When AOL updates its software, the new version bears a number: 7.0, 8.0, 9.0. The most recent version is called AOL 9.0 Security Edition. These days, improving the utility of the Internet is not so much about delivering the latest cool application; it’s about survival.
In August, IBM released a study reporting that “virus-laden e-mails and criminal driven security attacks” leapt by 50 percent in the first half of 2005, with government and the financial-services, manufacturing, and health-care industries in the crosshairs. In July, the Pew Internet and American Life Project reported that 43 percent of U.S. Internet users – 59 million adults – reported having spyware or adware on their computers, thanks merely to visiting websites. (In many cases, they learned this from the sudden proliferation of error messages or freeze-ups.) Fully 91 percent had adopted some defensive behavior – avoiding certain kinds of websites, say, or not downloading software. “Go to a neighborhood bar, and people are talking about firewalls. That was just not true three years ago,” says Susannah Fox, associate director of the Pew project.
Then there is spam. One leading online security company, Symantec, says that between July 1 and December 31, 2004, spam surged 77 percent at companies that Symantec monitored. The raw numbers are staggering: weekly spam totals on average rose from 800 million to more than 1.2 billion messages, and 60 percent of all e-mail was spam, according to Symantec.
But perhaps most menacing of all are “botnets” – collections of computers hijacked by hackers to do remote-control tasks like sending spam or attacking websites. This kind of wholesale hijacking – made more potent by wide adoption of always-on broadband connections – has spawned hard-core crime: digital extortion. Hackers are threatening destructive attacks against companies that don’t meet their financial demands. According to a study by a Carnegie Mellon University researcher, 17 of 100 companies surveyed had been threatened with such attacks.
Simply put, the Internet has no inherent security architecture – nothing to stop viruses or spam or anything else. Protections like firewalls and antispam software are add-ons, security patches in a digital arms race.
The President’s Information Technology Advisory Committee, a group stocked with a who’s who of infotech CEOs and academic researchers, says the situation is bad and getting worse. “Today, the threat clearly is growing,” the council wrote in a report issued in early 2005. “Most indicators and studies of the frequency, impact, scope, and cost of cyber security incidents – among both organizations and individuals – point to continuously increasing levels and varieties of attacks.”
And we haven’t even seen a real act of cyberterror, the “digital Pearl Harbor” memorably predicted by former White House counterterrorism czar Richard Clarke in 2000 (see “A Tangle of Wires”). Consider the nation’s electrical grid: it relies on continuous network-based communications between power plants and grid managers to maintain a balance between production and demand. A well-placed attack could trigger a costly blackout that would cripple part of the country.
The conclusion of the advisory council’s report could not have been starker: “The IT infrastructure is highly vulnerable to premeditated attacks with potentially catastrophic effects.”
The system functions as well as it does only because of “the forbearance of the virus authors themselves,” says Jonathan Zittrain, who cofounded the Berkman Center for Internet and Society at Harvard Law School and holds the Chair in Internet Governance and Regulation at the University of Oxford. “With one or two additional lines of code…the viruses could wipe their hosts’ hard drives clean or quietly insinuate false data into spreadsheets or documents. Take any of the top ten viruses and add a bit of poison to them, and most of the world wakes up on a Tuesday morning unable to surf the Net – or finding much less there if it can.”