Why Isn’t the Internet More Secure?
It seems day after day we are learning about “HUGE!!” hacks. As I write this, I can’t get gas because some ransomware program attacked a company that managed a gas pipeline in the US. A co-worker of mine in the Netherlands said their country has been told to expect gas rationing impacts because the US is moving tanker ships to the US that would normally be supplying the Dutch. And that’s after multiple, severe, nation-state-related, supply chain attacks that impacted hundreds of thousands of customers.
Here’s a secret many people don’t know. We can make the Internet a significantly safer place to compute.
It wouldn’t be that hard and we don’t have to invent anything spectacularly new. We’ve got all the protocols and ideas we need.
I’ve written about how to do it many times over my career, including several whitepapers, dozens of articles (mostly in InfoWorld and CSO Online, where I was a weekly security columnist for nearly 15 years), and even scholarly defenses of those ideas in top university forums. There are many ways to better secure the Internet. Mine isn’t the only way, but here’s a quick summary of my proposal:
· Build a second, opt-in, more secure version of the Internet (the original Internet continues unimpeded for those that want to use it)
On the new, more secure, version of the Internet:
· Default, pervasive, strong, authentication of users, devices, and network traffic replaces the current Internet’s pervasive default anonymity
· All users, devices, networks, and services can establish a minimum level of assured authentication they are willing to accept to and from willing parties
· A centralized, DNS-like service, but for dynamically collecting and reporting pockets of originating maliciousness
· All based on open standards and protocols
This new, more secure internet would not prevent anyone who wants to remain completely anonymous from staying anonymous. In fact, my design allows anyone to choose their desired level of authentication, ranging from total anonymity to very strong authentication of their true, real-world identity, for every different service and connection. Hence, you might want to stay anonymous when talking to your cancer support group, but your bank may only allow you to make withdrawals when you use strong authentication. Some services could cater to people who desire absolute anonymity and others to people who desire the opposite end of the spectrum. And if someone’s device gets compromised and is sending out malware, the entire world would know and be able to react accordingly, taking their own desired actions.
A more secure internet could be implemented by the various groups that control the Internet (e.g. ICANN, W3 Consortium, etc.) coming together on what to implement. All the planning could be done in a few months. And it would not interrupt a single current operation or require the buying of anything new. Most of it could be implemented through software updates. Although it would also jumpstart a ton of new start-ups and services who wished to take advantage of the new feature sets.
Why Isn’t the Internet More Secure Now?
So, that begs the question: Why isn’t the Internet already more secure today if all of that is true? Well, it’s a complicated answer. Here are the biggest reasons I can think of off the top of my head:
The Internet Wasn’t Built Securely from the Start
First, the Internet was not built to be very secure from the start. That’s problem number one. The Internet was built to connect lots of people and things and function even if significant parts of it were down or under attack. So far, it has accomplished these goals exceedingly well. But the original designers of the Internet and its most common protocols (e.g., DNS, IP, etc.) did not design those protocols with security against malicious attacks in mind. I do not blame the early internet pioneers, especially because almost no protocol, even today, is built from the ground up with security in mind. And every new platform we introduce (e.g., mobile, IoT, etc.) seems destined to repeat every mistake made with the previous platform.
And even when a protocol or feature is designed from the ground up with security in mind, it doesn’t mean that it will be super secure. Sun/Oracle’s Java language was built from the ground up with security in mind. It was a major worry of the developers and they spent a lot of time developing things to defeat security attacks. But despite all those efforts, Java became the most hacked software for over a decade. In 2014, Cisco reported (https://www.cisco.com/c/dam/global/en_in/assets/pdfs/cisco_2014_asr.pdf) that Java was responsible for 91% of all successful web exploits. One software program! So, even when you try, you don’t always succeed.
Feature Sets and Speed Win Over Security
Sadly, people care more about cool new features than security in most cases. Vendors rush to get new features and products to market, and those that slow down to get the security right are often financially punished. Since at least 2003, Microsoft products have had fewer security vulnerabilities than their closest competitors (e.g., Apple, Linux, etc.) and that did not stop Apple from virtually taking over a large segment of the world and their stock price splitting and exploding. Google Chrome OS and Chromebooks are clearly one of the most secure options on the planet today, and low cost as compared to their competitors, and still, they aren’t the most popular. The most popular, most secure, free OSes, SELinux, OpenBSD, and Qubes, aren’t even close to the most popular free operating systems. You know which ones are far more popular? The ones with more cool default features and cool-looking desktops.
