CableLabs Co-Chairs New M3AAWG AI Committee

M3AAWG Anti-Abuse Working Group

Kyle Haefner
Principal Security Architect

Andy Dolan
Senior Security Engineer

Feb 15, 2024

Key Points

  • M3AAWG has formed the AI Committee to proactively address challenges posed by the increased use of artificial intelligence in online abuse.
  • Addressing AI-powered abuse, the committee will study abusers' tactics and develops best practices to mitigate the impact of spam, phishing, fraud and online harassment.
  • Actively tracking and advocating for responsible AI development policies, efforts are directed towards enhancing AI system security and ensuring lifecycle protection against cyber threats.

The sudden rise of highly capable artificial intelligence (AI) has brought immense opportunities for beneficial innovation and advancement. However, alongside its benefits, AI also presents unique challenges concerning online abuse and threats to security and privacy. Recognizing the urgency of addressing these issues, the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) has taken a proactive stance by forming a dedicated AI Committee. The M3AAWG AI Committee, co-chaired by CableLabs, underscores M3AAWG’s commitment to fostering a safer and more secure online environment for users worldwide.

Tackling Abuse Facilitated by AI Systems

One of the primary objectives of the M3AAWG AI Committee is to address the growing concern surrounding malicious actions facilitated by AI systems. To bolster spam and phishing attacks, fraud, and online harassment, nefarious actors are increasingly leveraging AI-powered tools to amplify and accelerate their harmful activities. By studying the tactics employed by abusers and evaluating countermeasures, the committee aims to develop best common practices to help mitigate the impact of AI-facilitated abuse on individuals and organizations alike.

Public Policy and AI Abuse

The landscape of AI policy is in varying stages of development, with governmental and intergovernmental bodies around the globe proposing and enacting their own models of regulation and oversight. These efforts include the recent Executive Order in the United States aiming for "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence," and the European Union’s proposed AI Act establishing stricter regulations for high-risk applications. The M3AAWG AI Committee is establishing an initiative to track policy developments and advocate for public policy promoting responsible and secure AI development.

Best Common Practices for Securing the AI Lifecycle and AI Systems

As AI technologies become more pervasive across various sectors, they also become prime targets for cyberattacks and exploitation. Vulnerabilities in AI algorithms and frameworks can be exploited to manipulate outcomes, compromise data integrity, and undermine trust in AI-driven solutions. In addition to combating malicious use, the M3AAWG AI Committee is focused on enhancing the security of AI systems and the AI lifecycle from training to deployment of AI models through the development of best common practices.

Harnessing AI to Counter Abuse

Although AI has been weaponized for nefarious purposes, it also holds immense potential as a tool for combating abuse and safeguarding online ecosystems. The M3AAWG AI Committee recognizes this dichotomy and is exploring innovative ways to harness AI for good. From proactive content moderation and anomaly detection to sentiment analysis and behavioral profiling, AI technologies offer many possibilities for enhancing online safety and security. By developing AI-driven solutions for detecting and mitigating abuse in real-time, the committee aims to empower service providers, platforms, and other stakeholders in their efforts to combat online threats effectively.

Why M3AAWG: Collaboration and Engagement

M3AAWG recently celebrated 20 years of combating online abuse and making the internet a safer place. The last 20 years of combating spam, malware, DDoS and many other forms of abuse has only been possible through collaboration and engagement with industry leaders, academic institutions, government agencies, and advocacy groups. The M3AAWG AI Committee will leverage and build upon these relationships within the unique trusted forum of M3AAWG to address the complex challenges posed by AI-driven abuse and innovate towards AI-enabled solutions. Through open dialogue, knowledge sharing, and collaborative initiatives, the M3AAWG AI Committee aims to foster a community-driven approach to combating online abuse and promoting responsible AI usage.

