In the video above, Sharon Goldberg, a CAS assistant professor of computer science, explains how information makes its way around the internet, securely and insecurely. Photo by Jackie Ricciardi

Physicians can now adjust pacemakers wirelessly, a helpful innovation that also makes it possible to kill someone by hacking into the device. We can pay bills online, but that convenience also comes with a cost: in 2014, hackers accessed the accounts of 83 million clients of JPMorgan Chase. The United States military defense, power utilities, and water treatment plants, among other critical systems, are all digital, and while that technology improves efficiency, it exposes our country’s infrastructure to cyber attacks.

The same technology that powers many of society’s greatest scientific advancements brings with it vulnerabilities that impact every aspect of our lives, from our bodies, to our bank accounts, to our national security. The liability is built into the internet, which was devised in the 1960s as an open-access platform for research. It’s the open-access architecture that now makes internet security seem like an oxymoron.

The internet has become so critical to our society that addressing its weaknesses is like “operating on a live patient,” says Mark Crovella, chair of the computer science department at the College of Arts & Sciences, where computer scientists are taking on the challenge of securing a platform designed for open access, while protecting our liberties.

PLUMBING PROBLEMS

We don’t often think about what happens when we hit “send,” but the internet’s architecture determines whether our emails end up where we want them to go. And it’s easier than you might think to mess with that architecture. In 2010, a Chinese service provider hijacked the internet, stealing 15 percent of the world’s traffic for 18 minutes. The stolen traffic included communications meant for the Pentagon, the US Senate, and the office of the Secretary of Defense, as well as other networks like Microsoft and Yahoo. And while China claimed that the hijacking was an accident (an assertion impossible to verify), the incident revealed deeply embedded flaws in the internet’s architecture.

The internet is composed of tens of thousands of independently operated networks (a large employer might be one network; Verizon, another) interconnected via the Border Gateway Protocol (BGP). Every computer in every network has a unique Internet Protocol (IP) address, like every phone has a number. In the absence of a central internet authority, the system functions on trust: there’s no way to prevent networks from lying about the addresses they own, so one network can hijack another’s traffic just by claiming its addresses—it’s almost as if you told the post office you owned your neighbor’s house and asked it to deliver all the mail for that address to you. Developing fixes for insecurities like this one can be like patching a dam—plug one hole and the pressure shifts, forcing water out of a new one.

Sharon Goldberg, an assistant professor of computer science and Alfred P. Sloan fellow, specializes in anticipating and resolving the negative side effects of these fixes. With funding from the National Science Foundation, Cisco Systems, and Verisign Labs, she recently partnered with Leonid Reyzin, a professor of computer science, to write a paper revealing how a flaw in one proposed solution to routing insecurity—the Resource Public Key Infrastructure (RPKI)—would challenge the fundamental openness of the internet.

RPKI is a certification system that would prevent one network from masquerading as another to hijack its traffic. If the owner of a network—ranging from internet service providers to universities to medium-size companies—does not have the right certificate, the network would not be able to connect to the internet. The trouble, Reyzin and Goldberg found, is this system would put a lot of power in the hands of large multinational and national network owners, like governments, and it would create a new avenue for censorship. The controlling organizations would have the power to disconnect portions of the internet that they found objectionable. A government would be able to take networks—for example, those hosting content it doesn’t like, such as a journalist’s blog—offline. Reyzin and Goldberg have suggested modifications to the proposal that would alert networks to suspicious structural changes that could affect routing.

This is like internet plumbing," says Sharon Goldberg. "You don't think about the plumbing until it stops working."

Although these structural maneuverings enable the routing of our communications, “it’s unlikely the end user will even know this is happening,” Goldberg says. We typically notice structural issues only when there is an internet outage, when the internet connection fails, or when traffic is hijacked. “This is like internet plumbing,” says Goldberg. “You don’t think about the plumbing until it stops working.”

OUR DATA, OURSELVES

The internet also has conspicuous problems that are just as insidious as those lurking in the pipes. In an infamous breach of Target stores in 2013, hackers installed malware at the retailer’s cash registers to capture financial information for more than 70 million customers—approximately one-fifth of the United States population. The Department of Homeland Security estimates that more than 1,000 US companies were compromised by the attack—and many of them don’t even realize it yet. Every day, there’s another such incident that highlights the vulnerability of our personal data, so it’s no surprise that the question CAS computer scientists hear most often is: How can I protect myself?

