The early hackers who planted the seeds of the Internet imposed a culture of openness, where problems and their solutions were shared among a broader community. Despite growing secrecy around cybersecurity, a free and fair Internet should go back to the roots to combat online risk.
In the beginning, there was nothing. A few monster computers heated up the basements of prestigious universities, crunching numbers for mathematicians and physicists.
But one day in the late 1950s, a handful of tinkerers pushed their curiosity and skills out of their usual playground (the Tech Model Railroad Club at MIT) to collectively explore and hack these monster machines for the sheer pleasure of learning-by-doing. The rest is history.
These early hackers demonstrated the importance of openness to enhance complicated technologies. And, for a large part, they managed to impose a lasting and open culture in which problems and their solutions are shared among a broader community.
“Without ethical culture, there is no salvation for humanity.” Albert Einstein
Internet: The early years
Ten years later, the research division of the Pentagon, called ARPA (now DARPA), launched ARPANET. It was a project to establish reliable communication protocols between computers—a network that would become the Internet.
ARPANET was initially tested and deployed across universities and research centers starting in 1969 with the University of California in Los Angeles (UCLA) and Santa Barbara (UCSB), at Stanford University (via the Stanford Research Institute, now SRI International), and at the University of Utah. In 1970, ARPANET reached the East Coast (Cambridge, Massachusetts) and grew all over the United States, finally crossing the Atlantic towards Norway in 1973.
With a culture of community-based open software development, and with the technology to let information travel freely and instantly over large distances, the basic building blocks for uncontrolled evolution and growth were in place.
ARPANET expanded worldwide as an academic network, and in 1988 there were already concerns about the number of connected computers.
Robert Tappan Morris, a graduate student at Cornell University, decided to gauge the size of this new Internet with a computer program that would replicate and spread across it. But an error made the program execute over and over again on a given computer, leading to processing overload and ultimately to the crash of thousands of machines across the network.
While unintentional, the Morris Worm was the first ever recorded instance of a damaging virus spreading across a computer network. Ironically, since computers crashed following their infection, the Morris Worm also failed in its measurement goals. (And, by the way, measuring the exact size of the Internet has become an increasingly complicated problem of great scientific interest, with no definitive answer.)
Freedom for all meets concerns about cybersecurity
In 1994, with The Gore Bill (after former Senator and Vice-President Al Gore), ARPANET began to operate as a commercial network and was renamed the Internet. Exponential growth followed: companies and consumers connected their computers and started interacting at an unprecedented pace.
More than ever before, the human factor became a critical dimension of security and privacy in this new connected and networked (cyber) space, while also unleashing the power of massive online collaboration. This spirit was evident in things like Usenix forums and IRC channels (chats) and was followed by open source software development and collaborative Wikipedia editing, for example.
Later, mass collaboration reached a mature consumer industry with modern social networks such as YouTube, Facebook, and Twitter. And today, the Internet has expanded into the physical world.
Smartphones are geo-located and allow contactless payments; self-driving cars cruise California Highways 101 and 280 (between Palo Alto and San Francisco); smart-meters regulate the power grid and follow our energy consumption at home; and ubiquitous biosensors record a number of intimate physiological signals. For the latter example, the technology holds promising applications for tracking personal health almost in real time, and for sharing emotions seamlessly on social networks.
Since its beginnings, the purpose of the Internet was to let information flow as fast and freely as possible. This openness was crafted by hackers for their own advantage, following from their techno-hippie ideology—sharing ideas, problems, and solutions was both the purpose and the means of achieving a smarter world with more freedom for everyone.
In many ways, the collaborative approach at the roots of the Internet is also successful for ensuring cybersecurity and combating cyber threats. Take the disclosure of software vulnerabilities, for example, which are submitted to software editors by those who discover them, but fully disclosed after a predefined period of time (regardless of whether the software editor has taken any action yet or not).
Yet cybersecurity itself has been deeply impregnated by secrecy, perhaps inherited from its inception in the defense industry.
For security, go back to the beginning
The Internet security industry has largely failed to recognize that cybersecurity should be designed on the very same fundamental rules that govern the Internet—openness.
Unwillingness to publicly acknowledge and discuss security problems has left cybersecurity behind. Many cybersecurity practitioners have been insufficiently challenged on their capabilities to adapt to ever-changing threats. Lack of accountability has led some security experts to consider themselves as the sole holders of knowledge.
Meanwhile, insufficient disclosure of security problems such as software vulnerabilities and data breaches has left most Internet users with a false sense of security, which in turn has undermined concerns.
As cyber attacks turn out to be increasingly massive, disruptive, and somewhat scary, more people (even large organizations) realize that they are insufficiently protected and don’t have the tools to remedy their security and privacy problems on their own.
How do people reasonably avoid leaving digital traces in retail stores (e.g., Target) or banks (e.g., J.P. Morgan), which are likely to fail at protecting their personal information? What can people do to prevent governmental agencies from breaking into their favorite email or chat services for unclear purposes?
Trust in cybersecurity could not be more broken than it is today—at the very moment when cyber attacks are increasingly carried out against individuals, large organizations, and governments.
We—you, me, security practitioners, scientists, industry, everyone—need to recognize that cybersecurity is made more efficient by complying with the very rules of the Internet: Everyone shall have the opportunity to be empowered with the necessary tools to protect her or his own information assets at the desired level.
Trust must be restored. To do this, security should be challenged from a variety of viewpoints in a constructive way, possibly publicly or at least by a community with a strong sense of the founding Internet (hacker) ethics.
This requires collective intelligence through cooperation, primarily between large companies and governments in charge of our most critical assets: power-grids, transportation systems, business and financial systems, communication networks, and personal data.
In February 2015, President Obama signed an executive order to promote sharing of security data between large organizations and the Federal government. This is a first step towards a cybersecurity policy that aligns with the culture of openness to restore trust and build more effective collective intelligence among the security community.
It remains unclear, however, how a policy promoting data sharing may actually change a deeply ingrained culture of secrecy, since the very process of disclosing information about security incidents may be used for the purposes of spying or surveillance.
Another future policy may include the promotion of bottom-up innovation. Disruptive startups have been the landmark of Internet innovation, and cybersecurity may be disrupted in similar ways. However, because cybersecurity is highly technical and sensitive, entry barriers remain high: designing cutting-edge security products requires significant and specialized expertise.
It comes down to this: Better and broader education on cybersecurity is required, which again involves spreading knowledge in a more open way to enable more learning-by-doing, and to enhance collective intelligence through collaboration—just as the first hackers did to begin the computer revolution.
Text adapted from Thomas Maillart’s recent post on Medium. During the entire month of May 2015, swissnex San Francisco explores topics of early computer viruses, hackers, cybersecurity, and encryption during the series Project Cyber Virus.