Looking Ahead: The Next 20 Years

As AI continues to evolve at a rapid pace, the importance of proactive measures to address its implications for online abuse and security cannot be overstated. With the establishment of the AI Committee at its 60th meeting in San Francisco this February, M3AAWG has taken a significant step towards addressing these pressing issues head-on. By leveraging collective expertise and resources, the committee is poised to drive meaningful progress in safeguarding the digital landscape against emerging threats.

Stay tuned for updates and insights from M3AAWG as we continue our journey towards a safer digital future, and please consider joining M3AAWG and the AI Committee to do your part.



Cybersecurity Awareness Month and Beyond: How We’re Safeguarding Network Integrity  

Cybersecurity Awareness Month

Massimiliano Pala
PKI Architectures, Director

Yuan Tian
Security Engineer

Darshak Thakore
Principal Architect

Kyle Haefner
Principal Security Architect

Oct 10, 2023

In the digital age, cybersecurity is the first line of defense against an ever-expanding and continually evolving array of threats. The increasing sophistication of cyber threats and a deepening dependence on interconnectivity have elevated cybersecurity technologies from a peripheral consideration to a critical priority.

October is Cybersecurity Awareness Month, but safeguarding digital integrity is a year-round commitment for CableLabs. In our Security Lab, we work to identify and mitigate threats to the access network. We proactively develop innovative technologies that make it easier for internet users to protect their digital lives.

Let’s take a look at some of the CableLabs technologies that are enhancing network security and reshaping the way we protect ourselves online.

DOCSIS 4.0 Security

The new DOCSIS® 4.0 protocol is another promising chapter in the successful life of hybrid fiber coax (HFC) networks, and it brings with it notable security enhancements to the broadband community.

It’s important to note that DOCSIS 4.0 cable modems (CMs) are compatible with existing DOCSIS 3.1 networks. This allows the CMs to take advantage of higher speed tiers even without needing to upgrade the network at the same time. To fully leverage the new upstream bandwidth efficiency and security features of the protocol, both modems and cable modem termination systems (CMTSs) need to support DOCSIS 4.0 technology.

Another key security-enhancing element of the technology is that DOCSIS 4.0 networks come with upgradable security. The technology continues to support the Baseline Privacy protocol (BPI+ V1) used in DOCSIS 3.1 specifications. It also integrates the new version that can be enabled as needed (BPI+ V2).

The new version introduces mutual authentication between devices and the network, eliminates the dependency on the Rivest Shamir Adleman (RSA) algorithm and implements modern key exchange mechanisms. This change enhances device authentications with Perfect Forward Secrecy and cryptographic agility and aligns DOCSIS key exchange mechanisms with the latest Transport Layer Security (TLS) protocol, v1.3.

Further upgrades include enhanced revocation-checking capabilities with support for both Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) in DOCSIS 4.0 certificates. DOCSIS 4.0 also introduces standardized interfaces for managing edge device access (SSH) aimed at limiting the exposure of corporate secrets (e.g., technicians’ passwords) and incorporates a Trust on First Use (TOFU) approach for downgrade protection across BPI+ versions.

Ultimately, the new DOCSIS 4.0 security is designed to provide several options for network risk management. These features include new speeds and capabilities that can be utilized alongside today’s security properties and procedures (e.g., BPI+V1 with DOCSIS 3.1 or DOCSIS 4.0 CMTSs) and advanced protections when needed.

Matter Device Onboarding

Passwords are meant to be secret, so why are users sharing them with all of their Internet of Things (IoT) devices? At CableLabs, we’re working to make it easy for end-users to add devices to their home networks without needing to share a password with every device.

Because so many devices are communicating with one another, standardization is critical — especially when it comes to security. That’s where Matter comes in. The open-source connectivity standard is designed to enable seamless and secure connectivity among the devices in users’ smart home platforms.

Our vision is for each device to have its own credential to get on the Wi-Fi network. The access point (AP) would use this unique credential to grant the device access to the network, and the device then would verify the AP’s credential. This has three incredibly significant advantages for subscribers:

1. It vastly increases the security of the home network. This is because a compromised device cannot divulge a global network password and lead to a compromise of the entire network.

