New York Times best-selling author David Eagleman just wrote an awesome piece for CNN called Four Ways the Internet could go down.
It is uniquely doomsday-dark, concluding with the idea that we need to build something like a stone monolith with instructions about how to make electricity, computers, and routers. (maybe with Vyatta‘s open source network software code chisled on it?) Here is a thoughtful reply to the CNN article.
Based on 15 years of working at companies that helped to build the Internet and cloud, including 5 years running the web and Internet engineering program for the University of California, 5 years at Exodus Communications, and 5 more years working at cloud security companies like Trend Micro, here’s another take.
Eagleman’s list of the top 4 things that could bring the Internet down:
1. Space weather
Solar flares could bring down satellites or even terrestrial networks – they have before. Yep.
2. Cyber warfare
The idea here is that cyber warfare targets will include domestic network infrastructure. Maybe.
3. Political mandate
Given that China, Iran, and Egypt have cut off Internet to their populations at various times, and the US Senate approved a bill giving the president authority to use an “Internet Kill Switch”, this cat is already out of the bag. (but the Internet didn’t go down)
4. Cable cutting
We are vulnerable because the vast majority of Internet traffic – about 99% – runs over deep-sea fiber-optic cable instead of satellite. In early February 2008, many fiber-optic cables running to Muslim nations were cut, far too many to have been an accident. You can imagine that every government with the military plan knows which lines to cut to affect which countries. (but the internet didn’t go down)
These are things that could bring the Internet itself down, which raises the question of how we separate the Internet from the web, from mobile devices, and from the cloud itself. This matters because we care about uptime and we care about security. If the network is down, does it mean the cloud itself is down? Will your data be there when the network comes back? Here we focus on data availability and network availability.
All of these threats share two things in common: centralization of infrastructure and centralization of control. Here are things we can – and should – do today to address these core weaknesses.
A small number of satellites concentrates enormous amounts of traffic, and satellites are controlled from a few ground stations at most. if you hack a ground station controller or space weather knocks out a satellite, a network outage happens. What few people understand is that satellites are truly awful at delivering the Internet unless you have no other choice. The reason for this is that satellites are far away so the amount of time it takes to go from the ground to a satellite and back to the ground means that application performance over satellite will always suck compared to fiber optic networks. This is why only 1% of Internet traffic runs on satellite in the 1st place. Solar flares can take out the satellites, which will make life really tough for some people in remote regions, but the Internet itself will be largely unaffected and certainly not “down.”
A stronger solar flare could fry all electronics on the planet conceivably, Including network infrastructure. Something that strong would probably also cook our electrical grid, so I’m less worried about the Internet in such a disaster. Read on to hear how ambient clouds can fix the data networking problem as long as we have power.
Domestic network infrastructure suffers from concentrated ownership (in many countries) and centralized management. When a foreign government takes out a key control system in a domestic network, it takes out the entire network. No need to cut cables in every neighborhood. Even worse, the recent DNS changer virus showed how vulnerable systems that run on top of the network are. DNS itself suffers from concentration in key root servers that have been the target of attacks from the very early days of the Internet.
As a computer security professional, I believe the type of cyber attacks that are most damaging do not take network infrastructure down. Networks are useful to cyber attackers. If a cyber attacker takes out your network, that’s bad news, because it means they’re already done using your network to take out your power plants, traffic control systems, and any other large breakable systems, and they’re not even interested in monitoring what happens.
What’s most precious is information. In warfare, cyber attackers need information first so they go after your data. They breach the network and listen. Once they have the info they need, the real fun begins. Instead of deleting your files, a clever cyber attack will modify them so that the information you get over the internet may be trustworthy but may not be. Subtle changes to information – data poisoning – will do more to slow down a government than a lack of data altogether. This is how Stuxnet worked – it made minor changes to the control system of nuclear infrastructure. It did not delete data.
This is why cyber warfare will end the Internet. It will reduce reliability, slow networks, break most things with control systems connected to the Internet, and muck up data, but core internet infrastructure will still work. We won’t need a stone monolith to tell us how to build routers after even the most intense cyber warfare. Your iphone may be useless for a few weeks though.
