Viewpoint
Is the Internet broken?
My initiation to the Internet and the World
Wide Web occurred in 1994 in a large meeting
room at an Atlanta hotel. Most of the 100 or
so seats were empty. Those in attendance
seemed fairly rabid about this new network
and took exception to one speaker’s
prediction that the Web would become a major
marketing vehicle. "Not gonna happen," said
one attendee. "We’ll spam them into
submission if they try. We won’t let this
become commercialized." I kind of chuckled
to myself.
Those early adopters were mainly
concerned with protecting the Internet from
commercialization and marketing. Security
was not even part of the discussion. Now, it
is threatening to dismantle the Internet as
a communication and commerce tool.
Cyber attacks on U.S. government computer
networks increased a reported 40 percent in
2008, according to data from the U.S.
Computer Emergency Readiness Team. More than
100 million credit card accounts at
Heartland Payment Systems were compromised
last year. In November, the Pentagon
suffered from a cyber attack in the form of
a global virus or worm that spread rapidly
throughout a number of military networks,
and caused the agency to ban the use of
external storage devices, such as flash
drives and DVDs.
And this is just the tip of the Internet
security iceberg. Enterprise networks are
being used to launch phishing and other
Internet scams, such as the Conficker worm
that infected 12 million computers late last
year.
IT directors everywhere are adding
multiple layers of protection to their
networks and constantly having to upgrade
those measures to adjust for new threats. Is
this good? Is the Internet too broken to
fix? Is there a better path to enterprise
network security?
According to John Markoff of the New
York Times, "There is a growing belief
among engineers and security experts that
Internet security and privacy have become so
maddeningly elusive that the only way to fix
the problem is to start over."
One of the options being debated is a new
"gated community" Internet, where users give
up their freedoms and anonymity for safety.
That alternative, however, does not sit well
with Internet purists like those I met in
Atlanta in 1994, who see such control as the
antithesis of what the Internet should be.
"In many respects, we are probably worse
off than we were 20 years ago," Markoff
quotes Purdue University security expert
Eugene Spafford, "because all the money has
been devoted to patching the current problem
rather than investing in the redesign of our
infrastructure."
Stanford University scientists currently
are working on a new network they say can be
placed "underneath" today’s Internet. While
the Stanford Clean Slate project will not
solve all the security problems, it will
provide software and hardware designers with
a toolkit they can use to make security an
integral part of the network. Eight campus
networks are expected to be using the "new"
Internet by the end of the summer.
Not everyone agrees that a new Internet
is necessary, particularly security vendors.
"I don’t think today’s Internet needs
killing at all, but the creation of gated
local networks is already with us today,"
says David Perry, global director of
education at Trend Micro. "Certainly, as the
age of Internet insecurity becomes more and
more egregious, this will lead eventually
into integrating more and more security into
every facet of internetworking. It just
can’t happen in that ‘tear it down and build
a new one’ kind of fashion."
Susan Wei, marketing executive at
American Portwell Technology, agrees. "It’s
not feasible. People do worry about their
privacy. However, unless their privacy is
guaranteed by something as concrete as
‘military-strength,’ there is no point."
"On the whole, a shift like this on the
entire Internet is unlikely," states Mark
Parker, senior product manager at
Marshal8e6. "There are far too many things
that users of the Internet want to do
anonymously. Adding a level of ‘tracking’ to
what they do would be met with resistance by
most users.
"Regardless of what changes are made on
the Internet, the opportunists will always
be attempting to find ways to bypass
existing security," Parker adds.
"Enterprises will need security devices that
can protect the network and enforce the
security policies for users."
According to Stephen Pao, vice president
of product management for Barracuda
Networks, "A shift in the Internet paradigm
will happen in an evolutionary, not a
revolutionary way. Many individual users
(already) are abandoning e-mail as their
default communication channel and are
turning to media, such as social networks
and IM, which already incorporate the
ability to only allow authorized users to
contact them."
Billy Austin, chief security officer at
Saint Corp., says gated Internet communities
already exist and that, while the current
Internet is sure to get plenty crowded, it
will remain as it is "forever."
"Regardless of what happens, we will
still face the same challenges," he
predicts. "We are already on the front end
of IPv6, (but) will IPv6 be secure?
Absolutely not, as crime will always be an
issue with whatever industry starts up. In
fact, we have many exploits and Trojans that
are awaiting those that migrate (to IPv6).
Hackers are already anticipating this move."
Don Leatham, senior director, solutions
and strategy, at Lumension has a different
solution. "The only way that I see this
working is if it is approached using a
public infrastructure model, where the cost
of the secure Internet is handled via
general tax legislation and some sort of
publicly funded licensing authority is
established to authenticate, validate and
allow access to the secure Internet. This
approach would also definitely require the
dismantling of the free Internet to be
effective. A big issue here is will this
model scale globally?
"To a certain degree, we already have
examples of gated communities on the
Internet in the form of global corporate
VPNs," he adds. "These provide a high level
of safety for their users and their data,
but there is absolutely no anonymity or
unbridled freedom. So one way to look at
this issue is to consider what it would take
to build out a public VPN. From a private
enterprise standpoint, it will be difficult
to come up with a compelling economic model
that will successfully entice individuals to
switch to a new Internet. And can a large
enough group of ISPs put aside petty and
territorial differences to get this to
happen? Probably not."
Trend Micro’s Perry expects that
enterprises will always need to shore up
their network security. "We are currently
seeing more than 130,000 new threats every
day," he says. "Even the best protection
calls for constant vigilance and update.
‘Fixing’ the Internet could not conceivably
protect us against all future threats."
"Enterprises will always have security in
place," says Marshal8e6’s Parker. "Even if a
gated community Internet does exist, there
are still going to be holes that
opportunists will work to exploit."
And, offers Lumension’s Leatham, "No
security is perfect. For many enterprises,
it would not be appropriate to rely solely
on the general security provided by a secure
Internet. Fundamental security principles
dictate that a layered security model be
deployed to protect valued assets. Any
company that has a need for high levels of
security would not leave its security
totally in the hands of any secure Internet
provider and would definitely deploy
additional security measures."
kanderberg@comnews.com