What if there was a large-scale Internet failure?

Mustaque Ahamad, Computing Professor at the Georgia Institute of Technology, says that the IT industry puts functionality above security at its peril. The interview is part of the Risk Response Network’s “What if?” series.

Why is this on your radar at the moment?
What keeps me awake at night is the fact that we don’t have a good understanding of the risks we face, now that more and more people and things are connected to the Internet. Cyber attacks have become very easy to mount, but they are still hard to defend against.

How would the situation unfold?
We could see something like a large-scale Denial of Service attack, an attempt to make the Internet unavailable to people who rely on it. This sort of attack would involve someone, or a group of people, who is successful in compromising key Internet infrastructure services or who bombards Web servers with a flood of requests, so that they are unable to respond to legitimate queries. When a regular person tries to access the Internet, you would simply see an error message. Another common form of attack uses malware, which is basically software that you don’t want. By exploiting a vulnerability, an attacker finds a way to send code to your machine, where it starts to run on its own. It could be waiting for a command to steal data, or to send spam. Such compromised machines can also be used to send bogus requests and launch a Denial of Service attack.

What would the consequences be?
It is not just a question of being unable to check the weather or go on Facebook. It would have huge effects on essential services on which we rely in our daily lives. These could be communication, transportation or the supply of essentials like food, energy and healthcare – everything. On a simplified level, if the Internet is down and you can’t access electronic medical records in an emergency, people die as a result. There has been a huge convergence between virtual life and the real, physical world: we work, live and play on the Internet, so the consequences of an outage are across the board. And we no longer count on phone lines as a backup: they are increasingly moving to networks that enable the Internet.

Who would be most likely to mount such an attack?
What we have seen recently is that cyber attacks are not irrational; there is always some kind of motivation, whether it is malicious folk, groups with an agenda like Anonymous, criminal gangs who want to monetize their activities, or nation states acting in their interests, as we saw with the Stuxnet attack on Iran’s nuclear facilities. The problem is that when it comes to cyber attacks, there is a lower barrier to launch than a real, physical attack, so we don’t treat it with the same kind of seriousness. More and more countries are looking at cyber arms and they are not hesitant about trying things out, even though these actions could precede a real war.

How likely is an attack of the scale that could take out Internet access?
The Internet is a highly decentralized system, so many experts believe that the risk of an attack taking it down entirely is very, very low, but cyber threats should still be taken seriously.

How well prepared are we?
Unfortunately, we are not really well prepared. With security, the basic axiom is that you build it into your system, so risk is already mitigated, whereas the IT industry hasn’t done that. We value functionality over security. And the threat landscape keeps shifting all the time: take, for example, the rise of cloud computing, which changes the nature of our reliance on connectivity and the way we depend on data. Then there are mobile apps, which people happily download without thinking about any problems. It is hard to know what resources to put into security when technologies evolve so rapidly and the threat is always changing, and hard to quantify.

Who is responsible for tackling this?
The simple answer is all of us: businesses, governments and individuals.

What can we do to mitigate the risks?
We have been largely reactive in the past, whereas now we need to be more proactive in terms of designing more secure systems, and improving awareness and education. This is not just a technology problem; there is a large policy component as well. We need more safeguards. We need more networks of people coming together to anticipate threats and dismantle the infrastructure that will be used in mounting large-scale attacks.