There’s no denying how much the internet has improved our productivity and our ability to communicate. But it’s not perfect — Vint Cerf, co-creator of the TCP/IP protocol and “father of the internet,” has been the first to make that point. He’s spent the past several decades talking about ways to improve internet security and shore up the deficiencies inherent in how networks are secured.
Without these efforts, Cerf states, “at some point, people will decide that [the internet’s] not an environment that they find worthy of trust and will look for a different, better-secured alternative.[1]” Read on to discover how Vint Cerf would improve network security if he could start over today, and how your organization can apply these lessons to improve its security stance.
The Need for Robust Identity and Access Checks
According to Cerf, the biggest flaw in the original design of the TCP/IP protocol was allowing computers to communicate without verifying the trust and authenticity of the users attempting to communicate.
“We didn’t focus on how [users] could wreck this system intentionally,” Cerf stated in a 2015 interview with the Washington Post.[2]
It’s not that Vint Cerf and his team didn’t think about security — it was just a matter of a group of engineers attempting to solve a problem for a specific use case. The US military needed a way to communicate reliably and securely no matter where they were in the world, and the TCP/IP protocol enabled that. Security was a concern, and they developed ways to prevent external military threats from gaining access. But because Cerf built the TCP/IP protocol for a small subset of users — like military officials, researchers, and so on — trust among its users was implied from the start.
“...[W]e were honestly not thinking in the more or less open deployment as much about security as we were about just getting it to work reliably,” Cerf stated in a Stanford Online chat with Neil Daswani.[3]
Then the doors to the internet blew wide open in 1989 when Tim Berners-Lee developed the World Wide Web, along with the first web browser. Suddenly a service initially designed to be used by a few thousand people opened up to millions, and the flaws in a system built on implied trust rapidly made themselves known — flaws like poor password creation, phishing attempts, and improperly secured data. If a malicious actor gains access to sensitive login or account information, the system cannot differentiate between them and an authentic user — so access ends up granted to individuals who should not receive it.
To combat this and increase overall trustworthiness, organizations should implement robust identity and access management policies that grant access only to authorized users. They should also implement tools that enable IT departments to see who is accessing what at all times.
Cerf also believes that organizations “...need to exercise access control over cyber-physical systems (sometimes called the Internet of Things) at the edge of the network in the device” to determine whether an external source can gain access.
“We don't know how to write software that doesn't have bugs,” Cerf stated during a 2017 National Governors Association Winter Meeting. “We've been trying for 70 years since computers have been available. And we've not succeeded in figuring out or in building tools that keep us from making stupid mistakes. Those mistakes get exploited...[I]f you can find a technical solution that prevents the problem [of the lack of Internet security] from happening, use it.[4]”
Cerf suggests implementing “strong authentication mechanisms into the ecosystem,” such as public-key cryptography, to ensure that only designated users can access authorized systems, even if login information is compromised. “We need to be able to assure a device or a person that they have confidence that they're communicating with the thing or the person or the entity,” Cerf says.
Other checkpoints like passwordless authentication and secure certificates provide additional steps to ensure the person logging into a secure system is who they say they are. “There may be an irreducible minimum of inconvenience that we have to experience in order to have a secure system,” Cerf admits.
However, developers should look for ways to offload that inconvenience from users as much as possible. According to Cerf, teams should always be “considering issues of authentication, authorization, security, along with ease-of-use.[5]”
The power of the internet as it exists now is that anyone can use it and benefit from it — additional layers of security should be implemented with this in mind. The Byos Secure Gateway Edge can help you do just that, enabling organizations to reduce the attack surface of their IoT network with plug-and-play implementation. Request a demo today.
Build In Security at the System Level
Rather than build security after the fact — or worse, assume that current security protocols will be sufficient — security needs to be a primary concern from the beginning of development. Teams must address security needs holistically as well.
“It’s pretty clear that if you look at the history of the development of the internet…[it] absorbed security technologies along the way, as opposed to from the very beginning,” Cerf said. While this approach let his team add functionality to the TCP/IP protocol incrementally, it also led to the gaps we’re seeing today.
Now, Cerf recommends that organizations “build operating systems that are a lot more paranoid about who they communicate with.” This philosophy can extend to individual programs and networks as well. Instead of building programs with security assumptions baked in, teams should take special care to ensure that software regularly verifies “trust” at multiple stages.
Work-from-Anywhere & OT Drives Organizations to a New Standard
Remote access has become pervasive, and the number and variety of devices on our networks are expanding faster every year. Ensuring trust becomes increasingly critical — and complex. While we might wish we could start from scratch and rebuild the internet with what we know now, that just isn’t possible.
Byos developed their Secure Edge family of hardware and virtualized technology to address the flaws that Vint Cerf has talked about continually over the last 20+ years. Byos operates over the Internet and private networks to prevent devices from communicating until trust has been established, prevents unauthorized access to the system level, and removes the security stack from the operating environment.
Secure Gateway Edge protects your mission critical assets — data centers, cloud, IoT (including legacy and otherwise unsecurable devices) — on your existing infrastructure without any changes needing to be made. Byos also secures workstations using the Secure Endpoint Edge. Talk to a Byos specialist or set up a demo now.
[1] “Vint Cerf's Outlook for the Internet He Helped Create,” Bank Info Security
[2] “A Flaw in the Design,” The Washington Post
[3] “Vint Cerf, ‘Father of the Internet,’ Discusses Internet Security,” Stanford Online, YouTube