We can surmount the technical and human obstacles to a dramatically more secure internet, but one factor stands in the way Credit: geralt Last week I speculated that the current horrible state of internet security may well be as good as we’re ever going to get. I focused on the technical and historical reasons why I believe that to be true. Today, I’ll tell you why I’m convinced that, even if we were able to solve the technical issues, we’ll still end up running in place.Global agreement is toughHave you ever gotten total agreement on a single issue with your immediate family? If so, then your family is nothing like mine. Heck, I have a hard time getting my wife to agree with 50 percent of what I say. At best I get eye rolls from my kids. Let’s just say I’m not cut out to be a career politician.Now think about trying to get the entire world to agree on how to fix internet security, particularly when most of the internet was created and deployed before it went global. Over the last two decades, just about every major update to the internet we’ve proposed to the world has been shot down. We get small fixes, but nothing big. We’ve seen moderate, incremental improvement in a few places, such as better authentication or digital certificate revocation, but even that requires leadership by a giant like Google or Microsoft. Those updates only apply to those who choose to participate — and they still take years to implement. Most of the internet’s underlying protocols and participants are completely voluntary. That’s its beauty and its curse. These protocols have become so widely popular, they’re de facto standards. Think about using the Internet without DNS. Can you imagine having to remember specific IP addresses to go online shopping?A handful of international bodies review and approve the major protocols and rules that allow the internet to function as it does today (here’s a great summary article on who “runs” the internet). To that list you should add vendors who make the software and devices that run on and connect to the Internet; vendor consortiums, such as the FIDO Alliance; and many other groups that exert influence and control. That diversity makes any global agreement to improve Internet security almost impossible. Instead, changes tend to happen through majority rule that drags the rest of the world along. So in one sense, we can get things done even when everyone doesn’t agree. Unfortunately, that doesn’t solve an even bigger problem.Governments don’t want the internet to be more secureIf there is one thing all governments agree on, it’s that they want the ability to bypass people’s privacy whenever and wherever the need arises. Even with laws in place to limit privacy breaches, governments routinely and without fear of punishment violate protective statutes.To really improve internet security, we’d have to make every communication stream encrypted and signed by default. But they would be invisible to governments, too. That’s just not going to happen. Governments want to continue to have unfettered access to your private communications. Democratic governments are supposedly run by the people for the people. But even in countries where that’s the rule of law, it isn’t true. All governments invade privacy in the name of protection. That genie will never be put back in the bottle. The people lost. We need to get over it.The only way it might happenI’ve said it before and I’ll say it again: The only way I can imagine internet security improving dramatically is if a global tipping-point disaster occurs — and allows us to obtain shared, broad agreement. Citizen outrage and agreement would have to be so strong, it would override the objections of government. Nothing else is likely to work.I’ve been waiting for this all to happen for nearly three decades, the most recent marked by unimaginably huge data breaches. I’m not getting my hopes up any time soon. Related content news Bug in EmbedAI can allow poisoned data to sneak into your LLMs The vulnerability can be used to deceive a user into inadvertently uploading and integrating incorrect data into the application’s language model. By Shweta Sharma May 31, 2024 3 mins Generative AI Vulnerabilities news OpenAI accuses Russia, China, Iran, and Israel of misusing its GenAI tools for covert Ops OpenAI’s generative AI tools were used to create and post propaganda content on various geo-political and socio-economic issues across social media platforms, the company said. By Gyana Swain May 31, 2024 4 mins Generative AI news Okta alerts customers against new credential-stuffing attacks Hackers are using credential-stuffing to attack endpoints that are used to support the cross-origin authentication feature. By Shweta Sharma May 31, 2024 4 mins Identity and Access Management Vulnerabilities feature 3 reasons users can’t stop making security mistakes — unless you address them Understanding what’s behind employee security mistakes can help CISOs make meaningful adjustments to their security awareness training strategies. By Ariella Brown May 31, 2024 5 mins Data Breach Risk Management PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe