In this edition of the Controversial Question series, we asked our panel of experts how they might go about building an entire new internet, learning from all the mistakes made in the construction and maintenance of the one we have right now. This is the question we posed:
We all know that the original design of the Internet assumed everyone was friendly and there was no expectation of malicious activity. However, once the Internet was opened to the big wide world, that became a major problem as security had to be shoe-horned into a structure that was never designed to be secure. Further, the Internet has grown far beyond anything anticipated by the original designers. The obvious choke-points are IPv4 and DNS (yes, I know we're moving to IPv6!).
So, here's the question: Given a totally clean slate, how would you design a new Internet that was more efficient, more secure and was more attuned to further significant growth? Oh, and any other useful new attributes you might consider would make your submission stand out.
"The internet was originally created, almost as an experiment, by academics for simple communication" said Martin Holzworth, head of cybersecurity (Asia Pacific), Fujitsu. "Over time, this 'experiment' has morphed into something larger that now connects us all via a single network."
According to Garrett O'Hara, Principal Technical Consultant at Mimecast ANZ, "Back in 1999, David Bowie nailed it: 'I think the potential of what the internet is going to do - both good and bad - is unimaginable. I think we're on the cusp of something exhilarating and terrifying.' It's funny that a rock star saw an unimaginable future in a world of dial up connections, not always-on internet. We were too busy innovating at speed -- we didn't consider the long-term impact."
Oliver Cantor, Associate Director of Product Strategy, Verizon adds, "Tim Berners-Lee, the inventor of the World Wide Web, once told CNBC. 'If you'd asked me 10 years ago, I would have said humanity is going to do a good job with this. If we connect all these people together, they are such wonderful people they will get along. I was wrong.' Ultimately, we all want the internet to be ubiquitous, affordable, safe and open. And the positive developments brought about by the Internet should not be overlooked. Nonetheless, as it grows so do its related challenges.
"Take internet security, it raises a complex mix of technical, economic and political issues. Early attempts to introduce any form of data security were challenged by various government agencies whose preferred modus operandi was adopting a wait and see attitude."
O'Hara continues, "In hindsight we now know that much of the Internet's back-end infrastructure would be built differently. Protocols would have security baked in - DMARC, DNSSec and IPSec all point to the problem of retrofitting security after the design. It all works, and it's full of clever fixes and enablers (just look at the magic of PKI) but it's not at all how we'd do it if we could start over.
"It's important to note that one thing we're not good at as a species is rolling the clock forward to understand the impact of today's decisions and approaches on tomorrow's world. Nearly every physical design, software approach and protocol were designed first and foremost to work and be an enabler, with security as a secondary thought - if we're lucky. When it all goes wrong we produce mitigating technologies and protocols to fix the security, at greater cost and hassle than it would have been if included at the start. Everything from DMARC, IPSec, TLS, and DNSSec to how we secure communications via mobile devices… we wouldn't have security protocols we would have secure protocols and never again would need to tack on "Sec" to something that would have been secure from its inception.
Holzworth points out that, "The internet has no single owner, or chief designer. In fact, the platform hosts billions of designers who are simultaneously implementing features as they desire. In an effort to provide some form of governance, ICANN attempts to provide organisational control around IP addresses and domain names. However, apart from that, it is mostly ungoverned.
"Like many modern inventions, the internet can be used for both good and bad. In a similar way that a car can get someone from A to B quickly, the internet can help people connect instantly with one another over long distances. On the other hand, the anonymity which the internet offers could be used for dishonest activities such as false news, identity theft, or malware, just to name a few."
Theoretical basis for a new internet
Casey Ellis Founder, Chairman and CTO of Bugcrowd described three elements he would leverage to make a more efficient, secure and prepared internet.
"Organic: The Internet grew out of ARPANET, which was the introduction of TCP/IP as a resilient and flexible communication protocol, designed specifically around resilience to nuclear attack. When you combine this combination of self-preservation and flexibility with a "desire to grow" you end up with a machine that looks and behaves very much like a living organism. I strongly believe that this is an evolutionary reflection of what humans want, and as the primary users of the Internet (either directly, or by building things which use it) I think any updated version would need to preserve this capacity for organic growth.
