November 2024 | Washington DC
Executive Summary
The Internet Resiliency Workshop brought together over 30 experts to examine critical challenges facing Internet infrastructure resilience. A Marconi Society Internet Resilience Institute initiative, the workshop’s objective was to discuss the resilient Internet we all want, and how to get there. The gathering was held under the Chatham House Rule, with the exception that participants can be identified, though no attributions are to be made to individuals or entities.
The Internet’s fundamental technical architecture continues to provide a solid foundation. However, discussions identified areas for ongoing refinement and strengthening, specifically within the Border Gateway Protocol (BGP) for Internet address routing, the Domain Name System (DNS), and the Certificate Authority (CA) system.
The workshop identified four primary threats: increasing system complexity, intensifying regulatory pressures, insufficient funding for preventive measures, and software supply chain vulnerabilities. For instance, the interdependence between electrical power and Internet infrastructure creates a “circle of dependencies” where each requires the other to function. Modern software development practices have introduced a “crisis of complexity,” with applications depending on numerous APIs and third-party services whose security is often indeterminate.
The regulatory landscape emerged as perhaps the most pressing challenge, with policy issues expected to influence Internet development over the next 10-20 years in a more direct way than before. The relationship between technical operators and government policymakers and regulators has become strained as Internet and Internet-enabled services are now embedded in every aspect of modern life. The technical community’s traditional approach of fixing problems as they arise is now politically untenable. Governments demand clear accountability and quick responses to incidents given the impact of the Internet on all aspects of the economy and national security. There is a clear need to build and maintain constructive public-private partnerships.
The workshop revealed a fundamental tension in how resilience is funded and prioritized. Participants repeatedly emphasized that “resilience is a prevention problem, and prevention does not attract money.” While reactive measures to incidents readily attract funding and attention, the crucial work of preventing failures through good operational practices, proper training, and systematic thinking about dependencies is often underfunded. This challenge is compounded by information asymmetry between different stakeholders – operators, regulators, and users often have different levels of information and understanding about incidents and their causes.
The software supply chain emerged as a critical concern, with participants noting widespread dependence on poorly validated and under-funded open-source libraries. This led to recommendations for developing systematic curricula for Internet-scale infrastructure operations, moving beyond the current reliance on anecdotal “war stories” for training. The workshop identified key audiences including network operators, engineers, and C-suite executives (CIOs, CFOs, CISOs), with regulators and policymakers as important secondary audiences globally.
The workshop established nine comprehensive workstreams addressing best practices, accountability protocols, infrastructure support mechanisms, operational practices, and talent development:
- Best Practices Framework/Badges
- Accountability, Agency and Risk Management
- Create a group, process or funding mechanism to support critical infrastructure
- Build and Promote “Always Be Rolling” Program
- Collaborative Exercises and Information Sharing
- Infrastructure and Sectoral Dependencies
- Education and Talent Development
- Governance and International Collaboration
- Evolving Resilience Goals
These initiatives aim to balance immediate operational needs with long-term strategic goals. The workshop emphasized connecting resilience efforts to business metrics like Service-Level Agreements (SLAs) and customer experience, while noting the challenge of justifying investment in infrastructure components that appear low value until they fail. The Marconi Society was designated to serve as a channel for raising awareness rather than implementing technical solutions directly. Discussion included plans to produce a comprehensive paper providing concrete examples and evidence for stakeholders and convening follow-on meetings that advance the understanding of these topics.
In conclusion, participants agreed that to get the resilient Internet we want, a few important things must happen: 1) improved dialogue between technical experts and policymakers; 2) better incident response frameworks; 3) systematic approaches to identifying and managing complex interdependencies; and 4) learning from best practices in other industries (for example, power, telecom). Research should be conducted to evaluate best practices in other critical infrastructure sectors, including inviting relevant experts in those fields.
The workshop recognized that Internet resilience is part of a complex interdependent system and that dependencies must first be identified to provide a foundation for future building blocks. The path forward involves partnering across sectors with technical organizations, academic institutions, civil society organizations, and Internet governance bodies to amplify the message and reach key stakeholders, while addressing the persistent challenge of funding preventive measures over reactive responses.