The basic architecture of the Internet hasn't changed since it was conceived 40 years ago. But what was once the playground of wonks is now the main staging area for the global economy and open to an array of security vulnerabilities. Brooke talks with Internet experts who ponder a vexing conundrum: adjustments that increase security simultaneously hamper innovation.
CLICK HERE TO HEAR THE EXTENDED INTERVIEWS
Let's GoArtist: Build Buildings
BROOKE GLADSTONE: And I'm Brooke Gladstone. This year the Internet turned 40, and that’s an age when you start to feel a little vulnerable, especially if you've worked too hard, played too hard and swallowed too many foreign substances without reading the warning labels. You could pick up a virus, a parasite or worms. Conficker is all three. It can hop from computer to computer on its own power. It can attach itself to an innocent document. It can guess passwords and slip in through the back door. Last year, it infected roughly 12 million computers. Eventually, security teams defanged it. Then, just a few weeks ago, a new, more virulent strain appeared. The last time Conficker invaded U.S. computers, it mostly lay dormant. It didn't do anything. But there’s no telling what it could do, because Conficker is a multistage program. First stage, infect. Second stage, act. Imagine 12 million remotely controlled computers – an enormous botnet. [MUSIC TAG] JOHN MARKOFF: A botnet is essentially taking the open Internet and turning it into a supercomputer. BROOKE GLADSTONE: John Markoff covers technology for The New York Times. JOHN MARKOFF: In theory, at some point they will send the programming instructions to all the computers that have been turned into zombies, that have been taken over by Conficker, and they can do whatever they want. And so what might that be? They could cause them to distribute more malware, they could cause them to send spam, they could cause them to basically send fire hoses of data at different companies or networks on the Internet and shut them down, and no one knows what’s planned. BROOKE GLADSTONE: The Internet’s creators didn't fret over apocalyptic infections. In its first 19 years, it was the playground of trusting techies and innocent geeks. Then it became available for use on college campuses, and, well, you know what happens in college. JOHN MARKOFF: In November of 1988, a Cornell University graduate student, whose name was Robert Tappan Morris, launched this program into the Internet, which was then composed of about 60,000 computers. And he meant to simply have a program that would travel around the then- brand new network and basically do nothing. BROOKE GLADSTONE: Robert Tappan Morris, RTM, just wanted to leave his mark, a little Internet graffiti. But anticipating the network’s computers would rebuff his little program, he tweaked it so that it would send itself over and over again. The adolescent Internet was completely overwhelmed. JOHN MARKOFF: Think about the sorcerer’s apprentices, all those broomsticks running around. And it turned out to be a catastrophic programming mistake, and he brought the network to its knees. BROOKE GLADSTONE: It was the first worm. The thing is, 20 years later, the Internet is still susceptible to that kind of worm, only now the importance of the Net has grown, and, along with it, so has the sophistication of the attacks and the sense of impending doom, which the Air Force, in this ad, says it’s ready to confront. [CLIP]: [MUSIC UP AND UNDER] MAN: Nuclear power is regulated through the use of computers. Your water system’s regulated through computer systems. Because we operate so much inside cyberspace, that is the new battlefield. [END CLIP] RICHARD CLARKE: What we've seen in the course of the last 12 months is the United States government admitting publicly that both China and Russia have hacked their way into secret computer systems in the Pentagon, including the secretary of defense’s own computer system. BROOKE GLADSTONE: Richard Clarke, now author and security consultant, served as special advisor to President Bush on cybersecurity. RICHARD CLARKE: I think it’s very plausible that a group could, for whatever motivation, achieve destruction in the real world by things that they do on the Internet. The United States government has proved to its own satisfaction that you can attack the electric power grid through cyberspace. BROOKE GLADSTONE: Like the plot of the Bruce Willis film, Live Free or Die Hard. [CLIP]: ACTOR: Transportation system’s crashing and they just hit the entire financial sector, everything, all of them. BRUCE WILLIS