"Flat: The Internet was really the thing that exposed the notion that "the world is flat" - That state and national boundaries aren't an absolute inhibitor of the pursuit of opportunity and learning. Bugcrowd's model pretty clearly reflects my belief in this idea, and I do think that the future of work contains substantial lift from unfettered global connectedness. That said, COVID has highlighted the nature of nation and state politics and political boundaries, and the invariable temptation for states is to try and Balkanize the internet to reflect national boundaries and priorities. This is unavoidable in a lot of ways, but I also believe that transnational barriers radically dilute the value of the Internet. So, I'd want to see a V2 that is designed to preserve a "world is flat" model as much as possible.
"Resilient: The early days of the Internet were a bit like the Wild West. I think that the power should still largely reside with the people, but we've already seen what happens as a result of unmitigated free rein, e.g. the Morris Worm. There are inevitably going to be unplanned actors in any setting that you create, including things like squirrels and shipping anchors, but establishing an environment that is resilient to these variations and attacks is going to be the most effective strategy for properly securing the system as a whole, including it's availability. Taking an active approach to security and creating an environment that factors in users' malicious, evolving behaviour into its design will much more effectively thwart cybercrime. In order to do that, protocols must be established from the onset to help strengthen the network's ability to absorb, deflect and altogether eliminate attacks."
What are the problems?
"Over 20 years has passed since it was introduced, yet the adoption of IPv6 is not 100 percent," says Kamalakannan Subramani, IT Manager at ManageEngine. "Hence, we must try to design an IP addressing version which will be interoperable with IPv4 and easier to handle. With respect to DNS, we need to simplify the way DNSSEC works and its PKI flow. We need to make its PKI like Web SSL, in which certificate handling is simple. Even though the internet depends on BGP, its security has many loopholes and considered to be slow. So, new and faster protocols with RPKI kind of security will need to be made mandatory."
Building from scratch
"Given a clean slate and with the benefit of hindsight, you'd make personal data sovereignty front and centre on the web," offered Nathan Connors, Head of Product - EngagementHQ, Bang the Table. "Every internet user should own their personal information from day one and have full rights over how that data could be used by online (and by all) services."
Connors continues, "Data sovereignty measures would seek to avoid the consolidation of power amongst big tech giants who have benefited from the original open internet. These monoliths have developed private networks and established huge financial and data war chests to use for their benefit.
"By now, the downsides of social media and big tech are widely known and trust in these platforms is declining. Pervasive data collection and monetisation of personal information, inability to rein in the spread of misinformation, and poor performance in moderating hate speech and vitriol have all helped in tarnishing their image.
"Perhaps though, the even bigger risk is how business and government have become reliant on these platforms. Facebook's recent (albeit brief) banning of news and content from not only publishers including the ABC, but also some government agencies and non-profit organisations in Australia is just one example of how consolidated power negatively affects the fairness of the internet. It became clear that smaller businesses who have built on top of the APIs and private networks of these companies are at the behest of rule changes driven by big tech's self-interest.
"Whilst legislators across the globe have sought to regulate these giants, more barriers to growth have sprung up for other businesses in a playing field which is already unfavourably skewed towards these monopolies.
"Perhaps a global internet where a person's ID is decentralised and transparently used is a good start. If each individual controls their own ID, they can be handed the steering wheel to direct how - and if - it is used in every context. Hindsight is a beautiful thing, but maybe we should have been given the keys to our ID in the beginning, instead of either being reluctant to give our info away or thinking that privacy has gone the way of the dodo."
Alex Lyons, Solutions Engineer, DekkoSecure is also eyeing off that 'clean slate.' "Starting with a clean slate - with the benefit of hindsight - is a truly amazing thought. There are millions of far-flung places we could go with this concept of the New Internet, but for me it really boils down to two key things (well, probably a lot more than two, but these two are pretty important).
