Return to Video

The Internet could crash. We need a Plan B

  • 0:01 - 0:04
    So, this book that I have in my hand
  • 0:04 - 0:08
    is a directory of everybody who had an email address
  • 0:08 - 0:11
    in 1982. (Laughter)
  • 0:11 - 0:15
    Actually, it's deceptively large.
  • 0:15 - 0:18
    There's actually only about 20 people on each page,
  • 0:18 - 0:20
    because we have the name, address
  • 0:20 - 0:23
    and telephone number of every single person.
  • 0:23 - 0:25
    And, in fact, everybody's listed twice,
  • 0:25 - 0:30
    because it's sorted once by name and once by email address.
  • 0:30 - 0:33
    Obviously a very small community.
  • 0:33 - 0:36
    There were only two other Dannys on the Internet then.
  • 0:36 - 0:38
    I knew them both.
  • 0:38 - 0:40
    We didn't all know each other,
  • 0:40 - 0:43
    but we all kind of trusted each other,
  • 0:43 - 0:47
    and that basic feeling of trust
  • 0:47 - 0:49
    permeated the whole network,
  • 0:49 - 0:52
    and there was a real sense that
  • 0:52 - 0:55
    we could depend on each other to do things.
  • 0:55 - 0:58
    So just to give you an idea of the level of trust in this community,
  • 0:58 - 1:00
    let me tell you what it was like
  • 1:00 - 1:04
    to register a domain name in the early days.
  • 1:04 - 1:06
    Now, it just so happened that I got to register
  • 1:06 - 1:09
    the third domain name on the Internet.
  • 1:09 - 1:11
    So I could have anything I wanted
  • 1:11 - 1:15
    other than bbn.com and symbolics.com.
  • 1:15 - 1:18
    So I picked think.com, but then I thought,
  • 1:18 - 1:21
    you know, there's a lot of really interesting names out there.
  • 1:21 - 1:26
    Maybe I should register a few extras just in case.
  • 1:26 - 1:29
    And then I thought, "Nah, that wouldn't be very nice."
  • 1:29 - 1:35
    (Laughter)
  • 1:35 - 1:38
    That attitude of only taking what you need
  • 1:38 - 1:42
    was really what everybody had on the network in those days,
  • 1:42 - 1:46
    and in fact, it wasn't just the people on the network,
  • 1:46 - 1:48
    but it was actually kind of built into the protocols
  • 1:48 - 1:50
    of the Internet itself.
  • 1:50 - 1:54
    So the basic idea of I.P., or Internet protocol,
  • 1:54 - 1:58
    and the way that the -- the routing algorithm that used it,
  • 1:58 - 2:02
    were fundamentally "from each according to their ability,
  • 2:02 - 2:04
    to each according to their need."
  • 2:04 - 2:07
    And so, if you had some extra bandwidth,
  • 2:07 - 2:09
    you'd deliver a message for someone.
  • 2:09 - 2:12
    If they had some extra bandwidth, they would deliver a message for you.
  • 2:12 - 2:14
    You'd kind of depend on people to do that,
  • 2:14 - 2:16
    and that was the building block.
  • 2:16 - 2:19
    It was actually interesting that such a communist principle
  • 2:19 - 2:21
    was the basis of a system developed during the Cold War
  • 2:21 - 2:24
    by the Defense Department,
  • 2:24 - 2:27
    but it obviously worked really well,
  • 2:27 - 2:30
    and we all saw what happened with the Internet.
  • 2:30 - 2:32
    It was incredibly successful.
  • 2:32 - 2:36
    In fact, it was so successful that there's no way
  • 2:36 - 2:39
    that these days you could make a book like this.
  • 2:39 - 2:46
    My rough calculation is it would be about 25 miles thick.
  • 2:46 - 2:47
    But, of course, you couldn't do it,
  • 2:47 - 2:48
    because we don't know the names of all the people
  • 2:48 - 2:52
    with Internet or email addresses,
  • 2:52 - 2:53
    and even if we did know their names,
  • 2:53 - 2:56
    I'm pretty sure that they would not want their name,
  • 2:56 - 3:00
    address and telephone number published to everyone.
  • 3:00 - 3:04
    So the fact is that there's a lot of bad guys on the Internet these days,
  • 3:04 - 3:08
    and so we dealt with that by making
  • 3:08 - 3:10
    walled communities,
  • 3:10 - 3:14
    secure subnetworks, VPNs,
  • 3:14 - 3:16
    little things that aren't really the Internet
  • 3:16 - 3:18
    but are made out of the same building blocks,
  • 3:18 - 3:20
    but we're still basically building it out of those
  • 3:20 - 3:24
    same building blocks with those same assumptions of trust.
