The Internet pioneer

A headstrong woman behind Internet security

Anne-Marie Eklund Löwinder is one of Sweden's foremost IT experts and, by her own account, a real nerd when it comes to the issue closest to her heart: encryption. As a crypto officer, she is one of the world's seven most important internet watchdogs. Twice a year, she participates in a process where new keys are created, under rigorous security, to protect the Internet's address register, DNS, in the network's root zone (Note 1). But above all, Eklund Löwinder has fought for over 20 years for a democratic, open and secure network, since 2001 as head of security at the Internet Foundation. Read Anne-Marie Eklund Löwinder's views on the network she fights to protect below.

At the end you can see who she hands the RELAY over to!

What do you think was the most interesting thing that happened in Sweden around the turn of the millennium?

"The IT Commission did an incredible number of things during the period around 1999/2000. Among other things, we tried to help authorities and companies to procure internet services. At that time, organizations and companies had no real idea of what they were buying, what was included and what the service would be able to do. There were few who could make demands based on their needs. We wrote a general requirements specification together with the Swedish Agency for Public Management. It was a great activity, which I thought was important.

In 1999, the IT Commission presented its proposal for a future-proof IT infrastructure for Sweden. We proposed that Sweden should build a comprehensive fiber network. A redundant chicken net with a mosquito net laid on top of it, where each municipality would be responsible for digging down fiber so that it finally covered the whole country. This would give operators the freedom to build with the technology they wanted. It turned out that we were out too early; no one understood our recommendations. The consequence is that today we do not have the infrastructure we could have had if we had built as proposed. The basic infrastructure, i.e. cables in the ground, is today not sufficient to secure a robust network. We will have to live with interruptions precisely because we do not have the redundancy we would need. I think that is a very big and unresolved issue. We cannot sit back and believe that Sweden is finished. Digitization generates large amounts of traffic in the network and we need a robust and well-functioning infrastructure so we can take care of that traffic. Long ago, all LAN networks were provider-specific and could not talk to others outside their own network. During the 80s, the IP protocols broke through, which meant that we got a common communication infrastructure. It was a major breakthrough."

What do we need to do better?

“Above all, we need to increase capacity, redundancy, i.e. to open up several alternative routes so that you do not end up dependent on individual links. At the IT Commission, we had the ambition that all groups of properties with more than 50 households would have a separate connection to the municipality's two fiber centers in order to create a technical environment where an interruption would not have major consequences. But then no one listened.”

What happened to IT around New Year 2000?

“Around the turn of the millennium, there was an incredible hype and a huge hysteria about the possible chaos that a millennium change could entail. We who sat in the same corridor as the "2000 delegation" had the discussions close to us, at the same time as we ourselves worked with internet-related issues. The experts said that "nothing will happen. The Internet is built to handle things like this." What many were probably most afraid of was that programs had not been coded correctly, so that things would stop working. Suddenly, programmers became the most sought-after skill in the entire world. Even if nothing happened, we should not underestimate the concern. It is difficult to know in retrospect what would have happened if no one had done anything. That question remains unanswered. After all, it is better to be prepared than to just keep your fingers crossed.”

How do you view the so-called IT bubble?

“It is called the IT bubble, but it was not an IT bubble, it was just a number of young IT entrepreneurs with deficient business models without consequential thinking, even if there were some exceptions. It was very immature but at the same time the optimism was fantastic. Everything was to be done, money could be made on everything, and one business idea was wilder than the other. Some survived, others did not. Many learned a lesson when it crashed. There are plenty of parallels to be found in history: the stock market crash on Wall Street, or the Kreuger crash and all the way back to the Baroque tulip war, where the value of tulip bulbs was inflated to unreasonable proportions to later plunge.”

What do you think are the biggest threats and challenges of digitalisation?

“It is not possible to put your finger on an individual threat because there are many interacting factors that must be taken into account. Information security is made up of four cornerstones: accuracy, accessibility, confidentiality and traceability. Depending on which cornerstone is most important, the threat is different. For example, if you have something that must always be reachable, accessibility is most threatened. Right now during the pandemic, it is an important issue because many work from home and connect to the company's network. If, on the other hand, the greatest risk is that something leaks, the requirements for confidentiality are important and then you must protect yourself against it. You must take an inventory of what you have that is worthy of protection, in order to be able to identify threats and then be able to assess risks and what action to take.