AS JOHN McCLANE: All right, it just keeps spreading. About half the East Coast has already gone down. [END CLIP] BROOKE GLADSTONE: Hey, wasn't that about a pathologically frustrated former cybersecurity official who proves our vulnerability by almost destroying the country? RICHARD CLARKE: Yeah, The - unfortunately, The New York Times review of Live Free or Die Hard suggested he was modeled after me, which - [BROOKE LAUGHS]] - I didn't consider very flattering. BROOKE GLADSTONE: So then what’s the solution? Is it just better software, essentially fixing the devices we use to connect to the Net? Or do we need a new Internet? RICHARD CLARKE: I think we need parallel Internets for a limited number of very sensitive functions. What I'm talking about is probably migrating less than one percent of Internet traffic off the Internet. BROOKE GLADSTONE: You know, I'm just wondering, even if the Pentagon were to develop its own very secure Net, any time it hooked up to the regular Net it would become vulnerable, would it not? RICHARD CLARKE: Well, that’s exactly what happened two months ago. The people working in the Pentagon on the real unclassified Internet were downloading things and putting them on their thumb drives and then moving their thumb drives over to classified computers. Well, guess what? The Russians figured that out. And the Russians came up with a virus that looked for Pentagon Internet addresses, and then looked for computers that had thumb drives on them, and downloaded a virus onto those thumb drives, and the virus then walked across the room and got into the top secret network of the Pentagon. BROOKE GLADSTONE: So the hope of a separate network is really a false hope, right? RICHARD CLARKE: No. I think if you’re going to have a separate [LAUGHS] network, you have to have some [LAUGHS] real discipline on it. And what the Pentagon did, after the fact, was went around with cement and actually cemented up the USB connections on their computers so that people couldn't use thumb drives. BROOKE GLADSTONE: Oh, give me a break. Cement? This is why many computer scientists say it’s time to consider a wholesale redesign of the way data flows on the Net. NICK McCUHAN: The infrastructure that makes up the core of the Internet -- the switches, the routers -- they really haven't changed since the dawn of the Internet 40 years ago. BROOKE GLADSTONE: Stanford engineer Nick McCuhan is part of the Clean Slate program, one of several efforts around the world to create a Net that is capable of evolving. NICK McCUHAN: It hasn't stayed still because it was perfect, it’s really stayed still because as soon as there are billions of users using the Internet, it becomes almost impractical to change. BROOKE GLADSTONE: Take those aging routers. They're kind of like the post offices that sort and deliver our data online. Routers have to be adjusted or replaced by hand. That’s why it took more than a dozen years to fix a mounting problem – not enough IP addresses, the unique tags composed of digital bits that every computer online is supposed to have. NICK McCUHAN: Today it uses 32 bits. The idea is to use 128 bits. And so, when you move from 32 to 128 there are so many possible addresses that there is no way we're going to run out. So a very simple idea took 15 years to introduce. Why was that? It was because the network itself – how do the switches and routers know to look at the 128 bits instead of 32 - it’s baked into all of the boxes. BROOKE GLADSTONE: All the boxes in the whole world. How much easier it would be, say the folks at Clean Slate, if we could just send instructions to the routers when the need arose. NICK McCUHAN: For us it was a collective rallying cry, a wake-up call to ourselves, to say, you know, we really should be thinking a little bit more outside the box. Let's ask the question, what would we do if we had the opportunity to start over from scratch? How would we design the Internet? STEFAN SAVAGE: A new network architecture isn't going to solve our problems. BROOKE GLADSTONE: Researcher Stefan Savage teaches computer science at the University of California San Diego. He says he likes to use an unfair analogy. STEFAN SAVAGE: The question I like to ask people is, what are you going to do to the highway system to reduce crime. And when you put it that way, it sounds absolutely ridiculous, because while criminals do use the highway, no rational person is suggesting that if only we could change the transportation architecture that crime would go away. And yet, in a certain sense, that’s what people who propose that a new Internet