What if a hacker caused a large-scale Internet outage?

Rod Beckstrom on what would happen if the Internet “went dark” – and how to avoid it. The interview is part of the Risk Response Network’s “What if?” series.

What is your main field of expertise and current research?
I’m President and CEO of ICANN, Internet Corporation for Assigned Names and Numbers. My areas of expertise are the Internet, cybersecurity and organizational leadership.

Given your research, what would you say is the most under-appreciated risk?
One under-appreciated risk is the threat to the security of the Internet itself. The Internet system was designed to be open and flexible, not secure, so steps have to be taken to provide appropriate security at regional, national and international levels. This “what if” question is one that ICANN already takes very seriously. We coordinate with a number of technical, policy and security organizations to guard against worst-case scenarios. We need to ensure security for each of the three major Internet functions: domain names, network addresses and the routing of packets of information between network addresses. It almost goes without saying that a broad-based outage of the Internet would have drastic effects on global communications, commerce, jobs, social discourse and innovation. It would be quite a blow to the world economy.

What would a large-scale failure look like?
It could look like what we have seen recently in countries where repressive governments have turned off the Internet in the face of civil unrest, or where regions of the world have “gone dark” when undersea cables have been cut or damaged. Because the Internet system is highly decentralized, with many servers and devices in different places, it is actually quite resilient, however many of the protocols and standards are centralized and some of the same technologies are used all over the world. This means that there are some common areas of vulnerability.  We are not even sure what all the implications of an outage might be because so many things, from automobiles and household appliances to public utility grids and the like are becoming Internet-reliant.  We do know that we need to make investments to upgrade the infrastructure to avoid any large-scale failure.

How might this scenario unfold?
One way the scenario could unfold is a cyber attack on the infrastructure or on some of the key parts of the system, or it could be the result of exploiting the existing protocols.  For example, several years ago Dan Kaminsky, an Internet security researcher, managed a very elegant hack of the protocols and standards of the domain name system. This really shook the global Internet community because it showed that someone could disrupt the domain name system and allow parties to serve up information that seemed to come from the source a user was seeking but would be, in fact, from an illegitimate source. The industry has since worked out a solution called Domain Name System Security Extensions (DNSSEC), which I encourage any organization with an Internet presence to invest in. At this stage we are probably not even 1% into the rollout phase of this important security tool. Governments and global corporations need to support the initiative, and turn on the new capabilities.

What about the use of cyber attacks by governments? Is that also a concern?
Books like Richard A. Clarke’s Cyber War provide an insight into the sorts of scenarios that might take place when states become involved in cyber warfare. Warfare, intelligence, trade, collaboration and communication have all been layers of society for thousands of years, but they have been transformed by the Internet. More than two billion of us are now linked, and actions by governments can have far-reaching consequences. That is why efforts are being made to encourage diplomacy in this area. We have to define terms, develop norms, policies and best practices. We need to establish treaties and agreements to manage the risk of cyber war in the same way that we have treaties and agreements like the Geneva Convention to manage conventional warfare.

How have you been involved in tackling this risk?
I have had great opportunities to serve in a number of different roles, and I hope to continue to be a catalyst for positive change. I ran the United States’ National Cybersecurity Center, which coordinates cyber operations in the US and am now running ICANN, the global Internet coordination body for domain names and addresses.

I’m very excited about the new Cyber Resiliency Principles that the World Economic Forum have developed, and pleased to be involved as an advisor.  I am delighted to see that some major corporations are coming onboard. The power of the World Economic Forum’s network and community will raise awareness in boardrooms and among CEOs of the need for cyber security measures and for greater cyber resilience. It’s a first step and a confidence-building measure. With more people onboard we can take positive steps in the future.

Another development has been the richness of dialogue about the role of governments, companies, NGOs and multi-stakeholder organisations like ICANN to help to coordinate the Internet. The time has come for corporate and government leaders to deal with the issue of cyber security.

Is there anything you would like to add?
I would like to add a call to action for security. I would like to ask everyone – whether in large corporations or small, non-profit or government, please, do the basics to enhance the security of your computers and your networks. To anyone who has a website, please turn on the Domain Name System Security Extensions (DNSSEC) because they will better secure the Internet for you and for your customers, and deter pernicious ‘man in the middle’ attacks. It is a low cost technology and we need your help to roll it out around the world. Please also look at adopting IPv6 – the new Internet Protocol standard for Internet addressing. Upgrades such as these will help protect the infrastructure of the Internet from any damaging large-scale outage.

Pictured: A computer screen displays the blocked government web page belonging to Poland’s Parliament on January 22, 2012 (Reuters)

Rod Beckstrom is President and CEO of the Internet Corporation for Assigned Names and Numbers (ICANN).