1
00:00:00,603 --> 00:00:03,669
So, this book that I have in my hand

2
00:00:03,669 --> 00:00:07,603
is a directory of everybody who had an email address

3
00:00:07,603 --> 00:00:11,122
in 1982. (Laughter)

4
00:00:11,122 --> 00:00:14,807
Actually, it's deceptively large.

5
00:00:14,807 --> 00:00:18,244
There's actually only about 20 people on each page,

6
00:00:18,244 --> 00:00:20,134
because we have the name, address

7
00:00:20,134 --> 00:00:23,227
and telephone number of every single person.

8
00:00:23,227 --> 00:00:25,410
And, in fact, everybody's listed twice,

9
00:00:25,410 --> 00:00:29,968
because it's sorted once by name and once by email address.

10
00:00:29,968 --> 00:00:32,869
Obviously a very small community.

11
00:00:32,869 --> 00:00:36,300
There were only two other Dannys on the Internet then.

12
00:00:36,300 --> 00:00:37,900
I knew them both.

13
00:00:37,900 --> 00:00:39,656
We didn't all know each other,

14
00:00:39,656 --> 00:00:42,769
but we all kind of trusted each other,

15
00:00:42,769 --> 00:00:46,567
and that basic feeling of trust

16
00:00:46,567 --> 00:00:49,154
permeated the whole network,

17
00:00:49,154 --> 00:00:51,511
and there was a real sense that

18
00:00:51,511 --> 00:00:54,517
we could depend on each other to do things.

19
00:00:54,517 --> 00:00:58,092
So just to give you an idea of the level of trust in this community,

20
00:00:58,092 --> 00:00:59,717
let me tell you what it was like

21
00:00:59,717 --> 00:01:03,822
to register a domain name in the early days.

22
00:01:03,822 --> 00:01:06,452
Now, it just so happened that I got to register

23
00:01:06,452 --> 00:01:08,912
the third domain name on the Internet.

24
00:01:08,912 --> 00:01:10,560
So I could have anything I wanted

25
00:01:10,560 --> 00:01:15,005
other than bbn.com and symbolics.com.

26
00:01:15,005 --> 00:01:18,419
So I picked think.com, but then I thought,

27
00:01:18,419 --> 00:01:21,405
you know, there's a lot of really interesting names out there.

28
00:01:21,405 --> 00:01:25,614
Maybe I should register a few extras just in case.

29
00:01:25,614 --> 00:01:28,898
And then I thought, "Nah, that wouldn't be very nice."

30
00:01:28,898 --> 00:01:34,593
(Laughter)

31
00:01:34,593 --> 00:01:38,222
That attitude of only taking what you need

32
00:01:38,222 --> 00:01:42,266
was really what everybody had on the network in those days,

33
00:01:42,266 --> 00:01:45,563
and in fact, it wasn't just the people on the network,

34
00:01:45,563 --> 00:01:48,283
but it was actually kind of built into the protocols

35
00:01:48,283 --> 00:01:50,227
of the Internet itself.

36
00:01:50,227 --> 00:01:54,086
So the basic idea of I.P., or Internet protocol,

37
00:01:54,086 --> 00:01:57,815
and the way that the -- the routing algorithm that used it,

38
00:01:57,815 --> 00:02:01,944
were fundamentally "from each according to their ability,

39
00:02:01,944 --> 00:02:04,062
to each according to their need."

40
00:02:04,062 --> 00:02:07,075
And so, if you had some extra bandwidth,

41
00:02:07,075 --> 00:02:08,518
you'd deliver a message for someone.

42
00:02:08,518 --> 00:02:11,511
If they had some extra bandwidth, they would deliver a message for you.

43
00:02:11,511 --> 00:02:13,525
You'd kind of depend on people to do that,

44
00:02:13,525 --> 00:02:16,189
and that was the building block.

45
00:02:16,189 --> 00:02:18,816
It was actually interesting that such a communist principle

46
00:02:18,816 --> 00:02:21,252
was the basis of a system developed during the Cold War

47
00:02:21,252 --> 00:02:23,683
by the Defense Department,

48
00:02:23,683 --> 00:02:26,753
but it obviously worked really well,

49
00:02:26,753 --> 00:02:30,196
and we all saw what happened with the Internet.

50
00:02:30,196 --> 00:02:32,468
It was incredibly successful.

51
00:02:32,468 --> 00:02:35,765
In fact, it was so successful that there's no way

52
00:02:35,765 --> 00:02:39,353
that these days you could make a book like this.