architecture is going to solve our security problems are heard to be saying. BROOKE GLADSTONE: Most of the experts I spoke to said we have far less to fear from cyber-terrorists than we do from online vandalism and crime – a flood of spam, a website crash, a clever rip-off. But Savage says we're fighting that battle exactly wrong. There are way more computers than computer criminals, and yet - STEFAN SAVAGE: We tend to focus on protecting the PCs, spending about 100 billion dollars a year on IT security. We have chosen the broadest and most expensive front to take on this fight. And I'm suggesting that, in fact, there are bottlenecks on the financial side of cybercrime that are far more vulnerable. BROOKE GLADSTONE: Savage says more cops should be following the money, and he doesn't think we should mess with the structure of our wide-open, free and easy, online-nobody-knows-you’re-a-dog Internet, because that’s what’s led to everything we now enjoy – YouTube, Google, the World Wide Web itself. They happened because people willingly took candy from strangers and risked having their computers turned into zombies or bricks. STEFAN SAVAGE: The fact that we have these rich experiences on the Internet, where you can have Flash come up and you can have messages from all of your different friends on Facebook and so forth, is a testament to that freedom. And I just can't contemplate – I mean, you'd be literally inventing everything from scratch, and I'm not sure if you could replicate a significant fraction of the experience that we have today. That one I don't see happening. CLAY SHERKEY: I don't believe that a practical alternative for the Internet is conceivable - BROOKE GLADSTONE: Clay Sherkey teaches new media at New York University and is author of Here Comes Everybody: The Power of Organizing Without Organizations. CLAY SHERKEY: - in part because of the installed base, but also in part because I don't think anyone would allow the engineers to do their work in peace. BROOKE GLADSTONE: Any improvements would have to pass muster with copyright holders, law enforcement, political interests. The pressure would crush any wholesale redesign of the Net. But Sherkey does think that adjustments are needed to cope with the fundamental problem of life online – anonymity. The Internet’s greatest virtue is also its greatest vice. Hippie geeks built the Internet on trust. We need to address the reality that often nowadays trust is not an option. The old neighborhood just ain't what it used to be. CLAY SHERKEY: How do two people who want to do business with each other come to trust each other? BROOKE GLADSTONE: The answer, says Sherkey, actually comes from a professor of political science named Robert Axelrod. CLAY SHERKEY: And Axelrod’s answer was, only the shadow of the future. Right? I won't rook you in a transaction today because you and I might do business again tomorrow. And so, successful regimes create the shadow of the future and then they can actually set up cooperating networks, even inside incredibly hostile environments. We start having digital signatures in one way or another that says, essentially, I trust you directly because we've done some business together, or I trust you because people I know trust you, or I don't trust you, no one I know trusts you, and then I'm either going to not do business with you or I'll do business with you at arm’s length. BROOKE GLADSTONE: So how would we know when it’s safe to take candy from a stranger? What would a Good Housekeeping Seal of Approval look like online? JONATHAN ZITTRAIN: It could look like a dashboard on your machine. BROOKE GLADSTONE: Jonathan Zittrain is cofounder of the Berkman Center for Internet and Society and author of The Future of the Internet and How to Stop It. JONATHAN ZITTRAIN: Before you run some new code, the dashboard would have a needle that simply indicates whether experts, or not, tend to run the code. And then I can piggyback on the decisions of the nerds about what they run and what they don't. BROOKE GLADSTONE: Right now, Zittrain sees a worrisome trend: people handing over responsibility for their online security to outside vendors with cool new toys. It’s happening now. Take the iPhone. It’s a lot like a computer, except outsiders can't write programs for it unless they submit them to Apple first. Only Apple decides if can go on the phone. The upside, a more secure device. JONATHAN ZITTRAIN: The downside is it sets up a new gatekeeper that’s going to have its own motives and incentives that are not always the same as the consumers it’s supposed to serve. BROOKE GLADSTONE: