A tale of two Internets

One third of all U.S. adults had their identity and financial information stolen or lost in 2006 alone. Bogus messages make up 90 percent of the e-mail traffic on the Internet. Ninety-nine percent of all malware exists to steal your money. Tens of millions of dollars are being stolen off the Internet every day from bank fraud, phishing attacks, bogus stock trades, extortion, etc. A large percentage of the Internet is owned and operated by the criminals, and they almost never get caught.

No, the sky isn’t falling. It fell a long time ago.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

In the future, there will be a huge Internet crime theft. The loss will total in the billions of dollars after a single hour. When it is through, it will interrupt the Internet, the banking system, and business in general for a week or more as we struggle to find out how it happened. Our resolve and trust in our money being stored in electronic bits will be tested.

Why am I so sure it will happen? Because we've got human greed on one side and passive indifference on the other.

The techniques that would allow hackers to steal billions of dollars are absolutely no different than the ones they already use to steal millions of dollars today. Most criminals are content to steal hundreds of thousands to millions of dollars. They understand the phrase “staying under the radar.” But one day, an online Lucky Luciano (recognized as the father of organized syndicated crime) will rise up and go for the big one.

These are the facts. Internet criminals almost never get caught. They are successfully stealing tens of millions of dollars every day. Which is more likely to happen in the future: criminals will steal more, or criminals will steal less? We all know the answer. And while everyone reading this column cares, society in general doesn’t.

There is a way to stop it, of course, but it isn’t a particular device, software product, or even a process. It’s universal authentication and the loss of default anonymity on a new Internet. How would the nature of online attacks change if the attacker knew we could identify them every time?

Start with the Trusted Computing Group’s specifications and build the authentication into all participating computers, the software, and the data communications pathway. Build authenticated hardware with the Trusted Platform Module chip. You can then authenticate the OS and authenticate the applications running on the OS. This gives us an authenticated computing platform. Without this none of the other parts work.

Next, you build in two-factor or biometric authentication to verify the user. Each end-point network would be responsible -- and held accountable -- for verification of their users. Finally, and most importantly, we give up our right to default anonymity on the Internet. Every packet can be traced from original source to final destination.