0:00:00.603,0:00:03.669
So, this book that I have in my hand

0:00:03.669,0:00:07.603
is a directory of everybody who had an email address

0:00:07.603,0:00:11.122
in 1982. (Laughter)

0:00:11.122,0:00:14.807
Actually, it's deceptively large.

0:00:14.807,0:00:18.244
There's actually only about 20 people on each page,

0:00:18.244,0:00:20.134
because we have the name, address

0:00:20.134,0:00:23.227
and telephone number of every single person.

0:00:23.227,0:00:25.410
And, in fact, everybody's listed twice,

0:00:25.410,0:00:29.968
because it's sorted once by name and once by email address.

0:00:29.968,0:00:32.869
Obviously a very small community.

0:00:32.869,0:00:36.300
There were only two other Dannys on the Internet then.

0:00:36.300,0:00:37.900
I knew them both.

0:00:37.900,0:00:39.656
We didn't all know each other,

0:00:39.656,0:00:42.769
but we all kind of trusted each other,

0:00:42.769,0:00:46.567
and that basic feeling of trust

0:00:46.567,0:00:49.154
permeated the whole network,

0:00:49.154,0:00:51.511
and there was a real sense that

0:00:51.511,0:00:54.517
we could depend on each other to do things.

0:00:54.517,0:00:58.092
So just to give you an idea of the level of trust in this community,

0:00:58.092,0:00:59.717
let me tell you what it was like

0:00:59.717,0:01:03.822
to register a domain name in the early days.

0:01:03.822,0:01:06.452
Now, it just so happened that I got to register

0:01:06.452,0:01:08.912
the third domain name on the Internet.

0:01:08.912,0:01:10.560
So I could have anything I wanted

0:01:10.560,0:01:15.005
other than bbn.com and symbolics.com.

0:01:15.005,0:01:18.419
So I picked think.com, but then I thought,

0:01:18.419,0:01:21.405
you know, there's a lot of really interesting names out there.

0:01:21.405,0:01:25.614
Maybe I should register a few extras just in case.

0:01:25.614,0:01:28.898
And then I thought, "Nah, that wouldn't be very nice."

0:01:28.898,0:01:34.593
(Laughter)

0:01:34.593,0:01:38.222
That attitude of only taking what you need

0:01:38.222,0:01:42.266
was really what everybody had on the network in those days,

0:01:42.266,0:01:45.563
and in fact, it wasn't just the people on the network,

0:01:45.563,0:01:48.283
but it was actually kind of built into the protocols

0:01:48.283,0:01:50.227
of the Internet itself.

0:01:50.227,0:01:54.086
So the basic idea of I.P., or Internet protocol,

0:01:54.086,0:01:57.815
and the way that the -- the routing algorithm that used it,

0:01:57.815,0:02:01.944
were fundamentally "from each according to their ability,

0:02:01.944,0:02:04.062
to each according to their need."

0:02:04.062,0:02:07.075
And so, if you had some extra bandwidth,

0:02:07.075,0:02:08.518
you'd deliver a message for someone.

0:02:08.518,0:02:11.511
If they had some extra bandwidth, they would deliver a message for you.

0:02:11.511,0:02:13.525
You'd kind of depend on people to do that,

0:02:13.525,0:02:16.189
and that was the building block.

0:02:16.189,0:02:18.816
It was actually interesting that such a communist principle

0:02:18.816,0:02:21.252
was the basis of a system developed during the Cold War

0:02:21.252,0:02:23.683
by the Defense Department,

0:02:23.683,0:02:26.753
but it obviously worked really well,

0:02:26.753,0:02:30.196
and we all saw what happened with the Internet.

0:02:30.196,0:02:32.468
It was incredibly successful.

0:02:32.468,0:02:35.765
In fact, it was so successful that there's no way

0:02:35.765,0:02:39.353
that these days you could make a book like this.

0:02:39.353,0:02:45.519
My rough calculation is it would be about 25 miles thick.