53
00:02:39,353 --> 00:02:45,519
My rough calculation is it would be about 25 miles thick.

54
00:02:45,519 --> 00:02:46,693
But, of course, you couldn't do it,

55
00:02:46,693 --> 00:02:48,483
because we don't know the names of all the people

56
00:02:48,483 --> 00:02:51,557
with Internet or email addresses,

57
00:02:51,557 --> 00:02:53,089
and even if we did know their names,

58
00:02:53,089 --> 00:02:55,522
I'm pretty sure that they would not want their name,

59
00:02:55,522 --> 00:02:59,818
address and telephone number published to everyone.

60
00:02:59,818 --> 00:03:03,520
So the fact is that there's a lot of bad guys on the Internet these days,

61
00:03:03,520 --> 00:03:07,691
and so we dealt with that by making

62
00:03:07,691 --> 00:03:09,590
walled communities,

63
00:03:09,590 --> 00:03:14,327
secure subnetworks, VPNs,

64
00:03:14,327 --> 00:03:15,923
little things that aren't really the Internet

65
00:03:15,923 --> 00:03:17,894
but are made out of the same building blocks,

66
00:03:17,894 --> 00:03:20,134
but we're still basically building it out of those

67
00:03:20,134 --> 00:03:24,401
same building blocks with those same assumptions of trust.

68
00:03:24,401 --> 00:03:27,123
And that means that it's vulnerable

69
00:03:27,123 --> 00:03:29,519
to certain kinds of mistakes that can happen,

70
00:03:29,519 --> 00:03:31,380
or certain kinds of deliberate attacks,

71
00:03:31,380 --> 00:03:34,485
but even the mistakes can be bad.

72
00:03:34,485 --> 00:03:37,434
So, for instance,

73
00:03:37,434 --> 00:03:39,387
in all of Asia recently,

74
00:03:39,387 --> 00:03:42,820
it was impossible to get YouTube for a little while

75
00:03:42,820 --> 00:03:45,100
because Pakistan made some mistakes

76
00:03:45,100 --> 00:03:48,835
in how it was censoring YouTube in its internal network.

77
00:03:48,835 --> 00:03:51,929
They didn't intend to screw up Asia, but they did

78
00:03:51,929 --> 00:03:54,833
because of the way that the protocols work.

79
00:03:54,833 --> 00:03:58,057
Another example that may have affected many of you in this audience is,

80
00:03:58,057 --> 00:04:00,648
you may remember a couple of years ago,

81
00:04:00,648 --> 00:04:03,461
all the planes west of the Mississippi were grounded

82
00:04:03,461 --> 00:04:06,353
because a single routing card in Salt Lake City

83
00:04:06,353 --> 00:04:08,715
had a bug in it.

84
00:04:08,715 --> 00:04:10,988
Now, you don't really think

85
00:04:10,988 --> 00:04:14,014
that our airplane system depends on the Internet,

86
00:04:14,014 --> 00:04:15,020
and in some sense it doesn't.

87
00:04:15,020 --> 00:04:16,636
I'll come back to that later.

88
00:04:16,636 --> 00:04:18,886
But the fact is that people couldn't take off

89
00:04:18,886 --> 00:04:21,161
because something was going wrong on the Internet,

90
00:04:21,161 --> 00:04:23,736
and the router card was down.

91
00:04:23,736 --> 00:04:27,515
And so, there are many of those things that start to happen.

92
00:04:27,515 --> 00:04:30,654
Now, there was an interesting thing that happened last April.

93
00:04:30,654 --> 00:04:32,180
All of a sudden,

94
00:04:32,180 --> 00:04:35,512
a very large percentage of the traffic on the whole Internet,

95
00:04:35,512 --> 00:04:39,643
including a lot of the traffic between U.S. military installations,

96
00:04:39,643 --> 00:04:42,411
started getting re-routed through China.

97
00:04:42,411 --> 00:04:45,133
So for a few hours, it all passed through China.

98
00:04:45,133 --> 00:04:49,707
Now, China Telecom says it was just an honest mistake,

99
00:04:49,707 --> 00:04:53,564
and it is actually possible that it was, the way things work,

100
00:04:53,564 --> 00:04:55,599
but certainly somebody could make

101
00:04:55,599 --> 00:04:58,872
a dishonest mistake of that sort if they wanted to,

102
00:04:58,872 --> 00:05:02,230
and it shows you how vulnerable the system is even to mistakes.

103
00:05:02,230 --> 00:05:07,151
Imagine how vulnerable the system is to deliberate attacks.

