[Author’s note: As I write this in October, the second massive denial of service attack in two weeks threatening to take down significant sections of the internet has just ended. Could full implementation of Operation Safety-Net have prevented this? While technology on both sides – attackers and victims – is constantly evolving, I am forced to say yes, Operation Safety-Net could readily have helped. As my colleague, friend, and CAUCE Board member Kelly Molloy quipped just today, "this is why spam matters." Spam is a conveyance. Operation Safety-Net, the solution. For now. – NS]
The M3AAWG/London Action Plan (LAP is now called UCEnet)/CAUCE omnibus best practices document, titled Operation Safety Net – Best Practices to Address Online, Mobile, and Telephony Threats has been a boon to government, industry and end-users. And to be honest, to me personally.
The truth is that the complicated techno-jargon bandied around our industry too often serves to befuddle the audiences we most need to influence, and given this confusion, how are we to affect the foundational changes needed to secure the net infrastructure? Effectively cutting through this complexity, the 76-page report written by security experts from around the world was originally requested by the Organization for Economic Co-operation and Development in 2012, then updated in 2015.
As the lead author and shepherd André Leduc noted recently in his video accepting the 2016 M3AAWG JD Falk Award, "Translating our technical and engineering way of talking into plain language was probably the most important part of this work. We wanted to create a report that a security officer or an engineer could give to colleagues and management to help them understand cyber attacks and why their organizations might be targeted. We also wanted to make it easy for government policy makers in both the developed and developing countries, where they may not have much technical experience, to take action."
To make the information more accessible, the report, originally published in English, has been translated into French and Spanish, as well as localized in summary form in Japanese and Thai. That’s where I come in.
I was on the small team, along with former M3AAWG Vice Chairman Alex Bobotek and my long-time cohort CAUCE President John Levine, who presented the first iteration of the report to the OECD Consumer Safety Working Group in Paris. After that, the real work began. Everyone at M3AAWG knew about the document but that was kind of like preaching to the converted. We needed to get the document out into the rest of the world, to the users who were (and still are) blissfully unaware of the steps we all must take to batten down the hatches.
One of the most delightful things I get to do these days is speak and train in various parts of the world and Operation Safety-Net has been a foundational part of my materials since it was first published. I had the opportunity to facilitate inclusion of the document into the IGF’s Antispam Toolkit (although Operation Safety-Net deals with issues far more broad than "mere" spam) at the meeting in João Pessoa, Brazil. As well, through the help of the M3 Anti-Abuse Foundation, I presented the work to the African ISP association in Tunis, Tunisia, as well as to a group of law enforcement officials in Thailand.
Working with the M3AAWG member Team Cymru, CAUCE sent me to present in Santiago Chile, again to talk with law enforcement. Working with World Hosting Days, I put our work in front of hundreds of new and established hosting companies and registrars in Singapore and in Bangalore, India.
In November I travel to Japan, to lay out the groundwork to protectorates of critical infrastructure. Japanese power companies want to learn more, and better understand, how to protect themselves from simple vandalism, or – what could be far, far worse – attacks that could range to the point of being catastrophic.
By M3AAWG Award Co-Chair Neil Schwartzman (CAUCE)
The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.