Educause Security Discussion mailing list archives

Re: Future Impact of Viruses on Internet


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 29 Jan 2004 00:01:15 -0500

Tim Lane wrote:

Hi All,

just as a topic of interest for academic discussion, does anyone have a
viewpoint on the potential likely future of the impacts of worms and
viruses etc on the future of the Internet and its use?  As an example, I
consider future scenarios could potentially be:

1) A continual and escalating situation of attack and defend (as is the
case now);
2) A future implementation of technology that largely mitigates the
seriousness of attacks rendering them of little concern;
3) A substantial and slow degradation of the Internet such that it
becomes largely unusable;
4) A sudden enormous impact on the Internet that forces an almost total
rebuild/re architecturing.

If anyone has any thoughts I would be interested.  I am sure someone out
there is involved in the development of a more robust Internet and is
aware of likely future scenarios.


Worms and viruses get the press and make life uncomfortable. The
same exploits, targeted quietly at individuals, institutions, or
infrastructures may be of much greater consequence.

We're at #4. The "sudden enormous impact" has already happened.
 It was the period of commercial and governmental adoption
 (take-over?) of the Internet.

#1 and #3 are ongoing and will be for the next several years. To start
 off with, there is a big installed base out there. And I believe the
 changes that would be needed to rein in anarchy would be so
 radical that a lot of inertia would have to be overcome. Even if the
 Internet melted tomorrow, nothing could be done overnight.

#2 Not likely. Our situation isn't a technical problem. It's an
 architectural/philosophical one - open network, open computers,
 open access. An acceptance of anarchy and the rapid innovation
 and exploitation that accompanies it.

After increasing strife, loss of trust, public outcry, governmental
confusion, much money, failure of incremental solutions or their
mass market implementations (firewalls, Trusted Computing
Platform, IPSEC), failure of vendors to take responsibility for
their products and buyers to discriminate accordingly (they tell
you in their licenses when you buy them they don't claim them
to be suitable for any purpose!!!), and repeated studies with the
same general security recommendations decade after decade,
something core will have to change if we want the results of the
environment to change:

1) The openness of the network
2) The computing platform
3) The operators

So:
http://falcon.jmu.edu/~flynngn/whatnext.htm

More than likely, it will be incremental approaches towards
those major architectural/philosophical changes. Accelerated
by incidents. Decelerated by awareness of what is being lost
and more responsible behavior on the part of everyone
(vendors, buyers, operators, implementers).

Depending upon TCPA implementation and legislation, parts of
this may be closer than I think. My very limited reading tends to
make me think it depends on who is allowed to be the TPM
Owner. The individual? The organization? The ISP? Software
agents? Maybe only TCPA machines with delegated
Ownership will be allowed on the "secure" network.

Similarly, access control and policy enforcement (av
software checks) are being pushed into the heretofore
dumb network. 802.1x. Cisco's Network Admission
Control.

The price we'll pay is in speed of innovation, lowest common
denominator functionality and access, loss of choice, and
loss (ha) of privacy.

On the other hand, or perhaps in the short term to stave
off more radical measures:

1) Maybe vendors will finally figure out that shipping
   computers with open ports is socially irresponsible and
   act accordingly.
2) Maybe governments (or contracts) will force recalls of
   products with defects that result in a system compromise
   without user interaction with mandatory shipments of CD
   fixes to all registered users and 60 minutes of free telephone
   support. Might motivate #1 and put increased emphasis
   on software testing and better cost/benefit decision making
   about including questionable functionality. If somebody
   could open and start our cars without a key, would we
   stand for this? Not sure how this would work with free
   software though.
3) Maybe users will accept running day to day activities
   using an unprivileged account.
4) Maybe users will become discriminating about what
   software authors they allow to control their machine no
   matter the gee-whiz functionality they're offered. (Or
   maybe the ISPs will demand to hold the TCPA
   Ownership rights on their customer's computers.)
5) Maybe ISPs will be required to offer some standardized
   training and testing to prospective network node
   operators.
6) Maybe an Internet connection will be a privilege, not a
   right and behavior will change accordingly.

Then again, maybe not. :)

Until a major change happens, we'll have to sleep in the bed
we've made. Attack and defend. Innovate and exploit.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