  • 3:24 - 3:27
    And that means that it's vulnerable
  • 3:27 - 3:30
    to certain kinds of mistakes that can happen,
  • 3:30 - 3:31
    or certain kinds of deliberate attacks,
  • 3:31 - 3:34
    but even the mistakes can be bad.
  • 3:34 - 3:37
    So, for instance,
  • 3:37 - 3:39
    in all of Asia recently,
  • 3:39 - 3:43
    it was impossible to get YouTube for a little while
  • 3:43 - 3:45
    because Pakistan made some mistakes
  • 3:45 - 3:49
    in how it was censoring YouTube in its internal network.
  • 3:49 - 3:52
    They didn't intend to screw up Asia, but they did
  • 3:52 - 3:55
    because of the way that the protocols work.
  • 3:55 - 3:58
    Another example that may have affected many of you in this audience is,
  • 3:58 - 4:01
    you may remember a couple of years ago,
  • 4:01 - 4:03
    all the planes west of the Mississippi were grounded
  • 4:03 - 4:06
    because a single routing card in Salt Lake City
  • 4:06 - 4:09
    had a bug in it.
  • 4:09 - 4:11
    Now, you don't really think
  • 4:11 - 4:14
    that our airplane system depends on the Internet,
  • 4:14 - 4:15
    and in some sense it doesn't.
  • 4:15 - 4:17
    I'll come back to that later.
  • 4:17 - 4:19
    But the fact is that people couldn't take off
  • 4:19 - 4:21
    because something was going wrong on the Internet,
  • 4:21 - 4:24
    and the router card was down.
  • 4:24 - 4:28
    And so, there are many of those things that start to happen.
  • 4:28 - 4:31
    Now, there was an interesting thing that happened last April.
  • 4:31 - 4:32
    All of a sudden,
  • 4:32 - 4:36
    a very large percentage of the traffic on the whole Internet,
  • 4:36 - 4:40
    including a lot of the traffic between U.S. military installations,
  • 4:40 - 4:42
    started getting re-routed through China.
  • 4:42 - 4:45
    So for a few hours, it all passed through China.
  • 4:45 - 4:50
    Now, China Telecom says it was just an honest mistake,
  • 4:50 - 4:54
    and it is actually possible that it was, the way things work,
  • 4:54 - 4:56
    but certainly somebody could make
  • 4:56 - 4:59
    a dishonest mistake of that sort if they wanted to,
  • 4:59 - 5:02
    and it shows you how vulnerable the system is even to mistakes.
  • 5:02 - 5:07
    Imagine how vulnerable the system is to deliberate attacks.
  • 5:07 - 5:11
    So if somebody really wanted to attack the United States
  • 5:11 - 5:13
    or Western civilization these days,
  • 5:13 - 5:15
    they're not going to do it with tanks.
  • 5:15 - 5:17
    That will not succeed.
  • 5:17 - 5:19
    What they'll probably do is something
  • 5:19 - 5:23
    very much like the attack that happened
  • 5:23 - 5:25
    on the Iranian nuclear facility.
  • 5:25 - 5:28
    Nobody has claimed credit for that.
  • 5:28 - 5:31
    There was basically a factory of industrial machines.
  • 5:31 - 5:34
    It didn't think of itself as being on the Internet.
  • 5:34 - 5:36
    It thought of itself as being disconnected from the Internet,
  • 5:36 - 5:38
    but it was possible for somebody to smuggle
  • 5:38 - 5:41
    a USB drive in there, or something like that,
  • 5:41 - 5:44
    and software got in there that causes the centrifuges,
  • 5:44 - 5:47
    in that case, to actually destroy themselves.
  • 5:47 - 5:50
    Now that same kind of software could destroy an oil refinery
  • 5:50 - 5:54
    or a pharmaceutical factory or a semiconductor plant.
  • 5:54 - 5:57
    And so there's a lot of -- I'm sure you've read a lot in papers,
  • 5:57 - 6:00
    about worries about cyberattacks
  • 6:00 - 6:02
    and defenses against those.
  • 6:02 - 6:04
    But the fact is, people are mostly focused on
  • 6:04 - 6:06
    defending the computers on the Internet,
  • 6:06 - 6:09
    and there's been surprisingly little attention
  • 6:09 - 6:13
    to defending the Internet itself as a communications medium.
  • 6:13 - 6:15
    And I think we probably do need to pay
  • 6:15 - 6:18
    some more attention to that, because it's actually kind of fragile.
  • 6:18 - 6:21
    So actually, in the early days,
  • 6:21 - 6:23
    back when it was the ARPANET,
  • 6:23 - 6:26
    there were actually times -- there was a particular time it failed completely
  • 6:26 - 6:30
    because one single message processor
  • 6:30 - 6:32
    actually got a bug in it.
