Like it or not, we're stuck with an insecure information infrastructure
In the battle to secure cyberspace the best we can hope for might be to not let the bad guys get too far ahead
The pickings were rich at this year’s Black Hat Briefings, the nuts-and-bolts computer security conference held last week in Las Vegas. From smart parking meters to Secure Sockets Layer to routers, hackers and researchers keep finding new ways to undermine the information infrastructure that underlies our economy.
In a sense this is good news. Every vulnerability, exploit and hack that is discovered and published is one more that we might be able to fix before the bad guys get hold of it. But it also is sobering. After enough of this the obvious truth begins to sink in: We are never going to get to the end of this. No matter how hard and fast we work to secure the Internet and its associated systems, there will always be more vulnerabilities to discover and all we can do is try to stay one step ahead of the bad guys. Realistically, the best we can hope for might be to not let the bad guys get too far ahead.
The problem is that the systems on which our information infrastructure is based are fundamentally insecure. We can talk about architectures and engineering, but the truth is, the Internet was never designed, it evolved.
In the debate between evolution and intelligent design, the best argument for the evolution of man is that he does not seem to be very intelligently designed. Why are we such attractive hosts for a variety of viruses, bacteria and parasites? Why do our bodies start breaking down halfway through our allotted three-score years and ten? Why do we carry the seeds of our demise within us? We’re stuck with an imperfect system and the best we can do is try to maintain it as best we can and put off the inevitable.
The same traits are apparent in the Internet. It is resilient and long-lived, but it is vulnerable to myriad failings and attacks, and the best we can do is try to keep it up and running because it is what we depend on. No sane person would have designed it the way it is today. It has grown, organically, in a way no one person or organization ever envisioned, and it is evolving today in ways that we don’t yet realize. Because no one understood how the Internet would be used from one year to the next, the underlying protocols are as flawed as human DNA. And we have about as much chance of switching these protocols as we have of reengineering our DNA.
While the researchers, engineers and computer scientists are working as hard as they can to understand these systems, find the flaws and figure out ways to fix them, thousands more tinkerers are working just as hard coming up with new applications, functionalities and tricks for the online world. Some of these will become essential tools every year. But because so many of these are designed originally not as tools but as toys, they are not built to be particularly secure or robust. And they are built to run on the existing insecure protocols, embedding them ever more deeply into our infrastructure.
But I am not as pessimistic as this sounds. After all, it is amazing that our complex networks and systems work at all, let alone as well as they do. And the irresistible urge to tinker and continuously find new ways to use our systems, even before we have perfected what we already have, is an expression of the ever optimistic human spirit.
The Internet is sloppy and sometimes threatening. But that’s the way humans do things.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.