All posts by Zaid Zaid http://blog.cloudflare.com/author/zaid-zaid/

A return to US net neutrality rules?

Post Syndicated from Zaid Zaid http://blog.cloudflare.com/author/zaid-zaid/ original https://blog.cloudflare.com/a-return-to-us-net-neutrality-rules


For nearly 15 years, the Federal Communications Commission (FCC) in the United States has gone back and forth on open Internet rules – promulgating and then repealing, with some court battles thrown in for good measure. Last week was the deadline for Internet stakeholders to submit comments to the FCC about their recently proposed net neutrality rules for Internet Service Providers (ISPs), which would introduce considerable protections for consumers and codify the responsibility held by ISPs.

For anyone who has worked to help build a better Internet, as Cloudflare has for the past 13 years, the reemergence of net neutrality is déjà vu all over again. Cloudflare has long supported the open Internet principles that are behind net neutrality, and we still do today. That’s why we filed comments with the FCC expressing our support for these principles, and concurring with many of the technical definitions and proposals that largely would reinstitute the net neutrality rules that were previously in place.

But let’s back up and talk about net neutrality. Net neutrality is the principle that ISPs should not discriminate against the traffic that flows through them. Specifically, when these rules were adopted by the FCC in 2015, there were three bright line rules: (1) that ISPs cannot block subscribers from reaching legal content, applications or services, (2) that ISPs cannot throttle subscribers’ access to content, putting some content in a “slow lane”, and (3) that ISPs can’t engage in “paid prioritization” which means charging websites and services for special access to their subscribers.

Net neutrality has a long history. In 2010, the FCC passed the first set of open Internet rules which were: (1) no blocking; (2) no unreasonable discrimination; and (3) transparency rules. In 2014, after a lawsuit from Verizon, the D.C. Circuit Court invalidated some of the 2010 rules, saying that if the FCC wanted to have these rules, it needed to treat ISPs as “common carriers.” (A common carrier is an entity that offers its services to the general public and will provide its services to anyone willing to pay the fee.) In 2015, the FCC did exactly that: it reclassified ISPs as common carriers, and instituted rules which we now know as net neutrality protections. In 2017, the FCC reversed course and repealed the rules. Now, the FCC again wants to reinstate them. It’s a dizzying chain of events.

And all the while, the Internet has carried on. For most Americans, net neutrality principles are reasonably uncontroversial — surveys show that more than 80% of Americans support them. And for all the lawsuits and regulatory ping-pong, in our view ISPs have largely followed these principles. The Internet has worked and is working.

What is broadband Internet?

In the same way that the delivery of Internet service hasn’t changed much, the underlying rationale for the net neutrality rules hasn’t changed. Broadband Internet is more critical than ever for our day-to-day lives, with more of our healthcare, work, education and entertainment happening over the Internet. Now, as then, ISPs are likely to have a monopoly on how subscribers reach the Internet – there’s only one path in and out of most people’s homes over the Internet, and even where consumers have a choice, they often face onerous switching costs. The FCC is ensuring there are rules for that road by defining the requirements that ISPs are obliged to fulfill.

In late September, the FCC released a public draft of its Notice of Proposed Rulemaking (NPRM) on net neutrality and gave the public about 3 months to review it and submit comments to the agency. The current NPRM asks what has changed about the Internet since 2015, whether the original principles are still the right ones, what should be the definition of an ISP, and many other things. The net neutrality principles proposed by the FCC will be familiar to net neutrality advocates, who have campaigned for similar ideas for years. As always, at Cloudflare we want consumers to have full access to legal content and services on the Internet.

What has changed – or at least become more complicated – is all of the various services that consumers and businesses use on the Internet. At Cloudflare, we know this well because we offer many of these services. We offer a content delivery network that protects and accelerates website delivery to consumers. We have a developer platform that developers use to deploy their code all across the world. And we have a platform that offers large businesses the ability to securely connect their offices and employees. Of course, we’re not alone. The ability of the Internet to foster permissionless innovation is unmatched.

For all the innovation (and some quite complicated services) flowing across the Internet, the ISPs that would be subject to these rules are, in our view, easy to define. In FCC terminology, an ISP is a provider of Broadband Internet Access Services (“BIAS”). As the FCC proposes to define it, a BIAS service is a mass-market Internet service which consumers purchase with the expectation they can reach the whole Internet. One of the main things we said to the FCC in our comments boils down to “you know a BIAS service when you see one.” Once we have a simple definition of BIAS service, we’ve also established that everything else is not BIAS.

