The Day The Internet Goes Down

This hasn't happened—yet.  But Bruce Schneier, an experienced Internet security expert with a track record of calling attention to little problems before they become big ones, is saying he's seeing signs that somebody may be considering an all-out attack on the Internet.  In an essay he posted last month called "Someone Is Learning How to Take Down the Internet," he tells us that several Internet-related companies which perform essential functions such as running domain-name servers (DNS) have come to him recently to report a peculiar kind of distributed denial-of-service (DDOS) attack.

For those who may not have read last week's blog about ICANN, let's back up and do a little Internet 101.  The URLs you use to find various websites end in domain names—for example, .com or .org.  One company that has gone public on its own with some limited information about the attacks is Verisign, a Virginia-based firm whose involvement with the Internet goes back to the 1990s, when they served as the kind of Internet telephone book for every domain ending in .com for a while, before the ICANN, now an internationally-governed nonprofit organization, took over that job.  Without domain-name servers, networked computers can't figure out how to find websites, and the whole Internet communication process pretty much grinds to a halt.  So the DNS function is pretty important.

As Schneier explains in his essay, companies such as Verisign have been experiencing DDOS attacks that start small and ramp up over a period of time.  He likens them to the way the old Soviet Union used to play tag with American air defenses and radar sites in order to see how good they were, in case they ever had to mount an all-out attack.  From the victim's point of view, a DDOS attack would be like if you were an old-fashioned telephone switchboard operator, and all your incoming-call lights lit up at once—for hours, or however long the attack lasts.  It's a battle of bandwidths, and if the attacker generates enough dummy requests over a wide enough bandwidth (meaning more servers and more high-speed Internet connections), the attack overwhelms the victim's ability to keep answering the phone, so to speak.  Legitimate users of the attacked site are blocked out and simply can't connect as long as the attack is effective.  If a critical DNS is attacked, it's a good chance that most of the domain names served will also disappear for the duration.  That hasn't happened yet on a large scale, but some small incidents have occurred along these lines recently, and Schneier thinks that somebody is rehearsing for a large-scale attack.

The Internet was designed from the start to be robust against attack, but back in the 1970s and 1980s, the primary fear was an attack on the physical network, not one using the Internet itself.  Nobody goes around chopping up fiber cables in hopes of bringing down the Internet, because it's simply not that vulnerable physically.  But it's likely that few if any of the originators thought of the possibility that the Internet's strengths—universal access, global reach—would be turned against it by malevolent actors.  It's also likely that few of them may have believed in original sin, but that's another matter.

Who would want to take down the Internet?  For the rest of the space here I'm going to engage in a little dismal speculation, starting with e-commerce.  Whatever else happens if the Internet goes down, you're not going to be able to buy stuff that way.  Schneier isn't sure, but he thinks these suspicious probing attacks may be the work of a "state actor," namely Russia or China.  Independent hackers, or even criminal rings, seldom have access to entire city blocks of server farms, and high-bandwidth attacks like these generally require such resources.

If one asks the simple question, "What percent of retail sales are transacted over the Internet for these three countries:  China, the U. S., and Russia?" one gets an interesting answer.  It turns out that as of 2015, China transacted about 12.9% of all retail sales online.  The U. S. was next, at about 8.1%.  Bringing up the rear is Russia, at around 2%, which is where the U. S. was in 2004.  Depending on how it's done, a massive attack on DNS sites could be designed to damage some geographic areas more than others, and without knowing more details about China's Internet setup I can't say whether China could manage to cripple the Internet in the U. S. without messing up its own part.  But there is so much U. S.-China trade that Chinese exports would start to suffer pretty fast anyway.  So there are a couple of reasons that if China did anything along these lines, they would be shooting themselves in the foot, so to speak.

Russia, on the other hand, has much less in the way of direct U. S. trade, and while it would be inconvenient for them to lose the use of the Internet for a while, their economy, such as it is, would suffer a much smaller hit.  So based purely on economic considerations, my guess is that Russia would have more to gain and less to lose in an all-out Internet war than China would.

A total shutdown of the Internet is unlikely, but even a partial shutdown could have dire consequences.  Banks use the Internet.  Lots of essential utility services, ranging from electric power to water and natural gas, use the Internet for what's called SCADA (supervisory control and data acquisition) functions.  The Internet has gradually become critical piece of infrastructure whose vulnerabilities have never been fully tested in an all-out attack.  It's not a comfortable place for a country to be in, and in these days of political uncertainty and the waning of dull, expert competence in the upper reaches of government, you hope that someone, somewhere has both considered these possibilities in detail, and figured out some kind of contingency plan to act on in case it happens. 

If there is such a plan, I don't know about it.  Maybe it's secret and we shouldn't know.  But if it's there, I'd at least like to know that we have it.  And if we don't, maybe we should make plans on our own for the Day The Internet Goes Down.

