Radical steps are needed to fix Internet security

The Internet as we know it today was designed to be a place where people could go about their business, whatever it happened to be, anonymously and without interference from other users. This model worked reasonably well for a long time, but it’s become painfully clear in recent months that some fundamental changes are needed in the way people use the network and, more importantly, how their PCs are allowed to behave.

The Internet as we know it today was designed to be a place where people could go about their business, whatever it happened to be, anonymously and without interference from other users. This model worked reasonably well for a long time, but it’s become painfully clear in recent months that some fundamental changes are needed in the way people use the network and, more importantly, how their PCs are allowed to behave.

The ongoing attack by the Conficker worm, the seemingly unstoppable spread of botnets and the massive worldwide problem of online fraud have underscored the fact that the bad on the Internet is beginning to outweigh the good. It’s become so dangerous just to get online and check your bank account balance or look at a friend’s photo album that it’s hardly worth the effort anymore. Every email–even innocuous looking messages from your mom–must be considered suspect, and thousands of legitimate Web sites are infected with malicious code and are busily attacking unsuspecting users every day.

It’s the end of days for the Internet.

Unless, that is, some radical action is taken. And soon.

The fact that the Internet is fundamentally unsecure and unsecurable is not news. It was designed to be an open, collaborative network, not a closed, monitored one. But that inherent openness is also what has gotten us into the predicament we’re in now, with pandemic levels of malware, spam accounting for upwards of 90 percent of all email and even the smartest among us falling prey to online scams.

What we need, as soon as possible, is for law enforcement agencies, along with groups such as US-CERT, to be granted the authority to remotely disinfect compromised PCs and take down malicious servers, regardless of where they are. This needs to happen, now.

This isn’t a new proposal, but it’s one whose time has come. There are a lot of obstacles to the implentation of this idea, including privacy and computer misuse laws, international relations and the patchwork of laws around the world. But none of those is going to be relevant if the Internet is unusable for most of the world in five or 10 years, which is entirely plausible given the direction we’re heading.

I had a discussion recently with Ori Eisen, founder of 41st Parameter, who said he had no doubt that the current Internet would be useless for any sort of valuable transaction very soon. He said it would need to be scrapped and replaced by something entriely new in the next few years, a separate network on which people can carry out banking, e-commerce and other transactions. I’m afraid I agree with him.

Security experts for years have been talking about their need to be able to reach out and take attacking machines offline, and this has been happening in an ad hoc way for a long time. Anti-phishing groups and ISPs in countries around the world have been cooperating to take down phishing sites for years, and they have developed a remarkably efficient and effective method of doing it, without stepping on toes or breaking any laws. It just works.

In the larger sense, security experts say putting the evidence together and finding the servers that are delivering malware or launching other attacks can be difficult, but is an important step.

“ We must begin by addressing the issue of attribution. We need to be able to fuse intelligence with private sector information to determine where attacks come from. We do have the capabilities in hand to trace where attacks come from,” Paul Kurtz, a former White House information security advisor, said at a conference in February. “If you link what we know in the private sector with the intelligence community, you can come out with a declaratory policy that says we will look to connect the dots and fuse information through all the capabilities we have to better understand who is attacking the networks. That’s the beginning of a deterrent policy.”

And that would be a start. The next step is taking action against those machines. If people are uncomfortable with the notion of the FBI or some other agency remotely cleaning malware from their PCs, I can understand that. I am too. So maybe we create a separate, independent consortium comprising representatives from a number of countries that can take this on. Whatever it ultimately looks like, something needs to be done or we won’t have the Internet to kick around anymore.

Suggested articles

Four New Normals for 2017

Ransomware, insecure connected devices, bug bounties and governments buying bugs: All four ceased to be novelties in 2016; they’re all new normals for cybersecurity.