"Currently the internet is a patchwork quilt of operating systems, code, standards, security measures and more, leading to a system that for most is not trusted by default. How can we start to address this? Take payment systems for example. We could hold a global competition to define an open standard for handling payment data, and once a standard was awarded (or won), it would then be adopted as the required methodology for all payment handling. This open standard, alongside the many other standards winners, which would be governed by an appointed, apolitical entity. Let's call it the Internet UN.
"In the New Internet, any website, application, shop, device, etc., which handles payment information must utilise the defined payment mechanism. As a result, people will have more confidence that their data will be safe. Having this Internet UN standard payment gateway will take away that feeling of nervousness that people can get when entering payment details into a new or less-than-professional looking website. You know the ones, where you think, "Who am I actually giving this info to and do I need to call my bank as soon as I submit my payment?"
"The same approach to standardisation and governance will also be applied to file sharing, video communication, cloud-based collaboration and any other interaction or transfer of data that could be seen as a target for malicious activity. Holding a competition to determine an online standard isn't as far-fetched as it sounds. In 2015 the Password Hashing Competition was held, with Argon2 being the winner.
"Rebuilding the net like this will do away with the dozens of logos you currently see across websites that talk to payment gateways, security certificates and more, all screaming, "We're a good site. Really. Trust us!" I'll take a guess that these logos really don't mean a lot to most people who are just looking to make a purchase, gather information, submit a query or carry out some other sort of online activity as quickly as possible. These logos have been around for so long they've likely become invisible in plain sight. With the Internet UN approach and a standard for payments, they won't be necessary.
"Identity is a much more complex beast to tackle. Sometimes you need to verify your identity, but at other times you want to protect it. New Zealand has an online ID system called Realme which can be used for lots of different services, but a centralised, country-bound system is not necessarily ideal. Anonymity should be the default in the interests of protecting privacy, and if you need to prove who you are then the mechanism for doing so should be highly secure and universally acceptable (hello Internet UN!). The closest thing to this currently is PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard, but using them is extremely technical and an exhausting process for most users. Just ask Moxie Marlinspike, co-founder of the Signal Foundation.
"So, one of the first tasks for this Internet UN will be to crack a better way giving all internet users the keys to their identity, ensuring identity can be credibly proven when needed and only when needed. People are making inroads here, but we aren't there yet.
"This task is made even tougher by the fact that striking the balance between safety and security is also difficult. This is proven time and time again. For instance, we have moderated platforms like Twitter, and unmoderated platforms like Parler, where the lack of moderation leads to an environment considered problematic by many. A social platform that is truly end-to-end encrypted can't really be effectively moderated and the last 12 months or so have shown what that could lead to. Homomorphic encryption is touted as a solution to challenges such as moderating encrypted data privately, but it is yet to be developed far enough to be proved as the key to solving the problems to come (or even some of the ones that exist now).
"Another layer of complexity to consider is that currently commercial entities are policing and regulating the most popular platforms, which they also own. This is another job for Internet UN, but we really will have to ensure it's an unbiased, uncommercial, independent body that cannot be influenced for commercial or political gain. Perfect privacy in the New Internet could spell the end of some forms of advertising so new business models would be needed. Also, think of the individuals who actually want to see tailored ads!
"The solutions to the problems that the New Internet will solve aren't simple because the internet was originally built by tech people for tech people; running inside a closed network that wasn't exposed to outside forces, commercial interests or bad actors. Unexpected traffic of all shapes, sizes, weights, speed and owner have piled on it since that first connection was made leading to the incredibly valuable patchwork of solutions that we see today. Starting from scratch should take all of the above into account, with a trust-by-default mindset. This Internet UN is really going to be busy during its probation period, that's for sure!"
O'Hara continues this thread, "In terms of a new Internet, there are at least two areas we could overhaul that would achieve a more efficient and more secure internet: globally and homogenous policy and secure-by-design technology.
