Is the Net Doomed?

[Jeb]

Is the Net Doomed?

 

One observer's take on why the Internet is the biggest crime scene in history--plus expert advice on cleaning it up.

 

Bruce Sterling

From the November 2005 issue of PC World magazine

Posted Thursday, September 29, 2005

http://www.pcworld.com/news/article/0,aid,122499,00.asp

 

 

The Internet's running amok. We're in a dark period for law and order.

 

At first hackers were inventive experimenters. Even the baddies who broke into systems were geeky teen scofflaws, high-SAT-types from tech towns like Berkeley and Cambridge. These guys are still around, and still making trouble. But every kind of unlawful Web-based activity visible ten years ago has increased in scale and intensity.

 

 

Where once there were a few relatively uncomplicated viruses, now there are torrents of fast-evolving, multifaceted viruses. Where once there was just small-time credit-card fraud, now there is international credit-card racketeering. Computer-network password theft has turned into sophisticated ID fraud that robs patrons of banks and online auction sites. Spam, once an occasional rude violation of "netiquette," now arrives by the ton (12.9 billion pieces a day worldwide last May, according to the e-mail security firm IronPort), some of it fantastically bizarre and/or obscene.

 

Then there are the newer electronic crimes, proliferating so fast that even experts have trouble keeping up with the jargon. Phishing. Spear phishing. Pharming. DDOS. DDOS protection rackets. Spyware. Scumware. Web site defacement. Botnets. Keylogging.

 

The Internet is now in a golden age of criminal invention. It's a "dot-con" boom, in which electronic crime runs rampant in a frantic search for business models. Even encryption, supposedly a defensive measure, has become a tool for extortion--witness the weird new crime of breaking into a computer, encrypting its contents, and then demanding a payoff to supply a password to the victim's own data. The crime's so new, it doesn't even have a name yet. We can pray that it doesn't become so commonplace that it needs one.

 

With an estimated 1 billion people on the Net (according to the Computer Industry Almanac), much of the high-tech global village has become a big, cold-hearted, slum-ridden megalopolis. All the classic scams and rackets that city sharpies push on rubes can be digitized. The scammers have an endless supply of victims: There's always somebody new on the Net, somebody gullible, or too young, or incapable of understanding the language.

 

"The victims of malware are not techie people, but those who don't read the security bulletins." --Carlton Fitzpatrick, computer crime expert and cyber-counterterrorism teacherImagine yourself as a first-time PC buyer, says computer crime expert Carlton Fitzpatrick, a cyber-counterterrorism instructor at the Federal Law Enforcement Training Center in Glynco, Georgia.

 

The PC's cheap, the software's reasonable, everything is plug and play, Fitzpatrick continues. Then the salesperson recommends that you arm it with antivirus software, system utilities, and a firewall. What kind of machine needs all of that stuff, you wonder.

 

And once you venture online, Fitzpatrick says, you find yourself directly connected to hosts of evil strangers. Even if you are willing to hold your nose and make that big jump, you are ill-equipped to defend yourself. "The victims of malware are not techie people, but those who don't read the security bulletins--and those are the people who are being plucked like ripe fruit," Fitzpatrick says.

 

Trouble Everywhere

 

Security problems exist at all levels. Richard Clarke, counterterrorism adviser to the National Security Council during the September 11 attacks (and author of a book criticizing the Bush administration's record on terrorism), says that e-commerce is vulnerable because it generally rests on hastily deployed, jury-rigged systems that need a comprehensive rethink--one that builds security in, instead of trying to slap it on as an afterthought. Clarke, who now works for a Beltway consultancy called Good Harbor, cites the example of Microsoft Windows: Who would have imagined, ten years ago, that it would have so many hundreds of exploitable bugs, flaws, and holes?

 

Newer industries are just as hasty as their predecessors--and are just as likely to re-create the errors of the early Internet: the sloppiness, the hurried development, and the naive hubris of the techie pioneer who can't imagine that criminals, someday, might become as clever as he is. (For example, after users of Google's Web Accelerator complained that its caching technology allowed strangers to access password-protected sites, the company stopped offering the software, saying it could not support any more users.)

 

And finally, there's the ultimate threat: the possibility of a cyberterrorist attack that could bring down the Internet itself.

 

Outsourcing Crime

 

The Internet is global, law is local; that's a fundamental problem facing those who would combat the tidal wave of crime and sleaze. We're in a world where nation-states pit themselves against criminals who have no return address.

 

International organizations that ostensibly should be civilizing the Net--ICANN, WSIS, IETF, W3C--are so weak and obscure that most people don't even know what their acronyms stand for. (For the record, they are the Internet Corporation for Assigned Names and Numbers, the United Nations-affiliated World Summit on the Information Society, the Internet Engineering Task Force, and the World Wide Web Consortium.)

 

These outfits are in no position to do much about crime on the Net. They have no guns, badges, or jails. In theory, these groups and other organizations might be able to eliminate a lot of weaknesses in the Net's aging architecture: The National Science Foundation, for example, recently proposed a project to develop a next-generation Internet that would supercede the long-discussed IPv6 (Internet Protocol version 6)--which in turn is supposed to improve on today's IPv4. But the Net may now be too old, too big, and too anarchic for any single body to fix.

 

The lack of any immediate prospect for a global solution to the Internet's inherently global problem leaves officials at the national level to pick up the dropped baton. Nations have the means, the motive, and the opportunity to create and enforce law and order. They do have guns, money, and prisons. And when it comes to basic influence over the Net, the United States is the single superpower.