As we said in our comments to the FCC:

[The FCC’s] historic definition identifies two primary characteristics of BIAS: (1) “a mass-market retail service” that (2) “provides the capability to transmit data to and receive data from all or substantially all internet endpoints.” The proposed definition of BIAS places the focus where it belongs: the ability of Internet end users to reach and interact with all Internet destinations without interference from their BIAS provider.

Interconnection and traffic exchange between networks

The interconnection section of the FCC’s proposed rules is also worthy of attention. Interconnection is how networks send data to one another on the Internet. Cloudflare is one of the best connected networks in the world (we’re directly connected to over 13,000 other networks, and are present at nearly as many Internet exchanges as any other network) so we know this topic well.

To give a very brief overview of the way interconnection works, assume a user on the network of ISP A requests cloudflare.com in their browser. That request goes out from the subscriber’s home through the ISP’s network. At some point it will reach an interconnection point, which is a data center where lots of networks connect together. If the ISP network and the content network (in this example it’s Cloudflare, since they are requesting cloudflare.com) directly connect (called “peering”) then the request will pass to Cloudflare and Cloudflare will respond, delivering back the HTML, JavaScript, images, and everything else that makes up a website.

Maybe the ISP and Cloudflare aren’t peered directly, but if they are both members of the same Internet Exchange, traffic could be exchanged there. Or, if neither of those is an option, the ISP and Cloudflare might exchange data through an IP transit provider, a third-party network that gets paid to deliver traffic on their behalf.

Interconnection is relevant to the FCC’s net neutrality proceeding because an ISP makes a representation to their subscriber that the subscriber can access the whole Internet, and the ISP needs to make interconnection arrangements to make good on that representation.

What the FCC is proposing is that ISPs would be required to make interconnection arrangements as part of their responsibility to deliver the whole Internet to their subscribers without blocking, throttling, or paid prioritization.

Beyond the representation that ISPs make to their subscribers, the FCC is not proposing to directly impose rules on interconnection. Instead, the FCC is proposing to adopt a “watch, learn, and act as required” case-by-case approach to interconnection challenges. Interconnection disputes between ISPs and content and service providers have happened. Famously, in 2014, Comcast and Netflix didn’t have enough interconnection capacity and thus Comcast subscribers trying to watch Netflix were subject to lots of buffering and a generally bad experience. But they worked it out between themselves. Similar disputes in the United States have been rare since.

Both from the Comcast-Netflix instance, and other issues we see internationally, we know interconnection disputes can arise, and they can affect users. For example, we’re currently monitoring interconnection in Germany, where users on one of the largest networks have had trouble reaching normal websites like GitHub, or just browsing the Internet. It’s likely those issues are caused by insufficient interconnection capacity.

While we don’t have this type of interconnection issue in the United States currently, under the proposed rules the FCC would be set up as an arbiter of last resort for disputes in the United States. With this approach, hopefully we would be able to avoid the type of issues we’re seeing in Germany. And if ever consumers’ Internet experience was being harmed by the interconnection policy of any network, the FCC could adjudicate the matter.

It has been eight years since net neutrality rules were passed in the United States, and six years since they were repealed. During that time the Internet has kept growing. If the FCC does reinstate net neutrality rules, we’re hopeful they will be common sense rules of the road for ISPs, making official the already-widely-followed principles of a free and open Internet.

Don’t Let the Cyber Grinch Ruin your Winter Break: Project Cybersafe Schools protects small school districts in the US

Post Syndicated from Zaid Zaid http://blog.cloudflare.com/author/zaid-zaid/ original https://blog.cloudflare.com/project-cybersafe-schools-update


As the last school bell rings before winter break, school districts should keep in mind that schools can become particularly vulnerable to cyberattacks during the break, as reduced staff presence and extended downtime create an environment conducive to security lapses. Criminal actors make their move when organizations are most vulnerable: on weekends and holiday breaks. With fewer personnel on-site, routine monitoring and response to potential threats may be delayed, providing cybercriminals with a window of opportunity. Schools store sensitive student and staff data, including personally identifiable information, financial records, and confidential academic information, so the consequences of a successful cyberattack can be severe. It is imperative that educational institutions implement robust cybersecurity measures to safeguard their digital infrastructure.

