Viruses, Security Issues Undermine Internet
Experts Contemplate New Version
By Ariana Eunjung Cha
Washington Post Staff Writer
Sunday, June 26, 2005; A01
DENVER -- E-mails were flooding in from all over the country. Something
strange was going on with the Internet, alarmed computer users wrote.
Google, eBay and other big sites had suddenly disappeared. Kyle Haugsness
scanned the reports and entered crisis mode.
Part of the Internet was broken. For the 76th time that week.
Haugsness was on duty for the Internet Storm Center, the closest thing to a
911 emergency-response system for the global network. He and a few
colleagues began investigating and discovered that a hacker had taken
advantage of yet another security hole. As many as 1,000 companies had
effectively had their connections "poisoned," so when their employees typed
in legitimate addresses they were taken to bogus Web destinations.
Haugsness wrote up an alert and a suggested solution, and posted it on the Web.
Then, Haugsness turned back to his inbox. In the few hours he had spent
sleuthing that March day, several dozen e-mails detailing other suspected
issues had piled up.
Built by academics when everyone online was assumed to be a "good citizen,"
the Internet today is buckling under the weight of what is estimated to be
nearly a billion diverse users surfing, racing, and tripping all over the
Hackers, viruses, worms, spam, spyware and phishing sites have proliferated
to the point where it's nearly impossible for most computer users to go
online without falling victim to them. Last year, the Carnegie Mellon
University CERT Coordination Center logged 3,780 new computer security
vulnerabilities, compared with 1,090 in 2000 and 171 in 1995. Computer
security firm Symantec Corp. over the past decade has catalogued 11,000
vulnerabilities in 20,000 technologies, affecting 2,000 vendors.
"I'm very pessimistic about it all," said Haugsness, who has worked for the
storm center for two years. "There are huge problems and outages all the
time, and I see things getting worse."
Originally developed by the Defense Department, the Internet is now a
global electronic communications network made up of hundreds of millions of
computers, servers and other devices run by various governments, academic
institutions, companies and individuals. Because no one entity owns it, the
network depends on goodwill to function smoothly.
The Internet has become so huge -- and so misused -- that some worry that
its power to improve society has been undermined. Now a movement is
gathering steam to upgrade the network, to create an Internet 2.0. How, or
even if, that could be done is a subject of much debate. But experts are
increasingly convinced that the Internet's potential will never be met
unless it's reinvented.
"The Internet is stuck in the flower-power days of the '60s during which
people thought the world would be beautiful if you are just nice," said
Karl Auerbach, a former Cisco Systems Inc. computer scientist who
volunteers with several engineering groups trying to improve the Internet.
Many of the bugs in the Internet are part of its top layers of software,
the jazzy, graphics-heavy, shrink-wrapped programs that come loaded on new
computers or sold in retail stores. But some of the most critical issues
were built into the network's core design, written decades ago and
invisible to the average user.
For example, a way to verify the identity of a sender of e-mail or other
communications is just beginning to become available, meaning that many
criminals roam the network with relative anonymity. And the system that
matches addresses to Web sites is vulnerable to hackers, redirecting users
to sites they never wanted to visit.
Technological solutions for many of those problems have existed for years,
but it's been difficult to build a consensus to implement them. Arguments
about global politics, potential profits and ownership of intellectual
property have plagued groups trying to fix things.
"The problem with the Internet is that anything you do with it now is worth
a lot of money. It's not just about science anymore. It's about who gets to
reap the rewards to bringing safe technologies to people," said Daniel C.
Lynch, 63, who as an engineer at the Stanford Research Institute and at the
University of Southern California in the 1970s helped develop the
As the number of users exploded to more than 429 million in 2000 from 45
million in 1995, Lynch remembered watching in horror as hackers defaced
popular Web sites and shady marketers began to bombard people's e-mail
inboxes with so much spam that real messages couldn't get through.
When the Internet's founding fathers were designing the network in the
1960s and 1970s, they thought a lot about how the network would survive
attacks from the outside -- threats like tornados, hurricanes, even nuclear
war. What they didn't spend much time thinking about was internal sabotage.
Only several hundred people had access to the first version of the Internet
and most knew each other well. "We were all pals," Lynch said. "So we just
built it without security. And the darn thing got out of the barn."