“I don’t like the framing of this question,” says Reyzin. “It puts the responsibility on the individual, while technologists have not provided the right tools for individuals to protect themselves.” He compares the problem to a toaster: The device is designed with the user in mind. Its instructions are simple and its safety warnings are foolproof. We don’t need to understand electricity or the inner workings of the toaster to use it—as long as we don’t shove a metal knife in the slot, we likely won’t get electrocuted while making breakfast.

“There’s no equivalent system for software,” Reyzin says. Our current security measures are weak, and there is no straightforward way for the typical internet user to evaluate whether a website or program is as secure as it claims to be. “It’s very hard for me to evaluate,” says Reyzin. “And I have a PhD in computer science.”

It's very hard for me to evaluate,” says Leonid Reyzin of evaluating whether a website or program is as secure as it claims to be. “And I have a PhD in computer science.”

Reyzin is working to develop better security tools for internet users, including alternatives to the password system, which he describes as “terrible.”

An effective password is long and complicated, he says, qualities that also make it hard to remember, and writing it down defeats the point. Using the same password across multiple sites compromises its “secret” nature and, by extension, our data. And passwords are notoriously easy to hack.

With a three-year, $500,000 grant from the National Science Foundation, Reyzin is testing password alternatives, including markers with “secrets inside them,” like fingerprints and iris scans. He is trying to keep the secrets secret. When you scan your iris at the bank, for instance, the bank should not keep a record of it. How, then, can the bank compare one iris scan to a previous version to verify your identity, while also protecting your security?

Reyzin is working on a system that can securely compare two readings to determine whether to grant access to the user. The first time you scan your iris, the bank would use cryptography—converting data into code—to transform your initial iris scan into a secret “key.” The encrypted form of this key would be stored at the bank, and only a second scan of your iris would decrypt it, allowing you—and only you—to access your banking information.

The bank would never scan your iris the same way twice, however, since your eyes would always be positioned slightly differently in relation to the scanner. So Reyzin is designing an encryption algorithm that will allow the key created with one iris scan to be reliably decrypted with the next scan of the same iris, even though the two scans will not be identical.

SECURITY VS. LIBERTY

From fingerprints to foreign policy, CAS researchers are addressing internet security on a national scale by challenging data collection policies—an issue that has dominated the news since former National Security Agency (NSA) contractor Edward Snowden blew the whistle on US surveillance methods. The classified documents Snowden leaked to journalists prove that the NSA reached deeper into our lives than we realized, amassing a staggering cache of information about our phone calls and internet communications. These revelations have challenged our definition of privacy and fueled a national debate over the balance between security and civil rights.

“As a society, we have established fairly sharply defined boundaries for other kinds of communication, like the telephone and the US Postal Service,” Crovella says. “What’s changed with respect to the internet is that, with the ease and scope with which monitoring can be performed, we’ve slipped out of those traditional boundaries. We’re out of whack.”

The problem here is to balance our concerns over protecting our computer networks with personal liberty and privacy.” —Timothy H. Edgar

In a paper that made national news in summer 2014, Goldberg exposed a policy loophole that illustrates just how far we’ve slipped. She discovered that although US citizens are protected from domestic surveillance under federal law, a little known Executive Order (EO) 12333 authorizes the government to access our digital communications if gathered overseas.

Issued in 1981 by President Ronald Reagan to allow the collection of foreign intelligence, the order translates poorly to the digital realm because the internet does not abide by physical borders. US internet communications are globally routed and stored on servers in data centers throughout the world. “Consequently,” says Goldberg, “this protection of foreign soil versus American soil is no protection at all in terms of privacy.”

Crovella says lawmakers seem to be as confused by the internet’s complexities as the rest of us, making it difficult for them to evaluate the technical impact of their policies on the digital domain. Equally problematic, much of this legislation passes under the radar of the average American. Goldberg points to Section 309 of the Intelligence Authorization Act, which passed in Congress on December 10, 2014, “with no reports in the media whatsoever. Anywhere.” Section 309 sanctions Reagan’s order by enforcing a five-year limit on the length of time US citizens’ phone and internet communications can be held.

