While DDoS attacks understandably get the most attention – they’re the cyber-attack version of a bomb – there are other, more subtle ways of undermining internet infrastructure. And these happen because of a commodity the internet depends on, but does not necessarily enjoy in abundance: trust.
“The proper functioning of the internet relies on trust – and that trust is unfortunately easily abused,” says Sean Sullivan of cyber security company F-Secure. Sullivan points to the Border Gateway Protocol (BGP) as an example of where trust is vital, and where problems can occur.
Bogdan Botezatu of Bitdefender told us why BGP is important. “Routing takes place when our information is leaving our home network and heads to its destination,” he explains. “In passing, it goes through multiple service providers that use the Border Gateway Protocol to determine what path our information should take, until it reaches the destination.
“By manipulating the BGP, hostile parties (governments and large cybercrime groups) can actually force your data on a different route, which allows them to intercept and modify traffic.”
And this has happened before: in 2008, Pakistan accidentally took down YouTube for the whole world when it was simply trying to ban the site in its own territory. This happened because the BGP routing system uses a ‘transitive trust’ model, which (to cut a long story short) enables changes to cascade around the world, meaning that when Pakistan Telecom changed its settings for YouTube, the rest of the world briefly followed suit.
A number of more secure alternatives to the current BGP system have been proposed – and with increased urgency following the Pakistan incident – but none of these seem to have taken off as yet.
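The sketch below shows why a wrong announcement cascades under BGP's trust model (routers prefer the most specific matching prefix, whoever announces it) and how route origin validation, one proposed safeguard that the article does not name, filters it out. It is an added example, not from the article: the prefixes, AS numbers and authorisation table are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed data: documentation prefixes (RFC 3849, RFC 5737) and
# documentation AS numbers (RFC 5398); none of it is from a real incident.
# Each entry: (authorised prefix, longest allowed length, authorised origin AS)
ROAS = [
    ("2001:db8::/32", 48, 64496),
    ("203.0.113.0/24", 24, 64497),
]

def validate(prefix, origin_as, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # some authorisation covers this address space
        if origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def best_route(destination, announcements, enforce):
    """Pick the route a router would use: the longest matching prefix wins.
    With enforce=True, announcements classified 'invalid' are dropped first."""
    addr = ipaddress.ip_address(destination)
    candidates = [
        (ipaddress.ip_network(p), asn) for p, asn in announcements
        if not (enforce and validate(p, asn) == "invalid")
    ]
    matches = [(n, a) for n, a in candidates
               if n.version == addr.version and addr in n]
    if not matches:
        return None
    net, asn = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), asn

ANNOUNCEMENTS = [
    ("2001:db8::/32", 64496),    # legitimate holder of the address block
    ("2001:db8:1::/48", 64511),  # more-specific route from an unauthorised AS
    ("203.0.113.0/24", 64497),
    ("198.51.100.0/24", 64500),  # no authorisation on file
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, validate(prefix, asn))
    print(best_route("2001:db8:1::10", ANNOUNCEMENTS, enforce=False))
    print(best_route("2001:db8:1::10", ANNOUNCEMENTS, enforce=True))
```

Without enforcement the unauthorised /48 wins purely because it is more specific; with enforcement the router falls back to the legitimate /32.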
Another big risk that relates to trust is cryptography – the practice of writing and testing computer code – and how the internet spots and handles vulnerabilities. For example, in 2014 the software OpenSSL – a key component of the security of countless pieces of software – was found to have a major vulnerability. Nicknamed ‘Heartbleed’, the bug was found to have been introduced into the open-source software on New Year’s Eve 2011, meaning that for three years every website, app and service that relied on OpenSSL was vulnerable.
“Cryptography is a mission-critical component to communication, integrity and authentication, and yet the bulk of internet users are taking it for granted,” Botezatu explains. “Cryptographic algorithms are transposed into code by a handful of programmers doing pro-bono work. When their efforts can’t meet the complexity of implementing, testing and auditing code, the whole world learns about it.” In essence, the argument is that relying on the goodwill of a handful of coders to maintain the software that’s a major part of the internet’s backbone is probably a bad idea.
And if that doesn’t have you worried, consider this. Internet security is predicated on complex cryptographic algorithms that, in theory, keep us secure because doing the maths to crack the encryption keys would take far too long. But, Bogdan warns, if the quantum computing breakthrough is ever made, current crypto-algorithms will be rendered useless.
The legal threats
So we know the internet is perhaps more fragile than we had assumed. But could the internet – in its role as a tool of liberation – also be broken not with DDoS attacks or hacks, but by laws?
It’s a philosophical question, but what is it that makes the internet the internet? Perhaps it’s the fact that it’s an expression of freedom – we can communicate relatively freely, without restriction, and in that sense it has liberated us. However, right now there are trends in both technology and politics that threaten to undermine this core.
For example, some ISPs are lobbying hard for the right to charge companies for bandwidth – the implication being that, for example, an established video streaming service could fork over cash to enable HD streaming, while newer players wouldn’t have access to the bandwidth to compete. This has given rise to the net neutrality debate, which has yet to be resolved.
There are also increasing moves to legitimise bulk surveillance of the kind that Edward Snowden and others have exposed. In Britain, MPs recently voted to explicitly legalise this sort of data collection, meaning your every action online can now, legally, be logged and looked at by the government.
In countries less fortunate than our own, internet censorship is commonplace – and even in the UK there have been calls for the government to have powers to, for example, block messaging services during riots.
Given that such moves would fundamentally change what we can do with the internet, and what it can do for us, would this count as breaking the internet? If so, then regardless of whether or not the internet could ever be broken in one massive, catastrophic attack, we could be already breaking it ourselves in less dramatic but more insidious ways.