Securing Critical Infrastructure

OTF launched the Core Infrastructure fund in 2015 to make sure internet freedom tools run on secure internet infrastructure they can rely on. As part of our revamp, we simplified…
Thu, 2021-04-08 18:00

This is the third blog post in our application process revamp series; here’s a short recap and links in case you missed them. In the first blog post, we discussed changes to our application intake process, including a “single button application” and unified concept note. In the second blog post, we introduced category types and no-deadlines.

OTF launched the Core Infrastructure fund in 2015 in order to support the development, maintenance, and improvement of fundamental, building block technologies upon which internet freedom tools rely. This was in the wake of the discovery of the Heartbleed software bug, which highlighted how underfunded critical internet infrastructure and open source software projects are.

While there is much work to be done to secure and maintain the complex infrastructure of the internet and open source software, projects supported by our Core Infrastructure Fund have had much success in making the internet a safer place. EFF’s Certbot and Let’s Encrypt have helped more than double the share of HTTPS-encrypted websites from 40% in 2016 to 80% in 2019. The DNS Privacy project helped design, test, and eventually make encrypted DNS a reality. Tolerant Networks Ltd. and the Guardian Project are helping introduce eSNI into the OpenSSL library, improving privacy for people accessing HTTPS websites, and making it harder for censors to block them.

And those are just a few examples of the work OTF has supported with CIF, which complements the work supported by our fellow human rights donors, such as the Critical Digital Infrastructure Research by Ford Foundation, Sloan Foundation, Mozilla, Omidyar Network and Open Society Foundations. We would also like to highlight the important work on this by public interest technologists working within internet standards bodies (check out their newsletter here), and the open source tech community, such as OpenSSF.

So it’s clear that while the Core Infrastructure Fund will no longer have a separate application, it remains a priority for OTF as part of the technology development projects we support. Here are some of the areas that we believe are priorities for the near future. We welcome applications in these areas, as well as any other efforts focused on securing critical internet and OSS infrastructure that clearly impacts internet freedom tools and people living under repressive surveillance and censorship.

Encrypting the Internet/Privacy by Design

When the internet was first developed, no one could have imagined the scale and number of use cases it would grow to cover. We want to build on the great strides taken in the past decade to secure and encrypt the protocols that the internet relies on, and introduce privacy by design into its fundamental building blocks. Example applications here would focus on introducing privacy by design into internet standards/protocols, and the implementation of these changes to help secure web applications, secure instant messaging, as well as encrypted email infrastructure.

Securing the Internet Freedom Supply Chain

Open source internet freedom software relies on pre-packaged software libraries that are often supplied via software repositories. While this approach may lead to faster development, and improved security and maintainability if done correctly, it also introduces attack surfaces that can be exploited to compromise the security of that software.

Securing the open source internet freedom software supply chain is not an easy lift by any means, so we welcome any applications in this regard that can secure the supply chains internet freedom software relies upon. Example applications here may include research that raises awareness of risks to critical internet freedom projects and their dependencies; supply chain management best practices to secure the open source internet freedom software supply chain; and the maintenance of widely used and relied upon software packages.

Shutdown-resilient Infrastructure

Internet shutdowns continue to escalate as a repression tactic in response to protests, elections, and other forms of dissent and participation in public life. Shutdowns are essentially an attack on communications infrastructure, and they come in many forms, from partial to complete shutdowns, to service degradation, and could have an impact nationally or locally. We would like to see more internet infrastructure efforts focused on making shutdowns less efficient/possible, the development of easy-to-deploy infrastructure that allows peer-to-peer communications during shutdowns, as well as infrastructure that can help circumvent shutdowns or restore pathways to the global internet during different types of shutdowns.

Quantum-resistant Cryptography

As a responsible technology funder that’s wary of the traps of techno-solutionism and putting hype ahead of the needs of the community, we are cautiously putting this area of work forward. We recognize that the field of quantum computing, while nascent, would massively disrupt many of the fundamental internet freedom technologies we rely upon. While we have received a couple of applications so far on post-quantum, quantum-proof and quantum-resistant cryptography, none so far have passed the bar of justification for us to be convinced that those efforts are the best use of OTF’s limited funds at this time.

While, frankly, the bar for justification is still high, example applications here would be ones most focused on improving the community’s understanding of the threat of quantum computing to people living under repressive surveillance and censorship, as it relates to internet freedom tools, the technologies they rely upon, and what work is needed to prepare ourselves to respond to such a threat as the field evolves.

We consider everything we presented above as the start of a conversation, and if you have thoughts on any of our areas of work, or if you think there’s a crucial area of core infrastructure work that we may have missed, please reach out to [email protected]