Fixing the Internet would be easy — if we tried

There’s no escaping the fact that the Internet is a dangerous place, rife with malware and security holes that expose individuals and businesses to millions of dollars in losses to cyber criminals every day. Making the Internet safer should be a high priority throughout the world. Moreover, it wouldn’t even be all that difficult, if the right people were to gather in a room to tackle the problem.

Just how might that be accomplished? It’s a question I frequently get after giving presentations on the current state of Internet malware, during which we share all sorts of frightening facts and scary statistics that leave some audience members too scared to touch their computers. Among those facts: More unique malware programs were created last year than legitimate ones; online crime would barely drop even if all software could be engineered to have zero security defects; and 91 percent of cyber crime is conducted by organized syndicates.

[ The Web browser is your portal to the world — as well as the conduit that lets in many security threats. InfoWorld’s expert contributors show you how to secure your Web browsers in this Web Browser Security Deep Dive PDF guide. ]

I’ve written a white paper titled “Fixing the Internet” with ideas on how to make the Internet a safer place to compute — but if you’d like the abridged version, it comes down to this: All it would take is a global group of security technologists from the private sector and government to agree on what values to put in a few different tables. That’s it. We already have the technology and protocols to do it. We all know what we need to do. We just need to do it.

In a nutshell, the paper promotes the following ideas:

• A new Internet infrastructure must promote default identity, authentication, and attribution.
• Every computer and network packet should be assigned a trust rating, which would indicate a level of trustworthiness generally agreed upon.
• It would be all voluntary. You can join if you don’t like the current state of your Internet today.
• The new, safer Internet would inter-operate with the old Internet model just fine, but all legacy traffic would be treated as highly “untrusted” (which is similar to how it is handled today).
• A new DNS-like security service would track malicious networks and compromised legitimate companies and report their reputation to any asking receivers. When the bad guys move their networks, we could all know immediately. Were a legitimate Website to be compromised, we would all know immediately — as we would know when it was safe to visit again.

The solutions to fixing the Internet also must use open standards; be vendor- and platform-neutral; use an open and transparent process; be performance neutral; and not disrupt users and services.

As difficult and complex as this seems at first, it can be accomplished. Contrary to established, knowledgeable critics, this goal is readily achievable, today, using already existing open standards. All we have to do is to decide how we want to do it, decide what values mean what, and implement them using existing protocols. Vendors and end-users would then be free to start developing devices and software based around the new open standards.

Unfortunately, it’s unlikely that we’ll get the right people in the right room until an Internet tipping-point event happens. We didn’t, after all, make people take off shoes and pour out their water bottles at the airport until some bad guys did some very bad things. That is the biggest disappointment of all. We could prevent a whole lot of pain for a whole lot of people.

This story, “Fixing the Internet would be easy — if we tried,” was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.