0:02:45.519,0:02:46.693
But, of course, you couldn't do it,

0:02:46.693,0:02:48.483
because we don't know the names of all the people

0:02:48.483,0:02:51.557
with Internet or email addresses,

0:02:51.557,0:02:53.089
and even if we did know their names,

0:02:53.089,0:02:55.522
I'm pretty sure that they would not want their name,

0:02:55.522,0:02:59.818
address and telephone number published to everyone.

0:02:59.818,0:03:03.520
So the fact is that there's a lot of bad guys on the Internet these days,

0:03:03.520,0:03:07.691
and so we dealt with that by making

0:03:07.691,0:03:09.590
walled communities,

0:03:09.590,0:03:14.327
secure subnetworks, VPNs,

0:03:14.327,0:03:15.923
little things that aren't really the Internet

0:03:15.923,0:03:17.894
but are made out of the same building blocks,

0:03:17.894,0:03:20.134
but we're still basically building it out of those

0:03:20.134,0:03:24.401
same building blocks with those same assumptions of trust.

0:03:24.401,0:03:27.123
And that means that it's vulnerable

0:03:27.123,0:03:29.519
to certain kinds of mistakes that can happen,

0:03:29.519,0:03:31.380
or certain kinds of deliberate attacks,

0:03:31.380,0:03:34.485
but even the mistakes can be bad.

0:03:34.485,0:03:37.434
So, for instance,

0:03:37.434,0:03:39.387
in all of Asia recently,

0:03:39.387,0:03:42.820
it was impossible to get YouTube for a little while

0:03:42.820,0:03:45.100
because Pakistan made some mistakes

0:03:45.100,0:03:48.835
in how it was censoring YouTube in its internal network.

0:03:48.835,0:03:51.929
They didn't intend to screw up Asia, but they did

0:03:51.929,0:03:54.833
because of the way that the protocols work.

0:03:54.833,0:03:58.057
Another example that may have affected many of you in this audience is,

0:03:58.057,0:04:00.648
you may remember a couple of years ago,

0:04:00.648,0:04:03.461
all the planes west of the Mississippi were grounded

0:04:03.461,0:04:06.353
because a single routing card in Salt Lake City

0:04:06.353,0:04:08.715
had a bug in it.

0:04:08.715,0:04:10.988
Now, you don't really think

0:04:10.988,0:04:14.014
that our airplane system depends on the Internet,

0:04:14.014,0:04:15.020
and in some sense it doesn't.

0:04:15.020,0:04:16.636
I'll come back to that later.

0:04:16.636,0:04:18.886
But the fact is that people couldn't take off

0:04:18.886,0:04:21.161
because something was going wrong on the Internet,

0:04:21.161,0:04:23.736
and the router card was down.

0:04:23.736,0:04:27.515
And so, there are many of those things that start to happen.

0:04:27.515,0:04:30.654
Now, there was an interesting thing that happened last April.

0:04:30.654,0:04:32.180
All of a sudden,

0:04:32.180,0:04:35.512
a very large percentage of the traffic on the whole Internet,

0:04:35.512,0:04:39.643
including a lot of the traffic between U.S. military installations,

0:04:39.643,0:04:42.411
started getting re-routed through China.

0:04:42.411,0:04:45.133
So for a few hours, it all passed through China.

0:04:45.133,0:04:49.707
Now, China Telecom says it was just an honest mistake,

0:04:49.707,0:04:53.564
and it is actually possible that it was, the way things work,

0:04:53.564,0:04:55.599
but certainly somebody could make

0:04:55.599,0:04:58.872
a dishonest mistake of that sort if they wanted to,

0:04:58.872,0:05:02.230
and it shows you how vulnerable the system is even to mistakes.

0:05:02.230,0:05:07.151
Imagine how vulnerable the system is to deliberate attacks.

