For the last three years it has been my honour to have judged the security category entries to the Nominet Best Practice Challenge, and I have constantly been heartened by the dedication of those entering the competition, and by the wide range of often excellent ideas and initiatives that they bring to the table. High participation levels in the security category at previous IGF and UK IGF sessions also demonstrate that there is enormous interest and expertise in trying to make the Internet a safer place for people to interact and do business. Sadly, however, we remain bombarded by daily reminders that the Internet remains far from secure, and all the signs are that this is not likely to change much in the foreseeable future.
It is ironic that a technology originally developed to further military aims has turned out to be both insecure and difficult to make secure, but of course it is often argued that the Internet’s highly open approach to access is one of the key factors in its success. Attempts to secure the Internet often have the effect of restricting that access, which is unattractive and limits take-up, leading to a kind of catch-22 situation that seems to ensure that security is constantly being degraded over time.
OK, time for some opinions to get the ball rolling – in the interests of its continued survival the Internet needs an effective immune system, and this can only happen if society as a whole deems it important. The Internet is a vast resource that has developed into a complex ecosystem, and like any ecosystem it supports a range of players, including analogs of predators (such as fraudsters or paedophiles), parasites (such as spammers) and diseases (such as malware and worms). In biology, any organism that does not have an effective immune system will be quickly exploited and/or killed – and those outcomes are pretty much guaranteed to be the only ones on offer. In terms of human society, an immune response is typically provided by the application of factors such as social rules, laws, codes of moral behaviour and by society’s willingness to back them up by enforcement. In the case of the Internet all these factors have proved extremely difficult to apply due to its patchwork global and distributed nature, and the result of this is clear to see: fraudsters rake in millions of dollars a year in virtually risk-free scams, nearly all email is now spam, and tens of millions of computers are infected with malware and forced to support yet more crime and disorder.
In my own industry of banking I see all too well the effects of being targeted by well-resourced organised criminals, often operating from countries where there is no realistic prospect of their being found or arrested, let alone prosecuted and punished. In a way though, banks have an easier task in terms of agreeing security measures – because they are targeted with some of the most advanced tools at criminals’ disposal, and because what they guard is clearly so important – banks can readily implement tough regimes such as two-factor authentication, restrictive access controls and so on. These measures are undeniably effective, but I’ve often heard that these are measures that many others would blanch at – too restrictive, too expensive, our users would never accept it, etc. etc. So we have a situation where patches of interested parties are taking various actions, largely independently of each other and with no real coordination or agreement on tactics or strategy. However, over time I believe that it is likely that these measures will see wider and wider use simply as a side effect of the continuing arms race.
The experience of the banking industry is an interesting case to consider further. Like many others, it entered the Internet as a sea of opportunity where it grew and grew with apparently no downside. Then about five years ago it was discovered by predators, and what had looked like a beautiful coral reef turned out to be a shark-infested ocean. When banks looked for help in solving the problems they found – not much. More accurately, they found no equivalent to “real world” problems of similar type. Instead they found a patchwork of dedicated amateurs, small security firms, the odd law enforcement body with all-too-limited jurisdiction and not much else. Clearly the Internet is still a very new place, and society as a whole has yet to catch up, but in the last five years the situation can hardly be argued to have improved in any measurable sense despite the best efforts of many dedicated individuals and organisations. This is reflected in the low-key nature of the response at national and international level, and it is clear that society as a whole still seems to have a problem in accepting that:
a) The Internet is no longer a toy – it is hugely important to all civilised societies; and
b) It should be robustly defended as such; and
c) Societies should make available the resources and expertise to create and maintain that defence.
True, these are widely and vaguely stated aims, but taken to heart they would represent a surprisingly large-scale change in how the wider world often seems to perceive the Internet (i.e. a play-pen where so-called “crime” is enacted by cheeky apple-scrumping boys who can’t be caught anyway). To see how big a change, one need only consider the size, or rather the lack, of the budget for the Police Central e-Crime Unit.