Taken together, the biggest threat today is that many have not fully understood how much is digitized, but also that we humans have no real perception of risk. After several thousand years, we have learned to duck and run away if someone throws something at us. That is about as far as humanity has come when it comes to predicting risk in a longer perspective. We're lousy at it. That is why we need a methodology when it comes to the internet and digitalisation, and that mature people gather and talk. At the Digitization Council, we released a publication in November 2020 in which we take a closer look at these things. (Note 2)”

What do you mean by the lack of sensible tools for risk analysis?

“A big difference from before is that in the past it was important to keep the information inside the walls of the organization and take measures so that it could not come out. Today, it is important that the information can be distributed to everyone who needs it, to the device they need at the time and to the place where they need it. It is a completely different approach. The fact that it is difficult to handle classified information is probably mainly due to the lack of sensible tools and clear guidelines.”

In which layers should we think security?

“We humans trust that the internet is there and works; we have no backup plan if BankID should go down for a longer period of time or if Swish should stop working. We have become dependent on services which, if they were to fall away, would cause quite serious strain on society if it were to last for a long time. We will not be able to prevent bad things from happening; security leaks and major interruptions are everyday events. We also use connected gadgets at home without giving a thought to security. The network itself has very little intelligence in it. It is in the use and the end system that most of the security should lie. It must be required that you have security by design / by default in the services and products that are developed. We know from experience that the infrastructure itself is very resilient and can be redirected so that there is another path for traffic. But of course it is possible to attack and bring the Internet to its knees a bit.”

You are passionate about a democratic internet. Do you think we can continue to have an open network?

"I hope the Internet can continue to be a global phenomenon. We are too small a market to be able to develop new services ourselves; it is in the service warehouse that the innovations take place. Then you can distance yourself from the internet for political reasons, but I do not think it lasts in the long run. If, for example, a regressive military government says to shut down the internet and goes to its ISPs and threatens them with weapons, there is not much they can do about it other than obey. The situation would have been the same even if it was electricity. According to the addition to the UN Declaration, everyone should be able to retrieve information and express themselves freely also online. Some states were against this; for some states it was a threat and, moreover, not everyone in the world has access to the Internet. 'Is it possible to turn off the internet?' was a question I was asked some time ago. The network is built not to be shut down, but residents' access to services can be restricted in a variety of ways: censorship, surveillance, and even by screwing up the legislation. These are difficult questions and cannot be accessed with the help of technology. Ethical issues are also important. Both Google and Facebook have helped filter content because they are more eager to make money than to have ethical dignity. Just as the sun shines on both the evil and the good, the Internet can be used by both good and evil forces. Today, criminals are trying to attack the Internet's infrastructure."

Do you remember what you did on New Year's Eve at the turn of the millennium?

"I was cool and knew nothing would happen," concludes Anne-Marie Eklund Löwinder with a laugh.

 

The relay continues

Anne-Marie Eklund Löwinder hands over the Waystream relay to Patrik Fältström, technical and security manager at Netnod and asks him:

"In a high-profile article, Microsoft writes that they believe that the Geneva Conventions do not cover the IT and cyber field. They think that type of document is needed. Do you agree that we should have more writings that protect civilians from state-sponsored cyber attacks in peacetime?"

Read Patrik Fältström's answer in the next installment of the Waystream relay.

Note 1: DNS, the Domain Name System, is simply put a way to simplify addressing in systems that use IP addresses, for example the Internet. For a computer, an address for a web page consists of an IP number, for example 194.15.212.181. Since it is almost impossible for us humans to remember that type of address, we use names in text format. Therefore, a system is needed to translate those names into IP addresses.

Note 2: https://digitaliseringsradet.se/media/1341/slutgiltig_digitaliseringsradet_rapport_radet_reflekterar.pdf

NOTE! The charming movie (in Swedish) "The Key to the Internet" can be seen here: https://www.internetmuseum.se/tidcslinjen/ny-film-tar-oss-in-i-internets-hjarta/