The real reason we can’t secure the internet

Last week I speculated that the current horrible state of internet security may well be as good as we’re ever going to get. I focused on the technical and historical reasons why I believe that to be true. Today, I’ll tell you why I’m convinced that, even if we were able to solve the technical issues, we’ll still end up running in place.

Global agreement is tough

Have you ever gotten total agreement on a single issue with your immediate family? If so, then your family is nothing like mine. Heck, I have a hard time getting my wife to agree with 50 percent of what I say. At best I get eye rolls from my kids. Let’s just say I’m not cut out to be a career politician.

Now think about trying to get the entire world to agree on how to fix internet security, particularly when most of the internet was created and deployed before it went global.

Over the last two decades, just about every major update to the internet we’ve proposed to the world has been shot down. We get small fixes, but nothing big. We’ve seen moderate, incremental improvement in a few places, such as better authentication or digital certificate revocation, but even that requires leadership by a giant like Google or Microsoft. Those updates only apply to those who choose to participate — and they still take years to implement.

Most of the internet’s underlying protocols and participants are completely voluntary. That’s its beauty and its curse. These protocols have become so widely popular, they’re de facto standards. Think about using the Internet without DNS. Can you imagine having to remember specific IP addresses to go online shopping?

A handful of international bodies review and approve the major protocols and rules that allow the internet to function as it does today (here’s a great summary article on who “runs” the internet). To that list you should add vendors who make the software and devices that run on and connect to the Internet; vendor consortiums, such as the FIDO Alliance; and many other groups that exert influence and control.

That diversity makes any global agreement to improve Internet security almost impossible. Instead, changes tend to happen through majority rule that drags the rest of the world along. So in one sense, we can get things done even when everyone doesn’t agree. Unfortunately, that doesn’t solve an even bigger problem.

Governments don’t want the internet to be more secure

If there is one thing all governments agree on, it’s that they want the ability to bypass people’s privacy whenever and wherever the need arises. Even with laws in place to limit privacy breaches, governments routinely and without fear of punishment violate protective statutes.

To really improve internet security, we’d have to make every communication stream encrypted and signed by default. But they would be invisible to governments, too. That’s just not going to happen. Governments want to continue to have unfettered access to your private communications.

Democratic governments are supposedly run by the people for the people. But even in countries where that’s the rule of law, it isn’t true. All governments invade privacy in the name of protection. That genie will never be put back in the bottle. The people lost. We need to get over it.

The only way it might happen

I’ve said it before and I’ll say it again: The only way I can imagine internet security improving dramatically is if a global tipping-point disaster occurs — and allows us to obtain shared, broad agreement. Citizen outrage and agreement would have to be so strong, it would override the objections of government. Nothing else is likely to work.

I’ve been waiting for this all to happen for nearly three decades, the most recent marked by unimaginably huge data breaches. I’m not getting my hopes up any time soon.