The Center for Education and Research in Information Assurance and Security (CERIAS)


Do we need a new Internet?

Short answer: "Almost certainly, no."

Longer answer:

The blogosphere is abuzz with comments on John Markoff's Saturday NY Times piece, Do We Need a New Internet? John got some comments from me about the topic a few weeks back. Unfortunately, I don't think a new Internet will solve the problems we are facing.

David Akin, a journalist/blogger, commented nicely on John's post. In it, he quoted one of my posts to Dave Farber's IP list, which I then turned into a longer post in this blog. Basically, I noted that the Internet itself is not the biggest problem. Rather, it is the endpoints, the policies, the economics, and the legal environment that make things so difficult. It is akin to trying to blame the postal service because people manage to break into our houses by slipping their arms through the mailslots or because we leave the door unlocked "just in case" a package is going to be delivered.

Consider that some estimates of losses as a result of computer crime and fraud are in the many billions of $$ per year. (Note my recent post on a part of this.) Consider how much money is repeatedly spent on reissuing credit and debit cards because of loss of card info, restoring systems from backups, trying to remove spyware, bots, viruses, and the like. Consider how much is spent on defensive mechanisms that only work in limited cases -- anti-virus, IDS, firewalls, DLP, and whatever the latest fad might be.

What effect does that have on global finances? It is certainly a major drag on the economy. This was one of the conclusions (albeit, described as "friction") of the CSTB report Towards a Safer and More Secure Cyberspace, which did not seem to get much attention upon release.

Now, think about the solutions being put forward, such as putting all your corporate assets and sensitive records "out in the cloud" somewhere, on servers that are likely less well-protected or isolated than the ones being regularly compromised at the banks and card processors. But it will look cheaper because organizations won't need to maintain resources in-house. And it is already being hyped by companies, and seemingly being promoted by the NSF and CCC as "the future." Who can resist the future?

Next, stir in the economic conditions where any talk is going to be dismissed immediately as "crazy" if it involves replacing infrastructure with something that (initially) costs more, or that needs more than a minor change of business processes. And let's not forget that when the economy goes bad, more criminal behavior is likely as people seek value wherever they can find it.

The institutional responses from government and big vendors will be more of the same: update the patches, and apply another layer of gauze.

I have long argued that we should carefully re-examine some of the assumptions underlying what we do rather than blindly continue doing the same things. People are failing to understand that many important things have changed since we first started building computing artifacts! That means we might have better solutions if we really thought about the underlying problems from first principles.

I recently suggested this rethinking of basic assumptions to a few senior leaders in computing research (who shall remain nameless, at least within this posting) and was derided for not thinking about "new frontiers" for research. There is a belief among some in the research community (especially at the top universities) that the only way we (as a community; or perhaps more pointedly, them and their students) will get more funding for research and that we (again, the royal "we") will get premier publications is by pushing "new" ideas. This is partly a fault of the government agencies and companies, which aren't willing to support revisiting basic ideas and concepts because they want fixes to their existing systems now!

One part that makes sense from Markoff's article is about the research team making something that is effectively "plug compatible" with existing systems. That is roughly where a longer-term solution lies. If we can go back and devise more secure systems and protocols, we don't need to deploy them everywhere at once: we gradually phase them in, exactly as we do periodic refreshes of current systems. There is not necessarily an impassable divide between what we need and what we can afford.

I'm sorry to say that I don't see necessary changes occurring any time soon. It would upset too much of the status quo for too many parties. Thus, the situation isn't going to get better -- it's going to get worse -- probably much worse. When we finally get around to addressing the problems, it will be more expensive and traumatic than it needed to be.

As I noted before:

"Insanity: doing the same thing over and over again expecting different results."

Of course, my continued efforts to make this point could be branded insane. ;-)



An Aside

Over a decade ago, I gave several talks where I included the idea of having multiple "service network" layers on top of the Internet -- effectively VPNs. One such network would be governed by rules similar to those of the current Internet. A second would use cryptographic means to ensure that every packet was identified. This would be used for commercial transactions. Other such virtual networks would have different ground rules on authentication, anonymity, protocols and content. There would be contractual obligations to be followed to participate, and authorities could revoke keys and access for cause. Gateways would regulate which "networks" organizations could use. The end result would be a set of virtual networks on the Internet at large, similar to channels on a cable service. Some would be free-for-all and allow anonymous posting, but others would be much more regulated, because that is what is needed for some financial and government transactions.

I remember one audience at an early SANS conference at the time was so hostile to the idea that members began shouting objections before I could even finish my talk. I also couldn't find a venue willing to publish a speculative essay on the topic (although I admit I only tried 2-3 places before giving up). The general response was that it would somehow cut out the possibility for anonymous and experimental behavior because no one would want to use the unauthenticated channels. It was reminiscent of the controversy when I was the lead in the Usenet "Great Renaming."