104
00:05:07,151 --> 00:05:10,549
So if somebody really wanted to attack the United States

105
00:05:10,549 --> 00:05:12,641
or Western civilization these days,

106
00:05:12,641 --> 00:05:14,830
they're not going to do it with tanks.

107
00:05:14,830 --> 00:05:17,243
That will not succeed.

108
00:05:17,243 --> 00:05:19,246
What they'll probably do is something

109
00:05:19,246 --> 00:05:22,537
very much like the attack that happened

110
00:05:22,537 --> 00:05:25,244
on the Iranian nuclear facility.

111
00:05:25,244 --> 00:05:27,518
Nobody has claimed credit for that.

112
00:05:27,518 --> 00:05:31,025
There was basically a factory of industrial machines.

113
00:05:31,025 --> 00:05:33,602
It didn't think of itself as being on the Internet.

114
00:05:33,602 --> 00:05:36,189
It thought of itself as being disconnected from the Internet,

115
00:05:36,189 --> 00:05:38,136
but it was possible for somebody to smuggle

116
00:05:38,136 --> 00:05:40,668
a USB drive in there, or something like that,

117
00:05:40,668 --> 00:05:44,064
and software got in there that causes the centrifuges,

118
00:05:44,064 --> 00:05:47,057
in that case, to actually destroy themselves.

119
00:05:47,057 --> 00:05:49,723
Now that same kind of software could destroy an oil refinery

120
00:05:49,723 --> 00:05:54,145
or a pharmaceutical factory or a semiconductor plant.

121
00:05:54,145 --> 00:05:57,411
And so there's a lot of -- I'm sure you've read a lot in papers,

122
00:05:57,411 --> 00:05:59,602
about worries about cyberattacks

123
00:05:59,602 --> 00:06:02,212
and defenses against those.

124
00:06:02,212 --> 00:06:04,192
But the fact is, people are mostly focused on

125
00:06:04,192 --> 00:06:06,475
defending the computers on the Internet,

126
00:06:06,475 --> 00:06:08,861
and there's been surprisingly little attention

127
00:06:08,861 --> 00:06:13,226
to defending the Internet itself as a communications medium.

128
00:06:13,226 --> 00:06:15,089
And I think we probably do need to pay

129
00:06:15,089 --> 00:06:18,177
some more attention to that, because it's actually kind of fragile.

130
00:06:18,177 --> 00:06:21,104
So actually, in the early days,

131
00:06:21,104 --> 00:06:22,828
back when it was the ARPANET,

132
00:06:22,828 --> 00:06:26,417
there were actually times -- there was a particular time it failed completely

133
00:06:26,417 --> 00:06:29,702
because one single message processor

134
00:06:29,702 --> 00:06:32,178
actually got a bug in it.

135
00:06:32,178 --> 00:06:34,450
And the way the Internet works is

136
00:06:34,450 --> 00:06:38,017
the routers are basically exchanging information

137
00:06:38,017 --> 00:06:40,607
about how they can get messages to places,

138
00:06:40,607 --> 00:06:44,505
and this one processor, because of a broken card,

139
00:06:44,505 --> 00:06:46,514
decided it could actually get a message

140
00:06:46,514 --> 00:06:49,202
to some place in negative time.

141
00:06:49,202 --> 00:06:53,185
So, in other words, it claimed it could deliver a message before you sent it.

142
00:06:53,185 --> 00:06:56,335
So of course, the fastest way to get a message anywhere

143
00:06:56,335 --> 00:06:58,211
was to send it to this guy,

144
00:06:58,211 --> 00:07:01,758
who would send it back in time and get it there super early,

145
00:07:01,758 --> 00:07:04,614
so every message in the Internet

146
00:07:04,614 --> 00:07:07,856
started getting switched through this one node,

147
00:07:07,856 --> 00:07:09,372
and of course that clogged everything up.

148
00:07:09,372 --> 00:07:11,527
Everything started breaking.

149
00:07:11,527 --> 00:07:13,567
The interesting thing was, though,

150
00:07:13,567 --> 00:07:15,407
that the sysadmins were able to fix it,

151
00:07:15,407 --> 00:07:20,189
but they had to basically turn every single thing on the Internet off.

152
00:07:20,189 --> 00:07:21,587
Now, of course you couldn't do that today.

153
00:07:21,587 --> 00:07:23,981
I mean, everything off, it's like

154
00:07:23,981 --> 00:07:26,213
the service call you get from the cable company,

155
00:07:26,213 --> 00:07:29,974
except for the whole world.

156
00:07:29,974 --> 00:07:32,033
Now, in fact, they couldn't do it for a lot of reasons today.

