation which was very interesting. But one thing you did move quite quickly past was the identification of operators of essential services. So I have got some questions for you about that. Firstly, it says in the definition that an operator of essential services means an entity of the type referred to in annex 2 such as ‑‑ that is Internet Exchange points, which meets the criteria laid down in 5.2. Is it your understanding of that that they are separate qualifying criteria in Article 5.2, you have got to be both an operator of ‑‑ both an Internet Exchange point, for example, and also a particular ‑‑ an IXP that happens to meet the criteria in 5.2, or is it your view that everyone that is an Internet Exchange point, no matter how small, by definition meets what is said in 5.2?
NATHALIE FALOT: It's the first one. So the way we look at it, and we have checked this with the implementation process and also with how the NIS directive was negotiated, is that first you have to look at are you mentioned in annex 2, are you ‑‑ annex 2 has three columns, so you only have to look at the first two of them, the third is an example, but Internet Exchange points are mentioned in the digital infrastructure in the second column, so what we do is first we look are you an Internet Exchange point and then with regards to Article 5.2 you have got certain parameters and those will be combined with thresholds. So, the threshold has to be, you have to have a certain number of users, for example, and you have to have a certain potential impact on society, that is what we do with regards to identifying our current vital processes in the Netherlands, and those thresholds will also be used to identify the operators that are part of that process. So, not all drinking water companies will be essential or have to be essential; they also have to meet certain thresholds with regards to their importance to society.
MALCOLM HUTTY: If I may follow up, that is what I was hoping you were going to say. The criteria in 5.2 that talk about an incident would have dis ‑‑ significant disruptive effects on the provision of that service, that is your parameters there, so I was trying to understand in the context of an Internet Exchange point what service is being referred to: is it the service of that particular exchange point operator, is it the service of Internet Exchange provision within the Netherlands or the provision of Internet ‑‑ inter network interconnection within the Netherlands, or is it more generally the availability of accessibility and connectivity of Internet access in the Netherlands?
NATHALIE FALOT: I have got to admit I don't know, so what I have looked at is just the implementation of this piece of legislation. There are working documents on this on the, for example, we have Amsterdam exchange point so we have looked at them and to see which processes would have that impact, I am not part of that group.
MALCOLM HUTTY: But impact on what? Certainly for smaller Internet Exchanges they might think, well, clearly I am going to have an impact on the provision of my own service, the level of impact that I might have if I had a failure on the network operators in my country might be limited, and the impact that I might have on the actual end users might be zero. In those circumstances, would you be looking at saying, actually you are not going to have an impact on end users so you are not covered, or you have got some level of impact on network operators so maybe you are covered, we need to assess that and have a threshold. What ‑‑ which is the parameter applying to, essentially in legal terms when it says that service, which service is being referred to?
NATHALIE FALOT: It's the service that you offer, so I am not sure about Internet Exchange points but if we look at drinking water, we look at the safe and secure distribution of drinking water so the drinking water has to be safe, it has to be good water and it has to be distributed properly so everybody has to have access to that. It will be quite similar in Internet Exchange points, if you want I can connect you to the people that actually do the impact analysis for Internet Exchange points in the Netherlands, they might be able to answer your question better.
MALCOLM HUTTY: Given that there is a queue, I would love to take you up on that offer thank you.
Martin Swissy: Thank you very much for the presentation which shows the diversity of implementations within member states. I have two questions. The first is about the identification of specifically the operators of essential ‑‑ essential services. So one of them is, NIS and the other is operator of ccTLD or national so one assumes that not ‑‑ are involved in that ‑‑ now I said one condition, that is not ‑‑ what about the gTLDs and especially those which, with whatever threshold you will pick, are above the threshold, are they to be identified within each Member State or will they be sort of orphans or in a foreign country not within the European Union, and if not, it might have some imbalance of treatment between the national TLD operators and the others because in terms of competition the national TLD operators will have much more burden in terms of administrative things. And my second question is about a lovely thing coming in the same timeline which is the GDPR, if I haven't missed it, I didn't, so within your boxes actually ‑‑ if I understand correctly your implementation, maybe you will have three notifications in case of a security incident involving personal data, so did you think about that? How would the cooperation be with the personal data authority in your country, do you have any idea, maybe, to share here?
