Mr. Obama: It's Time To Secure The Internet
01/16/10 11:35

THIS IS YOUR BANK THIS IS YOUR BANK ON THE INTERNET
I’m deviating from my usual topic of energy because it’s time to fix the internet. (No, I am not kidding.) It’s about ensuring that you can read this blog, get cash from an ATM, make a phone call, ensure your electric power stays on, railroads run and your supermarket has food on its shelves.
What do all these vital services depend upon to operate? Twenty-year-old insecure internet standards.
Imagine if anyone could build an onramp to the freeway and you could drive a polluting 12-foot-wide car at 150 mph without penalty? Or your tap water had no purity standards? Or we ran out of phone numbers so your phone number was shared by an unknown number of people anywhere in the world? Or every street address in the world could be mixed up so mail & packages would not know where to go? These things are illegal in every country in the world - but you can do it all on the internet without breaking a single law.
Welcome to today’s internet where the pipes and switches we depend on to send email or use the web have little security - enabling attacks that send people somewhere else when they try to go to www.whitehouse.gov or block web sites and steal data.
Today’s internet is running out of addresses so most computers attached to the internet (almost certainly including the one you are reading this on) must use a “fake” (aka translated) address, making it easy for bad guys to hide right under our noses. This makes spam and “botnet” attacks easy to perpetrate because no one knows where the spammers and “zombie computers” really are in order to cut them off. Small-scale cat & mouse attacks have already disabled the US Dept. of Defense, Treasury Dept. and NSA. These attacks may have originated in tiny North Korea - no one is really sure - just as Google “cannot be sure” the recent attacks came from China.
The technologies to fix these gaping security holes are already built into almost all internet servers, routers and PCs, including the one you are reading this on. They are just not enabled.
The first fix is to secure the Domain Name System - that’s the system that routes your browser (or email) to the piggybank.com (or whatever) server. This fix is called Domain Name System Security Extensions, or DNSSEC for short. The good news is that ICANN (the body that authorizes “Top Level Domains” like .com, .net, .cn) and VeriSign are rolling out DNSSEC for .com, .net and .edu, and numerous other countries are doing so as well. The U.S. is securing its .gov domains similarly. These domains are expected to be secure by 2011 but there is no guarantee, and not all elements of DNSSEC (such as reverse DNSSEC) will be implemented.
The second fix is ensuring every computer connected to the internet uses its own real and unique address to eliminate hidey-holes for attacks. The internet has been managed since 1981 by Version 4 of the Internet Protocol (IPv4) which is running out of addresses. To patch this shortage, we now depend on workarounds like Network Address Translation (NAT) to allow multiple computers (or bad guys) to use (or hide behind) one address. The fix for this is IPv6 which is already built into all computers - including yours. It is simply not enabled by internet carriers or ISPs that connect us to the Internet.
Moving to IPv6 would render most spammers and botnets ineffective by making it easy to pinpoint & cut off the attack-launching computers. An indication of how crucial IPv6 is to security was China running the 2008 Olympics on IPv6 to mitigate potential for denial of service and other kinds of attacks. Google and Hurricane Electric (a US internet backbone carrier) are already running on IPv6.
These technologies are here - we just don’t use them because, well... because if it ain’t broken, don’t fix it, right? Wrong. Attacks happen every day, they slow down the internet and cost as much as a trillion dollars annually in stolen data and constant fixes to computer systems.
How vulnerable would we feel if China upgraded its internet infrastructure this way while the US, which is far more dependent upon the internet, remained a soft target? Will it take a cyberattack of the kind that crippled Estonia to convince us to secure our banks, food supply, government and communications?
These fixes are not a panacea, but today’s situation is like leaving the front door wide open in a high-crime neighborhood. We can mitigate many of the most damaging cyber attacks with these simple and available fixes.
The internet has historically been self-regulating with “sender keep all” costs. However this approach has failed to update the fabric of the internet itself because unless the entire fabric upgrades, improvement to any part of the fabric has no effect. Standards bodies have made attempts - and leaders such as Google, Microsoft, banks and eCommerce companies are eager for improvement but systemically can have little impact.
It is time for the US to seize the first-mover advantage to secure our nation and create new opportunities for our internet technology leaders. As it once did when pushing Y2K upgrades, the federal government should act to mandate that every US internet carrier and ISP must operate solely on DNSSEC and IPv6 by 2012, and that internet traffic passing through US networks must be compliant, or be forced to route around the US. Such a precedent-setting requirement would help ensure the rest of the world upgrades its cybersecurity.