0:05:07.151,0:05:10.549
So if somebody really wanted to attack the United States

0:05:10.549,0:05:12.641
or Western civilization these days,

0:05:12.641,0:05:14.830
they're not going to do it with tanks.

0:05:14.830,0:05:17.243
That will not succeed.

0:05:17.243,0:05:19.246
What they'll probably do is something

0:05:19.246,0:05:22.537
very much like the attack that happened

0:05:22.537,0:05:25.244
on the Iranian nuclear facility.

0:05:25.244,0:05:27.518
Nobody has claimed credit for that.

0:05:27.518,0:05:31.025
There was basically a factory of industrial machines.

0:05:31.025,0:05:33.602
It didn't think of itself as being on the Internet.

0:05:33.602,0:05:36.189
It thought of itself as being disconnected from the Internet,

0:05:36.189,0:05:38.136
but it was possible for somebody to smuggle

0:05:38.136,0:05:40.668
a USB drive in there, or something like that,

0:05:40.668,0:05:44.064
and software got in there that causes the centrifuges,

0:05:44.064,0:05:47.057
in that case, to actually destroy themselves.

0:05:47.057,0:05:49.723
Now that same kind of software could destroy an oil refinery

0:05:49.723,0:05:54.145
or a pharmaceutical factory or a semiconductor plant.

0:05:54.145,0:05:57.411
And so there's a lot of -- I'm sure you've read a lot in papers,

0:05:57.411,0:05:59.602
about worries about cyberattacks

0:05:59.602,0:06:02.212
and defenses against those.

0:06:02.212,0:06:04.192
But the fact is, people are mostly focused on

0:06:04.192,0:06:06.475
defending the computers on the Internet,

0:06:06.475,0:06:08.861
and there's been surprisingly little attention

0:06:08.861,0:06:13.226
to defending the Internet itself as a communications medium.

0:06:13.226,0:06:15.089
And I think we probably do need to pay

0:06:15.089,0:06:18.177
some more attention to that, because it's actually kind of fragile.

0:06:18.177,0:06:21.104
So actually, in the early days,

0:06:21.104,0:06:22.828
back when it was the ARPANET,

0:06:22.828,0:06:26.417
there were actually times -- there was a particular time it failed completely

0:06:26.417,0:06:29.702
because one single message processor

0:06:29.702,0:06:32.178
actually got a bug in it.

0:06:32.178,0:06:34.450
And the way the Internet works is

0:06:34.450,0:06:38.017
the routers are basically exchanging information

0:06:38.017,0:06:40.607
about how they can get messages to places,

0:06:40.607,0:06:44.505
and this one processor, because of a broken card,

0:06:44.505,0:06:46.514
decided it could actually get a message

0:06:46.514,0:06:49.202
to some place in negative time.

0:06:49.202,0:06:53.185
So, in other words, it claimed it could deliver a message before you sent it.

0:06:53.185,0:06:56.335
So of course, the fastest way to get a message anywhere

0:06:56.335,0:06:58.211
was to send it to this guy,

0:06:58.211,0:07:01.758
who would send it back in time and get it there super early,

0:07:01.758,0:07:04.614
so every message in the Internet

0:07:04.614,0:07:07.856
started getting switched through this one node,

0:07:07.856,0:07:09.372
and of course that clogged everything up.

0:07:09.372,0:07:11.527
Everything started breaking.

0:07:11.527,0:07:13.567
The interesting thing was, though,

0:07:13.567,0:07:15.407
that the sysadmins were able to fix it,

0:07:15.407,0:07:20.189
but they had to basically turn every single thing on the Internet off.

0:07:20.189,0:07:21.587
Now, of course you couldn't do that today.

0:07:21.587,0:07:23.981
I mean, everything off, it's like

0:07:23.981,0:07:26.213
the service call you get from the cable company,

0:07:26.213,0:07:29.974
except for the whole world.

0:07:29.974,0:07:32.033
Now, in fact, they couldn't do it for a lot of reasons today.

