"The biggest problem I see is that a lot of protocols we use were developed in the 1970s," said Hancock, the Chief Security Officer at Cable and Wireless. "The bottom line is that all those protocols need to be redone. Until we start improving those protocols, we'll continue to see problems."
Hancock, a veteran executive who's written more than 30 books on computer networking and security, doesn't suggest such changes lightly. He oversees global security for C&W, which operates a substantial portion of the Internet backbone, and also sits on numerous IT security bodies and standards committees. He realizes the enormity of a ground-up reworking of network protocols. But after having spent the last two years preaching best practices, Hancock believes it's time to get started.
"What needs to happen is a profound change in protocols and in implementation," Hancock said in an interview last week. "Getting people to talk about it isn't hard. I've talked to the geeks, I've talked to the executives, I've talked to everyone. It's a total issue of money. The realistic approach is to look at the economic impetus."
Defining the cost of security events is an inexact science, in which huge numbers have been put forth by vendors. The 2003 CSI/FBI Computer Crime and Security Survey of 530 companies reported overall financial losses from Internet security issues for the previous year of $201.7 million, down significantly from $455.8 million in 2002. That data didn't include the August events featuring Blaster and the latest SoBig variant. Richard Pethia, Director of the CERT Coordination Center, said last week in Congressional testimony that damage estimates for each of those events have exceeded $500 million.
In the wake of SoBig.F, a discussion emerged about whether to rewrite SMTP (Simple Mail Transfer Protocol), the protocol governing e-mail delivery. Protocol overhauls will have to go even further to provide long-term security improvements, according to Hancock.
"SMTP is an application protocol that needs to be tightened up as part of the overall issue," said Hancock. "It will only help address spam as a major issue and will not solve routing and transport layer security. If you can kill network packet arrivals, it doesn't matter if spam is an issue or not. But if you can cut out a lot of the fake addressing and spoofing, you stop the bulk of DDoS (Distributed Denial of Service) attacks. The network has be to secure and reliable as a transport, first and foremost. Current network and transport protocols are not secure and need a heavy-lift upgrade.
"The bulk of work needs to happen from the session layer and down, as there has been little or no activity in security improvements," said Hancock. "At the application layers, we have seen traction in security with protocols such as XML, which now has serious security controls when compared to HTML. Application protocols have improved overall; lower layer protocols on wired networks have not. Even wireless networks have evolved from the WEP of 802.11a to WPA for 802.11g, which are network-layer framing security methods that do not have equivalents on wired networks such as Ethernet/802.3."
The IP, TCP and UDP protocols were developed in the 1970s and early 1980s, at a time of substantial trust among Internet participants, and as a result weren't engineered to address the level of IP spoofing and "zombie" DDoS attacks seen today. Writing new protocols would provide an opportunity to weave authentication, security controls and cryptography into the fabric of the network.
"There's got to be some good basic research done," concluded Hancock. "We need some strong, highly-secure protocols, and they've got to be able to last a long time. The problem is that we have 655 million or so users of the Internet right now. Deploying security enhancements to that many users at once is a non-trivial matter. The problem is complex, big and will take a while to solve."