Boiling the ocean
Before Niles in the TV series Frasier, David Hyde Pierce less famously played a deeply depressed congressman on The Powers That Be. In one scene he counts off suicide methods in Final Exit: "Tried it. Tried it. Oh, as if *that* would ever work. Tried it..."
This is what it felt like at last weekend's STRINT workshop, a cross-the-streams effort of W3C and IETF to put a bunch of really smart minds to the task of figuring out how to harden the Internet against passive pervasive monitoring. It's a tricky assignment: the point isn't to try to close every hole by which someone might spy on you, because doing that would involve shutting off all communications. Instead, the key word is "passive". Active pervasive monitoring, the kind of thing where you have to hire people to watch hotel lobbies and sift through everyone's mail rapidly becomes very expensive, though it's what you have to do if you really want to target someone. It doesn't scale: monitoring more people requires more monitors. Passive monitoring, where you turn on an automated system and leave it alone to slurp data, is cheap once you've paid for installation; you only deploy a human if you need analysis. It's the standard physical/digital inversion: in the physical world more information always meant higher cost; in the digital world it's selecting and analyzing information that's expensive.
Surveillance, in other words, works the same as business models: active surveillance is like making more hardware, which can't scale up without adding more people. The business everyone wants to be in these days is one where adding a million customers - or people to surveille - requires no extra staff. Fit and forget until there's something you want to check out.
So the question the STRINT folks were trying to answer is how to raise costs for attackers, like slowing down burglars enough that they'll go on to the next house. In some cases - spy agencies from democratic nations, for example - merely making the attack visible may be enough. In others - advertising agencies, for example, which are primarily responsive to hits to the bottom line - making their job harder and therefore more expensive is the key. But how?
This is where it gets really difficult: finding a consensus on what the priorities are. What's achievable? In a discussion of how standards get made, it came out that not infrequently someone will want to add an explicit user identifier to a protocol and will respond to objections by saying that there's already so much information exposed by the protocol or applications using it that one more field won't matter. Reversing that has to be done field by field and argument by argument. The really depressing moment came when a few of those assembled said it didn't make sense to increase the operational overheads for everyone when it's only a small minority who really need protection. Didn't we already settle this?
"The thing is," responded Leslie Daigle, "you never know when you're one of those souls who has issues."
There are other things that make the job particularly hard;
- The attackers are well-funded, powerful, and determined;
- As noted above, many seemingly promising approaches have already been tried (for example, Phil Zimmermann commented that PKI is a "spectacular failure" (see also Diginotar, Comodo);
- There is a huge legacy network that can't realistically be re-engineered in ways that require millions of users and businesses to replace all their hardware and software;
- There has to be some effective way of conveying to users with tiny screens when and whether something can be trusted;
- Whatever is built has to work for refrigerators, the go-to stand-ins for the Internet of Things. As someone put it, this is a ten-year project, and the goal is to invent a future that isn't ten years in the past.
Ten years: 2024.
A couple of days later, Martin Sadler, director of the cloud and security lab at Bristol's HP Labs, chats about future trends. By 2020 spreading broadband will pull - probably - another billion people online, most from less-developed countries or regions in China, India, Africa, South America. Many will be very poor. Some will see stealing from rich Westerners as social justice.
"Do a back-of-the-envelope calculation," he said, "and you can get to 100 million hackers by 2020."
The last time I heard something like this was in about 1999, when a smart, forward-thinking security person saw a big, new threat in the arrival of broadband connecting up millions of insecure PCs 24/7. He was, of course right.
The 100 million figure was almost immediately challenged: hackers aren't 10 percent of the population of *anywhere*. Conceded. Drop it by two orders of magnitude and say 0.1 percent. That's still 1 million new hackers with global reach. So on top of all the other hard problems facing the STRINT folks is a likely jump cut in the size of the threat. Taken together, this seems to me like a harder job than building the Internet in the first place.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.