If you are a small public school district in the United States, Project Cybersafe Schools is here to help. Don’t let the Cyber Grinch ruin your winter break.

The impact of Project Cybersafe Schools thus far

In August of this year, as part of the White House Back to School Safely: K-12 Cybersecurity Summit, Cloudflare announced Project Cybersafe Schools to help support eligible K-12 public school districts with a package of Zero Trust cybersecurity solutions — for free, and with no time limit.

The response from school districts across the United States exceeded our expectations. We have had inquiries from over 200 school districts in over 30 states and Guam. Over the past few months, we have onboarded dozens of qualifying school districts into the program. As a result, over 60,000 students, teachers, and staff are protected by Cloudflare’s cloud email security to protect against a broad spectrum of threats including Business Email Compromise, multichannel phishing, credential harvesting, and other targeted attacks. These school districts are also receiving protection against Internet threats with DNS filtering by preventing users from reaching unwanted or harmful online content like ransomware or phishing sites. There are more than 9,000 small public school districts across the United States with fewer than 2,500 students. All of those school districts are eligible for Project Cybersafe Schools (for free, and with no time limit — see below for all the details), and we want to help as many as possible.

Since we launched the program, the White House has continued to amplify awareness around the risks for schools as well as the opportunities school districts have to protect themselves. Cloudflare hosted a series of live onboarding sessions at the start of the program and also created a Cybersafe School Resource Hub for school districts to learn more about the program and submit an inquiry.

What our participants are saying about the program

Here’s what a few Project Cybersafe Schools participants have to say about the impact of the program on small school districts.

“Project Cybersafe Schools has been incredibly helpful, especially for school districts with smaller enrollments, to provide resources, tools and information that otherwise might be out of grasp. Often, these smaller districts have individuals with many responsibilities and cybersecurity may not always be at the forefront. The tools Cloudflare offers as part of the White House focus to strengthen Cybersecurity across the K-12 spectrum allow us greater visibility into the threats experienced through E-Mail as well as protect our devices by layering DNS-based filtering on top of our existing environment to protect against threats that may come through via ransomware or phishing sites. Being able to leverage multiple layers of security helps us be more robust in protecting our student and teacher devices and ensure our learning environment is successful, safe and productive in the current digital landscape.”  
Randy Saeks, Network Manager, Glencoe School District 35, Glencoe, Illinois

“Quitman School District was excited to add another layer of security for our staff and students with Cloudflare Project Cybersafe Schools. Living in a low income, rural community, we were grateful for the opportunity to add a world-class free service to our school’s network architecture. Partnering with Cloudflare allowed us to continue to modernize and strengthen our security measures and protect our staff and students from a wide variety of threats. This implementation was quick and easy, and we were ecstatic that there was no expiration date for this service.  We were amazed to see that Cloudflare caught nearly 4,000 malicious emails in the first month of implementation!  We are confident that Cloudflare will continue to keep our district and infrastructure safe from harmful threats.”
Matt Champion, Technology Coordinator, Quitman School District, Quitman, Mississippi

What Zero Trust services are available?

Eligible K-12 public school districts in the United States will have access to a package of enterprise-level Zero Trust cybersecurity services for free and with no time limit – there is no catch and no underlying obligations. Eligible organizations will benefit from:

  • Email Protection: Safeguards inboxes with cloud email security by protecting against a broad spectrum of threats including malware-less Business Email Compromise, multichannel phishing, credential harvesting, and other targeted attacks.
  • DNS Filtering: Protects against Internet threats with DNS filtering by preventing users from reaching unwanted or harmful online content like ransomware or phishing sites and can be deployed to comply with the Children’s Internet Protection Act (CIPA).

Who can apply?

To be eligible, Project Cybersafe Schools participants must be:

  • K-12 public school districts located in the United States
  • Districts with up to 2,500 students

If you think your school district may be eligible, we welcome you to contact us to learn more. Please visit our Project Cybersafe Schools Resource Hub.

For schools or school districts that do not qualify for Project Cybersafe Schools, Cloudflare has other packages available with educational pricing. If you do not qualify for Project Cybersafe Schools, but are interested in our educational services, please contact us at [email protected].