Unfortunately, general consumers don’t really care about security, until it negatively impacts them. And even then, not so much. Most consumers, if you asked them to be honest, hate logging into anything. They want to open or turn on their device or application and be able to do what they want to do immediately. Logging in only slows them down.
Consumers love to use things that are even routinely compromised. The average person’s credit card is compromised every few years. And despite that fact, most people not only use credit cards, but use the same credit card from the same issuer. The victim gets a new card, often must wait as the fraudulent charges are reversed, and life goes on as usual till the next time. No one is giving up their credit cards simply because they are compromised all the time.
Damage Is Often Minimal or Acceptable
The damage caused by hackers and malware can be bad. Sometimes “shuts-down-the-gas” bad! Still, most hacker and malware attacks cause very little damage and minor inconveniences. Your credit card or identity gets stolen, and it causes some inconvenience. But it’s not like it used to be. Used to be when your credit card or identity was stolen, it would take you weeks if not over a year to fix the financial damage. Now the bank is calling you before you even realize anything has happened, they send you another credit card by 1-day mail, and they automatically reverse all the fraudulent charges.
You might have to change all your passwords, format your computer, or even buy a new device because you are so frustrated. But for the most part, in a year or two, you barely remember what you had to do. I’m not saying this is right or even that it is everyone’s experience. Heck, I’m fighting an identity theft charge that has been impacting my credit for over a year (although it likely didn’t have anything to do with digital theft). But what I am saying is that for most of us, most of the time, as bad as hacking and malware are, for reasons I do not understand, most consumers think the level of hacking is acceptable. They don’t like it, but they aren’t permanently cancelling their credit cards, they aren’t swearing off electronic devices or the Internet. Somewhere along the way consumers just got used to the amount of cybercrime we have today as acceptable or at least tolerable. If consumers did not tolerate how bad internet crime was today, they would “dollar-vote” differently and force vendors and the Internet’s controlling bodies to make it all more secure.
Most Companies Do Not Suffer Long-Term Financial Damage from a Hack
Most hacked public companies’ stock prices are up soon after the news of them being hacked fades. It is exceedingly rare for a hacked company to get financially impacted from a hacking event. It does happen. Hacked companies do go out of business. Hacked companies do suffer significant financial issues due to hacking. CEOs, CIOs, and CISOs do get fired because their company was hacked. But if you look at their financial statements and customer counts a year later, usually both are up over prior years.
Can’t Prosecute Most Hackers
Malicious hackers hack because they make a lot of money and they almost never get caught. It is very hard to collect acceptable evidence (for a court of law) that a particular hacker or hacking group did a specific hack. Most of the time the hackers are operating in foreign territory outside the law enforcement jurisdiction of the victim, so the victim’s law enforcement’s requests are not accepted or followed. And let’s not forget to include nation-state hackers which are operating on behalf of their country’s claimed interests. China and Russia will not be extraditing their country’s accused hackers to the US anytime soon; and vice-versa. And if the world’s hackers can commit crime and almost never be prosecuted for it, we’re going to have malicious hacking and malware.
Getting Global Consensus Is Impossible
You likely can’t get all your family to agree on anything, much less all your neighbors or the whole world! Even on very good ideas that you think everyone would easily support, there is not a consensus. People have lots of different reasons and motivations for thinking the way they do, and when those people are spread across the globe, it is nearly impossible to get them all to agree on something. Most people would likely agree that the Internet needs to be significantly more secure, but they likely disagree greatly about how to do it. There is a large percentage of my peers in my own country that disagree with my solutions on how to make the Internet more secure. Many are radically against any system that attempts to force them to identify themselves even if the choice is voluntary. They see any system that can enforce some non-anonymous transactions to be coercive because no doubt what is voluntary today will become required tomorrow. And that’s a real possibility.
The Internet is a global entity for the benefit of all. We all do not agree on what that means. And until we are forced to agree on some basic rules, the Internet will not change.
