How Not to Build a More Secure Internet

Eli Dourado, a policy wonk at the Mercatus Center at George Mason University, wrote an intriguing op-ed for the New York Times Tuesday, Let’s Build a More Secure Internet. Dourado’s argument is that network hardware design is closed and mysterious instead of open and obvious the way software design is, and this mystery makes networks insecure. So he wants to open up hardware design by embracing something called “open hardware” that will presumably prevent the NSA from spying on us. He wants Internet switches and routers to embrace Wikipedia principles of openness, to build on a perceived strength and overcome a perceived shortcoming:

Perhaps the greatest open-source success story is the Internet itself — at least its “soft” parts. The Internet’s communications protocols and the software that implements them are collaboratively engineered by loose networks of programmers working outside the control of any single person, company or government. The Internet Engineering Task Force, which develops core Internet protocols, does not even have formal membership and seeks contributions from developers all over the world.

But the problem is that the physical layer of the Internet’s infrastructure — the hardware that transmits, directs and relays traffic online, as well as its closely knit software (or “firmware”) — is not open-source. It is made by commercial computing companies like Cisco, Hewlett-Packard and Juniper Networks according to proprietary designs, and then sold to governments, universities, private companies and anyone else who wants to set up a network.

This analysis is way off the mark at many levels, and simply misleading at others. If we followed Dourado’s advice, we would actually get an Internet that’s many times less secure than the one we have. Let me explain.

In the first place, Dourado confuses the open standards produced by IETF with the software and devices that implement them. TCP, for example, is a protocol, not a program. There is one and only one formal specification for TCP (actually there are several variants, but they stem from a common specification) but there are many implementations: Microsoft has its versions of TCP for the various forms of Windows, Apple has its own versions for Macs and iPhones, Google has its own for Android and YouTube, etc.

The process that produces the standard is open to everyone (although some engineers have more influence than others) but the products that implement this open standard are only as open as the companies want them to be. IETF writes the rules for the Internet, not the code.

Hardware is not fundamentally different: Standards bodies like IEEE 802, ITU-T, and IETF produce standards (formal specifications) for Ethernet, Wi-Fi, and MPLS, and then companies develop products that implement the standards. Modern hardware design is a lot like software design: hardware designers create chips by specifying their logic in a programming language (like Verilog or SystemC) and then simulating, testing, and debugging until the chip does what they want.

Verilog and SystemC are called “hardware description languages” to distinguish them from regular programming languages like C and C++, but the basic work is the same. If you wander around an office where chips are being designed, you’ll have a hard time telling when you’ve left the section where the hardware designers work and entered the one where the software people work. You’re going to see people writing code in both places.

Outside the realms of Linux and the free open source software movement, software is no more open than hardware, and there’s a lot more to making the Internet work than the formal specifications for TCP and IP. A great deal of the logic that’s required to make an Internet router work has less to do with protocol specifications than it does with questions of system design.

The rules for IP don’t say how fast it has to run, how many addresses a router has to cache, how the router gets routing information for each packet, or what sort of logic a router uses when handling common options vs. uncommon ones. All of these questions factor into the cost, performance, reliability, and “security” of an Internet router, but they’re legitimately proprietary. So no, it does not make any sense to force hardware design to be more “open” than software design is for today’s Internet.

Open hardware also has nothing to do with NSA’s ability to snoop. All they need to do that is access to the wires that carry Internet traffic; with such access they can divert traffic to their own systems without touching the internal logic of Cisco, Huawei, and Juniper routers. They’ve been doing this for a long time, and the hardware involved is no more complicated than a mirror: one packet goes in, and two packets come out, one for the Internet and the other for NSA. No router logic needs to be changed for this to happen.

So Dourado is completely confused about the relationship of “openness” in hardware and software to both product development and privacy. What’s more important is that he’s confused about the meaning of the word “security.” The dirty secret about security is that we have seemingly endless discussions about it in the policy world while lacking a coherent definition. One form of insecurity is the attacks that drive servers off-line for hours or days every time a few kids launch a Denial of Service attack. This insecurity demonstrates just how fragile the Internet is, and just how poorly designed its basic protocols are. Denial of Service attacks aren’t possible on most networks.

The Internet’s problem in this instance is its assumption – baked into TCP and IP – that all users are presumptively trustworthy. It’s rare for humans to make such an assumption in any sphere of life, especially where things of financial value are involved. The local branches of the banks that hold our money are not managed on the assumption that everyone who pulls into the parking lot is trustworthy; they require us to prove our trustworthiness in an escalating series of security challenges before we get access to money. In most instances, it would be worthwhile for the Internet to adopt this approach. It does so in a limited sense for e-mail now that anti-spam blacklists are universal, but these could be more robust. Text messaging is cleaner and less spammy than email because it denies service, by design, to anyone who can’t authenticate as a trustworthy user and who isn’t willing to pay for message delivery.

There is an openness issue in what the NSA has been doing, but it’s not anything as small or as whimsical as Dourado’s imaginings about “open hardware.” The Internet is a fundamentally open system, and that means it’s fundamentally opposed to privacy by design. You don’t have to be on board with the latest quirky tech policy movement to see this. The Internet was designed to be a research network, so all of its operational details are open to the well-situated observer with the ability to clamp a monitor on a wire.

The first network engineering tool most engineers ever use is a packet sniffer that exposes all the details of every packet traversing the network. This was the case in the 1960s when ARPANET was built and it’s the case today. The Internet runs on packet switched networks, shared resource systems in which multiple users transmit and receive on party lines and address information and etiquette determine what each one sees. Monitors relax the etiquette and expose everything. And guess what – open source monitors are everywhere.

So adding security – and especially privacy – to this system is nearly impossible. It can be done, but only at the expense of fundamental design principles. It’s much, much more difficult to redesign the Internet than to hop on the latest pseudo-technical bandwagon.