One third of all U.S. adults had their identity and financial information stolen or lost in 2006 alone. Bogus messages make up 90 percent of the e-mail traffic on the Internet. Ninety-nine percent of all malware exists to steal your money. Tens of millions of dollars are being stolen off the Internet every day from bank fraud, phishing attacks, bogus stock trades, extortion, etc. A large percentage of the Internet is owned and operated by the criminals, and they almost never get caught.
No, the sky isn’t falling. It fell a long time ago.
[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]
In the future, there will be a huge Internet crime theft. The loss will total in the billions of dollars after a single hour. When it is through, it will interrupt the Internet, the banking system, and business in general for a week or more as we struggle to find out how it happened. Our resolve and trust in our money being stored in electronic bits will be tested.
Why am I so sure it will happen? Because we've got human greed on one side and passive indifference on the other.
The techniques that would allow hackers to steal billions of dollars are absolutely no different than the ones they already use to steal millions of dollars today. Most criminals are content to steal hundreds of thousands to millions of dollars. They understand the phrase “staying under the radar.” But one day, an online Lucky Luciano (recognized as the father of organized syndicated crime) will rise up and go for the big one.
These are the facts. Internet criminals almost never get caught. They are successfully stealing tens of millions of dollars every day. Which is more likely to happen in the future: criminals will steal more, or criminals will steal less? We all know the answer. And while everyone reading this column cares, society in general doesn’t.
There is a way to stop it, of course, but it isn’t a particular device, software product, or even a process. It’s universal authentication and the loss of default anonymity on a new Internet. How would the nature of online attacks change if the attacker knew we could identify them every time?
Start with the Trusted Computing Group’s specifications and build the authentication into all participating computers, the software, and the data communications pathway. Build authenticated hardware with the Trusted Platform Module chip. You can then authenticate the OS and authenticate the applications running on the OS. This gives us an authenticated computing platform. Without this none of the other parts work.
Next, you build in two-factor or biometric authentication to verify the user. Each end-point network would be responsible -- and held accountable -- for verification of their users. Finally, and most importantly, we give up our right to default anonymity on the Internet. Every packet can be traced from original source to final destination.
This last idea might sound crazy, even unwelcome, but all the parts to make it happen are probably already in place. Our governments, for good or bad, are already requiring most ISPs and telecom providers to store our online history and/or data packets for a certain period of time. What the ISPs don’t store our governments are probably sifting through anyway. I bet all it would take to be more inclusive is more hard drive space -- and hard drive space is pretty cheap.
Take all of this and build another Internet, one that's secure by default. Charge people extra to join it. I’ll call it Internet/S.
Would I join? Heck yeah, and I think most of the business world would pay extra to join, too. Right now, my e-mail and Web servers get attacked thousands of times each day. My firewall, anti-spam, anti-spyware, and anti-malware defenses are blocking about 90 percent of the traffic that hits my network endpoint. How much faster would my network connection be if I didn’t have to deal with malicious network packets? How much money would we all save if we didn’t have to focus so much on poor security solutions that never work? How much more productive would employees be if we didn’t have to re-ghost their machines all the time or send them to end-user security classes?
Those who absolutely need anonymity can stay on the old Internet. There are lots of valid reasons why someone may want to remain anonymous on the Web (e.g. AIDS support groups, rape counseling, whistleblower reporting, political discourse, civil disobedience, etc.). I just don’t want you to connect to my business server, and I’m willing to pay extra for it.
Many Internet services, like instant messaging, already have untrusted and trusted versions. The trusted versions require authentication and cost more. We just need to expand the notion to the entire Internet, and provide secure and authenticated endpoints.
When so much of the traffic on the current Internet is malicious and criminal, and we can’t do anything about it, isn’t it time for an Internet/S?