Years passed before the Internet's founders realized what they had created.
"All this was an experiment. We were trying to figure out whether this
technology would work. We weren't anticipating this would become the
telecommunications network of the 21st century," said Vinton G. Cerf, 62,
who with fellow scientist Robert T. Kahn, 66, helped draft the blueprints
for the network while it was still a Defense Department research project.
Even as he marveled at the wonders of instant messaging, Napster and other
revolutionary tools that would not have been possible without the Internet,
Leonard Kleinrock, 71, a professor at the University of California at Los
Angeles who is credited with sending the first message -- "lo," for "log
on" -- from one computer to another in 1969, began to see the Internet's
dark side. "Right now the Internet is running amok and we are in a very
difficult period," Kleinrock said.
Some technologists have said the Internet or parts of it are so far gone
that it should be rebuilt from scratch, and over the past decade there have
been several attempts to do so. But most now agree that the network has
become too big and unruly for a complete overhaul.
For now groups are working on what are essentially bandages for the network.
Today, a complicated bureaucracy of groups known by their abbreviations
help govern the network: the IETF (the Internet Engineering Task Force,
which comes up with the technical standards), ICANN (the Internet
Corporation for Assigned Names and Numbers, which manages the naming system
for Web sites) and the W3C (the World Wide Web Consortium, which develops
technologies for the Web). But their power is limited and their legal
standing murky. Some have recently argued that the United Nations should
take over some regulatory functions. Firms have set up their own standards
groups to suit their own interests.
The one thing everyone seems to agree on is that security must be the
priority when it comes to the next generation Internet. Major companies are
promoting technology that will give recipients of e-mail "return
addresses," or a better way of ensuring that senders are who they say they
are, though the companies disagree on whose technology should be used. A
group of scientists from the Internet Engineering Task Force, perhaps the
most important standards-making body for the network, are working on a way
to better collect and share information on computer intrusions.
Internet2, a consortium of mostly academic institutions that has built a
screaming-fast network separate from the public Internet, is testing a
technology that allows users to identify themselves as belonging to some
sort of group. Douglas E. Van Houweling, president of Internet2 and a
professor at the University of Michigan, thinks the system could be used to
limit access without using passwords to, say, chat rooms for women with
children on a certain soccer team, or to subscribers of certain magazines
"You've heard the saying that on the Internet nobody knows you're a dog,
and that's of course the problem," Van Houweling said. "Authentication will
allow communities to form where people are known and therefore can be trusted."
But there's a trade-off for such security. The network becomes balkanized,
with more parts of it closed to most people. Auerbach, who has been
involved with ICANN and the IETF, said more security raises the "specter of
Lynch believes the Internet will never truly be secure, though, because of
the diversity of software and devices that run on it. If one has a flaw,
others are vulnerable.
For years computer designers have tried to build a machine that lives up to
the "orange book," a specification written by technologists at the
predecessor to the National Institute of Standards and Technology. It
describes a bug-free, completely secure computer that has to be built in a
clean room with designers who have gone through extensive background checks
and are not allowed to communicate with anyone.
"There have been a few computer systems built like this for the military
and they vanish, just vanish. Nobody talks about them anymore," Lynch said.
"They have been created, but for the average person they may as well not
Until that perfect machine is built for consumers, it will be up to people
like Haugsness at the Internet Storm Center to keep the network up and
running. The center is operated by the SANS Institute, a Bethesda-based
nonprofit dedicated to computer security. But most of its work is done by
an eclectic group of volunteers who sign on remotely from around the world,
including a former National Security Council staff member and a grandmother
in Iowa. Haugsness is in his late twenties and is an avid snowboarder and
One Sunday afternoon this month, Haugsness was at his company's office
checking the storm center reports. One person said he had found a new
variant of a program that allowed hackers to take over a computer by
creating a "back door" through holes in its security system. There were
also complaints about a few phishing e-mails that tried to trick people
into giving up their personal information. Internet traffic patterns
worldwide seemed fine -- only a few sections had congestion that would
qualify as serious, or "red."
Nothing "super bad" so far, Haugsness concluded. All in all, only about a
half-dozen documented problems. That might have been considered a disaster
a decade ago. But it was a pretty good day for the Internet in 2005.