The problem, of course, is that if we try to support conflicting goals such as absolute anonymity and strong authentication on the same network we will fail at one or the other (or both). We can easily find situations where one or the other property (as simply two examples of properties at stake) is needed. So long as we continue to try to apply patches onto such a situation before reconsidering the basic assumptions, we will continue to have unhappy failures.

But as a bottom line, I simply want to note that there is more than one way to "redesign the Internet" but the biggest problems continue to be the users and their expectations, not the Internet itself.

Comments

Posted by A. G.
on Sunday, February 15, 2009 at 04:27 PM

Spaf, a hard-hitting post. Could you explain how a “new Internet” will be different from the “old” one in terms of security? Can we solve the spam and hacking problems seemingly endemic to this kind of communications, or at least drastically reduce them in kind, not just degree?

—-

Spaf replies:  That depends on the design assumptions.  The reason spam works now is because it costs effectively nothing to send, and some people do pursue the offers.  A lot of spam comes from compromised machines in botnets, too.  So, fixed machines could drastically reduce spam because it might make it easier to identify and block sources.  It is also possible that if all email went over authenticated links we could screen mail or traceback abuse.  Similar arguments attach to the question of people trying to compromise systems.

How much hacking and spam do you get on your cell phone?  Cable box?  Both are networks.  Different base assumptions mean differences in behavior.

Posted by Lost My Marbles in Chicago
on Sunday, February 15, 2009 at 09:57 PM

It depends what you mean by “Internet”.  If we are talking about the infrastructure, I’d agree with you that we don’t need a new one.  The evolutionary path of the existing internet seems to be adequate.

Things, though, get a bit nebulous near the top of the infrastructure, at what old timers might call the application or presentation layers.  Communicating with each other is not intuitive.  We just use the internet to replicate a technology that is centuries old (writing to each other).

I believe that the social network applications we see on the ‘net these days will help us formulate a “new internet” in terms of how we interact and communicate with each other.

Posted by Grants
on Tuesday, February 17, 2009 at 12:16 PM

If we can go back and devise more secure systems and protocols, we don’t need to deploy them everywhere at once: we gradually phase them in, exactly as we do periodic refreshes of current systems.

Posted by Jason
on Tuesday, February 17, 2009 at 10:23 PM

As an employee of a credit union, I strongly see the need for a separate “business Internet”.  A failure in the public Internet will cause a great number of businesses to become inert as their VPNs that depend on the Internet fail.  Too much business depends on a public network that has everything from federal reserve wire transfers and torrents of hentai on it.

Create a separate, non-anonymous network that shares no logical connection to the Internet.  Avoid calling it anything like “Internet 3”, just something like “Global Business Internetwork” or something.  Oh, and require IPv6 since it is a new network anyhow.

Having two connections, one to the public Internet and one to the semi-public VPN-only network, is still far more economical than running PtP lines between a business and all its partners, and will allow business to still run if the Internet is down from massive BGP or other failure.

Posted by Jason Charnov
on Friday, February 20, 2009 at 10:59 AM

I have no problem with another “internet.” We are always building new ones. What we don’t need, nor would I think such a thing could be possible to build today, is a new “Internet.” Notice the capital “I.” The Internet is a collection of other networks and its binding forces are laws, treaties, international technological standards, de facto standards, and its continued use.

Most, if not all, of the problems people complain about are caused by… wait for it… the people using it. As a long time IT and telecom worker, I can assure you that 99.999% of all the decision and policy makers have no idea whatsoever of how anything works or should work with regards to technology. The only reason the Internet works as well as it does is due to economic forces and really good work (and lots of valiant fights in committees) at the beginning.

I propose backing off most of the attempts at new regulations and attempts at control of the transport pieces. Standards can be set through various vectors of control, economics and law being the best, but ultimately trying to control the fabric of the Internet is like trying to squeeze jello: you’ll never really get anything done for your effort, it makes a mess, people will look at you funny, and it serves no real purpose other than tragic comedy.

If you want to really fix issues, then fix the people running the various networks. IT workers have as much impact on life, limb, and infrastructure as medical personnel, architects, engineers, accountants, etc. yet they do not have a state or federal license?

I have been rebuked for refusing to do unethical, illegal, or damaging actions requested by clueless management. I have been caught between poorly thought out legislation and corporate lawyers. I have no recourse. Unlike a nurse or an engineer, I can’t turn to them and say “that puts my license in jeopardy and I’ll go to the licensing board.”

Just like our legal system, for the most part all of the components of the Internet are good and sound and also like our legal system it’s the implementation that is faulty.

Fix that.

