It is now understood by most that the Internet has become critical infrastructure. That is critical to national security functions and critical to the fabric of modern civilization.
And we have a huge problem: Nobody can trust that the critical infrastructure they depend upon has not been sabotaged.
This is not a concern unique to equipment manufactured in China. Many countries banned government use of US designed equipment in the wake of the Snowden disclosures. This is a problem inherent in the technology itself which we have thus far been able to ignore because there has been sufficient trust in the system that the major powers will not employ these capabilities against each other.
We are now at a point where reserves of goodwill are exhausted. There are those who believe that chaos is a ladder and they wish to climb. There is a real risk that the current wave of bad faith accusations will spark real retaliation. If progress in technology stalls, the global economy stalls and should that happen there will be fewer resources available to address the real ecological and material challenges we face.
So here is the challenge: We must start building technologies that are verifiably trustworthy even if they are compromised during manufacture.
That may seem like an impossible challenge and of course it is impossible if we insist on the criteria that no system ever be vulnerable under any circumstance. But what we need here is resilience, not a perfect guarantee that no system is ever compromised.
Achieving resilience will require us to develop at least some new technology but there is a vast amount of existing technology that is not being used. We are attempting to meet the security challenges of the 2020s Internet with the security technology of the 1980s. Of course AES is better than DES and SHA2 is better than MD4. But we aren't making use of new principles.
Today we conceive the role of a firewall to be a policy enforcement point blocking unauthorized traffic. It is a role that firewalls are increasingly unable to realize as encryption becomes the default. Perhaps it is time to start thinking in terms of policy verification.
There is no way that we can prevent a device being compromised during manufacture using current technology. But we can mitigate the impact of that compromise so that it affects a single machine rather than the entire network. We can also develop infrastructures that allow the fact that a device has been compromised to be detected with some degree of certainty.
If we don't start thinking in terms of resilience soon, our customers are going to start forcing us to think in those terms because they are the ones caught in the middle of this fight.