 

Anyone who doubts that has only to look at the federal government's recent annexation of ICANN's DNS root servers--the names-and-addresses core of the Internet, the central scheme that makes the Internet global. In August, just days before the launch of an ICANN-approved top-level domain (.xxx) intended to create a virtual red-light district for segregating pornographers, the U.S. Department of Commerce got ICANN to put the contract to run .xxx on hold. (Other countries weren't happy about the new domain either, but only the United States had the power to halt its implementation.)

 

As the most powerful force on the Net, the U.S. government actually has a high-level, official plan to make the Internet safer and more civilized: Clarke's "National Strategy to Secure Cyberspace," which, in addition to recommending basic security housekeeping and training, calls for the creation of a multiagency, rapid-response "cyber warning and information network" to handle emergencies. But the plan, while never formally discarded, hasn't been implemented, either.

 

Clarke says federal law enforcement is crippled by turf wars: Responsibility for cybersecurity is split between the Office of Management and Budget, which, says Clarke, has ability but no direct authority, and the young Department of Homeland Security, which has authority but lacks ability. Why hasn't this turf war been resolved? Clarke says a regulation-averse administration hesitates to empower a new cyberbody that might impose new regulations on private enterprise.

 

That's why the Office of Management and Budget looks like a mighty contender in federal security policy, even though the cops are in Homeland Security: The OMB can require that all federal agencies--as well as anyone who wants to do business with them--use secure software.

 

Beyond the Feds

 

What about the states? After all, California's law requiring credit companies to report any breaches of security, as well as the risks the break-ins pose to individuals, helped bring to light the massive CardSystems scandal in which 40 million debit and credit card accounts were exposed to intruders. Arizona assistant attorney general Gail Thackeray, who has spent much of her law-enforcement career pursuing electronic marauders, says the feds are great for education, clout, and funding. But Thackeray says Congress will water down any legislation with teeth: The CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act, in her judgment, "doesn't do squat" to fight spam.

 

Thackeray says that she'd like to see more cooperation (and face-to-face meetings) between everyone affected by or involved in combating cybercrime--bankers, phone companies, private security, vendors, feds, states, locals, and gurus. The goal: to rebuild ties of trust and polite understanding that are being eaten away in our connected society.

 

A county attorney who attempts to call a major Internet service provider, Thackeray explains, quite frequently finds no one to talk to. Support has been moved offshore, or the call ends in voice-mail jails where robots fend off the unwary. And e-mail messages go unanswered.

 

In fact, Thackeray says, large corporations are more interested in using their legislative clout to isolate and protect themselves than in sharing their intelligence on cybercrime with law enforcement agencies, which could result in negative publicity. She notes that the annual Computer Crime and Security Survey, conducted jointly by the Computer Security Institute (an industry organization) and the FBI, consistently shows that corporations report only a fraction of computer crimes to authorities.

 

Today, isolation--the off-site backup, placing one's digital valuables into areas that are simply not on the Internet at all--is probably the only genuinely effective security measure. And that's not good.

 

The Net We Deserve

 

The Internet doesn't have to bring peace or prosperity to anybody. It remains what it has been from the beginning: a fun-house reflection of the entire planet.

 

We're going to get the Net we deserve. How would we deserve better? We would have to relearn the art of citizenship. We would have to convene all the major players in business and government, get them to stop their finger-pointing, buck-passing, border-jumping, and check-dodging, lock them into the same room--most likely, the same physical room--and not set them free until they had hammered out new solutions.

 

If we could do it, we'd be like rapidly developing countries--places that once seemed hopeless (think China and India) but suddenly find themselves with a newly energized populace that realizes anything is possible. Then we'd look again in the fun-house mirror of the Net and see developments so powerful that we wouldn't even have words for them.

 

Hey, it could happen.

 

The Big Net Cleanup: Experts Weigh In

 

Illustration by Stuart Bradford.There are lots of things that could be done to make the Internet more secure, but most of them would destroy much of its intellectual, commercial, and entertainment value. One key point here is that the starting point of achievable security should be a fair deal. Durable security should enhance rather than diminish the power of individual network users.

 

Whitfield Diffie, chief security officer, Sun Microsystems, and public-key cryptography pioneer

 

Developers need to stop expecting users to police themselves, and take responsibility for the users' safety.

 

Blake Ross, cocreator of the Mozilla Firefox browser

 

The security community needs to provide information and incentive to change behavior. This means education for users, developers, and organizations doing business on the Internet; attribution and penalties for criminal activities; and accountability for unsafe software, unprotected systems, and insecure handling of sensitive information.

 

Art Manion, Internet security analyst, US-CERT (United States Computer Emergency Readiness Team)

 

Since a world where everyone is good and understanding is still in a future far, far away, I would vote for giving legislative and judiciary personnel a proper education, or at least introduction into the online world.

 

Patrick M. Kolla, creator of Spybot Search & Destroy

 

The single most important thing is to educate end users. But then you have to ask, who should educate them? I think it is the vendors' job, and it is in vendors' interest for the Net to be--and to be thought of as--useful, fun, and secure. The challenge is how to make the education interesting and intelligible, rather than boring and scary. Vendors also need to provide effective tools for users to protect themselves, since security is as much about knowing whom to trust as it is about technology.

 

Esther Dyson, writer-editor of CNet Networks' Release 1.0, a newsletter about emerging digital technology