2. It’s possible to leverage the device attestation certificate that comes with every Matter device to inform the network that it’s a verified and certified device.

3. There's no need to reset every single device on the network if the Wi-Fi password is changed.

Join us for a demonstration of Matter at SCTE® Cable-Tec Expo®, which is October 17–19 in Denver, Colorado. Come see us in CableLabs’ booth 2201 to see the future of networked IoT devices and how scanning a QR code can get a device on a network with its own unique credential.

CableLabs Custom Connectivity for MDUs

One of the fastest-growing market segments for broadband providers worldwide is the multi-dwelling unit (MDU) segment. The opportunities here include fast-growing apartment communities, as well as segments such as emergency/temporary housing, low-cost housing, the hospitality and short-term rental markets, and even emergency services.

A common theme across these is the need for an alternate deployment model that allows on-demand service activation and life-cycle management, as well as custom connectivity to various devices. The traditional deployment model of installing customer premises equipment (CPE) on a per-subscriber and/or per-unit basis has hindered operators in delivering services to these segments in a cost-effective manner.

The CableLabs Custom Connectivity architecture is designed to address these constraints by providing dynamic, on-demand subscription activation and device-level management to consumers across the operator’s footprint — without the need to deploy a CPE. The architecture leverages the security controls and mechanisms designed within the CableLabs Micronets technology to provide dynamic, micro-segmentation-based subscription delivery where a subscriber’s devices can connect to their “home subscription” from anywhere on the network and across different access technologies (Wi-Fi, cellular, etc.).

Additionally, it provides consistent operational interfaces for device authentication and service provisioning, as well as billing and subscription management interfaces to enable on-the-fly subscription activation and management.

Safer Networks, Empowered Users

The importance of proactive cybersecurity measures can’t be overstated, and these cutting-edge technologies are proof of CableLabs’ ongoing commitment to enhancing network security. These innovations not only make our networks safer, but they also empower users to take charge of their own online security.

By staying at the forefront of cybersecurity advancements, CableLabs continues to ensure we can all navigate the digital world with greater confidence and peace of mind.



Securing IoT Networks: NCCoE and CableLabs Collaborate to Develop Trusted Onboarding Solution

Securing IoT Networks: NCCoE and CableLabs Collaborate to Develop Trusted Onboarding Solution

Kyle Haefner
Principal Security Architect

May 9, 2023

Billions of Internet of Things (IoT) devices have been added to the internet over the past several years. During that time, millions of insecure IoT devices have contributed to massive Distributed Denial of Services (DDoS) attacks, exposing end users’ private data. To address the problem of insecure IoT devices, CableLabs participates in and contributes to several industry standards development organizations with the goal of building security into the very foundation of new devices and IoT protocols. This work culminates in the release of Matter 1.0, a secure interoperable IoT specification that major industry players are rapidly adopting.

Secure IoT Onboarding

The next critical challenge in enhancing IoT security is to extend interoperability between devices and the networks that connect them. Smart-home networks must be able to facilitate the addition of new devices, validate devices that are connected, help ensure that those devices are fully patched and updated, and safely isolate them if they’re vulnerable.

The next generation of smart-home networking begins with connecting the devices securely the first time. It’s no longer sufficient or secure to ask that consumers share their Wi-Fi password with every device on their smart home network. The network must be smart enough to give each device its own credentials to connect to the network. Crucially, the process for adding (also called onboarding) a device to the smart home network must be simple, seamless and secure.