"So what would I do differently? With a clean slate a new Internet would be even more decentralised for availability, built for trust (with end users having more visibility and control by technical design not because of policy e.g. GDPR) and with each layer from physical through to application built with security at the centre.
Holzworth also offers some thoughts on improvement. "Firstly, Implement security by design. By embedding good security in the framework of the network, and not just at applications, the internet could provide a secure platform for all businesses.
"Secondly, Implement zero trust. Anonymity provides a cover for bad actors such as trolls, bullies, stalkers and criminals. Removing this could help control them. In practice, although this may be impossible to implement, it is worth considering how it could be done in conjunction with maintaining the privacy of the individual.
"And thirdly, Implement an Internet Bill of Rights. This would underpin the design and include elements such as the right to privacy, opt-in consent, access to individuals' own datasets, data collection ethics, fair practices, and more.
"With all these controls in place, the internet would be a much safer place, at least initially. However, this would mean handing control of the internet over to the government, compromising the space of its original independence and openness."
Security and Identity
Ass some of the contributors have already pointed out, security and privacy are not well embedded into the current internet; in addition, we lack robust methods for the identification of people (should that prove legally necessary).
"We grapple with a range of security challenges such as Identity i.e., how do you know the person is who they say they are? This is being tackled with approaches like Zero-Trust Architecture," offered Cantor. He continues, "Then there is the issue of who is responsible and liable for Internet security? A retail merchant who has your credit detail or your internet service provider? As the internet matures, so does the realm of geopolitical control, in other words, there are no globally consistent rules that apply to the internet. As the internet knows no borders, whatever technical measures you put in place, countries may decide what they do and don't accept for example data localisation requirements?
"Having said that, there are experts who continue to argue strongly that security is not any more important than performance and reliability. For example, Linus Torvalds, who wrote and 'controls' Linux (the biggest operating system on the Internet) has often been a critic of over-zealous security professionals. The public internet is the network of networks and is decentralised. It is the building block upon which all networks will eventually evolve and it continues to serve its primary purpose which is maximum connectivity for best-effort performance and reliability. Those fundamentals should not change and are essential for the growth of the digital economy.
"The need for more effective internet security is proportional to its growing use so now when we think about security and improved performance (hindsight is a lovely thing), then it is fairly easy to say that the "new and improved" Internet can include an embedded 'MPLS-type' routing mechanism so all providers can offer a tiered performance and segmentation services. Encryption should be a basic building block, along with larger IP address space. However overall security should be best served as an overlay technology/discipline that is best designed and implemented by large trusted organisations as the internet continues to evolve."
"For years now, protecting the anonymity of Internet users has been a huge issue," says Tushar Kothari, CEO, Attivo Networks. "As a result, it is used by nefarious actors to perpetrate crimes with impunity - often "masking" themselves behind proxy servers in countries where [relevant] laws don't exist.
"If we want to visit a country, it may require a passport or visa before entry. No one can enter a country anonymously. However, through the Internet, you can enter a country and wreak havoc without revealing your identity.
"Internet service providers (ISPs) should be required to maintain and monitor digital identities once they've been established. In addition, IP addresses need to be traceable in case malicious activity occurs. If these controls are established, the internet can become crime free."
Andrew Slavkovic, Solutions Engineering Manager, CyberArk echoes these thoughts. "At the heart of the new internet would be a greater emphasis on security by design, factoring in the multitude of lessons learnt from our past failings and using identity as a way to securely authenticate and authorise users.
"We need to be mindful to balance these security considerations with the usability, openness and privacy that has made the internet so powerful and accessible to everyone.
