Bill Woodcock wrote:
> One of PCH’s long-term efforts has been to encourage governments to
> restrict their use of offensive cyber attacks against civilian
> networks. We've successfully gotten that effort out of the U.N.,
> where it was floundering, and into a well-supported stand-alone
> commission. It’s being taken seriously by governments, and will be
> one of the main topics under discussion at the Global Conference on
> Cyberspace in Delhi next week.

couple of comments:

- the term "critical infrastructure" has a specific legal meaning in the European Union, and it may be a good idea to either change the terminology here or else make it clear that when the UN talks about "critical infrastructure", it will mean something different to what the European Union means.

- regarding IXPs specifically, there is little to no basis for categorising the vast majority of them as "critical" on the basis that if you turn an IXP off, or if it fails due to technical or administrative reasons, traffic will generally re-route somewhere else within BGP dead-time seconds and most people will probably not even notice. This isn't the case with some larger IXPs, but the vast majority of them can fail in service, you get a short blip, and life carries on.

> But that’s a distraction from the issue: do we think
> [hospitals|schools|the power grid|IXPs|root servers|whatever] should
> not be cyber-attacked by governments, or are we just fine with them
> being attacked?

- once organisations gain political protection status of one form or another, they also attract legal / regulatory obligations. So the question for e.g. IXPs should be reframed as: given that most IXPs are not in fact critical to the operation of the Internet in any meaningful sense of the word (i.e. the world can continue on without them), is the attraction of gaining a mention on a UN declaration worth the cost of the regulatory obligations that will inevitably ensue?

Nick