SIMPLE TASKS TO PROTECT YOUR DATA

Associate Professor Leonid Reyzin says the password system we all use
to protect our information online is “terrible.” He is working on a more effective replacement. In the meantime, here’s what you can do to better secure your data:

• Employ two-factor identification by having a second passcode sent to your mobile device.
• Encrypt your messages and phone calls with apps like Wickr and Silent Circle.
• Use search engines that don’t track your online activities, like DuckDuckGo.

“It is good that Congress is trying to regulate 12333 activities,” said former State Department internet policy official John Napier Tye in a U.S. News article. “But the language in this bill just endorses a terrible system that allows the NSA to take virtually everything Americans do online and use it however it wants according to the rules it writes.”

This provision not only passed without notice in the media, it nearly eluded detection by Congress, as it was snuck into the 47-page act the morning it was headed to vote. Michigan Republican Justin Amash noticed the addition and petitioned his colleagues to vote against it, but Congress passed the bill 325 to 100—apparently without reading it.

“Problematic new laws are emerging in democratic and authoritarian countries alike,” according to the summary of Freedom on the Net 2014, a report released in 2014 by the independent watchdog organization Freedom House. While every government has a legitimate need to protect its country’s infrastructure, trade secrets, and public safety, “the problem here is to balance our concerns over protecting our computer networks—especially in the way they interact with critical infrastructure—with personal liberty and privacy,” said Timothy H. Edgar, a visiting lecturer in the CAS computer science department, in a talk at the Berkman Center for Internet & Society at Harvard University.

“A growing list of countries have adopted a variety of more or less restrictive internet filtering practices, and not just the usual suspects,” he said. Democratic countries are debating internet filtering, joining authoritarian states like China, Russia, and Iran, where citizens’ online freedom has long been restricted, said Edgar, who served under President Barack Obama as the first director of privacy and civil liberties for the White House National Security Staff.

In 2014, according to the Freedom House report, internet freedom declined globally for the fourth year in a row. Forty-one countries proposed or passed legislation that give the government more control over internet content, more surveillance power, and more authority to punish users for their actions online. And 38 countries—particularly in North Africa and the Middle East—arrested users for posting content relating to politics and social issues. In response to this tension between security and civil liberty, Edgar suggests that in trying to secure our online world, we may undo the openness that has allowed it to thrive. He asks: “Will we destroy the internet to try to save it?”

SAVING THE INTERNET

Securing the internet would require reform on every level, from the structure of the platform, to the way users engage with it, to the policies that regulate it. This complex undertaking makes it imperative that politicians, doctors, business owners, and journalists—all of us, really—understand the technology that we use every day, and how it enables our society.

To meet this need, the CAS computer science department collaborates with colleagues throughout the University to develop interdisciplinary courses that integrate computer science into the fields of communications, biology, international relations, mathematics & statistics, and engineering. Edgar’s course, Cyber Conflict and Internet Freedom, examines the challenges in tackling network and computer insecurity while protecting civil liberties. Storytelling with Data, offered jointly by the journalism and computer science departments, explores data-driven journalism, which involves analyzing information collected from public databases, leaked documents, and social media.

“Computer science gives students in any discipline a better understanding of how our society works,” Crovella says. “Because society is increasingly organized by computations, and because everyone is affected by software and the pervasive electronics we all live with, it’s important to understand what these technologies are doing, what their limitations are, and how to control them.”

CAS alums are advancing this mission in positions ranging from software engineer for Fidelity Investments, to technical strategist for Microsoft, to deputy director of the Defense Advanced Research Projects Agency’s newly established Information Awareness Office.

“The internet is like the atomic bomb; all of a sudden, the human race has the power to destroy the planet,” says Ran Canetti, a professor of computer science. “This is the big challenge of our society in the coming decade: how to harness technology so we can influence society in a good way, rather than being destructive.” With bombs, banks, even bodies now online, this will be no small feat, leaving CAS faculty, students, and alums with a responsibility no less dramatic than saving the internet to save the world.