Cyber warfare preparation requires protecting far more than the Internet. It requires broad encryption of data placed in the cloud, and it requires a focus on protecting control systems for networks and critical infrastructure like the smart grid. It requires protecting all data so that it may not be altered or maliciously deleted. This goes for all data stored in the cloud because cyber attackers would be perfectly willing to disrupt commerce systems with a data poisoning attack as a way to spread chaos and ruin supply chains.
As you may have guessed, there is a way to use decentralization and encryption to make data more available end nearly impossible to alter.
Political mandates to control the Internet only work when there is a central management technology in place. Even China’s great firewall leaks like a sieve. The problem with political instructions to shut the Internet down is that they require centralized systems in place that allow the Internet to be shut down. When you build a kill switch system, not only may it be used by an unethical government attacking you, but it is likely to be used by a competing government’s cyber warfare team or some other cyber criminal. It is simply unethical to make internet kill switches.
One solution here is international treaties like the ones that ban biological and chemical weapons or the mistreatment of prisoners. The other is to embrace decentralized technologies like ambient cloud to “route around” killswitches. More about that in a minute.
Cable cutting works to cause regional outages of the Internet because we put so much traffic over so few cables, creating natural concentration of data flows. More cables over more routes seems like an easy idea, until you read one of Wired Magazine’s greatest articles ever, written by the most talented living author of this century so far (IMO), and inventor of the post cyberpunk genre, Neal Stephenson. His article titled “Mother Earth Mother Board“, published in 1996, explains exactly how we lay international fiber optic cable.
Once you read it, you will understand that chopped cables will forever be a problem of warfare, no matter how many cables there are, and that simply laying more cable is not a simple or cheap proposition. Germans used u-boats to cut undersea telegraph wires in earlier World Wars too.
That said, more cables make for more redundancy, and it’s unlikely that all cables will be cut permanently, which is the only way that the international Internet could go down forever in some locations (Australia and Hawaii come to mind…but they have those crappy satellite connections as backup). Occasional cuts mean regional interconnection outages, but domestic Internet infrastructure continues to work even when it’s hard to get out of your own country’s network.
The other answer is to look at the history of the Internet to see what we did before we had fast fiber everywhere. In the earliest days of the Internet (you know, the days of the original Tron movie) bulletin board systems swapped information from the Internet only once a day using dial-up modems over a system called FidoNet. FidoNet is limited to sending only text messages, and it’s slow. Users connect whenever they get a chance, and they don’t have to be connected at the same time. so network traffic is harder to track. Even if a cable cut (or political mandate) shuts down part of the Internet, any user can act as a FidoNet server. Distributing content this way is slow, but it’s bulletproof. With a bag of high density USB sticks, you could carry a significant amount of the text on the internet on a camel’s back across a border. No voice and video, but the Internet is still available for browsing and passing messages back and forth. Neat.
The grown up version of this system, called caching or content distribution networking, is widely used on the Internet today even though you probably don’t know it. CDN companies like Akamai store significant pieces of the web away from the servers where those pieces originated. Continuing the theme, this is a decentralized architecture that is far more resilient, and uses far less Internet backbone bandwidth, than centralized web servers. I’m fortunate that Akamai, the largest of the CDN companies, spent $600 million to acquire a CDN startup where I worked to create distributed clouds.
Nations concerned about having their fiber cut should focus on having advanced CDN systems in place that are capable of caching the most commonly sought after Internet content. That turns a cable cut from a complete blackout to a disruption in real time communications, but it prevents the Internet itself from “going down.” There is a clear strategic advantage to having data centers and core network functions like DNS servers within national borders, especially data centers that support secure real-time messaging like instant message, VOIP, and email. Countries like Singapore understand this and are making large investments in Cloud computing today. I’ll be there in a few weeks for the second time in a year to deliver a keynote presentation about cloud security at CloudSec 2012.
