I recently had the pleasure of attending the ninth annual Workshop on Internet Economics (WIE) at the University of California, San Diego. It might not seem a likely place to discuss English castles after the Norman Conquest, but that turned out to be a strong analogy for the security challenges of our modern Internet.
Explaining why takes a little bit of context. The Internet's early history is a great example of a runaway experiment escaping from the lab that went on to conquer the world. The intent was a network for exchange of scientific and technical data among a select few institutions. It was so good at information exchange that it grew far beyond that.
The Internet began with a great deal of optimism — open communication and a belief that connecting people would lead to wonderful things. While some wonderful things did happen, so did some unfortunate things. The Internet has become an important tool for those keen to manipulate elections and public opinion as well as a breeding ground for extremism.
Every new technology begins with a rush of optimism, followed by coming to terms with the downsides and limitations it has; the Internet is no different. The WIE conference gathered experts from many disciplines — Internet measurement, public policy, economics, security, and more — to look at what we know, what we don't know, and how we can close the gap through measurement. The perspective that emerged was not optimistic.
Today, a new computer will be attacked within minutes of getting on the Internet. Bad guys are relentless. They use automation on a seriously large scale looking for weaknesses to exploit. They often don't know exactly what they are looking for, so they go into any computer they can. They either find something valuable on it, use it as an anonymous base for future attacks, or even add it to a network of enslaved devices — see, for example, the Mirai botnet. It's like a neighborhood where any packages left on the porch or mail in mailboxes are immediately taken, and every door and window are repeatedly tested to see if anything was left open — a scary and untrusting place.
It's in this context that Norman castles came up. After the Normans conquered England in 1066, they needed to hold on to the power they won. They built castles — first of wood, then of stone. These classic castles combined a raised, fortified area (the "motte") with a much larger walled courtyard (called the "bailey") where people and livestock could shelter. Life in the bailey was crowded, smelly, and restrictive, but it beat living in the countryside, which was full of bandits who would attack anyone passing by. Travel by road was a very dangerous affair, undertaken only when necessary, and ideally with guards.
How does this aromatically challenging environment compare to the modern Internet? Well, consider what we call "the cloud." For businesses that have been around for a while, the cloud isn't an abstract notion of "computers somewhere else" — it's a concrete proposition, just like a motte and bailey castle. A few cloud service providers have built serious walls around their courtyards. If you set up shop inside one of these spaces, you can benefit from the protection against the brigands who will constantly test you if you strike out on your own. The consensus of the discussion at the workshop was that today's Internet is like that medieval countryside — far too dangerous a place to live. Adopting cloud technology may not be about price or productivity — it's about protection.
This picture of the Internet as a dangerous wilderness dotted with forts and enclaves where people can huddle in relative safety is a long way from its optimistic beginning with the free flow of information.
Does this dismal view mean the Internet is broken beyond repair? Certainly not. Our world is far more peaceful, productive, and pleasant to live in than Norman England ever was. To emerge from the confines of the few castle enclosures dotted around, we need either the rule of law or better ways to defend ourselves. A new international system for policing the online world doesn't seem imminent — the global political winds are currently fanning flames of nationalism and isolation, exactly the wrong direction for Internet safety. We need to get better at defending ourselves — finding our defensive weaknesses before the bad guys do. Relying on the castle makers to protect us in our confining compounds isn't a long-term strategy. Businesses run the risk of "vendor lock-in," the modern-day equivalent of being stuck as a feudal vassal of the guy who can muster a fighting force and build a wooden wall around you and your compatriots.
What Can Be Done
The takeaway from all this is actually good news. These problems can be managed, first by realizing that the situation is serious, and then using modern automation to build digital resilience. Resilience means understanding that attacks are inevitable, but planning to survive them, rather than hoping to just get lucky and stay out of harm's way. The Internet has become a quite dangerous place, and it requires strong defenses, as well as recovery plans.
If you're not sure where to start, the best place to begin is mapping — map your defenses so you can find defensive gaps, map your business processes so that you can recover from compromise, and map out your recovery steps. The wandering marauders are out there. What you need to do is plan ahead, find protected places to hide your valuables online, and know what to do when they do breach your defenses.
- 8 Tips for Monitoring Cloud Security
- The 12 Worst Serverless Security Risks
- Security Pros Agree: Cloud Adoption Outpaces Security
- A 'Cloudy' Future for OSSEC
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.