Written by Dan Kaminsky
We could lose this internet. Or we could save it.
I prefer the latter. And speaking to you as somewhat of an outsider – a hacker for decades, based in San Francisco – I need your help. I firmly believe we need something akin to a National Institutes for Health for Cybersecurity.
This Internet has driven the greatest expansion of the global economy since the Industrial Revolution. The promise of information technology is extraordinary. But it is still a promise, and it’s one people are starting to question. The NTIA recently announced that fully half of all Americans are actually backing away from the Internet due to security and privacy fears.
Half! We shouldn’t be surprised. At this point, who hasn’t gotten a disclosure notice, a replacement credit card, or dealt with something worse?
And so I worry. I’m not one to resort to FUD, but how can we expect innovation to thrive under such conditions? To use one example, the Internet of Things is the culmination of a dozen major trends finally reaching maturity. It is amazing to watch people explore what’s suddenly possible, connecting the capabilities of IT to the rest of the engineering landscape.
It’s also the first technology I’ve seen people assume is completely insecure during the critical early adoption phase.
I mean, people are right, but usually a new industry has some time to get its act together. Smartphones weren’t great when they first arrived. (Many still aren’t.) Meanwhile, the largest Internet floods in history just came from an enormous network of hacked cameras. The Internet of Things is already being abused in the real world.
America used to be the leader in a high performance, low reliability technology: automobiles. Japan innovated, and delivered much more reliable vehicles. Detroit in fact rose to the challenge and our manufacturing quality did improve. Eventually. Not at all painlessly.
The reality is that whoever figures out how to make reliably secure code at scale is going to host the next Silicon Valley. I’d prefer it to be our Silicon Valley, but we’re not the only nation with talented programmers.
Foundational work will be required to address the cybersecurity crisis. Standing in the way are two beliefs: that defending software is impossible, and that even if we could, government has no role to play in doing so. Let’s talk about that.
Bugs aren’t random. Vulnerabilities do not exist by simple probabilities, any more than bridges collapse because that’s just what hoisted metal and asphalt does. There are patterns which hackers exploit and defenders manage. I’ve seen and done both, and I can tell you there are places where we’ve seen dramatic improvements in quality. We need more such places. Attackers, many foreign, are holding our hospitals for ransom, probing our electoral systems and disrupting the lives of the entire citizenry.
If government has a role to play – and I believe it does – it’s to do more than blow things up and spy on everyone. There’s work to do, by engineers, for engineers. I advocate a “NIH for Cyber” because we didn’t stop our cities from burning by making fire illegal or heal the ill by making sickness a crime. This is not the first time a new technology has showed up with tremendous potential and a lot of problems.
Hackers talk a lot about snake oil, but we didn’t invent the term. People used to take actual snakes, and press them into actual oil, and sell it as a panacea. Pharmaceutical design needed reliable manufacturing and a test regime. We needed to know what process and technology inputs reliably led to desired outputs – not theoretically, but experimentally, across actual populations. Cybersecurity is ultimately an engineering problem of human communication – we have programming languages, not programming equations, after all.
This will be expensive, long term, difficult and sometimes boring work, that needs armies of nerds, and funding not threatened by next quarter’s earnings. Government can support that. It has its own risks – Martin Shkreli and the antics of Mylan demonstrate the distortions enabled by regulatory capture. And we’ve seen empirically that agencies that try to both attack and defend, don’t. That’s OK. The NIH is not a branch of the Marines.
We stand at a moment of great opportunity. More people than ever are learning to code for the first time. We can study that process, learn from their mistakes, understand what inputs to a developer lead to secure outputs for our society. We can enable, protect, and encourage the creation and the consumption of innovation: all without fear.
Individuals are doing extraordinary engineering work in cybersecurity, but there’s more than just one guy working to cure cancer. Too much engineering work depends on the spare time of too few. We need institutions, with good and stable funding – and a bureaucratic firewall against those with other motivations.
Technological innovations have become the driving force of our economy, our society, our way of life. Our crisis of cybersecurity is a problem that needs to be addressed at a national level. It must be possible to run a small business without having to field a small military unit to fend off foreign aggression.
France’s CIO, Henri Verdier, coined this astonishing term: State-as-a-Platform. He’s recognized that there are services entire societies can build upon, that a legitimate state may very well provide.
From food safety to the original superhighway, from pharmaceuticals to actually stopping our great cities from burning, societal scale problems have attracted a Governmental response. The key is getting the right one. Nobody is impressed with louder threats of legislative penalties, or the distraction the encryption debate has become.
An NIH for Cyber, focused on our genuine engineering challenges, could save this Internet.
Dan Kaminsky is an internationally respected technologist who has spent almost two decades protecting the Internet. He is one of the seven “key shareholders” able to restore the Internet’s Domain Name System if necessary. Dan is known for his work in finding a core flaw in the Internet, and then leading the charge to repair it. An active contributor to the W3C, the guiding organization for the Web, he is co-founder and Chief Scientist of White Ops, a cybersecurity firm. You can follow him on Twitter: @dakami