0:07:32.033,0:07:34.655
One of the reasons is a lot of their telephones

0:07:34.655,0:07:37.624
use IP protocol and use things like Skype and so on

0:07:37.624,0:07:39.693
that go through the Internet right now,

0:07:39.693,0:07:42.975
and so in fact we're becoming dependent on it

0:07:42.975,0:07:44.767
for more and more different things,

0:07:44.767,0:07:47.705
like when you take off from LAX,

0:07:47.705,0:07:49.586
you're really not thinking you're using the Internet.

0:07:49.586,0:07:53.702
When you pump gas, you really don't think you're using the Internet.

0:07:53.702,0:07:55.827
What's happening increasingly, though, is these systems

0:07:55.827,0:07:57.694
are beginning to use the Internet.

0:07:57.694,0:08:00.744
Most of them aren't based on the Internet yet,

0:08:00.744,0:08:03.280
but they're starting to use the Internet for service functions,

0:08:03.280,0:08:05.185
for administrative functions,

0:08:05.185,0:08:08.248
and so if you take something like the cell phone system,

0:08:08.248,0:08:12.568
which is still relatively independent of the Internet for the most part,

0:08:12.568,0:08:15.527
Internet pieces are beginning to sneak into it

0:08:15.527,0:08:19.331
in terms of some of the control and administrative functions,

0:08:19.331,0:08:21.661
and it's so tempting to use these same building blocks

0:08:21.661,0:08:23.925
because they work so well, they're cheap,

0:08:23.925,0:08:25.025
they're repeated, and so on.

0:08:25.025,0:08:27.797
So all of our systems, more and more,

0:08:27.797,0:08:29.577
are starting to use the same technology

0:08:29.577,0:08:31.644
and starting to depend on this technology.

0:08:31.644,0:08:34.069
And so even a modern rocket ship these days

0:08:34.069,0:08:36.795
actually uses Internet protocol to talk

0:08:36.795,0:08:38.611
from one end of the rocket ship to the other.

0:08:38.611,0:08:41.797
That's crazy. It was never designed to do things like that.

0:08:41.797,0:08:44.914
So we've built this system

0:08:44.914,0:08:48.024
where we understand all the parts of it,

0:08:48.024,0:08:51.722
but we're using it in a very, very different way than we expected to use it,

0:08:51.722,0:08:54.161
and it's gotten a very, very different scale

0:08:54.161,0:08:56.332
than it was designed for.

0:08:56.332,0:08:59.008
And in fact, nobody really exactly understands

0:08:59.008,0:09:01.271
all the things it's being used for right now.

0:09:01.271,0:09:03.774
It's turning into one of these big emergent systems

0:09:03.774,0:09:07.255
like the financial system, where we've designed all the parts

0:09:07.255,0:09:09.861
but nobody really exactly understands

0:09:09.861,0:09:13.088
how it operates and all the little details of it

0:09:13.088,0:09:15.807
and what kinds of emergent behaviors it can have.

0:09:15.807,0:09:18.940
And so if you hear an expert talking about the Internet

0:09:18.940,0:09:21.635
and saying it can do this, or it does do this, or it will do that,

0:09:21.635,0:09:24.096
you should treat it with the same skepticism

0:09:24.096,0:09:28.511
that you might treat the comments of an economist about the economy

0:09:28.511,0:09:30.778
or a weatherman about the weather, or something like that.

0:09:30.778,0:09:33.426
They have an informed opinion,

0:09:33.426,0:09:35.967
but it's changing so quickly that even the experts

0:09:35.967,0:09:37.785
don't know exactly what's going on.

0:09:37.785,0:09:40.477
So if you see one of these maps of the Internet,

0:09:40.477,0:09:42.143
it's just somebody's guess.

0:09:42.143,0:09:44.341
Nobody really knows what the Internet is right now

0:09:44.341,0:09:47.082
because it's different than it was an hour ago.

