Friday’s Internet Outage Is the Future

On Friday, huge swaths of the internet either went offline or were severely throttled by a massive Distributed Denial of Service (DDoS) attack on an unprecedented scale. While the information security experts work on forensically examining the attack to fully analyze it, here are a few inchoate thoughts about what this could represent:

  • This is the future. InfoSec types have known for years that, at a fundamental level, the World Wide Web is either impossible or incredibly difficult to secure. Hackers and security researchers have discovered this and are locked into a highly technical arms race to figure out how to exploit and patch new vulnerabilities as they crop up. The web rests on the Domain Name System (DNS): servers that tell computers which IP address belongs to a domain name (such as joshuafoust.com). Friday's attack flooded a major provider of those servers, so browsers that could no longer look up names could not reach the sites behind them, even though the sites themselves were still running. And there were hints for a while that "someone" was probing the defenses of DNS and "backbone" services that make up the foundation of the internet. They found a weakness this time, and will find more in the future.
  • It could have been a lot worse. The provider targeted on Friday, Dyn, hosts DNS primarily for news and tech websites, and the disruption was concentrated on the East Coast of the United States. It did not focus on, say, energy companies on the Gulf Coast (which would massively disrupt energy markets) or financial companies in New York. It did not target any government service, and it did not target television or radio broadcasters. This probably caused a few hundred million dollars' worth of lost income, but the actual substantial damage will be relatively light.
  • Attribution will be key. As the forensics researchers try to figure out who launched this attack, their identity will take on significant meaning. Attribution in a DDoS is harder than it looks: the flood comes from the infected devices, whose owners are victims too, so investigators have to work from the botnet's command servers and its malware rather than from the attacking addresses. There are whispers about a state (like Russia or China) being behind it; or even a few states working together. It could also be a collective (such as people acting on behalf of Anonymous or LulzSec), or a loner who found a neat attack vector and wanted to see what would happen. But each of those groups carries with it a dramatically different response, ranging from "probably nothing" in the case of a lone scripter up to "full-spectrum counterattack" if it is a state like Russia.
  • Your Smart Home Is a Threat. So far it looks like the massive attack came from compromised internet appliances like DVRs and CCTV cameras. These are part of a class of device called the Internet of Things, or IoT: "smart" gadgets like lightbulbs, thermostats, refrigerators, picture frames, TVs, and so on, that are connected to the internet. Because they are manufactured to be easy to set up and use quickly, they ship with very weak security, typically a factory username and password that is the same on every unit. Put one of them directly on the internet with that password (which is what happens whenever the home router forwards its port, as remote-viewing features commonly require) and it is found and taken over within minutes. That means any smart home appliance reachable that way may already be infected with malware and waiting to be deployed in a future botnet.
  • Manufacturers Won't Help. Supply chains aren't quite what you think. That smart lightbulb that was built by a European company and sold in the U.S. is actually made up of cheap internals manufactured at massive scale in somewhere like China (just like how Foxconn really builds your iPhone, not Apple). Many of the devices in Friday's botnet were built on boards and firmware from one such Chinese component maker, XiongMai Technologies, whose products ship with a hard-coded telnet login that the owner cannot change, a security hole the finished product cannot fix (technical details here). There is no real way to address this sort of behavior without a substantial set of laws and regulations, moves which are resisted fiercely by the industry because of how they drive up costs and probably won't fix the problem anyway.
  • Liability Isn't Very Meaningful Here. In theory, a chain of liability could be built into how IoT devices are secured: if a company sells products with defective security in place, they could be sued (which would establish monetary pressure to create more secure devices later on). But it's not that straightforward, in part because of the subcomponent market, and in part because of the fundamental nature of connected components. Products ship with a default username and password; they have to, in order to be usable by a normal person (there are other schemes, such as printing a unique random password on each unit the way some router makers do, but those add cost, and a per-unit password only helps if every service on the device, including any telnet port, actually honors it). Reasonable people using devices reasonably cannot be required to have technical expertise, such as making firewall exceptions or fiddling with port numbers, so any real market for these devices cannot have very strict security requirements. Don't expect help from the government, either: from a legal perspective, requiring more security poses all kinds of unintended consequences, from inflexible standards to vague language about what "secure" means. So there probably won't ever be a way to litigate standards, even if there might be a market for more expensive products that tout security as one of their luxury features.
  • This Will Happen Again. Unlike normal computing devices like tablets, phones, and computers, there is no straightforward way to upgrade the software on an IoT device. Most of the devices already built and shipped simply don't have that ability, and where one does exist, a device that can still be logged into with its factory password is simply reinfected after the update. That means there are thousands, possibly millions of IoT devices sitting on the internet waiting to be deployed in future DDoS attacks. Short of literally pulling the plug on everything built and shipped before a certain date (or issuing mandatory product recalls), there is no real fix for it. So plan on seeing your services taken offline again and again until more fundamental security is able to come online, and until the older, insecure devices break and need replacement.
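The first two points above describe the mechanism of Friday's outage: sites were up, but the authoritative DNS servers that map their names to addresses were not answering. The following is an added example, not code from the original post or from Dyn, that models that failure offline. It simulates a recursive resolver with a TTL-bounded cache in front of one or two authoritative providers, then knocks the primary provider out and measures when a site becomes unreachable. The provider names ("dns-a", "dns-b"), the zone "example.test" and its address are made up for illustration.

```python
"""Added example, not from the original post: a toy model of how an
outage at a managed DNS provider reaches the sites that depend on it.

Nothing here touches the network. The authoritative servers and the
recursive resolver are simulated, so the effect of two design choices can
be measured directly: the TTL on the zone's records, and whether the zone
is published through one DNS provider or two. The provider and zone names
("dns-a", "dns-b", "example.test") are made up for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Provider:
    """An authoritative DNS provider hosting records for some zones."""
    name: str
    zones: dict                 # zone -> (ip, ttl_seconds)
    up: bool = True             # flip to False to simulate the DDoS

    def answer(self, zone):
        if not self.up or zone not in self.zones:
            return None         # timeout / SERVFAIL from the client's view
        return self.zones[zone]


@dataclass
class Resolver:
    """A recursive resolver (your ISP's, say) with a TTL-bounded cache."""
    providers: list             # authoritative providers to try, in order
    cache: dict = field(default_factory=dict)   # zone -> (ip, expires_at)

    def resolve(self, zone, now):
        hit = self.cache.get(zone)
        if hit is not None and now < hit[1]:
            return hit[0]       # answered from cache; no upstream needed
        for provider in self.providers:
            ans = provider.answer(zone)
            if ans is not None:
                ip, ttl = ans
                self.cache[zone] = (ip, now + ttl)
                return ip
        return None             # every authoritative source failed


def outage_timeline(ttl, secondary, down_at=600, horizon=7200, step=60):
    """Simulate one resolver looking up the zone every `step` seconds.

    The primary provider goes down at `down_at`. Returns the first second at
    which the lookup fails, or None if the zone stays resolvable throughout.
    """
    records = {"example.test": ("192.0.2.10", ttl)}
    primary = Provider("dns-a", dict(records))
    providers = [primary]
    if secondary:
        providers.append(Provider("dns-b", dict(records)))
    resolver = Resolver(providers)
    for now in range(0, horizon, step):
        if now == down_at:
            primary.up = False
        if resolver.resolve("example.test", now) is None:
            return now
    return None


if __name__ == "__main__":
    for ttl in (300, 3600):
        for secondary in (False, True):
            t = outage_timeline(ttl, secondary)
            status = "never" if t is None else f"at t={t}s"
            print(f"ttl={ttl:<5} secondary={secondary!s:<5} unreachable {status}")
```

Two things the model makes visible. First, a cached record only buys time for resolvers that already hold it; a 300-second TTL means a site vanishes for that resolver five minutes after its provider stops answering, and a resolver that never cached the name gets nothing at all. Second, a zone published through a second, independent provider keeps resolving for the whole run, which is why "one managed DNS provider" is a single point of failure worth checking in your own NS records. Real resolvers have since gained the option to serve expired records during an upstream failure (RFC 8767, standardized after this attack), which the toy deliberately does not model.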

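The "Your Smart Home Is a Threat" and "This Will Happen Again" points say that infected cameras and DVRs are sitting on home and office networks waiting to be used. The following is an added example, not code from the original post, showing what a defender can do about that with nothing but flow logs: the Mirai-family bots behind Friday's attack spread by scanning TCP/23 and TCP/2323 for factory logins, so an infected device stands out as one internal address reaching many distinct outside addresses on those ports in a short time. The flow records, their one-line layout, and the device roles are constructed for this example; the outside addresses are RFC 5737 documentation ranges, and the local-network list and thresholds are assumptions to adjust for your own site.

```python
"""Added example, not from the original post: finding devices on your own
network that behave like the IoT bots behind Friday's attack.

The Mirai-family bots that made up that botnet spread by scanning TCP/23 and
TCP/2323 and trying a short list of factory logins. An infected camera or DVR
therefore shows up in flow logs as one internal address opening connections to
many distinct outside addresses on those ports in a short time, which is what
this script looks for. The flow records below are constructed for this
example, in a made-up one-line-per-flow layout rather than any real exporter's
format; the outside addresses use the RFC 5737 documentation ranges.
"""
from collections import defaultdict
import ipaddress

TELNET_PORTS = {23, 2323}

# The site's own address space (assumed); any destination outside it is external.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, one flow per line: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
# 192.168.1.23 is a camera that has just been infected and begins scanning
1477050000 192.168.1.23 203.0.113.5 23 tcp
1477050001 192.168.1.23 203.0.113.9 23 tcp
1477050001 192.168.1.23 198.51.100.77 2323 tcp
1477050002 192.168.1.23 198.51.100.12 23 tcp
1477050003 192.168.1.23 203.0.113.44 23 tcp
1477050003 192.168.1.23 192.0.2.8 23 tcp
1477050004 192.168.1.23 192.0.2.19 2323 tcp
1477050005 192.168.1.23 203.0.113.201 23 tcp
1477050006 192.168.1.23 198.51.100.3 23 tcp
1477050007 192.168.1.23 203.0.113.5 23 tcp      # retry of an earlier target
1477050008 192.168.1.23 192.0.2.250 23 tcp
# 192.168.1.10 is a laptop: web traffic plus telnet to the local switch
1477050000 192.168.1.10 203.0.113.80 443 tcp
1477050002 192.168.1.10 198.51.100.80 443 tcp
1477050004 192.168.1.10 192.168.1.1 23 tcp
# 192.168.1.50 is an admin box that occasionally telnets to outside hosts
1477050100 192.168.1.50 203.0.113.61 23 tcp
1477050400 192.168.1.50 203.0.113.62 23 tcp
1477050700 192.168.1.50 203.0.113.63 23 tcp
"""


def parse_flows(text):
    """Parse the constructed flow format into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto.lower()))
    return flows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def find_scanners(flows, window=60, min_targets=8):
    """Return {src: peak} for sources that reached at least `min_targets`
    distinct external hosts on a telnet port within any `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in TELNET_PORTS and is_external(dst):
            per_src[src].append((ts, dst))

    suspects = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)    # dst -> flows to it inside the window
        left = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the window's left edge past anything older than `window`
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for src, peak in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {peak} distinct external telnet targets in one minute")
```

On the sample, only the camera is flagged: the laptop's telnet session stays inside the local network and the admin box touches three outside hosts spread over ten minutes, well under the threshold. The same signal is what a home user cannot see and what an ISP can, which is why the post's prediction that these devices will be reused rests on nobody upstream looking. Blocking outbound TCP/23 and TCP/2323 at the edge does not disinfect a device, but it does stop it from recruiting others.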
That’s my first run of thoughts. What else do you have to add?

joshua.foust
Joshua Foust used to be a foreign policy maven. Now he helps organizations communicate strategically and build audiences.