Ambient Cloud to the Rescue
There is a new kind of cloud computing emerging called ambient cloud. Given that the Internet is always on and so many mobile devices and PCs are connected to it, you can assemble a cloud of devices that you control even if the devices are all over the place. Ambient clouds are far more cost effective than the centralized clouds that power the web and Internet today. They are far more resilient to attacks, and they have more capacity in terms of bandwidth, storage, and compute capacity than any centralized cloud provider on the Internet today.
Few people realize but the largest cloud computing environment created so far is actually a botnet, or a collection of PCs infected with malware that allows attackers to control millions of distributed PCs that of been infected. Those machines can be used to steal money, copy passwords, store data, or even as listening devices. The DNSchanger malware was so hard to extinguish because it was so decentralized; even a year after we brought down the cyber criminals running it, hundreds of thousands of PCs were still infected. If only our Internet was that resilient. When was the last time you were upset because you could always get an internet connection on your mobile?
What if we harnessed all of this extra ambient compute capacity sitting wasted in our PCs and tablets in order to create a faster, more secure, more resilient Internet? Doing so would radically reduce the risks of “the Internet going down” the ways Eagleman proposes.
The good news is that it’s happening already. I’ve blogged about storage startups like Symform that have affordable, highly available ambient cloud storage available today. Policy based-encryption systems like SecureCloud.com (from my employer Trend Micro) can provide assurance that no one saw or changed your data without your permission. The cool thing about ambient cloud storage is that it’s very hard to legislate data when it is spread into tiny little chunks on tens of thousands of people’s computers in different countries. This addresses one of Eagleman’s primary concerns, political mandates to shut down access to information on the Internet.
But what if a government used an Internet kill switch? What if a cyber attacker successfully penetrates and destroys a country’s Internet networking infrastructure? There are existing ways to deal with these problems, solutions we should embrace because they make the Internet more cost effective and more resilient.
In 2009, the Wi-Fi Alliance issued a new standard to augment Wi-Fi, called Wi-Fi Direct, that turns a Wi-Fi chip into a full blown Wi-Fi access point. It allows Wi-Fi devices to talk to one another without having to get on a network, and it lets anything containing a Wi-Fi chip combine with other WiFi-chip-containing devices to create a wireless hotspot. Using it, you couldn’t connect to the internet at large without some form of backhaul connection to the Internet (although if someone 20 miles away in a large city had an internet connection, you could conceivably use it). You could replace the Internet for an entire city using this new form of ambient cloud networking. Wi-Fi Direct is available as a software upgrade for existing Wi-Fi devices and it was implemented in the One Laptop Per Child program.
We could also use Daihinia , a cheap program that turns your normal Wi-Fi access point into a multihop ad-hoc network. Then you can set up a portal Web page on your network to explain to others how to do it, and (barring solar flares), you can provide Daihinia instructions and a local download link so your neighbors can literally rebuild the Internet from scratch. You can even get real-time communication this way, vital for emergencies, by adding a chat client like Pidgin. In the wake of Egypt’s attempted Internet shut down, media figure Bre Pettis, founder of Makerbot, wrote about the need for these technologies too.
Realistically, very few people have this set up, and once the Internet is down, you won’t have access to the software or information on how to build these things. But it only takes a few people who have this set up before an outage because, once you plant an “internet seed” like this, it can grow virally, just like the Internet already has. The Johnny Appleseed of 2050 may carry a USB drive with mesh networking code on it.
The reason you haven’t heard of this is that the last thing your ISP wants is for you to share your internet access with your neighbors, and they don’t want a mesh network to replace the revenue they get from selling a centralized direct connection to your home. (This is not conspiracy theory – I ran strategic planning for a large ISP.)
The truth is that the Internet is safer and we are all better off when wireless mesh networks augment direct connections to the Internet. There is no technology reason we aren’t doing this today. We owe it to ourselves to build a better Internet.
Ambient cloud and network technologies, combined with better encryption, can address all of Eagleman’s concerns about the Internet going down, except the extreme solar flare case. If that happens , were all going to have a lot more to worry about than fixing the Internet using a stone monolith set of instructions.
Comments welcome. Follow me @daveasprey on twitter for more comments and conversation.