Fixing The Internet
Updated: Dec 17, 2019
Let's face it, the Internet was not meant to be secure - not secure by any modern definition anyway. By now, most people understand that they face risk every time they go online to bank, make a purchase, or send a text. A smaller number understands that the problem lies with how the Internet was designed.
The Internet was built for survivability and integrity, not security. The Transmission Control Protocol and Internet Protocol (TCP/IP) – the engineering standard underpinning the Internet – was developed in a time when people's top concern was nuclear missile attacks, not carefully-crafted network vulnerability exploits. TCP/IP therefore ensures information gets to where it needs to go by breaking it up into lots of data packets and then using whatever viable route exists to deliver these data packets to their final destination for reassembly.
In the TCP/IP architecture, the focus is on connectivity, not content – TCP/IP delivers data packets reliably but without regard to what is being sent.
Almost since the inception of the Internet, however, malicious actors have exploited its blindness in order to send data packets embedded with harmful payloads or to simply open the packet delivery “floodgates” against others in DDoS attacks. As connectivity has become both ubiquitous and continuous, so, too, has online criminality. By some estimates, cybercrime will cost the global economy $6 trillion a year by 2021.
It may come as a surprise, then, that the technology which can eliminate most forms of online maleficence has existed – indeed, has been in use – for nearly 20 years. The inventor of this technology, called the Handle System, is Robert Kahn - an American, who, along with a gentleman named Vinton Cerf, invented the TCP/IP standard. Put simply, the Handle System takes the focus away from moving around anonymous data packets and instead re‑envisions the Internet as a massive database where the emphasis is placed on gaining access to “digital objects” such as web pages, research papers or Internet‑connected devices.
Under Kahn's system, these digital objects are assigned persistent identifiers, called handles. Handles provide metadata about an object, such as where it is available, what formats it is available in, who is permitted access to it, and whether payment is required for access. In a privacy-respecting scenario, persons wanting access to a resource should be permitted to retain some anonymity, creating a user identity that is used for that service alone. Libraries and academic institutions were early adopters of this system, using handles to identify and manage access to information resources in their possession.
Viewed through a security lens, digital object identification is attractive because it enables greater and more granular control over Internet-connected resources. As more and more devices join the Internet of Things (IoT), the Handle System would seem to offer some hope that these Internet-connected objects, such as dolls, refrigerators and water coolers, will not be turned against us.
The Dark Side
However, these principles can also be applied to enforce higher degrees of control over people, and especially their digital lives - China, Russia, North Korea and Saudi Arabia are all enthusiasts of a particular version of the Handle System called the Digital Object Architecture (DOA). Needless to say, all of these countries have a reputation for repressing their population's civil liberties and are all highly criticized by human rights activist groups.
China and Russia have long been clear that they see the goal of cybersecurity as securing information rather than information systems. Both of these countries have pushed for a series of resolutions that intended to incorporate the DOA in the UTU's work at the November 2016 meeting of the United Nations' International Telecommunication Union (ITU) in Tunisia.
The attempt was ultimately defeated by US and Canada, as such a move would run contrary to the ITU's technology-neutral tradition (DOA is a proprietary technology administered by the private entity called DONA Foundation). That said, the ITU remains a battleground for control over the Internet to this day, and the war is far from over.
So where does this leave us? Ultimately, even though the Handle System provides a solution to TCP/IP security caveats, shifting from one to another would not be as easy as flipping a switch - in fact, far from it. Thus the best chance to fix the Internet at the moment lies with regulators and in the form of communications framework adjustments. More on that in my next piece.