157
00:07:32,033 --> 00:07:34,655
One of the reasons is a lot of their telephones

158
00:07:34,655 --> 00:07:37,624
use IP protocol and use things like Skype and so on

159
00:07:37,624 --> 00:07:39,693
that go through the Internet right now,

160
00:07:39,693 --> 00:07:42,975
and so in fact we're becoming dependent on it

161
00:07:42,975 --> 00:07:44,767
for more and more different things,

162
00:07:44,767 --> 00:07:47,705
like when you take off from LAX,

163
00:07:47,705 --> 00:07:49,586
you're really not thinking you're using the Internet.

164
00:07:49,586 --> 00:07:53,702
When you pump gas, you really don't think you're using the Internet.

165
00:07:53,702 --> 00:07:55,827
What's happening increasingly, though, is these systems

166
00:07:55,827 --> 00:07:57,694
are beginning to use the Internet.

167
00:07:57,694 --> 00:08:00,744
Most of them aren't based on the Internet yet,

168
00:08:00,744 --> 00:08:03,280
but they're starting to use the Internet for service functions,

169
00:08:03,280 --> 00:08:05,185
for administrative functions,

170
00:08:05,185 --> 00:08:08,248
and so if you take something like the cell phone system,

171
00:08:08,248 --> 00:08:12,568
which is still relatively independent of the Internet for the most part,

172
00:08:12,568 --> 00:08:15,527
Internet pieces are beginning to sneak into it

173
00:08:15,527 --> 00:08:19,331
in terms of some of the control and administrative functions,

174
00:08:19,331 --> 00:08:21,661
and it's so tempting to use these same building blocks

175
00:08:21,661 --> 00:08:23,925
because they work so well, they're cheap,

176
00:08:23,925 --> 00:08:25,025
they're repeated, and so on.

177
00:08:25,025 --> 00:08:27,797
So all of our systems, more and more,

178
00:08:27,797 --> 00:08:29,577
are starting to use the same technology

179
00:08:29,577 --> 00:08:31,644
and starting to depend on this technology.

180
00:08:31,644 --> 00:08:34,069
And so even a modern rocket ship these days

181
00:08:34,069 --> 00:08:36,795
actually uses Internet protocol to talk

182
00:08:36,795 --> 00:08:38,611
from one end of the rocket ship to the other.

183
00:08:38,611 --> 00:08:41,797
That's crazy. It was never designed to do things like that.

184
00:08:41,797 --> 00:08:44,914
So we've built this system

185
00:08:44,914 --> 00:08:48,024
where we understand all the parts of it,

186
00:08:48,024 --> 00:08:51,722
but we're using it in a very, very different way than we expected to use it,

187
00:08:51,722 --> 00:08:54,161
and it's gotten a very, very different scale

188
00:08:54,161 --> 00:08:56,332
than it was designed for.

189
00:08:56,332 --> 00:08:59,008
And in fact, nobody really exactly understands

190
00:08:59,008 --> 00:09:01,271
all the things it's being used for right now.

191
00:09:01,271 --> 00:09:03,774
It's turning into one of these big emergent systems

192
00:09:03,774 --> 00:09:07,255
like the financial system, where we've designed all the parts

193
00:09:07,255 --> 00:09:09,861
but nobody really exactly understands

194
00:09:09,861 --> 00:09:13,088
how it operates and all the little details of it

195
00:09:13,088 --> 00:09:15,807
and what kinds of emergent behaviors it can have.

196
00:09:15,807 --> 00:09:18,940
And so if you hear an expert talking about the Internet

197
00:09:18,940 --> 00:09:21,635
and saying it can do this, or it does do this, or it will do that,

198
00:09:21,635 --> 00:09:24,096
you should treat it with the same skepticism

199
00:09:24,096 --> 00:09:28,511
that you might treat the comments of an economist about the economy

200
00:09:28,511 --> 00:09:30,778
or a weatherman about the weather, or something like that.

201
00:09:30,778 --> 00:09:33,426
They have an informed opinion,

202
00:09:33,426 --> 00:09:35,967
but it's changing so quickly that even the experts

203
00:09:35,967 --> 00:09:37,785
don't know exactly what's going on.

204
00:09:37,785 --> 00:09:40,477
So if you see one of these maps of the Internet,

205
00:09:40,477 --> 00:09:42,143
it's just somebody's guess.

206
00:09:42,143 --> 00:09:44,341
Nobody really knows what the Internet is right now

207
00:09:44,341 --> 00:09:47,082
because it's different than it was an hour ago.

