The construction of a vulnerable Internet
David D. Clark, an MIT scientist whose air of genial wisdom earned him the nickname “Albus Dumbledore,” can remember exactly when he grasped the Internet’s dark side. He was presiding over a meeting of network engineers when news broke that a dangerous computer worm — the first to spread widely — was slithering across the wires.
One of the engineers, working for a leading computer company, piped up with a claim of responsibility for the security flaw that the worm was exploiting. “I thought I had fixed that bug,” he said.
But as the attack raged in November 1988, crashing thousands of machines and causing millions of dollars in damage, it became clear that the failure went beyond a single man. The worm was using the Internet’s essential nature — fast, open and frictionless — to deliver malicious code along computer
lines designed to carry harmless files or e-mails.
Decades later, after hundreds of billions of dollars spent on computer security, the threat posed by the Internet seems to grow worse each year. Where hackers once attacked only computers, the penchant for destruction now has leapt beyond the virtual realm to threaten banks, retailers, government agencies, a Hollywood studio and, experts worry, critical mechanical systems in dams, power plants and aircraft.
These developments have shocked many of those whose work brought the network to life, they now say.
“It’s not that we didn’t think about security,” Clark recalled. “We knew that there were untrustworthy people out there, and we thought we could exclude them.”
How wrong they were. What began as an online community for a few dozen researchers now is accessible to an estimated 3 billion people. That’s roughly the population of the entire planet in the early 1960s, when talk began of building a revolutionary new computer network.
Those who helped design the network over subsequent decades focused on the technical challenges of moving information quickly and reliably. They foresaw the need to protect the network against intruders or military threats, but they didn’t anticipate that the Internet’s own users someday would use the network to attack one another.
“We didn’t focus on how you could wreck this system intentionally,” said Vinton Cerf, a dapper, ebullient Google vice president who in the 1970s and ’80s designed key building blocks of the Internet.
Those involved from the early days bristle at the notion that they somehow could have prevented today’s insecurity, as if road designers are responsible for highway robbery or urban planners for muggings. These pioneers often say online crime and aggression are the inevitable manifestation of basic human failings.
“I believe that we don’t know how to solve these problems today, so the idea that we could have solved them 30, 40 years ago is silly,” said David Crocker, who started work on computer networking in the 1970s and helped develop modern e-mail systems.
Yet 1988’s attack by the “Morris Worm” — named for Robert Morris, the Cornell University graduate student who created it — was a wake-up call for the Internet’s architects, who had done their original work in an era before smartphones, before cybercafes, before even the widespread adoption of the personal computer. The attack sparked both rage that a member of their community would harm the Internet and alarm that the network was so vulnerable to misdeeds by an insider.
When NBC’s “Today” aired an urgent report on the worm’s rampage, it became clear that the Internet and its problems were destined to outgrow the idealistic world of scientists and engineers — what Cerf fondly recalled as “a bunch of geeks who didn’t have any intention of destroying the network.”
But the realization came too late. The Internet’s founding generation was no longer in charge. Nobody really was.
The Internet was born of a big idea: Messages could be chopped into chunks, sent through a network, then reassembled by destination computers. Historians credit seminal insights to Welsh scientist Donald W. Davies and American engineer Paul Baran — a man determined to brace his nation for the possibility of nuclear war.
Baran described his bleak vision in an influential paper in 1960 when he was working for the Rand Corp. “The cloud-of-doom attitude that nuclear war spells the end of the earth is slowly lifting,” Baran wrote, endorsing the view that “the possibility of war exists but there is much that can be done to minimize the consequences.”
Among those was a rugged communication system with redundant links so it could still function after a Soviet strike. This, Baran wrote, would help “the survivors of the holocaust to shuck their ashes and reconstruct the economy swiftly.”
Davies had a more placid vision. Computers in that era were huge, costly behemoths that could fill a room and needed to serve multiple users at the same time. But logging on to them often required keeping expensive telephone lines open continuously, even though there were long periods of silence between transmissions.
Davies began proposing in the mid-1960s that it would be better to slice data into pieces that could be sent back and forth almost continuously, allowing several users to share the same telephone line while gaining access to a remote computer. Davies also set up a small network in Britain, demonstrating the viability of the idea.
These two visions, for war and for peace, worked in tandem as the Internet moved from concept to prototype to reality.
The most important institutional force behind the development was the Pentagon’s Advanced Research Projects Agency (ARPA), created in 1958 during the aftermath of the Soviet Union’s launch of the Sputnik satellite.
A decade later, as ARPA began work on a groundbreaking computer network, the agency recruited scientists affiliated with the nation’s top universities. This group — including several who during the Vietnam War and its polarizing aftermath would have been uneasy working on a strictly military project — formed the collegial core of the Internet’s founding generation.
When the network made its first connections in 1969, among three universities in California and one in Utah, the goals were modest: It was a research project with a strongly academic character. Those on the ARPANET, the most important predecessor to the Internet, would use it to trade messages, exchange files and gain remote access to computers.
It would have taken enormous foresight, said Virginia Tech historian Janet Abbate, for them to envision the security consequences years later, when the Internet would take a central place in the world’s economy, culture and conflicts. Not only were there few obvious threats during the ARPANET era of the 1970s and early 1980s, but there also was little on that network worth stealing or even spying on.
“People don’t break into banks because they’re not secure. They break into banks because that’s where the money is,” said Abbate, author of “Inventing the Internet.” “They thought they were building a classroom, and it turned into a bank.”
It’s not that we didn’t think about security. We knew that there were untrustworthy people out there, and we thought we could exclude them.”
David D. Clark, MIT scientist