How fragile is the internet?
With everything on the cloud, transmitted through transient beams of wi-fi from one device to another, the internet can often feel like an ethereal, intanglible thing. But, of course, it’s not: it's cables and servers and a lot of infrastructure. And maybe that infrastructure itself isn’t as solid as we like to think. Adam Murphy spoke to Vasileios Giotsas, from Lancaster University, about the Internet's weak spots...
Vasileios - So the internet can be really fragile. It has been designed to withstand a nuclear disaster. But when it was designed it was assumed that everyone who is connected on the internet, would not have any interest in harming the internet. So everybody is automatically trusted. Which makes it very susceptible to poisoning, from bogus or intentionally erroneous information. And when this information is propagated in the core of the Internet it can cause widespread disruptions that are very hard to mitigate.
Adam - So how can the internet malfunction?
Vasileios - So the internet, think of it as a really large and complex road network. Right. And traffic can take many different paths, and it needs a G.P.S. systems, a navigation system, and this navigation system is called the routing protocol. So the routing protocol is the protocol that decides how traffic would travel from your computer, to let's say the BBC website, or to the Lancaster University website. Right? Now, if this information is accurate then everything works as expected. If this information for any reason becomes poisoned, then traffic can go through unpredictable ways. It can never reach its destination. And this can cascade to many different destinations. And at the end you have millions of users being unable to access their desired destinations or services. So essentially what happens is that the Internet has this routing system, this navigation system, that is really sensitive to any sort of small change. These small changes, if they are either intentionally or unintentionally wrong can cause the whole network to crumble.
Adam - And this isn't just a hypothetical. Whenever there are large outages of several websites this problem is often to blame. In July 2019 this happened to one company, CloudFlare, and the outage took out 10 percent of all web traffic in the U.K. It happens to Google. It happens to Facebook. So why haven't we fixed it?
Vasileios - The ownership of the internet infrastructure is distributed across tens of thousands of organisations. Imagine the internet as a network of individual networks, right? So if any of these individual networks decides to deploy new technology, the other networks have no obligation to follow suit. So all the security solutions that exist out there, it is important to have a global cooperation between all of these organisations. Now these organisations essentially are competitors. So the internet is based on cooperation and competition at the same time.
So they try to cooperate as little as possible, only as much as required in order to achieve end to end usability, and deploying any new protocol, deploying any new technological solution incurs some sort of risk both operational, and also financial. It has overheads, it requires manpower. And basically there are very few organisations that are willing today to take this risk. And as a result, if these security solutions are not deployed by everyone, they are meaningless.
Imagining a building for instance, that has 100 doors and you decide to lock just a couple of them, it's still insecure. It boils down to incentives, how we incentivise these different organisations to deploy the security protocols, how we incentivise them to cooperate and to take security into consideration.
Adam - What can we do then?
Vasileios - Well the solutions are quite simple. And essentially they are cryptographic solutions. Now the problem is that the routing protocol, that today operates in the tens of thousands of backbone routers, and these others are you know very large industrial machines not the routers we have at home, and changing the protocols in these routers requires to switch them off, you know, do the setup of the new protocols, test them and so on. So they require the downtime that most operators cannot afford. Imagine the problem like you are flying a plane, and at some point you have to change the engines of the plane while in mid-flight, you cannot land the plane, change the engines, and then continue the journey. You cannot switch off the Internet and just update the protocol and then, you know, start it back again. That’s the problem really, how to change the engines of the Internet in mid-flight.
So essentially the solutions are simple, we know them. How to develop them, and they have been discussed in many different operational and research venues. They have been agreed upon, there are standards but, you know, deploying these protocols requires this level of cooperation and coordination that is almost hard to imagine. How to do it without having an entity that would enforce these changes.