Internet and network security are big business for giant tech companies and startups alike. There are security apps and add-ons for your phone. Biometric security for your banking and other sensitive tasks, online and off. We have passwords to protect our passwords, two-step verification for our porn accounts, and Captcha verification to play online flash games. Take a minute to look around, and the web actually looks like a very security-conscious place.
And yet there are regular headlines from events like Yahoo’s massive data breach, cloud-stored credit card data stolen from brick-and-mortar retailers, massive username and password thefts from all sorts of email services and others, and more security concerns than you can shake a memory stick at. The web is security conscious, and it’s because data security is such a big problem.
At least data security is a regularly recognized problem, though. The Internet’s infrastructure security is arguably in a more abysmal state, and while there are probably plenty of computer scientists losing sleep over it the general public probably doesn’t have a clue how close we are to a societal collapse. Like, one wrong line of code close. We’ve already had some hiccups, and some say we’re headed for a lot worse.
Bringing the Cloud Back Down to Earth
In the average user’s mind, the Internet doesn’t even have any infrastructure. It’s this ethereal thing, with websites and info floating around in “the cloud,” eternal and immutable. In reality, the Internet is a shit ton of server farms, cables, satellites, relays, and connections/processes I can’t even begin to understand. The salient point is that there’s a whole lot of physical infrastructure involved; despite the image many “cloud-based solution” companies strive for, the Internet is not infinitely and effortlessly scalable. If you want more Internet, you have to build it.
That’s why an event like last fall’s DynDNS attack was able to bring down some of the web’s biggest and most popular sites for hours. DynDNS is a relatively small company located in New Hampshire of all places, but it maintains one of the gateways that controls a lot of the web’s traffic (I’m oversimplifying, I know; feel free to let me know how inaccurate I am in the comments). A hacker or group of hackers sent tons of traffic to that gateway, causing a blockage so nothing could get through.
Netflix, Reddit, Amazon, and other major websites couldn’t be accessed or conduct business, even though none of their servers or their own infrastructure was touched. All it took was attacking one gateway. There are other gateways and similar bottlenecks in the net’s infrastructure that present the same kind of opportunity to hackers—and are vulnerable to simple human error, as well.
That’s what happened a month ago when a huge chunk of Amazon Web Services’ servers went down. An Amazon team was trying to resolve a simple billing issue, and one coder went to take a few servers offline—something that happens routinely without interrupting things. A typo took out a much bigger number of servers, though, which caused traffic overloads elsewhere as planned redundancies kicked into overdrive, with the result being that a bunch of sites hosted by AWS—one of the largest global providers of Internet infrastructure—were offline for hours.
One attack on one gateway, not to steal information but just to wreak havoc, and a huge chunk of the Internet goes dark. One typo in one line of code by a well-meaning and authorized employee, and there’s a shutdown of similar size and scope. What happens if a few people get the idea to do something really malicious? What if the natural trend towards increasing incompetence puts the kid who spent your high school algebra class sniffing glue in charge of a whole network of server farms?
The problem is already bad, and it’s only getting worse. Thanks to the Internet of Things and the continued susceptibility of physical infrastructure to purposeful attacks and other disruptions, we could be facing a fairly dire Internet shutdown someday soon.
The Bleak Future of Internet Security
There are a few major hurdles when it comes to protecting the Internet’s infrastructure. First, there’s the fact that any physical infrastructure is inherently vulnerable—a municipal water supply can be poisoned, a bridge can be blown up, and fiber optic cables carrying Internet traffic can be cut (as they were in a series of unsolved incidents in California, leaving parts of the state without the web for hours). The location of many important physical “stations” for web traffic are public knowledge, making them easier targets for attack. Ignorance is also a problem, with the very real possibility that a simple construction project could break through necessary cables and cause huge disruptions to Internet service.
Imagine: Reddit down for days due to an ill-informed dig. It’d be worse than a gas main explosion.
Of course, an in-person attack isn’t necessary to exploit a weak spot in the Internet’s infrastructure. The proliferation of low-security, high-connectivity IoT devices we’re welcoming into our homes give online ne’er-do-wells a whole new way to carry out DDOS attacks. That’s what the DynDNS attacker(s) did. An open-source bit of malware for enslaving IoT devices made the rounds in February; someone or someones rounded up a few million dishwashers, light bulbs, and other “smart” devices and used this botnet to send an overload of queries, flooding and thus shutting down the gateway.
IoT isn’t just about household appliances, either. Elevators, hospital equipment, traffic lights, and other life-and-death devices are increasingly interconnected and controlled through ongoing communication; a hack or even non-malicious interference could easily cause isolated deaths and/or widespread mayhem.
Lastly, there’s the fact that there are fewer and fewer people minding the store, right as the Internet is becoming a part of literally everything we interact with. The folks responsible for maintaining the software at the heart of the Internet are “almost entirely aging volunteers…and should be retired, or are retired.” There aren’t many (if any) startups devoted to making sure the boring old Internet keeps being the Internet, for the simple and obvious fact that there isn’t any money in it. That might change if enough big web takedowns point out the market need for the Internet’s core software, but putting a profit motive in play will also drastically change the nature of the net itself.
All told, things aren’t looking too pretty. The Internet might be making things like self-driving cars possible, but it’s making self-destruction more possible, too. It’s like “the cloud” is just a passive form of SkyNet, unconsciously biding its time until our blithe unawareness does us all in.
Better tell Alexa to send me more ammo. The end times are nigh.
