At a recent South By Southwest Interactive conference in Austin, Edward Snowden said the NSA is "setting fire to the future of the Internet." In light of this, the World Wide Web Consortium (W3C) and the Internet Architecture Board (IAB) are trying to get a handle on rampant monitoring.
On Feb. 28 and March 1, they hosted a joint workshop, STRINT: Strengthening the Internet Against Pervasive Monitoring, to identify possible solutions. As the meeting minutes for the two-day workshop show, much discussion centered on the inappropriate relationships among Internet service providers, security vendors, and other Internet-focused companies that created easy tap-in points to collect massive amounts of data.
Though interesting, this type of conversation has little to do with private businesses. But mixed in with the discussion of Prism and other NSA-style pervasive monitoring programs were several useful proposals on how businesses can position themselves against future pervasive Internet monitoring. Here are the ones I found most interesting.
For one thing, it's time to start encrypting all types of data transmissions -- not just the ones containing what is deemed sensitive information. So much of the traffic sent in clear text today still carries information an eavesdropper can use to gain further access into a company's infrastructure: hostnames of internal systems, session cookies, API keys, and Basic-auth credentials that are merely base64-encoded, not protected. Encrypting all data should be treated as sound, low-hanging fruit that plugs a gaping hole. Don't let the fact that some older encryption methods are no longer considered safe become an excuse to delay; use the current defaults of your TLS libraries and get into the habit of encrypting every transmission now. Stronger techniques can be rolled in as they mature.
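To make the point concrete, the following is an added example (not code from the article or from the STRINT workshop) that shows what a passive tap learns from a single clear-text HTTP request, and the minimal TLS client setting that closes that hole. The request text, hostname, cookie and credential values are constructed for illustration; the function names are mine.

```python
"""Audit a captured clear-text HTTP request for material an eavesdropper
could reuse, then build the TLS client context that would have hidden it.

Added example for this article; not the article's own code. The request
below is constructed, with a made-up host, cookie, API key and password.
"""
import base64
import binascii
import ssl
from typing import Dict, List

# Constructed sample: what an on-path observer sees when an internal app
# is reached over plain HTTP instead of HTTPS.
SAMPLE_REQUEST = (
    "GET /admin/reports?user=jdoe HTTP/1.1\r\n"
    "Host: intranet.example.internal\r\n"
    "Authorization: Basic amRvZTpXaW50ZXIyMDE0IQ==\r\n"
    "Cookie: JSESSIONID=7F2A9C3E1B; remember_me=1\r\n"
    "X-Api-Key: 0123456789abcdef\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Header names whose values an observer can replay or decode directly.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}


def parse_request(raw: str) -> Dict[str, str]:
    """Split an HTTP/1.x request into its request line and headers.

    Header names are lower-cased so lookups are case-insensitive; parsing
    stops at the blank line that terminates the header block.
    """
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {"request-line": lines[0]}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(value: str) -> str:
    """Return 'user:password' from a Basic credential, or '' if it is not one.

    Basic auth is base64, which is encoding, not encryption: anyone who
    can read the header can recover the password.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return ""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def audit_cleartext(raw: str) -> List[str]:
    """List what an eavesdropper learns from one clear-text request."""
    headers = parse_request(raw)
    findings: List[str] = []
    for name in sorted(SENSITIVE_HEADERS & headers.keys()):
        findings.append(f"{name} header exposed: {headers[name]}")
        if name in ("authorization", "proxy-authorization"):
            creds = decode_basic(headers[name])
            if creds:
                findings.append(f"basic credentials decoded: {creds}")
    if "host" in headers:
        findings.append(f"internal hostname exposed: {headers['host']}")
    return findings


def client_tls_context() -> ssl.SSLContext:
    """The 'encrypt first, tighten later' baseline for a Python HTTP client.

    create_default_context() already enables certificate and hostname
    verification; pinning the floor to TLS 1.2 rules out the legacy
    protocol versions the article warns are no longer safe.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for finding in audit_cleartext(SAMPLE_REQUEST):
        print(finding)
```

Run against the constructed request, the audit recovers the internal hostname, the session cookie, the API key, and the decoded username and password, none of which the application owner considered "sensitive" enough to require HTTPS. Wrapping the same request in TLS using `client_tls_context()` hides all of it from an on-path observer.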
Another point made at the workshop: Pervasive monitoring is made much easier because security patches are applied far too slowly. When vendors release OS and application patches, most recipients wait days, weeks, or even months before applying them to production systems. The delay usually exists so that IT staff can test the patches in development environments and confirm they don't break application functionality when rolled out to production. However, that tactic is becoming a luxury that many enterprises can no longer afford if security is critical.
Lastly, a recurring theme at the workshop was that end users simply don't understand IT security and can't be counted on to protect themselves within an enterprise. Therefore, security protections must be separated from the user and placed on the shoulders of application developers and system administrators to implement behind the scenes. When designing authentication and encryption systems, the goal should be to make them invisible to the end user. Password requirements are becoming harder for users to live with, so authentication methods that don't require users to remember dozens of complex passwords should be investigated.
Every enterprise leverages the Internet today in one way or another. Because of our reliance on the public Internet, we all have an interest in protecting against pervasive Internet monitoring to maintain the level of trust needed to conduct business. And though much of the work needed involves loosening governments' grip on encryption and Internet infrastructure backdoors, there are steps each of our organizations can take today to get us closer to a more private Internet experience tomorrow.