Most people must assume that theres some agency in charge of the Internet, someone who can enforce rules and impose new standards. Of course there isnt.
Partly its from misleading representations of technology on TV and the movies. I especially remember one "Law&Order" episode in which the NYPD computer guru ran a "tracert" program that identified who had sent an e-mail down to the address of their house. Neat trick.
Real forensics is expensive and time-consuming, and there is one person capable of doing it for every million or so attacks. In other words, the criminals are in charge. They set the agenda. The fact that those who are intelligent and resourceful can defend themselves doesnt change the fact that its a state of nature out there; it underscores it.
Every now and then Internet criminals do get caught, and there have been a few high-profile examples recently: The Swedish perpetrator of the "hack of the year" was busted in a dramatic raid on his apartment. Dan Egerstad, a security consultant, had compromised diplomatic communications and hijacked a large number of sensitive government e-mail accounts.
And just about a week ago a large-scale bot herder pleaded guilty to a variety of fraud charges for assembling a botnet of a quarter million PCs to gather PayPal credentials and other personal information. As the story says, this is "the first prosecution of its kind in the nation," and thats the telling fact. These people generally get away with it, even if their attacks are thwarted.
WabiSabiLabis founder, Roberto Preatoni, is jailed on spying charges. Click here to read more.
The recent Internet Governance Forum in Brazil doesnt impress me as something thats going to change that situation much. For one thing, its run by the U.N. I know a lot of people dont like the United States having any authority over the Internet, although the scope of the U.S. governments authority is usually overstated, but Great Turings Ghost! What a corrupt mess the U.N. would make of it! Ill leave the Internet in George Bushs hands any day of the week if the U.N. is the alternative.
The real operative goal of the IGF of course is a limited one, similar to conferences held all the time through standards bodies online on mailing lists and at RSA, for example. Gadi Evrons report from the Rio IGF, for example, indicates that the Chinese really do care about the explosion of malicious attacks emanating from their networks. Whod have thunk it? One would hope that those in authority would see that their networks will be disadvantaged if they are not trusted, so maybe theres hope for China, but Im not putting money on it.
The truth of governance on the Internet, as Vint Cerf said at the IGF, is that its almost entirely privately owned. The rules are what the owners and users agree they are. Cerf argued for a governance model that takes multiple stakeholders into account, an approach that ICANN has taken in his tenure and which has resulted, at its best, in a stalemate. Bring in enough stakeholders and someone powerful enough will impede progress.
Real authority on the Internet only derives from the broadest of consensus, and often its entirely commercial. Governing bodies include standards bodies, large companies, and certain powerful and influential individuals. No academic or standards body created video on the Internet; it came entirely from private companies pushing their own standards to further their own interests, and the outcome has largely been positive. There are many choices and steady progress. Same with voice over IP, for the most part.
And security? Nobody sets rules, even when theres broad consensus that change is necessary. Look at e-mail, which just about everyone agrees is fundamentally broken. If its ever going to get better, it will take many years to do so, and its not at all clear how it will change. The problems with e-mail are the most important ones that should face "Internet governance," and the feds have failed.
One day someone may have enough clout to fix whats broken with the Internet. But would it be worth it?
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack
More from Larry Seltzer