Why Fixing The Internet Isn’t That Hard


The Internet is a scary place right now, similar to the old American Wild, Wild West, where well-armed gangs of bad guys faced off with common town folk, taking and destroying anything they wanted with near impunity. Hackers routinely steal so many data records each year that a new 100M record data breach barely makes the news. More email is malicious than legitimate. Thousands of fake web sites get created and deleted in a single day. Ransomware takes down hospitals, police departments, and entire cities. There are over a hundred million new, unique malware programs created each year. And defenders have to worry about every human adversary that wants to take advantage of their organisation’s data and resources, from advanced nation-state attackers to wily teenage script kiddies. Planes are hacked, power grids attacked, and nuclear centrifuges are spun out of control. You’re afraid to have an Internet-connected web-cam in your house. Each year it only seems to get worse.

But it doesn’t have to be this way. There are ways to make the Internet significantly more secure. Perhaps not completely crime-free, but at least functioning like today’s modern real world where crime is held to an acceptable level of minimum activity. It can be done.

Fixing the Internet

The Internet was not created with computer security in mind. It was created as an experiment to see if a huge national inter-network could be built to connect multiple stand-alone computers. The challenge was to reliably connect as many computers as possible. Most of the critical underlying original protocols and technologies (like TCP/IP, HTTPS, and DNS) were created in the 1970s and 1980s and didn’t have huge security considerations. When the Internet blew up in the late 1980s, the insecure protocols were brought along. Security was bolted on and improved as needed. As anyone who works in security will tell you, bolting it on after the product is delivered is no way to effectively secure the product.

So, what will it take to significantly reduce cybercrime on the Internet?

There are many ways to do this, but most of the thoughtful plans that have been discussed include the following common design features:

  • Default, pervasive authentication of devices, users, and applications
  • Default encryption and integrity
  • Centralised, but distributed security services, functioning much like DNS does today

I’ll discuss each more below, but the idea is that there are so many cybercriminals on the Internet because they almost never get caught. In the US in the 1920s and 1930s this used to be true for bank robbers, when it was easy for a gun-toting robber to pull up to a bank and head out minutes later with boatloads of cash. The fact that they almost never got caught led to more bank robbers and bank robberies, until society finally decided to fight back. Then banks started locking safes, putting cashiers behind bullet-proof glass, carrying less cash, and so on. Police got better at stopping and capturing bank robbers, and pretty soon robbing a bank became a risky occupation. The days of Bonnie & Clyde were over. The same thing has to happen to the Internet.

Default Real Authentication

It starts by having default, pervasive “real” identification of every connected device, user, and application. Most cybercriminals can’t be caught because we can’t identify them. This stops when we start requiring everyone on the Internet to authenticate with their real, verified identity. This is already starting to happen on major social media web sites, where real people are indicated as the real person they claim to be with a green checkmark or similar. Same thing here, except that the authentication will be accomplished and verified any time the person wants to get on the Internet, no matter which web site they go to, and no matter how they have connected.

Sure, you’re going to have people and legitimate scenarios where anonymity is desired or needed, and for those cases you’ve got two options. One, they can log on using pseudo-anonymity, where some identity service confirms their real identity but allows them to use a known fake identity. But if law enforcement needs to find out who is behind the fake identity, the identity service will tell them.

For those people and instances that demand complete anonymity, well, there will always be a part of the Internet that will allow it. It’s just that the majority of the Internet, those of us who don’t want to interact with unknown individuals (who are more likely to include hackers and malware writers), won’t have to. Unlike today, my email server won’t automatically accept any email sent its way. If it comes from an unverified identity, I may choose to discard that email, or maybe it undergoes heavier inspection before it gets to my inbox. Same thing with a bank or stock trading web site. They will probably require that people are who they say they are before doing business.

The idea is that right now the Internet is mostly pervasive anonymity. Anyone can claim to be anyone across almost every web site and service. I can claim to be Bill Gates on any web site he hasn’t already registered on. A far more secure Internet requires the opposite. It requires that most people (and devices and applications) be effectively identified, so that the person I’m doing business or communicating with is who they say they are and not some rogue actor. And when I download an application, it is from who it says it’s from and hasn’t been modified since it was published. The same thing applies to my device. Already you’re starting to see sites that notice when you sign on with a new device (or even software configuration, such as a different browser) and ask you to do additional authentication. We are on our way to this new Internet world.

Default Encryption and Integrity

Here’s the toughest one to get done. By default, every bit of data and communications is encrypted and checked for integrity. Technologically, it’s not hard to pull off. Much of the world’s web sites and organisations are already using HTTPS, which means encryption. But just as with today’s Internet authentication, we need encryption and integrity to be built-in defaults for all traffic and data.

The hard part is getting the world’s governments to agree to allow it to happen. Many of the world’s governments (like China) are absolutely against their citizens using any form of encryption (or at least any form that the government cannot bypass). Most other governments, including the US and the UK, and every law enforcement agency don’t want more encryption. They want less. Encryption makes their jobs harder. Default encryption would make their jobs exponentially harder, if not impossible. Most of the world’s governments would fight, fight, fight the idea that everyone on the Internet was encrypted by default.

The reason you need default encryption and integrity is to ensure that what is sent on behalf of someone’s real, verified identity is what they actually sent. Without default encryption and integrity (of communications, identity, and data), you couldn’t as easily tie what a person sent or did back to the verified identity. Without encryption and integrity, a malicious interloper could modify the message or communications stream without the sender and receiver knowing it. With default encryption and integrity, the hacker’s and eavesdropper’s task becomes significantly harder.

Centralised Security Services Like DNS

Lastly, we need one or more centralised security services, which function much like DNS. Many of the organisations in this world know where the daily badness is coming from. They watch and keep track of all the bad actors and have a pretty good idea of what locations and IP addresses they are using, often up to the second. We need to take that sort of information and make it free, widespread, and easy to share (like DNS).

The idea is that when badness is identified (such as a spammer sending out millions of phishing emails), the origin of that badness is shared with every device (e.g. routers, firewalls, etc.) and piece of software (e.g. email clients, browsers, etc.) that cares to know. Then if your device or software receives a connection from a known bad location, it can drop or handle it accordingly.

Here’s another example. Suppose you’re a good person without a history of sending malware, but somehow your computer gets infected by a phish-sending spambot. In this new Internet, the person or device that infected you would be easier to find, stop, and prosecute. And while your computer was spewing phishes, the world could be proactively alerted that your node is sending badness and is, for the moment, untrustworthy. You wouldn’t have to notify anyone. And after you got your computer cleaned up, the Internet security service could mark your device as trustworthy again, and people would be free to accept your communications normally. And if you got infected again and again, maybe the service would start to mark you as questionable, at least until you proved to it that you had taken the appropriate steps to keep badness off your device.
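As an added illustration (not code from the article or from KnowBe4) of the DNS-like reputation service described in this section and the node lifecycle in the example just above, here is a toy model: reputations are keyed by a DNSBL-style reversed-IP name under an assumed zone, and a node moves between trustworthy, untrustworthy and questionable as badness and clean-ups are reported. The zone name, the state names and the repeat-offender threshold are assumptions, and the addresses used are constructed documentation addresses.

```python
# Added illustration, not code from the article or KnowBe4: a toy model of a
# shared, DNS-like reputation service. Zone name and states are assumptions.
from ipaddress import ip_address

ZONE = "rep.example"  # assumed zone name for the shared reputation service
REPEAT_THRESHOLD = 3  # assumed: infections before a node becomes questionable

def lookup_name(ip: str) -> str:
    """Encode an IPv4 address as a DNSBL-style name (octets reversed, under ZONE)."""
    octets = str(ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE

class ReputationService:
    """Per-node trust published the way a DNS zone publishes records.

    Lifecycle from the article: a node seen sending badness is 'untrustworthy';
    once cleaned it is 'trustworthy' again; a repeat offender stays
    'questionable' until it proves remediation.
    """

    def __init__(self) -> None:
        self.records: dict[str, tuple[str, int]] = {}  # name -> (state, infections)

    def report_badness(self, ip: str) -> None:
        """Called by whoever observed the node spewing phishes or malware."""
        name = lookup_name(ip)
        _, n = self.records.get(name, ("trustworthy", 0))
        self.records[name] = ("untrustworthy", n + 1)

    def report_cleaned(self, ip: str, remediation_proven: bool = False) -> None:
        """Mark the node clean again; repeat offenders must prove remediation."""
        name = lookup_name(ip)
        _, n = self.records.get(name, ("trustworthy", 0))
        if n >= REPEAT_THRESHOLD and not remediation_proven:
            self.records[name] = ("questionable", n)
        else:
            self.records[name] = ("trustworthy", n)

    def query(self, ip: str) -> str:
        """What a router, firewall or mail server asks before accepting traffic."""
        return self.records.get(lookup_name(ip), ("unknown", 0))[0]

def mail_policy(service: ReputationService, ip: str) -> str:
    """Decision a receiving mail server could take on a connection from ip."""
    # unknown or questionable senders get heavier inspection rather than a drop
    return {"trustworthy": "accept", "untrustworthy": "drop"}.get(service.query(ip), "inspect")
```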

No Need to Invent New Technologies

The best part of this is that we already have all the technologies and protocols we need. No one has to invent anything new. All that has to happen is for the people that manage and control the Internet to come together, decide what is required, and then implement it. The current Internet could even be left running, and anyone objecting to the new system could be left on the old version. But the new version would be safer and faster. Imagine how much faster the Internet would be if most email was legitimate and if quadrillions of denial of service packets were not there. You can stay on the old version, but the vast majority of Internet users would gladly give up their default anonymity to compute on a version that gave them far more default security.

What Will It Take to Make It Happen?

After over 30 years of fighting Internet crime, I’ve come to the conclusion that we will never move to make the Internet a far safer place to compute until some big, cataclysmic, 9/11-like digital equivalent event happens. Something like the Internet going down for a few days, or the stock market or banking system going down for a day, would probably do it.

Why do I think it will take a huge event to make it happen?

Well, for one, I’ve been waiting for Internet security to get better for 30 years and it hasn’t happened naturally. In fact, it seems to get worse each year. To make a far more secure Internet, it’s going to take a global set of leaders (and their governments) to agree on common goals. And you can’t get the people around your dinner table, much less around the world, to agree on what needs to be done to make the Internet far safer…at least until some bigger motivator causes it to happen.

Think about all the things we do to travel by commercial plane today. We have to verify our identity. We can’t just hand someone our ticket (yes, you used to be able to give your ticket to anyone and they could fly using it). We have to show our verified IDs to at least two different sets of guards. We can only have certain things on our person or our luggage. We have to take off our shoes and throw away any water bottles, and so on. The pilot’s cabin is now secured by metal doors and many flights contain anonymous, armed agents.

All of those required safety features came about just after 9/11. Can you imagine how travellers would have reacted to the airlines before 9/11 if they had been told they would have to take off their belts, remove their shoes, and throw away any carried-on liquid or gel bigger than a small toothpaste container? There would have been a riot of complaints and a drop in air travel. Instead, after 9/11, travellers willingly do whatever it takes to get past the airline enforcement guards. They may groan and not be happy, but they are willing to do it, and we are safer.

A Safe Internet Will Come

This isn’t new. This is what happens to every infrastructure and civilisation. All societies naturally move from wild, more chaotic cultures to safe, more stable societies. Most of the involved citizens willingly give up some of their anonymity and past freedoms in exchange for more safety. A century ago, anyone who wanted to drive a car could. Children routinely drove heavy equipment and cars. Now, a legal driver must meet a base set of requirements (including age and good eyesight), verify their identity, take a written and physical driving test, and get re-certified every few years. If you can’t do that, you’re not legal to drive in any civilised society on Earth.

You used to be able to get water from your own well. Now you have to prove your identity to your water company, and you get relatively cheap and safe drinking water at a price and in an amount that much of the uncivilised world can’t even imagine. The same thing is happening with the Internet. It’s going to move from the Wild, Wild West to a safe, more civilised society. Gun slingers can’t legally destroy a town anymore. Bank robbers usually get caught. The only question is how long it will take, and what it will take, to make a far safer Internet a reality.

Roger Grimes, Data-Driven Defence Evangelist at KnowBe4