Viewpoint: The internet is broken - we need to start over

By Prof Alan Woodward
Department of Computing, University of Surrey

image captionSecurity flaws prove that the way the internet works needs a complete re-think, Professor Alan Woodward argues

Last year, the level and ferocity of cyber-attacks on the internet reached such a horrendous level that some are now thinking the unthinkable: to let the internet wither on the vine and start up a new more robust one instead.

On being asked if we should start again, many - maybe most - immediately argue that the internet is such an integral part of our social and economic fabric that even considering a change in its fundamental structure is inconceivable and rather frivolous.

I was one of those. However, recently the evidence suggests that our efforts to secure the internet are becoming less and less effective, and so the idea of a radical alternative suddenly starts to look less laughable.

One example of struggling security comes from Neira Jones, head of payment security at Barclaycard. She told me that in the UK alone, identity fraud costs more than £2.7bn every year and affects over 1.8 million people.

We also increasingly have other forms of cyber-attacks from political activists (so called 'hacktivists'), and cyber-espionage and warfare, where the internet has become another stage for global conflict between nations.

image captionProf Alan Woodward is a cybersecurity expert at the University of Surrey

We need to understand the root of the problem.

In essence, the internet was never intended to be a secure network. The concept was developed by the Defense Advanced Research Projects Agency (Darpa) as a means of allowing a distributed computer system to survive a nuclear attack on the US.

Those who designed the Internet Protocol (IP) did not expect that someone might try to intercept or manipulate information sent across it.

As we expanded our use of the internet from large, centralised computers to personal computers and mobile devices, its underlying technology stayed the same.

The internet is no longer a single entity but a collection of 'things' unified by only one item - IP - which is now so pervasive that it is used to connect devices as wide-ranging as cars and medical devices.

Many technologies were then built upon this foundation. The best known was HyperText Mark-up Language (HTML) which is what allows web pages such as this to be displayed in the way you view it now.

And, yes, many of these technologies included the ability to secure the data that is being transmitted over the internet. All will have used one of these 'secure' technologies, most usually when buying something over the internet.

Technology to serve

But, stop and ask yourself this, if it is 'secure', why are there so many successful attacks?

Some argue that humans are the weak link and hence changing the internet's underlying technology would not really solve the problem. I take issue with that. Technology serves people not vice versa.

It is unreasonable to expect users in general to understand complex technologies to the degree necessary to ensure they operate securely over the internet.

It's analogous to a house. By default a house should be built to allow it to be occupied safely.

If you chose to start knocking down walls then it is your fault if the house collapses. But if the foundations of any structure are unsound, no matter how strong or unmodified the building on top, there is always a significant risk of safety being undermined through no fault of yours.

Of course, some argue that you can simply underpin structures with shaky foundations. There are other, more secure technologies that could be substituted for the current 'IP'.

This June sees the launch of what many consider to be the next generation of IP (known as IPv6 and IPSec) which is capable of securing all data transmitted over the internet.

image captionHacktivists have helped create a new stage for global conflict, ProfWoodward says

However, availability of a better technology does not automatically lead to its adoption. Secure alternatives to IP have existed for a long time and yet none have been adopted widely.

In fact, the launch in June is more of a relaunch intended to reinvigorate interest in the next generation of IP which was developed in 1998.

I have my doubts as to its success as the internet has a momentum of its own: without someone mandating its use, or more specifically how it should be used, it is unlikely that it will be deployed to make up for the current shortcomings.

Security afterthought

Ever since the internet first changed from an academics' toy to become a commercial tool in the 1990s, security has always been an afterthought.

Only in an environment where the providers of the underlying networks insist upon the use of a single, secure technology, can one have a set of firm foundations.

Sadly, a key characteristic of our current internet is that it is a lawless, unregulated environment. Even governmental attempts at governance have failed as the internet is global and no truly global governance body exists.

Neira Jones summed it up nicely when she said to me that while regulations are trying to address the security void, success will depend on collective responsibility and accountability as well as extensive awareness and education at all levels.

While not a popular view, I think that the current internet can only survive if adequate global governance is applied and that single, secure technology is mandated. This is obviously fraught with the much rehashed arguments about control of the internet, free speech, and so on.

Then there is the Herculean task of achieving international agreement and a recognised and empowered governance body.

However, this exists for other shared infrastructures, from aviation to telephony, so it is not impossible.

I think the answer lies somewhere in the middle.

We can have areas of the internet that are governed by a global body and run on technologies which are inherently secure, and we can have areas which are known to be uncontrolled.

They can coexist using the same physical networks, personal computers and user interface to access both but they would be clearly segregated such that a user would have to make a clear choice to leave the default safe zone and enter what has been described as "the seediest place on the planet".

More on this story

Related Internet Links

The BBC is not responsible for the content of external sites.