The Future of the 'iPatriot Act'

FutureOfTheInternet.org
Aug. 09, 2008

Larry Lessig’s generous review of the Future of the Internet makes an interesting point:
“Whether a single event, or a coordinated event, whether intentional, or accidental, it is simply a matter of time before a catastrophic network event happens. And when it happens — think of it as a kind of i9/11 event, but the bad guys are not Al-Qaeda — will we be prepared for the inevitable iPatriot Act response? Are we better prepared than civil libertarians were when we were hit with the USA Patriot Act? Have we even framed the right debate?”
First, will there be an ‘i9/11’, and second, will it prompt an ‘iPatriot Act’? The actual chances of a catastrophic network failure are pretty slim. But were one to occur, it would probably look a lot like the attacks on the DNS root servers in 2007. Here’s what happened:

The 13 Domain Name System (DNS) root servers record who controls the Top-Level Domains (‘.com’, ‘.edu’, ‘.uk’, and so forth) and where. This file of information is quite small, and very few computers actually have to call upon the root servers to find the sites they’re looking for. But without them, the single Internet we’re used to would fracture, and computers would have no easy, reliable way to find the IP addresses they’re looking for.

On February 6, 2007, hackers launched a Distributed Denial of Service (DDoS) attack on the root servers, sending gigabytes of useless requests every minute in order to overload the roots and prevent them from responding to genuine Internet traffic. Such an attack was made possible only by harnessing the power of hundreds or thousands of ‘zombie’ computers infected with malicious bots.

The 2007 DDoS attack failed, however. Because the malicious network traffic was relatively easy to distinguish from genuine network traffic, and because most of the DNS root servers were able to distribute the requests over hundreds of component computers, only two of the 13 servers (each themselves made of dozens of computers) were affected. And this was the most successful such attack against the network. In order to noticeably disable network traffic, hackers would have to (in theory at least) destroy all thirteen servers.

All of this is to say that a catastrophic network failure, while possible, is unlikely. But that’s not to say there won’t be an ‘iPatriot Act’. In fact, we’re already seeing its development in agencies and hearings across the country, as regulators push policies that discourage open, generative products and encourage closed, tethered ones.

Take, for example, the Department of Homeland Security’s list of ‘best practices’ for software developers. Among the suggestions:

Don’t trust users: “Developers should assume that the environment in which their system resides is insecure. Trust, whether it is in external systems, code, people, etc., should always be closely held and never loosely given.”

Secure the end-points: “Attackers are more likely to attack a weak spot in a software system than to penetrate a heavily fortified component. For example, some cryptographic algorithms can take many years to break, so attackers are not likely to attack encrypted information communicated in a network. Instead, the endpoints of communication (e.g., servers) may be much easier to attack.”

In themselves these are not bad pieces of advice. But within DHS’s broader vision of online security, they indicate that the government considers safe technologies to be tethered technologies, and vice versa.

Take as further examples any of the current IP-enforcement laws working their way through Congress. H.R. 4279 would create an IP czar at the Department of Justice; S. 522 would create an entire ‘Intellectual Property Enforcement Network’; and S. 2317 would allow the Department of Justice to sue copyright infringers in civil as well as criminal court.

What’s interesting about these bills is that more often than not, Intellectual Property protection is packaged as consumer protection. In fact, just last month the Senate held a hearing entitled “Protecting Consumers by Protecting Intellectual Property”, in which witnesses and legislators advocated for the very bills discussed above.

What all of this amounts to is that agencies and officials are pushing increasingly closed systems of code and increasingly strict Intellectual Property regulations. Both of these encourage increasingly tethered appliances. We don’t need a catastrophic network failure to have an ‘iPatriot Act’: such an act is already in the works.












