Introduction: A growing urgency
British scientist Tim Berners-Lee launched the World Wide Web in 1989 as a system for posting and accessing information. However, it wasn’t until 1993 that Mosaic, the first usable web browser, began to popularize the net, paving the path for Netscape Navigator, Internet Explorer and the full range of browsers available to users today.
In the 1990s, there was little concern about internet security among internet/IT leaders. They believed the internet would allow people to exchange a wide range of information with civility and objectivity. It was taken for granted that built-in anonymity would protect privacy and that people would behave decently online. Too bad it didn’t turn out that way! According to the National Telecommunications and Information Administration, as we approach the 2020s, over 50% of Americans are curtailing their use of the internet because of widespread, growing concerns about security, trolls, and privacy. While there’s no easy fix for these problems, ignoring them will cause more pain in the long term than implementing some combination of strategies in the near future.
Can’t live with or without it
It’s a great idea to take periodic cyber breaks and, I believe, a sound policy to limit after-work-hours email and other communication from managers. But returning to a non-digital world isn’t going to happen because the internet continues to be the greatest engine of economic growth since the industrial revolution.
That said, while the Internet facilitates business, education, and communication, its lack of built-in security leaves the door open to toxic discourse and criminal exploitation.
The internet needs two main fixes:
- Some Restrictions on Anonymity: Why not dedicate part of the internet to open/transparent communication where all parties are identified? Such an internet domain would require layers of security to verify identity and authenticate a person’s IP address. An increasing number of online publications disallow comments because they have become so routinely nasty and thoughtless. If online news and opinion sources inhabited a more secure part of the internet where identities are transparent, the assumption is that people would feel more accountable for whatever they say and do online. This would also allow for safer financial transactions and reduce cybercrime and spam. One thing is clear: Where there is no accountability, people don’t behave in a moral or ethical manner.
- A New Revenue Model for News and Other Information Sources: The New York Times, the Washington Post and many other news outlets now require subscriptions to gain regular access to their content. Ad revenue simply doesn’t pay the bills. More concerning, advertisers in too many cases degrade online publication content and quality. What can be done to support the almost limitless number of small, reputable online publications? Accessing one interesting article on an obscure arts newsfeed isn’t enough incentive for a person to buy a year’s subscription. The fix? Easily managed payment systems that would allow a person to pay, e.g., $.20 to download the occasional article from a small circulation information source. They deserve and need the revenue!
What, if anything, can or should we do to restore public trust in the internet? I’ll discuss this next…
Thus far in this post, I have discussed why the internet needs (1) some restrictions on anonymity, and (2) a new, more precise, revenue model for news and other information sources. Again, the problem with anonymity is that bad actors are seldom held to account for their online behaviors, making everyone more vulnerable to internet crime, trolling and other toxic experiences.
The overriding challenge is that the internet was originally designed to transmit packets of information with no tracking of the sender. While people may still enjoy visiting webpages anonymously, making comments and downloading content anonymously, malevolent actors soon took advantage of this open environment with malware, spyware, ransomware and toxic trolling. In response, trillions of dollars have been spent to try to make internet transactions more secure—with programmers needing to double check every line of code to build in a level of security lacking on the internet itself. All of this has dampened business productivity and undermined profits.
But isn’t anonymity essential to online security?
Yes and no. The problem is that internet criminals and trolls hide behind their anonymity. If the internet were more transparent for a wide range of communication and transactions, security would improve overall. A person could enter this transparent domain voluntarily with the assurance that security is integrated into its basic structure without any need for labor-intensive security programming.
Unfortunately, so far we’re only talking about long-overdue internet fixes. So, allow me to digress for a moment to remind you of basic security measures you need in the current unsafe environment to protect yourself.
- Essential Security Strategies in 2017: Encrypt your email and mobile device messages; ensure websites you visit are trusted HTTPS sites; use only strong passwords that you frequently update. Also essential: establish a VPN (Virtual Private Network) link for all data transmitted from your device to a VPN server.
- More extreme measures include paying for transactions with a decentralized currency like Bitcoin instead of credit cards (though many merchants don’t accept cryptocurrencies). As a last resort, after securing a VPN connection, you could download Tor, the darknet web browser for what is, by all accounts, complete invisibility. Once there, however, you are in a world inhabited by criminals involved in, e.g., human trafficking and the sale of illegal products. Bitcoin is the standard currency. While not everyone on the dark web is a criminal, be aware that there is very limited accountability for those who take your money and fail to deliver.
Commonly recommended internet fixes
IT engineers and architects have recommended internet fixes ranging from government-directed action to voluntary self-regulation. In my next installment of this article, I’ll describe how some organizations are voluntarily using the Mutually Agreed Norms for Routing Security System (MANRS) launched in 2014. This system includes, e.g., an originating address for emails.
I’ll also discuss how some are suggesting we use the National Institutes of Health (NIH) government model to build a more secure internet, one with built-in safeguards against undue political interference.
MANRS and Other Strategies
So far, I have provided the historical perspective on why the internet lacks built-in security. Creating a more secure and functional internet would require, e.g., immediate identification of the senders’ IP addresses as well as fixes like a new revenue model for reading/downloading articles and documents.
While greater transparency would reduce cybercrime, it would at the same time reduce or eliminate privacy/anonymity. Yet in the current environment, we need greater privacy precisely because we lack online security. That’s why in Part II I also provided an overview of essential security measures that will be needed until such time as the internet is fixed.
There are two standard reform models: the first involves a voluntary system, as with the Mutually Agreed Norms for Routing Security Systems (MANRS) launched in 2014. The second, not necessarily exclusive of the first, is creating an independent panel of internet engineers to collaborate with stakeholders (i.e., the cyber world-at-large) to create a government-sanctioned, safer, more business-friendly internet architecture. Such a panel would have to conform to the highest standards of integrity and impartiality to prevent potential sweeping government control over encryption that could stifle tech innovation and civil liberties.
MANRS includes ISPs and other network operators who are voluntarily implementing at least one of the following four security controls: transparent routing policy, email source validation, anti-spoofing filters, and global validation. There are 42 members in 21 countries that have addressed three or more of these four criteria. Comcast, for example, has implemented all four. One positive development: 44% of ISPs already have anti-spoofing filters in place, up from 37% three years ago.
We have a long way to go, however, because there are a total of 50K autonomous networks worldwide. The immediate, practical goal is to encourage the smaller regional ISPs, which constitute 80% of the internet, to either join MANRS or independently implement at least some of their standards.
There are clear advantages to doing so. MANRS network operators, e.g. ISPs, stand above their competition in their ability to block the growing threat of distributed denial of service (DDoS) attacks. (DDoS attacks exploit the internet’s routing infrastructure to attack and shut down sites vital to commerce and other vital business activities.)
The hope is that MANRS will eventually gain enough momentum to achieve a ‘tipping point’ whereby those outside of the network lose more money in missed business opportunities than they would by investing in the required controls. For example, if several ISPs compete for a project, the MANRS-compliant ISP would have the advantage of offering stronger security.
Government directed internet reform
Last year, security expert Dan Kaminsky proposed creating an ad hoc central internet governing body to force ISPs to implement routing and other security measures. He suggested using an NIH (National Institutes of Health) model to come up with long-term structural reforms that would move the security sector away from its long-standing focus on short-term, limited-scope fixes. The broad objectives would be the same as those of MANRS but would rely more on in-depth research to develop a much safer internet infrastructure. The biggest challenge in this second strategy is staying clear of political manipulation. A number of private industry players, for example, would likely push for a continuation of the short-term profits dynamic that has afflicted the internet since the 1990s.