  • 6:32 - 6:34
    And the way the Internet works is
  • 6:34 - 6:38
    the routers are basically exchanging information
  • 6:38 - 6:41
    about how they can get messages to places,
  • 6:41 - 6:45
    and this one processor, because of a broken card,
  • 6:45 - 6:47
    decided it could actually get a message
  • 6:47 - 6:49
    to some place in negative time.
  • 6:49 - 6:53
    So, in other words, it claimed it could deliver a message before you sent it.
  • 6:53 - 6:56
    So of course, the fastest way to get a message anywhere
  • 6:56 - 6:58
    was to send it to this guy,
  • 6:58 - 7:02
    who would send it back in time and get it there super early,
  • 7:02 - 7:05
    so every message in the Internet
  • 7:05 - 7:08
    started getting switched through this one node,
  • 7:08 - 7:09
    and of course that clogged everything up.
  • 7:09 - 7:12
    Everything started breaking.
  • 7:12 - 7:14
    The interesting thing was, though,
  • 7:14 - 7:15
    that the sysadmins were able to fix it,
  • 7:15 - 7:20
    but they had to basically turn every single thing on the Internet off.
  • 7:20 - 7:22
    Now, of course you couldn't do that today.
  • 7:22 - 7:24
    I mean, everything off, it's like
  • 7:24 - 7:26
    the service call you get from the cable company,
  • 7:26 - 7:30
    except for the whole world.
  • 7:30 - 7:32
    Now, in fact, they couldn't do it for a lot of reasons today.
  • 7:32 - 7:35
    One of the reasons is a lot of their telephones
  • 7:35 - 7:38
    use IP protocol and use things like Skype and so on
  • 7:38 - 7:40
    that go through the Internet right now,
  • 7:40 - 7:43
    and so in fact we're becoming dependent on it
  • 7:43 - 7:45
    for more and more different things,
  • 7:45 - 7:48
    like when you take off from LAX,
  • 7:48 - 7:50
    you're really not thinking you're using the Internet.
  • 7:50 - 7:54
    When you pump gas, you really don't think you're using the Internet.
  • 7:54 - 7:56
    What's happening increasingly, though, is these systems
  • 7:56 - 7:58
    are beginning to use the Internet.
  • 7:58 - 8:01
    Most of them aren't based on the Internet yet,
  • 8:01 - 8:03
    but they're starting to use the Internet for service functions,
  • 8:03 - 8:05
    for administrative functions,
  • 8:05 - 8:08
    and so if you take something like the cell phone system,
  • 8:08 - 8:13
    which is still relatively independent of the Internet for the most part,
  • 8:13 - 8:16
    Internet pieces are beginning to sneak into it
  • 8:16 - 8:19
    in terms of some of the control and administrative functions,
  • 8:19 - 8:22
    and it's so tempting to use these same building blocks
  • 8:22 - 8:24
    because they work so well, they're cheap,
  • 8:24 - 8:25
    they're repeated, and so on.
  • 8:25 - 8:28
    So all of our systems, more and more,
  • 8:28 - 8:30
    are starting to use the same technology
  • 8:30 - 8:32
    and starting to depend on this technology.
  • 8:32 - 8:34
    And so even a modern rocket ship these days
  • 8:34 - 8:37
    actually uses Internet protocol to talk
  • 8:37 - 8:39
    from one end of the rocket ship to the other.
  • 8:39 - 8:42
    That's crazy. It was never designed to do things like that.
  • 8:42 - 8:45
    So we've built this system
  • 8:45 - 8:48
    where we understand all the parts of it,
  • 8:48 - 8:52
    but we're using it in a very, very different way than we expected to use it,
  • 8:52 - 8:54
    and it's gotten a very, very different scale
  • 8:54 - 8:56
    than it was designed for.
  • 8:56 - 8:59
    And in fact, nobody really exactly understands
  • 8:59 - 9:01
    all the things it's being used for right now.
  • 9:01 - 9:04
    It's turning into one of these big emergent systems
  • 9:04 - 9:07
    like the financial system, where we've designed all the parts
  • 9:07 - 9:10
    but nobody really exactly understands
  • 9:10 - 9:13
    how it operates and all the little details of it
  • 9:13 - 9:16
    and what kinds of emergent behaviors it can have.
  • 9:16 - 9:19
    And so if you hear an expert talking about the Internet
  • 9:19 - 9:22
    and saying it can do this, or it does do this, or it will do that,
  • 9:22 - 9:24
    you should treat it with the same skepticism
  • 9:24 - 9:29
    that you might treat the comments of an economist about the economy
  • 9:29 - 9:31
    or a weatherman about the weather, or something like that.
  • 9:31 - 9:33
    They have an informed opinion,
  • 9:33 - 9:36
    but it's changing so quickly that even the experts
  • 9:36 - 9:38
    don't know exactly what's going on.