NATHALIE FALOT: With regards to your first question, the NIS directive states that the service has to be offered in the Member State, so to people in the Member State; it doesn't have to have its main establishment in that Member State. So in theory the legislation would apply to operators not being situated within that Member State but offering an essential service to that Member State. I am not sure how often it will apply, it could be for more the DNS kind of services. But if you offer your service in different Member States you will have the security notification requirement in all those Member States. That is something we have to look at at the EU level and the Cooperation Working Group is currently working on that.
Second thing is ‑‑
AUDIENCE SPEAKER: GDP R.
NATHALIE FALOT: You will have triple notification requirement in the Netherlands which is not new, we have ADO S regulations so for trust services, which also states you have notification requirement with the competent authority, the national body for network and information security and the supervisory for data personal data. What we say there is you have the notification requirement in all three ‑‑ to all three of those bodies, which is an EU regulation so within EU we already established that in certain incidents you will have to communicate with different bodies. In the Netherlands we have implemented that as well, but we have made an obligation for government to make a protocol in working agreements so what I said ‑‑ so you are not allowed to it or you are not supposed to be confronted with three authorities at the same time, each authority that is their own role in the process and should take their role at the right time so the CSIRT and supervisory authority and the data protection authority will have to make arrangements together to make sure that the process goes through.
AUDIENCE SPEAKER: Is one‑stop‑shop feasible solution?
NATHALIE FALOT: Is something that very heavily discussed in the Netherlands as well of course. There are reasons why we want it or not. One‑stop‑shop for supervisory authorities can work very well if you have different super authorities. The NCC has fought being part of that because of the confidentiality of the information but also because we feel that operators should be able to just come to us even if they are not sure if it's a required notification, yet it might be voluntary notification that then evolves into a bigger incident that falls under the requirement. One‑stop‑shop for supervisors I would applaud, I wouldn't make the CSIRT part of that.
AUDIENCE SPEAKER: Raymond, Finland. Did I miss something in your presentation about the coordination between these different groups, and especially about how to prevent these disasters in the future? Once they have happened, the document is brilliant, but are you going to do something to prevent them?
NATHALIE FALOT: That is with regards to the security requirement, so it takes into account preventative measures, to prevent incidents from happening, and then once an incident has happened, you also have to have measures in place to ensure continuity. Does that answer your question?
AUDIENCE SPEAKER: Yes.
AUDIENCE SPEAKER: Although Malcolm asked the question I was going to ask, I have one more. Could you please go to your very first slide. Not I have the RIPE number wrong.
AUDIENCE SPEAKER: I would like to ask you where you bought the time machine. Not I have got 47 instead of 74. Apologies.
BRIAN NISBET: From my own point of view, and this was raised, the fact that this is happening at the same time as the GDPR work is humorous, I think, at least, but it will certainly make a lot of work for everybody. And it's going to be interesting to see what comes out as people try to either define themselves, or specifically not define themselves, as critical infrastructures and operators within this, and I have particular sympathy for the British, who will have to do all of this and then stop doing all of this; every time I hear about a new EU regulation or directive it's oh...
Thank you very much.
(Applause)
So, that looks very much like AOB to me. Is there any? So in that case, and this is one of those moments where I thought this meeting might be less than an hour, but no, hey, still very much running to time. I would like to thank you all for your participation. I would like to remind you it's never too early to submit agenda items for RIPE 75. We will be talking more, and Tobias will be sending a mail to the mailing list in relation to some of the work we are doing with MAAWG on abuse desk documentation and things like that, which we are going to try and steal and file the serial numbers off and reuse for this community, or point this community at, but we will be talking about this on the mailing list at a later point in time. Thank you, and we shall hopefully see you all in Dubai in October. Thank you very much, have a good day.
(Applause)
LIVE CAPTIONING BY AOIFE DOWNES RPR
DOYLE COURT REPORTERS LTD, DUBLIN IRELAND.
WWW.DCR.IE