Industry and Government Collaboration

To address this challenge, CableLabs has joined the National Cybersecurity Center of Excellence (NCCoE) Trusted Device Network-Layer and Lifecycle Management. CableLabs and 10 other companies have been collaborating to develop a reliable network-layer onboarding solution for all IoT devices. This solution leverages established non-proprietary standards and protocols, offering secure onboarding while providing device identification, authentication and authorization. This project covers the following objectives:

  • Provide the device with unique network credentials that can be updated securely and automatically, allowing the network to authenticate the device and eliminating the need for a shared password across all IoT devices.
  • Employ a secure network-layer protocol to facilitate the secure and automatic provisioning of devices with both network and application-layer credentials for connecting with other devices and the cloud.
  • Demonstrate successful interoperability between devices built and configured by participating industry collaborators.

Streamlining the User Experience

CableLabs’ contributions to the Trusted Device Network-Layer and Lifecycle Management project harness the simplicity of Wi-Fi Easy Connect from the Wi-Fi Alliance, the secure interoperability of IoTivity from Open Connectivity Foundation and the powerful technology behind CableLabs’ Micronets to create a secure and streamlined process that allows users to onboard, provision and secure devices on their smart-home networks in a single intuitive step.

CableLabs’ involvement in the Trusted Device Network-Layer and Lifecycle Management project underscores its commitment to advancing IoT security and developing best practices for secure and effortless device onboarding. By collaborating with other industry leaders, CableLabs aims to promote the adoption of secure IoT technologies and ensure that consumers have access to reliable and user-friendly solutions for managing their connected devices.

A draft of this work can be found at NIST Special Publication (SP) 1800.



With Great Bandwidth Comes Great Responsibility

With Great Bandwidth, Comes Great Responsibility.

Kyle Haefner
Principal Security Architect

May 5, 2020

Cable's next generation, 10G networks, holds the promise to deliver symmetrical multi-gigabit speeds that are 100 times faster than what some consumers are currently experiencing today. This great leap forward will enable services and experiences that will drive internet innovation for years to come. It is our mutual responsibility to assure that devices we connect to these blazing 10 gigabit internet connections, are updated and patched, free from default passwords and use proper authentication and authorization.

The lack of following basic cyber-security principals surfaced in the late Fall of 2016, when many popular sites such as Twitter, Amazon, Reddit and Netflix, were unreachable for several periods, lasting hours. The cause was a massive distributed denial of service (DDoS) attack coming from hundreds of thousands of compromised internet of things (IoT) devices. Traffic from these devices overwhelmed the DNS service provider and effectively blocked customers and users from reaching these popular Internet locations for hours at a time.

As we approach a world where households are connected at gigabit and greater speeds, building secure devices and getting them in the hands of consumers is essential. Over the last several years CableLabs has been engaged with standard organizations such as, the Consumer Technology Association (CTA) and the Open Connectivity Foundation (OCF), to draft specifications and guide security baselines for IoT devices. This work has culminated in the release of OCF's international ISO\IEC specification for IoT interoperability.

The OCF specification brings together over 450 member companies and work that spans half a decade to apply cyber-security best practices to the IoT. This specification, combined with an open source reference implementation, seven approved global testing and certification labs and an active community of practitioners and member companies (from device vendors, network device venders and network operators), is uniquely positioned to be the secure standard that unites the industry.

With the OCF specification a consumer can buy a certified device from Vendor A and be confident in the knowledge that not only will it work with their certified appliance from Vender B, but it will do so in a way that is encrypted and authenticated. OCF can work with many cloud services but does not inherently need the cloud, promising consumers a good balance between the convenience of the cloud and the privacy and availability of their local networks.

The OCF specification's security-first approach brings it into close alignment with several of the security guidelines from government and industry, including:

OCF mapping of Security Baselines

Figure 1: OCF mapping of Security Baselines

The road ahead for 10G and IoT is bright. Ultra-fast networks and connected devices have the potential to change every aspect of daily life, making our surroundings aware and interactive to our presence and able to predict and adjust to our needs. Work, entertainment and social interaction will happen whenever and wherever we are, dynamically and organically. Education and healthcare will be forever changed as sensors and ubiquitous devices allow us to interact in ways never before possible. Yes, the future is bright, but it also must be secure.

Learn More About 10G Security