Sources:  Bruce Schneier's essay "Someone Is Learning How to Take Down the Internet" can be found at https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html.  I obtained statistics on the percent of U. S. retail e-commerce sales from the website https://ycharts.com/indicators/ecommerce_sales_as_percent_retail_sales, the China data from https://www.internetretailer.com/2016/01/27/chinas-online-retail-sales-grow-third-589-billion-2015, and the Russia data from https://www.internetretailer.com/commentary/2016/02/08/russian-e-commerce-domestic-sales-slump-chinese-imports-soar.  I also referred to the Wikipedia article on Verisign.

Rolling Back Mass Surveillance

Bruce Schneier is a man worth listening to.  In 1993, just as the Internet was gaining speed, he wrote one of the earliest books on applying cryptography to network communications, and has since become a well-known security specialist and author of about a dozen books on Internet security and related matters.  So when someone like Schneier says we're in big trouble and we need to do something fast to keep it from getting worse, we should at least pay attention.

The trouble is mass surveillance.  In his latest book, Data and Goliath, he explains that mass surveillance is the practice of indiscriminately collecting giant data banks of information on people first, and then deciding what you can do with it.  One of the best-known and most controversial examples of this is the practice of the U. S. National Security Agency (NSA) of grabbing telecommunications metadata (basically, who called whom when) covering the entire U. S., which was revealed when Edward Snowden made his stolen NSA files public in 2013.  Advocates of the NSA defend the call database by saying the content of the calls is not monitored, only the fact that they were made.  But Schneier makes short work of that argument in a few well-chosen examples showing that such metadata can easily reveal extremely private facts about a person:  medical conditions or sexual orientation, for example. 

It's not only government overreaching that Schneier is concerned about. Businesses come in for criticism too.  With data storage getting cheaper all the time, many Internet firms and network giants such as Google and Yahoo find that it's easier simply to collect all the data they can on their customers, and then pick through it to see what useful information they can extract—or sell to others.  This happens all the time.  Maybe the most visible evidence of it happens when you go online and look for, say, a barbecue grill at a hardware-store website.  Then, maybe several days later, you will be on a completely different site.  Say a vegetarian friend is coming over and you're looking up how to make vegan stew.  Lo and behold, right next to the vegan recipe, there's an ad for that barbecue grill you were looking at a few days ago.  How did they know?  With "cookies" (bits of data retained by your browser) and behind-the-scenes trading of information about you and your browsing habits.

But Schneier reserves his greatest concern for something that is perhaps hardest to define:  the loss of privacy.  The right to privacy is a vital if poorly defined right whose absence makes normal life almost impossible.  Schneier says, "Privacy is an inherent human right. . . . It is about choice, and having the power to control how you present yourself to the world."  Mass surveillance tramples over the right to privacy and trains millions subtly to alter their ways of living to avoid the pain of secrets revealed.  This way of living was familiar to those whose lives were monitored by totalitarian regimes such as the old East Germany or the Soviet Union.  True, Google isn't going to send a jackbooted corporal to your door if you say something nasty about Sergey Brin, Google's co-founder.  Brin himself was born behind the Iron Curtain, though his family emigrated when he was six, and he probably remembers little or nothing about the USSR.  Nevertheless, Google and other firms that collect massive amounts of private data from their customers have set up a situation in which the privacy rights of millions, even billions, depend solely on the good intentions of a few powerful decision-makers in private companies. 

So what do we do about this?  Schneier has lots of suggestions, and points to Europe as a place where privacy is more respected in law and custom.  Changing laws is a necessary first step.  Whenever anyone moves to restrict the mass-surveillance habits of government entities such as the NSA or the Federal Bureau of Investigation, their defenders threaten us with a terrorist apocalypse, saying if we don't give up this or that privacy right, we'll tie the government's hands and be helpless before terrorist assaults.  Schneier spends a lot of time taking apart this argument, to my mind pretty convincingly.  For one thing, mass-surveillance data has not proved that useful in uncovering terrorist plots, compared to old-fashioned detective work focused intensely on a few known troublemakers. In general, government should abandon most mass-surveillance practices in favor of concentrating on specific investigations, with permission granted by courts whose workings are made public to the extent possible.

As for massive snooping by private enterprises, Schneier thinks regulations are the best option.  These regulations would impose a kind of "opt-in" system.  Currently, if you have a privacy-related choice at all in dealing with Internet firms, you have to go to a lot of trouble to make them respect your privacy, if they will allow such a thing at all.  Under Schneier's proposed policy, companies could not take away your rights to your data without your explicit permission, and the choice would be explained clearly enough so that you wouldn't need to have your techno-lawyer read the fine print to understand what's going on. 

Neither Schneier nor I are political scientists, so it's hard to say how we would get from the current parlous situation to one in which online privacy is respected, and nobody can snoop on you unless they go to a lot of trouble and get special permission to do it.  But he's told us what the problem is, and now it's up to us to do something about it.

Sources:  Bruce Schneier's book Data and Goliath:  The Hidden Battles to Collect Your Data and Control Your World was published by W. W. Norton in 2015.  The quotation from it above is from p. 126.  I also referred to Wikipedia articles on Edward Snowden, MAINWAY (the NSA call databse), and Sergey Brin.