0:09:47.082,0:09:49.883
It's constantly changing. It's constantly reconfiguring.

0:09:49.883,0:09:51.397
And the problem with it is,

0:09:51.397,0:09:54.738
I think we are setting ourselves up for a kind of disaster

0:09:54.738,0:09:57.533
like the disaster we had in the financial system,

0:09:57.533,0:10:02.877
where we take a system that's basically built on trust,

0:10:02.877,0:10:05.498
was basically built for a smaller-scale system,

0:10:05.498,0:10:08.407
and we've kind of expanded it way beyond the limits

0:10:08.407,0:10:10.403
of how it was meant to operate.

0:10:10.403,0:10:13.671
And so right now, I think it's literally true

0:10:13.671,0:10:17.176
that we don't know what the consequences

0:10:17.176,0:10:19.610
of an effective denial-of-service attack

0:10:19.610,0:10:21.383
on the Internet would be,

0:10:21.383,0:10:23.257
and whatever it would be is going to be worse next year,

0:10:23.257,0:10:24.665
and worse next year, and so on.

0:10:24.665,0:10:27.214
But so what we need is a plan B.

0:10:27.214,0:10:28.846
There is no plan B right now.

0:10:28.846,0:10:32.349
There's no clear backup system that we've very carefully kept

0:10:32.349,0:10:34.295
to be independent of the Internet,

0:10:34.295,0:10:37.361
made out of completely different sets of building blocks.

0:10:37.361,0:10:40.374
So what we need is something that doesn't necessarily

0:10:40.374,0:10:43.108
have to have the performance of the Internet,

0:10:43.108,0:10:44.625
but the police department has to be able

0:10:44.625,0:10:47.148
to call up the fire department even without the Internet,

0:10:47.148,0:10:49.713
or the hospitals have to order fuel oil.

0:10:49.713,0:10:54.327
This doesn't need to be a multi-billion-dollar government project.

0:10:54.327,0:10:57.075
It's actually relatively simple to do, technically,

0:10:57.075,0:11:00.877
because it can use existing fibers that are in the ground,

0:11:00.877,0:11:02.836
existing wireless infrastructure.

0:11:02.836,0:11:05.601
It's basically a matter of deciding to do it.

0:11:05.601,0:11:08.085
But people won't decide to do it

0:11:08.085,0:11:10.464
until they recognize the need for it,

0:11:10.464,0:11:11.962
and that's the problem that we have right now.

0:11:11.962,0:11:14.745
So there's been plenty of people,

0:11:14.745,0:11:17.789
plenty of us have been quietly arguing

0:11:17.789,0:11:20.707
that we should have this independent system for years,

0:11:20.707,0:11:23.716
but it's very hard to get people focused on plan B

0:11:23.716,0:11:27.390
when plan A seems to be working so well.

0:11:27.390,0:11:30.819
So I think that, if people understand

0:11:30.819,0:11:33.873
how much we're starting to depend on the Internet,

0:11:33.873,0:11:35.850
and how vulnerable it is,

0:11:35.850,0:11:37.956
we could get focused on

0:11:37.956,0:11:40.980
just wanting this other system to exist,

0:11:40.980,0:11:44.057
and I think if enough people say, "Yeah, I would like to use it,

0:11:44.057,0:11:47.067
I'd like to have such a system," then it will get built.

0:11:47.067,0:11:48.490
It's not that hard a problem.

0:11:48.490,0:11:51.725
It could definitely be done by people in this room.

0:11:51.725,0:11:56.084
And so I think that this is actually,

0:11:56.084,0:11:59.263
of all the problems you're going to hear about at the conference,

0:11:59.263,0:12:01.941
this is probably one of the very easiest to fix.

0:12:01.941,0:12:04.708
So I'm happy to get a chance to tell you about it.

0:12:04.708,0:12:07.319
Thank you very much.

0:12:07.319,0:12:11.173
(Applause)