Such vulnerabilities imperil more than individuals and commercial institutions. Secure installations in the government and the military can be compromised this way, too. And indeed there have been cases in which these loopholes did allow data to be stolen and records to be altered.
How do we come to be in such a mess? The reasons are partly historical. Today's protocols descend from ones developed 35 years ago when the Internet was still a research network. There was no need to safeguard the network against malicious entities. Now the Internet has opened up and grown explosively, but we have not developed inherently stronger security: the protocols still take for granted that the billions of people and devices online are both competent and honest. Nobody ever went back to do the difficult job of developing inherently stronger security.
Fixing the Internet protocols will be a formidable challenge. Some improvements are relatively simple to imagine-for example, switching to identification codes that use more than 16 bits-but would involve considerable work to adopt on a global basis. Techniques for authenticating that messages come from the proper parties are well developed, but those technologies are not necessarily fast enough to be embedded in all the routers on the Internet without bringing traffic to a crawl (or forcing prohibitive investments in new equipment). Some other important kinds of protocol improvements still need to be conceived. Of course, an essential feature of any new protocol is that it can be implemented without seriously disrupting Internet operations in the process.
For these reasons and more, in its February 2005 report, the President's Information Technology Advisory Committee (PITAC), of which I was a member, strongly recommended increased federal funding for basic research into cybersecurity. The Department of Homeland Security currently devotes only one-tenth of 1 percent of its research budget to this concern. DARPA (the Defense Advanced Research Projects Agency) used to fund this kind of work more generously but its current focus is more narrowly military and its research on cybersecurity is classified, limiting the amount of research that can be conducted at universities, and inhibiting the transfer of technology to industry. The National Science Foundation studies the problem but can only do so much. And, although industry takes the problem seriously, inadequate profit incentives discourage companies from aggressively developing broad-based solutions.
Even once better protocols are in hand, convincing the world to accept them represents its own set of headaches. No central governing body rules the Internet, and standards bodies have been ineffective at getting parties to adopt adequate security specifications. The situation is further complicated by the fact that national governments differ in their views of how the Internet should be run, and many key Internet players argue against any government intervention at all.
What is clear is that cybersecurity deserves immediate, sustained attention. As noted in the PITAC report, "the IT infrastructure of the U.S.... is highly vulnerable to terrorist and criminal attacks. It is imperative that we take action before the situation worsens and the cost of inaction becomes even greater."
This article was originally published with the title The Net's Real Security Problem.