  • 9:38 - 9:40
    So if you see one of these maps of the Internet,
  • 9:40 - 9:42
    it's just somebody's guess.
  • 9:42 - 9:44
    Nobody really knows what the Internet is right now
  • 9:44 - 9:47
    because it's different than it was an hour ago.
  • 9:47 - 9:50
    It's constantly changing. It's constantly reconfiguring.
  • 9:50 - 9:51
    And the problem with it is,
  • 9:51 - 9:55
    I think we are setting ourselves up for a kind of disaster
  • 9:55 - 9:58
    like the disaster we had in the financial system,
  • 9:58 - 10:03
    where we take a system that's basically built on trust,
  • 10:03 - 10:05
    was basically built for a smaller-scale system,
  • 10:05 - 10:08
    and we've kind of expanded it way beyond the limits
  • 10:08 - 10:10
    of how it was meant to operate.
  • 10:10 - 10:14
    And so right now, I think it's literally true
  • 10:14 - 10:17
    that we don't know what the consequences
  • 10:17 - 10:20
    of an effective denial-of-service attack
  • 10:20 - 10:21
    on the Internet would be,
  • 10:21 - 10:23
    and whatever it would be is going to be worse next year,
  • 10:23 - 10:25
    and worse next year, and so on.
  • 10:25 - 10:27
    But so what we need is a plan B.
  • 10:27 - 10:29
    There is no plan B right now.
  • 10:29 - 10:32
    There's no clear backup system that we've very carefully kept
  • 10:32 - 10:34
    to be independent of the Internet,
  • 10:34 - 10:37
    made out of completely different sets of building blocks.
  • 10:37 - 10:40
    So what we need is something that doesn't necessarily
  • 10:40 - 10:43
    have to have the performance of the Internet,
  • 10:43 - 10:45
    but the police department has to be able
  • 10:45 - 10:47
    to call up the fire department even without the Internet,
  • 10:47 - 10:50
    or the hospitals have to order fuel oil.
  • 10:50 - 10:54
    This doesn't need to be a multi-billion-dollar government project.
  • 10:54 - 10:57
    It's actually relatively simple to do, technically,
  • 10:57 - 11:01
    because it can use existing fibers that are in the ground,
  • 11:01 - 11:03
    existing wireless infrastructure.
  • 11:03 - 11:06
    It's basically a matter of deciding to do it.
  • 11:06 - 11:08
    But people won't decide to do it
  • 11:08 - 11:10
    until they recognize the need for it,
  • 11:10 - 11:12
    and that's the problem that we have right now.
  • 11:12 - 11:15
    So there's been plenty of people,
  • 11:15 - 11:18
    plenty of us have been quietly arguing
  • 11:18 - 11:21
    that we should have this independent system for years,
  • 11:21 - 11:24
    but it's very hard to get people focused on plan B
  • 11:24 - 11:27
    when plan A seems to be working so well.
  • 11:27 - 11:31
    So I think that, if people understand
  • 11:31 - 11:34
    how much we're starting to depend on the Internet,
  • 11:34 - 11:36
    and how vulnerable it is,
  • 11:36 - 11:38
    we could get focused on
  • 11:38 - 11:41
    just wanting this other system to exist,
  • 11:41 - 11:44
    and I think if enough people say, "Yeah, I would like to use it,
  • 11:44 - 11:47
    I'd like to have such a system," then it will get built.
  • 11:47 - 11:48
    It's not that hard a problem.
  • 11:48 - 11:52
    It could definitely be done by people in this room.
  • 11:52 - 11:56
    And so I think that this is actually,
  • 11:56 - 11:59
    of all the problems you're going to hear about at the conference,
  • 11:59 - 12:02
    this is probably one of the very easiest to fix.
  • 12:02 - 12:05
    So I'm happy to get a chance to tell you about it.
  • 12:05 - 12:07
    Thank you very much.
  • 12:07 - 12:11
    (Applause)
Title:
The Internet could crash. We need a Plan B
Speaker:
Danny Hillis
Description:

In the 1970s and 1980s, a generous spirit suffused the Internet, whose users were few and far between. But today, the net is ubiquitous, connecting billions of people, machines and essential pieces of infrastructure -- leaving us vulnerable to cyber-attack or meltdown. Internet pioneer Danny Hillis argues that the Internet wasn't designed for this kind of scale, and sounds a clarion call for us to develop a Plan B: a parallel system to fall back on should -- or when -- the Internet crashes.
more » « less
Video Language:
English
Team:
closed TED
Project:
TEDTalks
Duration:
12:31

English subtitles

Revisions Compare revisions

Our website uses cookies for analysis purposes.