Act Sooner, Rather Than Later, on Internet Security

Leonard Kleinrock is a professor of computer science at UCLA and is chairman and founder of an Internet start-up firm based in Westlake Village.

The recent blitz of “denial of service” attacks on the Internet raises great concern and uncertainty with regard to the viability and the power of the Internet. Many of the most popular Web servers were shut down for hours with attacks such as “smurfs,” “Tribe FloodNet,” trinoo, ping storms, etc. These attacks operate by seizing hundreds, even thousands, of surrogate computers (e.g., the University of California at Santa Barbara) as unwitting accomplices in forwarding a barrage of requests that flood servers and cripple them. These attacks are not easy to prevent since almost anyone can download the software to launch them.

The fact is that the Internet is far less secure and strong than it could be. I have observed system crashes in the Internet since its earliest days when it was launched in September 1969 from my UCLA laboratory and we took over the responsibility to test the outer envelope of its capabilities. We were able to bring the network down at will in those early days, each time uncovering a vulnerability that was then remedied.

What is it about the Internet that makes it so vulnerable? It is the very same characteristic that makes it tremendously powerful: openness. The culture of the Internet has always been that of shared ownership and control. When I first developed the scientific principles of the Internet technology in 1961, I recognized that what was needed was a robust solution that would support very large networks. This led me to introduce distributed control; no single portion of the network should control the rest of the Net, but rather every portion of the network should share in that control.

This concept appeared again in the late 1960s when the Defense Department’s Advanced Research Projects Agency funded the creation of the Net and wisely recognized that it should offer minimum interference. We extended this culture by entrusting teams of graduate students with major portions of the network development. Today, that same culture of openness continues. No one owns the Internet, no one controls it and no one can turn it off. And it is exactly this sharing of ideas, openness and sense of community that leaves it so vulnerable.

Those who focus on civil liberties in cyberspace are fearful that the concern over these recent attacks may provoke actions by government and/or industry that will damage personal liberties. There is a natural tension between the necessity of authenticating and tracking users versus the protection of their individual privacy. We value access, privacy and openness over limits, regulation and control. The irony is that hackers want to maintain the openness of the Internet but, in fact, their recent behavior has created pressures to achieve exactly the opposite.

We are beginning to see the consequences of relegating security as the stepchild of design. Warnings of impending attacks were, in fact, published in the professional and lay media before they occurred, and little was done.

The introduction of “always on” connectivity with the deployment of broadband access to the Internet has exacerbated the problem. Hackers have plenty of time to probe and penetrate our always-connected computers. Moreover, the connection over which they can penetrate is high-speed, so once they “snatch” our computers, they can pump poison into the Internet at alarming speeds.

Currently, there are at least two approaches to defeating the hackers. The first is cooperation at the international level to ferret out and prosecute the perpetrators of these attacks. In last week’s attacks, German police, the FBI and the Russian police are seeking a 20-year-old living in Germany, using the alias “Mixter.” President Clinton has called for a summit on Internet security this week. Enacting laws that dole out severe penalties to perpetrators of high-stakes computer crime is certainly appropriate.

The second approach is to use technology itself to defeat the attacks. It is the professional service providers who are positioned to deploy such technology. For example, the Internet service providers should check incoming messages for forged addresses. They should deploy managed gateways and firewalls at the edge of the Net where the user technology first meets the managed infrastructure of the Internet.

Various companies are addressing these issues with new technologies. In fact, in 1998, I founded a West Coast Internet start-up that has developed broadband gateways capable of controlling network access.

The recent attacks have been mild compared to the kinds of truly damaging attacks that could have occurred. This is a clear wake-up call. We have been given fair warning and we must address these issues in a way that preserves the openness of the Internet. Democratic societies have always had to pay a price for freedom, but the rewards have exceeded the cost. The Internet now faces such a situation. The sky is not falling, the Internet will not collapse, the problem is manageable, but good judgment, creative engineering and care are required to protect its culture of open access.