Paul Vixie, CEO of Farsight Security and previously president, chairman and founder of Internet Systems Consortium (ISC), agrees that the internet is vulnerable, but always has been. “The threat is old and well known,” he said. “The internet was built in a lab for eggheads who all trusted each other, and so it has no defense against its own users.”
But he said he thinks Schneier needed to be much more precise about what he meant by taking down the internet. “Down for who, and for how long?” he asked. “There's no way to break the internet permanently, since the same activities that gave rise to it and which reinvent it every day will eventually recreate a new infrastructure that works mostly the same way the old one did.”
Gary McGraw, CTO of Cigital, sees it much the same way. “The internet was designed to survive a nuclear war,” he said. “It was set up so the network could remain alive, even if parts of it get blown up. Even if the ‘great server in the sky’ got taken down, it would be replaced instantly.”
Schneier said he agrees with much of that. “I’m not convinced it will go down,” he said, “and if it does, it will be temporary. A DDoS attack needs the internet to work. It eventually eats its own tail.”
But even a temporary takedown could cause great damage, Vixie said. “In a thought experiment, a bunch of us got together and brainstormed ways to make the internet unavailable to the G-20 for 72 hours.
“This was because an attack of that kind, had it been pulled off on Sept. 10, 11, and 12 of 2001, would have vastly amplified the terror and confusion of the terrorist attacks on 9/11,” he said.
McGraw agrees that the potential for damage is very real. “If you have a critical system, you need to pay attention,” he said. “I’d hate to be having remote surgery when the internet goes down and there’s a scalpel sticking out of my chest.”
But he said horror stories like planes falling out of the sky “aren’t going to happen. That’s ridiculous.”
Some comments on Schneier’s blog have suggested that the DDoS attack isn’t the real attack – that it is meant to be the digital version of “covering fire,” so the hackers can get something like an advanced persistent threat (APT) into a system without detection.
“I thought of that,” Schneier said, “but I didn’t write about it because it would be too speculative.”
What to do about it draws even more of a mixed response. Schneier has said he doesn’t know what should be done, but did call for a “national strategy” on DDoS attacks, “because a lot of this is critical infrastructure. The question is what do we do when critical infrastructure is in private hands. We don’t have a good way of dealing with it.”