The Internet has a trust problem.
With the recent revelations of government surveillance, traffic interception and modification, compromised products, and suspect algorithms, we have serious problems. Greg and Ethan spoke to this briefly on Show 175 regarding the pwning of several firewall products by the NSA, but the issue goes much further than just compromised products. The major issue is one of trust.
We in the industry have long known that the “public Internet” is a wild and dangerous place. But we’ve done a good job educating average users of the dangers and providing protection while isolating them from the nitty-gritty details. Firewalls and anti-virus products are fairly accessible for everyone and vendors have done a great job of making them easier to use. Are they perfect? No. But they’ve certainly become much better over the years at providing pretty good security without needing an IT background. We’ve educated against phishing attacks and tell people how to protect their online activities (think HTTPS/SSL). While we have more progress to make, the average user has a reasonable amount of protection and ability to stay secure given what they can control.
In short, we’ve focused on educating users about the “front door” attacks. And with good reason. The average user shouldn’t need to know how easy it is to redirect traffic with BGP, how DNS cache poisoning works, or how cross-site scripting attacks can be used against them. Frankly, as IT professionals, it is our job to make sure our applications, protocols, and infrastructure are as secure as possible. Users put a great deal of trust in us to do so, even if they don’t recognize it, much the same way we trust our civil engineers to build safe and reliable road systems.
Just as users trust us to do our jobs, we trust others to do theirs. We place trust in our carriers, service providers, and vendors. We trust our vendors to produce secure products. We understand that products have vulnerabilities, but we push our vendors to fix them quickly and make improvements to prevent similar issues in the future. We also trust our vendors to not create backdoors or otherwise knowingly weaken products. We trust our carriers to provide private connections to support our business and not give access to those circuits without due legal process. We store a great deal of personal and confidential data in cloud services and trust those providers to protect our data. Just like our carriers, we trust them not to disclose our data without due legal process.
We even go one step further and realize that for certain data we need to take extra precautions. So we use encryption to secure data at rest and in transit. In some cases we even encrypt our private WAN or LAN circuits. Sensitive data is heavily protected at rest in our databases and only transmitted via secure channels. We trust our encryption products are implemented correctly and we trust the open standards we use in part because they are researched and peer reviewed. We don’t expect government agencies to purposely weaken those standards and products.
Trust is essential because individually we have neither the time, money, nor expertise to build secure end-to-end systems which are usable by others. At some point we simply have to trust at least one link in the chain. Even if everything is open source, unless we review the source and compile our own binaries we have to trust others. And even if we did compile our own binaries, is the compiler trusted? How about the hardware? You could take this paranoid approach all the way down to the point where you just pull the plug and call it quits.
But calling it quits isn’t necessary because as long as there are ways to protect against untrusted links in the chain, and as long as not too many links are broken, we can still have assurances our data is safe. We do this with VPNs today. We know better than to trust our data in the clear on the “public Internet” so we use encryption and VPN products. While the underlying “transport” link in that chain is untrusted (the public Internet), we have enough trust in our VPN to mitigate the risk. The question today becomes, do you still trust your firewall or VPN products? How can you be sure?
In short, trust is required to make the whole system operate. We’ve accepted this trust model because on the macro level we’ve assumed that attacks were relatively small and isolated in nature. That is to say that while someone may have an advantage on our data by intercepting it, we are still secure because it is encrypted. Or perhaps our encryption software has a backdoor, but we are using a private circuit and thus our data is not easily intercepted. Even if both were compromised, the entity who knows the weaknesses in our encryption software isn’t the one who can intercept our data. Launching such an attack successfully would require a great deal of coordination and expertise, and would likely be targeted in nature.
But we’ve made a mistake in our assumption. What has been revealed are large scale attacks on our infrastructure which are well funded, extremely technical, and coordinated. The attacker is no longer a group out for financial gain or even political activism, but an entity focused on total surveillance and data gathering with little regard for the law. Further, not all of it is accomplished via purely technical means. They use their power over companies and standards processes to achieve their objective.
I started by saying the Internet has a trust problem. Unfortunately, that trust problem has expanded to vendors, standards bodies, carriers, service providers and possibly beyond. Even if they are 100% innocent, which no doubt some are, it becomes difficult to prove and reassure customers of this. Restoring trust in the Internet is essential as its impact on our society and economy is ever increasing. Fortunately, I’m not the only one coming to this conclusion.
In light of all the recent spying, have you reevaluated what products and services you use, how and what data you store online, and how you communicate? I know I have. In my next post I will talk about some of the steps I think we, as IT professionals, need to take to restore trust. But what do you think? Let’s start the discussion.
The good news is that if we can restore trust and improve security on the whole, we benefit by hardening our infrastructure against malicious attackers and overreaching governments just the same.