Future of the Internet Symposium: Do We Know the Future of the Internet?

The Future of the Internet rests on the combination of an empirical claim and a predictive claim.  The empirical claim is about the characteristics of “open” versus “closed” systems: “Open” is better for us than “closed.”  The predictive claim is that “the pieces are in place for a wholesale shift” from open to closed.  The argument of the book is therefore about a coming future we want to avoid: Instead of allowing the shift from open to closed, we should work to ensure that we maintain an open system.

Is Zittrain right?  My answer is to say something you’re not supposed to say on the Internet: I don’t know.   Whether open or closed is better strikes me as a complicated empirical question.  It may depend on the circumstances, and it certainly depends on your values. Either way, I’m not in a position to know in which circumstances each approach is likely to be helpful.

Similarly, I don’t know if we’re likely to see a wholesale shift in the balance between open and closed systems.   I’m generally skeptical about Zittrain’s claim in Chapter 3 about the direction of cybersecurity — a claim that underlies Zittrain’s predictions about where we’re headed.   My vague sense is that cybersecurity is generally improving over time, not getting worse.   Of course, my impression is only anecdotal.  But here are two anecdotes to give you an idea of why I’m skeptical that the problem is getting worse.

Back around 1995 to 2000, the Internet was regularly threatened by global viruses like the Melissa virus and the I Love You virus that threatened to shut down the Internet.   We don’t generally see those same global threats today, however.    By and large, virus threats have become an inconvenience dealt with through updating anti-virus software rather than  the huge threat to the Net they were a decade ago.  That’s a big shift.  And it’s a shift towards better security rather than worse security.

Another sign is the annual CSI/FBI Computer Crime and Security Survey, which publishes information about how much of a security threat major companies are seeing online.  From around 200o to 2005, the numbers went up every year — to a great deal of media attention and consternation.  But since 2005, the numbers generally have dropped.   Companies seem to be seeing less of a threat, and they’re reporting fewer losses than before.  That doesn’t mean the problem is “solved” — no security problem is ever “solved” — but it does suggest that the cybersecurity picture is improving on the whole compared to where it was a few years ago.

Of course, none of this means Zittrain’s hypothesis is wrong.   (And it’s a marvelously engaging and fun book either way.)  Rather, I’m just unsure that the empirical and predictive claims are right.   I don’t have enough of a sense of the empirical benefits of open and closed, or enough certainty about what the future holds, to really know.

You may also like...

4 Responses

  1. Steven Bellovin says:

    Orin, I think that the absence of global worms like Melissa and I Love You is in fact a bad sign. People have stopped writing them because they’re bad for business. The bad guys have learned that they can make money from malware, by stealing bank account credentials, sending spam, and engaging in extortion. There is now profit from hacking, and the market has worked its magic: we’re seeing very sophisticated, high-quality worms, worms that don’t call attention to themselves, but instead quietly go about their business. Shut down the Internet? No, of course not; if you can’t deliver the spam, you won’t get paid.

    I hadn’t noticed the drop in the CSI/FBI numbers, but I’ve always felt they were quite suspect. The methodology in their surveys is extremely suspect; they rely on self-reporting. Besides, companies can only report attacks that they notice; most attacks are never noticed.

  2. Orin Kerr says:

    Thanks for the interesting response, Steve.

    Two thoughts. First, I’m curious how you draw the comparison. The I Love You virus caused an estimated $5 billion to $10 billion in losses: It shut down offices around the world. All things considered, isn’t it better to have more spam than that kind of loss?

    Second, I’m not sure if your argument cuts in favor of Zittrain’s argument or against it. I believe Zittrain’s argument is that security is getting so bad that users will eventually demand a closed network: Users will give up and reject the open Internet because they’re fed up with the security threat. To the extent the security threat has thrived by becoming invisible to the user, doesn’t that make it unlikely that users will respond by demanding a switch to a more closed system?

  3. Steven Bellovin says:

    I’m not arguing about the total world-wide economic loss; if the numbers you cite are accurate (and I have considerable doubts, but that’s another matter), we had serious problems, but they reflect the overall insecurity of the net against a more or less random attack. What we have now are targeted attacks. These are much harder to defend against, because they can be arbitrarily clever — the profit motive (and yes, the national security motive, for other people’s nations) has led to some very sophisticated attacks. It’s easy to defend against email that says “click here to see naked pictures of Britney Spears” when that’s really pointing to a well-known exploit for which a patch exists and which anti-virus software will pick up in any event. It’s a lot harder if you receive a PDF that is apparently from a colleague, asking you to comment on a draft of her latest paper — but the PDF really has a so-called “0-day exploit”, one never seen before, and the email is really a forged note from a foreign intelligence agency. The societal and legal responses (to say nothing of the technical responses) have to be different; the former is more or less a statistical phenomenon, while the latter is someone out to get you.

    An interesting case is the so-called Stuxnet worm, which received far too little attention outside of the security communit. I wrote about it (http://www.cs.columbia.edu/~smb/blog/2010-07/2010-07-16.html); briefly, it was a very sophisticated attack aimed at critical infrastructure systems.

    I’m not arguing for or against Zittrain’s proposition right now, though I do think that the demand for closed systems will come more from the server side than from consumer demand. If nothing else, current laws and policies have largely shielded consumers from losses. At most, it will make consumers more willing to accept such systems, but only if they aren’t inconvenienced too much. The first bank to mandate an appliance runs a serious risk of losing customers, I suspect.

  4. Daithi Mac Sithigh says:

    Orin, some very interesting points above. I too find it difficult to figure out precise criteria for judging the benefits of openness – and I’m struck by how we can see different social networking sites, to take one example, doing well in one part of the world but not another. Certainly, there can be differences in the basic model behind Facebook as opposed to MySpace (choose your own examples), but it’s very hard to figure out why X does well in one place and Y in another. But it could mean that you have ‘open’ in one nation and ‘closed’ in another, even though they share fundamental features of culture or government. (There’s even the class-based argument that danah boyd and others have made about SNS use within the US). This strikes me as an experiment waiting to happen, if one could control for the appropriate variables. The problem with comparing an open and a closed system within a single environment is – taking social networking again – is the lack of ‘real choice’ when one site is already dominant – can a user really opt for a more open place if the people they want to talk to are happy in closed-world?