Example. Somebody submitted an iPhone application to Apple called “Freedom Time.” Basically it was a countdown clock for the Bush Administration, and it had the tagline, “Till the end of an error.” The author couldn't understand why it was rejected. JONATHAN ZITTRAIN: Steve Jobs wrote him back when he complained, and said, this is an application that will offend roughly half of our users. What’s the point? And my strong belief is that so much of the code we now think of as central and crucial and cool and revolutionary is code for which, when most rational people first see it, their reaction is, what’s the point? You could say that about something like Twitter [LAUGHS]. Somebody says, now people can update their status with 140 characters or fewer. And the obvious reaction to that is, what’s the point? Or with blogs or with Wikipedia – now at last everybody can edit a page simultaneously. I'm sure it'll produce a reliable encyclopedia. [BROOKE LAUGHS] You know, the right answer to that is, you guys are on drugs. And it’s only when somebody can just try it out and doesn't have to persuade anyone else that this is something for which there’s a point that you get this kind of innovation taking place. BROOKE GLADSTONE: Say we want to stay in charge of our own security and get in on that innovation. How? Zittrain has an idea involving what he calls red and green zones on our computer’s hard drive - a safe zone for our most important documents, bank records, health records, the novel we're writing, that would be blocked off from Internet invaders, and then another zone where we play at our own risk. One thing he’s sure of, we have to figure this out and offer ways to work and play online with confidence, because if we don't - JONATHAN ZITTRAIN: Most people will naturally migrate away from the personal computer as we know it and into architectures that are much more like gated communities with the security outsourced to a vendor. And that would be an unfortunate state of affairs. You'd end up with just the nerds back in their own playpen, happily doing cool things but not able to share it with the rest of us. [COMPUTER SOUNDS/HUBBUB] [MUSIC UP AND UNDER] BROOKE GLADSTONE: So once there was this thing that was too good to be true, and then the whole world got in on it and then it wasn't true. It’s a sticky wicket, adapting the erstwhile nerds’ playground to the realities of a nasty world. People used to call the Internet “the information superhighway,” but to me it’s more like a beating heart, pumping oxygen to every nook and cranny. Protect it. Replace the valves and close up the leaky pipes. But block its arteries and it will die, and with it, not just future Wikipedias and Skypes but all that may come from unbounded interconnection – ad hoc communities, colliding imaginations, the terrible and glorious potential of minds unfettered by time and distance. All of that lives and dies by the Net. [MUSIC UP AND UNDER] If you want to hear more about some of the ideas you just heard, go to Onthemedia.org, where you'll find practically unedited interviews with Jonathan Zittrain, John Markoff, Clay Sherkey and Richard Clarke. BOB GARFIELD: Next week, in the second installment of our three-part series on the Internet, we look at the intersection of privacy, reputation and the law. What legal recourse do you have if someone publishes mean-spirited, salacious and even defamatory material about you online? Michael Fertik is CEO of a company called Reputation Defender. MICHAEL FERTIK: Unlike in the law, unlike in a courtroom, when someone reads something about you on the Web, they do not have to believe it beyond a reasonable doubt. They just have to believe it enough not to take a risk on you. That is a murderously low threshold. BOB GARFIELD: Tune in next week for our piece about personal privacy and the Internet. [MUSIC UP AND UNDER] That's it for this week's show. On the Media was produced by Jamie York, Mike Vuolo, Mark Phillips, Nazanin Rafsanjani, Michael Bernstein and P.J. Vogt, with help from Kara Gionfriddo, and edited – by Brooke. We had technical direction from Jennifer Munson and more engineering help from Zach Marsh. Our webmaster is Amy Pearl. BROOKE GLADSTONE: Katya Rogers is our senior producer and John Keefe our executive producer. Bassist/composer Ben Allison wrote our theme. You can listen to the program and find free transcripts, MP3 downloads and our podcast at Onthemedia.org. You can also post comments there and email us at Onthemedia@wnyc.org. This is On the Media from WNYC. I'm Brooke Gladstone. BOB GARFIELD: And I'm Bob Garfield.