Fixing The Internet May Mean Building A New One
As hackers expose widespread cybersecurity lapses and heighten fears about defending critical infrastructure from attack, one proposed solution has started gaining traction: Rather than attempt to tighten security on the modern Internet, it suggests creating an entirely new one.
Earlier this month, former CIA Director Michael Hayden became the latest figure in Washington to call for a separate, secure Internet to shield vital systems like the power grid from cyber-attacks. The new commander of the military's cyberwar operations, Gen. Keith Alexander, has also endorsed the idea.
The proposal is an acknowledgement that very little can be done to protect a network connected to the World Wide Web -- a system originally designed for connectivity, not security -- from sophisticated hackers.
"It's an acceptance that the existing Internet is an inherently insecure platform," said Jeffrey Carr, founder of the security consulting firm Taia Global Inc. and author of the book "Inside Cyber Warfare." Computer networks tied to vital industries "can't afford that kind of exposure," he said.
Recently, federal officials acknowledged that a digital upgrade to the power grid, known as the "smart grid," could leave the nation's electricity supply more exposed to a cyber-attack. Meanwhile, a string of recent data breaches at corporations and government contractors by anonymous hackers has elevated concerns about gaps in the nation's high-tech armor.
"I think that's really raised attention as to how insecure everybody is, and how easy it is to retain anonymity and generate chaos and have very little chance of being caught," Carr said.
The new Internet, which could use the domain ".secure" instead of ".com," would enhance cybersecurity by running on a separate channel fenced off from the Web and thus invisible to outside hackers, proponents say. Eventually, private citizens who are concerned about their data being hacked could opt in to the more secure network, Carr said.
The proposal also contains some controversial provisions, however. For one, it would allow the government to monitor traffic for potential cyber-attacks. And it would require users to prove their identity, perhaps by fingerprint, before gaining access, eliminating a fundamental concept of the modern Internet -- anonymity.
But the growing concern for cybersecurity has some defending the idea of asking Internet users for their identity. Lack of anonymity could be a deterrent to hackers; if no one is anonymous, it would be easier for law enforcement to track suspects, Carr said.
Others argue that creating a system to identify Internet users would limit free speech, cost billions of dollars and not actually improve security. They say hackers would simply route their attacks through other user's computers.
"What such attempts would do is affect the average user's access to free speech, including those who use the Internet's anonymity to survive: dissidents in Iran, China, and elsewhere," cybersecurity expert Bruce Schneier wrote last year in an essay posted on Forbes.com.
The idea of a private Internet is not new. It hearkens back to a precursor of the modern Internet known as ARPANET, a government-financed network started in the late 1960s that linked universities and research labs.
But now that the Internet underpins nearly every facet of modern life, there is growing consensus that it is not cut out for today's cybersecurity needs.
"It was designed to interconnect supercomputer centers," said Joe Mambretti, director at the International Center for Advanced Internet Research at Northwestern University. "It wasn't meant to be all things to all people."
Proponents say the new Internet would resemble the type of protected communications used by the military and diplomats. But critics argue those networks are still vulnerable to insiders leaking sensitive information to the public.
As an example, they cite the case of Pfc. Bradley Manning, an Army military intelligence analyst who is charged with downloading diplomatic cables and intelligence reports from a military computer system and giving them to the whistle-blower website Wikileaks.
"That's a network of only 1 million users, and it still had a catastrophic security breach," said Chris Palmer, technology director at the Electronic Frontier Foundation.
For years, a wide range of industries have used versions of private Internet networks, from scientists working on particle accelerators to employees handling medical records. Recently, advertising and movie production companies have also started using them because they are faster and more secure, Mambretti said.
As Congress debates cybersecurity legislation, the role of protecting the power grid, transportation network and financial system from cyber-attacks has largely been assigned to the Department of Homeland Security.
But in an interview, Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus, said he planned to introduce legislation that would create a separate Internet domain for critical infrastructure. Langevin's colleague, Sen. Sheldon Whitehouse, (D-R.I.) chairman of the Judiciary Subcommittee on Crime and Terrorism, suggested that creating an entirely secure computer network could save lives.
In a speech last November on the Senate floor, Whitehouse compared a secure Internet to medieval times, when communities located infrastructure such as wells and granaries inside castle walls to protect them from raiders.
"Not everything needs the same level of protection in cyberspace, but we need to sort out what does need that kind of protection," Whitehouse said, adding, "We simply cannot leave that core infrastructure on which the life and death of Americans depends without better security."