"Another major shift in thinking versus Internet 1.0 should be to adopt an 'assume breach' mentality, realising that designing an internet that is completely 'safe' is a pipe dream. Instead, we should look to implement a 'verify first' approach before trusting any activity and incorporate basic security hygiene such as the least privilege operating model. Once the inevitable happens we need a way to limit the impact by working closely with service providers in real time to proactively take action on suspicious and / or malicious activities"
Growth and Scale
Pointing out that the current internet was never designed to scale to the size it is now, Connors notes, "When it comes to making the internet more attuned for significant growth, we should continue to regulate the monopolies and their use of our data and private information. We should also put in place codes and penalties for companies who change the rules of engagement unnecessarily and to the detriment of the developers who build on top of their platforms. Outside of the regulated internet, we should return to the original principles of openness and seek to build a more decentralised internet where the protocols, standards and governance cannot be owned by any one company and personal information is auditable, secure and controlled by the individual."
To a degree, O'Hara is pointing out the obvious in relation to government policy and legislation when he says, "Policy, by necessity, generally lags behind societal change. Arguably, the speed of adoption and interaction with the Internet has meant policy simply hasn't and cannot catch up. If we had realised the importance of the Internet, and speed of adoption at its infancy, and were willing to slow down its development, could we have built out global frameworks for how the internet would work for business, government and the citizenry? Instead, we might have multiple fragmented frameworks and policy sets at national levels, and then further fragmentation at state levels for security and privacy -- imagine for one brief and unrealistic moment the efficiency unleashed."
Innovation doesn't always achieve what is in our best interests
"While it has started to change, innovating Internet companies are not incentivised to do security, adds O'Hara. "Their tenets have been catchy phrases like grow-or-die, or scale and fail fast. Our unicorns all too often have their horns held on with rubber bands. User adoption trumps user safety. Privacy and security costs get spread and externalised to millions of people - until a story big enough breaks. Competition means start-ups must accelerate out of the gate, at a pace that means compromises in design. Without regulation as a leveller the only incentive for good internet security is the potential for reputation damage. Roll back the clock to the genesis of the Internet and we could have a Geneva Convention for our digital age with political tools like tariffs and trade agreements hinging on compliance.
"The Internet reflects on a huge scale the technical debt organisations accrue over their operating lifespans. Technology decisions get made in silos, or by people whose interests don't extend past the next 12 months. We channel our inner MacGyver and we make things work for today. Rinse and repeat - and you end up with a functioning mess."
Joseph Carson, CISSP, Chief Security Scientist & Advisory CISO, Thycotic challenged the premise of this question. "I do not believe we need or must create a new Internet but improve how we use the existing one. Starting from scratch would be like rebuilding all the roads and highways in the world which is not a feasible approach. We have an Internet that works however the way we currently use it and secure it has much room for improvement.
"Just like we build better and safer cars to drive on the same roads we must take the same approach to the Internet and how we build applications and secure privileged access to the services and data. That is where we need to focus our efforts. Let's improve the existing Internet with smarter applications."
After receiving this submission, we asked Carson to reconsider and offer thoughts within the original framework, he declined and instead added to his original thoughts. "The Internet is not just one thing or a single protocol, it is a mass connection of billions of devices using thousands of different protocols for which many things work well. We have so many security protocols all for different things from access, encryption, secure communications, internet browsing, payment transfer and so forth.
"IPv6 is a protocol to fix a problem with the limited Internet addresses. DNS is an address book on how to resolve names to addresses and neither are focused or designed for security. They address very specific Internet challenges. Are we asking to change all of those or can we be more specific about what the term a new secure Internet even envisions? It is like saying we must build new roads without even thinking about the types of vehicles that will be driving on them. Or, for example, a spoon was designed for eating soup, however, some people use it as a musical instrument. Does that mean the original designers should change the spoon to be a better musical instrument?"
We will ask Holzworth to draw this to an end. "In summary, the great power of the internet comes down to society's decisions of what is considered acceptable. And, while there are some downsides to the internet, such as addiction, bullying, malware, violent or explicit images, never being able to disconnect from work, and more, it is a place of opportunity. Individuals with great ideas can leverage the platform to make something great, or even revolutionary, happen. As a result, the cost to improve the internet outweighs the benefits that could be achieved."