Posted by JimR
on Saturday, February 21, 2009 at 10:59 AM

My thanks to Prof. Safford for sharing his knowledge. I watched him on C-SPAN and wrote down some things like this site. I’m fairly new at the computer but older and a quick learner. The Internet is a fantastic place but very dangerous. I have a friend that I suck info from him like a sponge. The first thing I realized even before I started talking to him is, you better have a good security program on your system and have everything backed up that you can remove from your system. The biggest problem with the Internet is the IT guys that work for places like MS etc, are the same guys writing a lot of the things bad for our computers. It’s job security for them. The other is the guy that was turned down by MS for employment. Now he’ll show them!!! I don’t want too much government intrusion in what I do because it’s none of their business. I wish software was better. But if you’ve anything living in America, you first must buy the “junk”, then they will upgrade you for a price. That too is just business. We do like to shoot ourselves in the foot most of the time, “Isn’t it great to live in America. I love it here but I’ve been in the Marine Corps and got to see how others have to live. Going somewhere for a week’s vacation isn’t the same as spending 13 months there.

Back to today’s problem. There has to be something we can do to help protect us from ourselves and places outside our shores. A lot of the servers people use for the major damage or hacking, are outside the U.S., they are afraid of our FBI would come knocking. I feel that if we can address that situation, we in America, could have a safer Internet to play on and get great knowledge from. Thanx for your time!!!!!!!

Posted by Rita
on Monday, February 23, 2009 at 07:55 PM

My computer has been hacked twice. If the new internet could correct some of the current security problems, it would be great.

=======

Spaf replies:
But the problem you are reporting is with your computer—not the Internet!  You need a better OS and protections on your computer…..

Posted by Angellaa
on Monday, February 23, 2009 at 09:25 PM

Hmm, very cognitive post.
Is this theme good enough for the Digg?

Posted by Mike Jons
on Tuesday, March 3, 2009 at 01:23 AM

very nicely written stuff here, but I would say, let us all explore the one available to us right now, then maybe we can shift to other, coz only 10% have used the net properly.

Posted by Brian
on Friday, March 6, 2009 at 02:25 PM

I don’t think a new internet would solve the problem.  No matter what, criminals will always find a way to commit fraud and scam people.  Look back in the day when there was no internet, people would do phone scams all the time.  However, the internet has given them the ability to reach more people in the masses faster than before.

Posted by Free Government Grants
on Wednesday, March 11, 2009 at 09:39 PM

New internet will NOT solve the problem..

Posted by dafa
on Sunday, March 15, 2009 at 10:35 PM

good..!

Posted by Cute Easy Hairstyles
on Monday, March 16, 2009 at 12:03 AM

If you have virus or spam problems, I think the quickest way to protect your computer is to use Linux. It is free to download and way faster than Windows. But internet-wise, we just need to be more aware of the risks as those criminals get smarter.

=======

Spaf sez:  Linux has its own problems.  Unfortunately none of the common systems is very safe.  As you say, it requires some informed risk analysis.

Posted by fortune 500
on Monday, March 23, 2009 at 10:49 AM

Nice writing. You are on my RSS reader now so I can read more from you down the road.

Allen Taylor

Posted by Short Health Article
on Thursday, March 26, 2009 at 07:44 AM

don’t think it will solve that problems that easy though. good article else…
it’s not healthy surfing and downloading things without taking security options first!
use firewall, updated antivirus program and your brain, better safe than sorry…

Posted by RaiulBaztepo
on Saturday, March 28, 2009 at 05:32 PM

Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad English, I’ve just started to learn this language ;-)
See you!
Your, Raiul Baztepo

Posted by DANIEL DPK
on Wednesday, October 28, 2009 at 09:51 AM

We are amid the greatest technological transition in our media since the invention of the printing press. An open Internet is driving this change. It’s a communications tool that, while still in its infancy, is already storming the gates of media’s old guard.  its ability to give everyone a chance to be heard – whether a little-known blogger, local environmental group or giant multinational corporation. But they’re not letting us in without a fight. As the Internet breaks down old political, economic and social barriers, it raises new concerns about free speech, control, privacy and equality.

Posted by DANIEL DPK
on Wednesday, October 28, 2009 at 09:55 AM

We are amid the greatest technological transition in our media since the invention of the printing press. An open Internet is driving this change. It’s a communications tool that, while still in its infancy, is already storming the gates of media’s old guard.  its ability to give everyone a chance to be heard – whether a little-known blogger, local environmental group or giant multinational corporation.

But they’re not letting us in without a fight. As the Internet breaks down old political, economic and social barriers, it raises new concerns about free speech, control, privacy and equality.

Posted by satrap
on Friday, December 18, 2009 at 07:11 PM

You know, I just don’t think with the current thinking we are going to change anything. I think the whole thing needs to be changed from inside out. We are just relying on things that worked before and keep thinking it’s gonna work. But everything is changing and there should be a new game plan to go with this fast changing world.

Posted by Accountants Solihull
on Saturday, March 13, 2010 at 05:22 PM

It is such a shame that in a thriving global computer security industry that is projected to reach record billions in revenues in 2010, and the fact that Microsoft itself began an intense corporatewide effort to improve the security of its software, Internet security has continued to deteriorate globally.

I wonder how long it will take to iron out the ‘new internet’ bugs?
