The security solution revolution, continued

Default authentication is cheap; the cost of not improving Internet security is high

I've just figured out that I'm a guy who needs two or three columns to communicate my big ideas, or at least argue them out.

In my last column, I proposed rebuilding computing devices and the Internet from the ground up to create a new, more secure, default authenticated Internet to replace our wholly insecure, default anonymous, current Internet. As expected, dozens of readers completely disagreed with me.

[ Roger Grimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

Several told me that "the Internet needs to be free!" What exactly does that mean? Is it free for you today? If you’re not paying access fees, you either live in one of those cool cities where the Internet is free, you're stealing access from a neighbor, or you're just not paying Mom the money you owe her.

I assume that "free" in this case must mean "free from The Man!" Free from governmental regulation. Free to do anything you want, however you want. 

My solution doesn’t get rid of your "free" Internet; you're free to stay on the current version as long as you like. I'm just saying that if you want a more secure version, we can do a lot better. And I'm betting that if we build a truly secure Internet, the business world will move to that more secure version and pay more for the privilege. When most business moves to the more secure version, any Web site hoping to make more money will need to move to the more secure version, too. They can create two versions of their site: one for the free Internet, another for the safer channel.

Several readers said my idea was too expensive to implement. That's a fair statement. However, it's my contention that the better question is: What's the cost of not doing anything?

All sorts of services, including those that are mission-critical and basic to society, are going online: banking, purchasing goods, billing and payment systems, reservation systems, travel planning, paying taxes, ordering city services, buying concert tickets, voting, VoIP, and so on. It's a predictable pattern. First, it starts as a new whiz-bang convenience, but pretty soon you'll be charged to do things offline. Eventually, the only option for some tasks will be online communication — you won't be able to visit a brick-and-mortar store, and there won't be 1-800 numbers to call or mailing addresses to write to. Your only option will be online commerce. Soon, a lot of our world will solely be available online. Tell me if I'm wrong.

So our commerce infrastructure will move online, but our transport pipes will still be the same old technology with the same crappy problems that we have today. Will we ever get authenticated ARP (Address Resolution Protocol) to put down man-in-the-middle attacks? Will we ever be able to stop DDoS attacks? Will we ever be able to trust our e-mail? Will spam or phishing ever go away?

Online crime is high value and extremely low risk. We catch only the idiots and the perpetually greedy. Since we aren’t nabbing the vast majority of online criminals, the problem is bound to get worse.

So do the math. Our world is going online; it's a wave that can't be stopped. The current Internet is overrun by criminals and malware. One-third of the population had their identity stolen last year alone. One-fourth of all PCs connected to the Internet are infected by remote control bots. Hundreds of thousands of Web sites are infected by malware. Spam accounts for more e-mail than legitimate messages. Anti-virus scanning accuracy is at an all-time low. There is almost no hope that any of the current defensive measures will be able to make the problem better. It’s not a pretty equation.

I'm fairly certain that our Internet a decade from now will be one where default anonymity is gone, or at least relegated to a less secure twin. Businesses will flock to the new, more secure version, as will their business partners. Your grandmother and less computer-savvy folks will pay more to be "safe." In the end, we will all be on a more secure Internet — it's just a question of whether we do it in a planned, methodical manner or the haphazard, reactive way we do most computer things.

If my vision is off track, what is the alternative?