208
00:09:47,082 --> 00:09:49,883
It's constantly changing. It's constantly reconfiguring.

209
00:09:49,883 --> 00:09:51,397
And the problem with it is,

210
00:09:51,397 --> 00:09:54,738
I think we are setting ourselves up for a kind of disaster

211
00:09:54,738 --> 00:09:57,533
like the disaster we had in the financial system,

212
00:09:57,533 --> 00:10:02,877
where we take a system that's basically built on trust,

213
00:10:02,877 --> 00:10:05,498
was basically built for a smaller-scale system,

214
00:10:05,498 --> 00:10:08,407
and we've kind of expanded it way beyond the limits

215
00:10:08,407 --> 00:10:10,403
of how it was meant to operate.

216
00:10:10,403 --> 00:10:13,671
And so right now, I think it's literally true

217
00:10:13,671 --> 00:10:17,176
that we don't know what the consequences

218
00:10:17,176 --> 00:10:19,610
of an effective denial-of-service attack

219
00:10:19,610 --> 00:10:21,383
on the Internet would be,

220
00:10:21,383 --> 00:10:23,257
and whatever it would be is going to be worse next year,

221
00:10:23,257 --> 00:10:24,665
and worse next year, and so on.

222
00:10:24,665 --> 00:10:27,214
But so what we need is a plan B.

223
00:10:27,214 --> 00:10:28,846
There is no plan B right now.

224
00:10:28,846 --> 00:10:32,349
There's no clear backup system that we've very carefully kept

225
00:10:32,349 --> 00:10:34,295
to be independent of the Internet,

226
00:10:34,295 --> 00:10:37,361
made out of completely different sets of building blocks.

227
00:10:37,361 --> 00:10:40,374
So what we need is something that doesn't necessarily

228
00:10:40,374 --> 00:10:43,108
have to have the performance of the Internet,

229
00:10:43,108 --> 00:10:44,625
but the police department has to be able

230
00:10:44,625 --> 00:10:47,148
to call up the fire department even without the Internet,

231
00:10:47,148 --> 00:10:49,713
or the hospitals have to order fuel oil.

232
00:10:49,713 --> 00:10:54,327
This doesn't need to be a multi-billion-dollar government project.

233
00:10:54,327 --> 00:10:57,075
It's actually relatively simple to do, technically,

234
00:10:57,075 --> 00:11:00,877
because it can use existing fibers that are in the ground,

235
00:11:00,877 --> 00:11:02,836
existing wireless infrastructure.

236
00:11:02,836 --> 00:11:05,601
It's basically a matter of deciding to do it.

237
00:11:05,601 --> 00:11:08,085
But people won't decide to do it

238
00:11:08,085 --> 00:11:10,464
until they recognize the need for it,

239
00:11:10,464 --> 00:11:11,962
and that's the problem that we have right now.

240
00:11:11,962 --> 00:11:14,745
So there's been plenty of people,

241
00:11:14,745 --> 00:11:17,789
plenty of us have been quietly arguing

242
00:11:17,789 --> 00:11:20,707
that we should have this independent system for years,

243
00:11:20,707 --> 00:11:23,716
but it's very hard to get people focused on plan B

244
00:11:23,716 --> 00:11:27,390
when plan A seems to be working so well.

245
00:11:27,390 --> 00:11:30,819
So I think that, if people understand

246
00:11:30,819 --> 00:11:33,873
how much we're starting to depend on the Internet,

247
00:11:33,873 --> 00:11:35,850
and how vulnerable it is,

248
00:11:35,850 --> 00:11:37,956
we could get focused on

249
00:11:37,956 --> 00:11:40,980
just wanting this other system to exist,

250
00:11:40,980 --> 00:11:44,057
and I think if enough people say, "Yeah, I would like to use it,

251
00:11:44,057 --> 00:11:47,067
I'd like to have such a system," then it will get built.

252
00:11:47,067 --> 00:11:48,490
It's not that hard a problem.

253
00:11:48,490 --> 00:11:51,725
It could definitely be done by people in this room.

254
00:11:51,725 --> 00:11:56,084
And so I think that this is actually,

255
00:11:56,084 --> 00:11:59,263
of all the problems you're going to hear about at the conference,

256
00:11:59,263 --> 00:12:01,941
this is probably one of the very easiest to fix.

257
00:12:01,941 --> 00:12:04,708
So I'm happy to get a chance to tell you about it.

258
00:12:04,708 --> 00:12:07,319
Thank you very much.

259
00:12:07,319 --> 00:12:11,173
(Applause)