Gov’t and Law Enforcement Don’t Want It
It is impossible to make the Internet more secure without making it harder for everyone to eavesdrop on others. Most of the world’s governments and law enforcement agencies don’t want the Internet to become more secure. Well, they want the Internet to be more secure, but at the same time they don’t want their access to other people’s information and behavior made harder for them to monitor, collect, and use. Some of the world’s governments, like China, are very open that they want to know what their citizens are doing. Many other countries, like India, are moving close to full-time government surveillance. Even the countries that claim to be all about freedom, like the US, actually don’t want any protections put in place that make it harder for law enforcement. Law enforcement and government agencies do not like that people have the ability to encrypt their communications, much less make it a default, which a more secure internet would likely require.
Some government and law enforcement entities think we can get to a happy medium, where everyone’s stuff is protected, but “only” they can see into someone’s stuff, and only upon valid court order. For many citizens, including myself, we don’t accept that as a viable option. Many people simply don’t think any government agency should have the absolute right into their stuff, period! I’m very close to that camp, personally, but the bigger sticking point is there is NO WAY to give some people access to something without far more people, intentionally or unintentionally, ending up with access to it. Whatever access you give to a limited group will eventually be given to or stolen by other groups. I believe this is likely. Unfortunately, for many of the world’s governments, this sort of arrangement, with limited, legal access, is the only way they’d come close to supporting a global, very secure internet. For just as many others, it’s a non-starter. Hence, refer to how hard it is for different groups of people to agree on anything.
What Will It Take to Have a More Secure Internet?
So, will the Internet ever become a far safer place to compute one day? I hope so. There is a strong potential that it will just meander along as it has for nearly 3 decades, being largely insecure, but secure enough that most people use it. It could also become incrementally more secure, slowly, over time. That seems natural enough. Indeed, our real world that all of us live and work in is full of crime and criminals, and wars, and we still, for the most part, can conduct personal and business activities the majority of the time without excessive interruption.
There could also be a tipping point event, like a digital-9/11, where the damage and outrage are so extreme that everyone comes together in a global kumbaya moment and we greatly improve the default security of the Internet. If I were a betting man, and I am, I would guess that this scenario is more likely. One day, a major part of the Internet (e.g., DNS, the stock market, banking, etc.) will be shut down and enough people will say they have had enough that something more will be done. Although we’ve had some pretty big outages before (e.g. Robert Morris worm of 1988, SQL Slammer in 2003, the Iloveyou worm and MS-Blaster macro virus) that caused “great outrage” that lasted about a week and didn’t end up making the Internet significantly more secure.
What I am sure of is that nothing anyone is doing right now is going to make the Internet a significantly safer place to compute for the foreseeable future. All the “whack-a-mole”, reactive responses to each individual injury are not going to make the Internet significantly more secure. It’s going to take a re-invention of the default security of the Internet. What makes that happen? Does it happen? I don’t know. What I do know is that there will continue to be more digital bleeding happening every day until we get a more secure internet. I’m ready for a big change. Are you?
Disabled, mom & human being
3 months
Any person involved in the processes we use within the net that has the knowledge needed for the technology's abilities also has the ability to be a hacker. If you can know how to build it you can know how to dismantle it or get into it or even add your own way in for later if it was so desired. So how can it ever truly be secure when we don't know the intentions of every person within the tech realm? For all we know the coders could be hackers as well. I'm sure they aren't going to say, oh hey, by the way, I'm one of the bad guys. Or I actually have a dual purpose for taking this position. Techs can hack, hacks can tech.
Data Governance, Security, Protection / Prevention The who touched what when from where of your data. Uncovering the darkest of unstructured data for retention, capacity planning and liabilities of corporations.
3 years
Since the pipeline is back in service and the backlog ~100 hours we hopefully will be able to contain the damage to the summer months domestically and not affect the world too much. If Americans had a more selfless attitude it would have been possible to ration our limited supplies over the emergency period but such is not the case. Petro became the TP of 2021 and inconveniences will continue for a while. Roger, great points on preparedness though, and if Colonial had only heeded CISA warnings months back they would not have incurred the losses. We definitely could use infrastructure improvements; we can do better on avoiding threats by paying attention to running CVEs. There is so much preventative action whose costs can only be measured against losses, inconvenience or down time. As insurance companies stop being willing to offer coverage or push back on self-inflicted damages maybe the risk ratio will increase too high to not budget for security and prevention, maybe.
Senior Principal Cyber Systems Engineer
3 years
We didn't understand it when it was designed and we don't understand it now, why is it a surprise it's not secure?