The Current State of Internet Security From A Technical Perspective

by Jonne Soininen, Internet Engineering Task Force

The recent revelations of pervasive monitoring by security agencies including the NSA and GCHQ sent shockwaves through the Internet technical community. Though it was hardly surprising that organizations whose main purpose is to monitor and analyze communication were actually performing their task, the scale and tactics of those activities did surprise the technical community. The revelations served as a wake-up call to the technical Internet community to focus more time and work on Internet security.

As a reaction to the revelations on pervasive Internet monitoring, the Internet Engineering Task Force (IETF) held a session about pervasive monitoring in the technical plenary in Vancouver in November 2013. There was clear consensus among the participants that more could and had to be done to increase security in the Internet protocols. However, Internet security is by no means a new topic in the Internet technical community. Though it is often stated that the Internet was not originally designed with security in mind, the IETF has had a significant focus on security and privacy for decades. A testament to this is RFC 1984, published as early as 1996, in which the Internet Architecture Board (IAB) and the Internet Engineering Steering Group state that the IETF will work on securing its technologies with encryption regardless of government restrictions on encryption technologies. Over the years, the IETF has specified technologies, such as IPsec and Transport Layer Security (TLS), to secure communications over the Internet. These technologies are widely deployed and used routinely on the Internet. In addition, the IETF and the IAB increased the focus on privacy in Internet protocols even before the Snowden revelations. The IAB published guidance on privacy considerations for Internet protocols in RFC 6973 in July 2013. Hence, the IETF did not start to work on Internet security and privacy in the aftermath of the Snowden revelations. However, the focus on security was further increased.

An old proverb says you can lead a horse to water, but you cannot make it drink. The same is true of Internet security. Though extensive tools for Internet security have been available for a long time, many people have not been using them. Sometimes the privacy and security aspects have not been considered important enough in the tradeoff, for instance, between increased security and increased computing power needs. However, over recent years major Internet service providers have started to use technologies such as TLS by default to secure their services. This development is very encouraging and there is hope that others will increasingly follow this trend as well. These available security mechanisms do effectively secure communication over the Internet between the service and its users. In light of the Snowden revelations and the Heartbleed bug, it might seem counterintuitive to state that the Internet is more secure than ever, and continues to become more secure as new technologies are developed and those technologies already developed are deployed. However, looking purely from an Internet communications angle, this statement is true. In addition, the new increased focus on security in the Internet will only strengthen this development.

In addition, in the discussion about pervasive surveillance, questions have arisen about the security of Internet routing and what traffic flows through countries that perform pervasive monitoring of Internet traffic. There has been a general call for enhancing routing security, which Peter Schaar mentions in his article. Certain European political leaders have even called for a European Internet, envisioned as offering greater security. Although in the early days of the commercial Internet much of the traffic did actually go via the US, today local traffic does stay local. The introduction of local Internet Exchange Points in countries and peering agreements between local operators have assured this in Europe for over a decade already. The same trend is seen all over the world, including more recently in developing countries. Today, there is no technical reason why local Internet traffic from any European country should or would pass through any other country.

As these statements about the technical state of Internet security and routing are both positive about the current situation and hopeful about the future, the question may arise as to how it was possible for the NSA, for instance, to perform extensive surveillance even on foreign citizens. The answer is in the popular services we use. These services are provided mainly by US-based companies. These organizations fall under local legislation and have had to hand over information to local agencies. The Internet does not inherently leak this information; rather, the information is obtained directly from the service provider. Hence, the issue is that we, the users, provide the information to these organizations by using their services. In his article, Peter Schaar also raises the issue of the significant market power of some of these Internet players. Commercially, these players are very strong and they may have significant market power, at least in the western hemisphere. However, the reasons these companies have become significant are not rooted in Internet technology. As a matter of fact, Internet technology enables a level playing field for competition, and local alternatives exist and are widely used in many regions. Therefore, users can choose between services and service providers. We have to ask why users, regardless of privacy implications, continue to use the currently popular services and why there is a lack of viable alternatives in Europe.

The Internet is international in nature. The packets pass over national borders as easily as they do within a country or a region. This also causes legal friction between countries and regions when services are provided outside a jurisdiction. Despite the issues, the international nature of the Internet is inherently a good thing. It is one of the key reasons the Internet has become the universal data network. As Peter Schaar states in his text, the reactions to pervasive surveillance may try to start restricting the international nature of the Internet. In addition, there is a risk that the example of pervasive surveillance increases the interest of other nations to start similar programs themselves. These are real risks to the Internet.

The increase in computer processing power and storage capacity has revolutionized data processing over the last decade. Currently, there seems to be little technical restriction on storing data in an always-available format over extended periods and processing it almost in real time for different purposes. The data stored for a certain purpose can be used for a completely different purpose than originally intended as business models or political climates change. As Peter Schaar points out in his text, the right to privacy is an extremely important human right. This includes the right to privacy on the Internet. Taking the current technical capabilities into account, the right to privacy is perhaps more important today than it was ever before. Therefore, it is absolutely vital for the trustworthiness of the Internet that progress in developing new security technologies and deploying those already specified continues and even accelerates. In addition, users need to be aware of the implications of their actions for their privacy online. The Internet technical community continues to develop the technologies for increased security and improved privacy. In addition, the public focus on the Snowden revelations has created more awareness of privacy on the Internet. This technical progress and increased awareness can lead the horse to the water. We can only hope it will also drink.

MIND-Multistakeholder Internet Dialog
MIND stands for Multistakeholder Internet Dialogue. The discussion paper series is a platform for modern polemics in the field of Internet governance. Each issue is structured around a central argument in the form of a proposition by a well-known author, which is then commented on by several actors from academia and the technical communities, the private sector, as well as civil society and government in the form of replications.

Author
Sebastian Haselbeck