MAY/JUNE 2005 (Vol. 3, No. 3) pp. 6-8
1540-7993/05/$26.00 © 2005 IEEE

Published by the IEEE Computer Society
Holistic Security: Interview with Tom Leighton
Laurianne McLaughlin
Tom Leighton, a founder and chief scientist at Akamai Technologies, as well as professor of applied mathematics at the Massachusetts Institute of Technology, grapples with troubling Internet security issues daily. Keeping Akamai customers safe from denial-of-service attacks, for example, gives Leighton an unusual and thorough view of the state of US cybersecurity.
He brought this view to the President's Information Technology Advisory Committee (PITAC), a US federal advisory group on national IT infrastructure issues, for which Leighton chaired a study examining the condition of federal cybersecurity research and development efforts.
The committee's February 2005 report, Cyber Security: A Crisis of Prioritization, concludes that because today's Internet technologies have serious vulnerabilities, fundamental architecture and technology changes are needed to protect US citizens, businesses, and military groups (see an analysis of the report on p. 9).
The report advocates focusing R&D efforts in 10 security areas; increasing the funding for the US National Science Foundation and other programs fostering fundamental security research; recruiting and retaining more security experts at universities; and improving research program coordination. Leighton spoke with IEEE Security & Privacy regarding today's security challenges, what needs to change, and how the security community can help.
S&P: The committee identified 10 focus areas (such as authentication technologies and fundamental protocols) in which security research needs to increase. Based on your experiences at Akamai, which of the 10 is most urgent?
Leighton: The bad news is [that] they're all urgent; there's no silver bullet. As the report points out, if we fail to adequately address any of the 10, we leave ourselves exposed. There's not a quick answer.
S&P: PITAC concluded that human resources (recruiting and retaining security researchers) is a major problem. Are there existing efforts or historical parallels from which the security community can learn?
Leighton: The NSF's Cyber Trust program—the scholarship program is an important component there. It's a focus on open research, it's not classified. It's not looking for the patch to the latest attack, it's focused on fundamentals. It's a program that has lasting funding, not a one-year contract and then it's up. If [a program's] funding is going to dry up in a year or two, then that's not a stable environment, and it makes it harder to attract and retain the best people.
S&P: The committee urges the government to encourage researchers to think in terms of revolutionary ideas, not incremental advances. In what security area would you most like to see a revolutionary idea emerge, and why?
Leighton: At the high level, having holistic security is very important. For example, we have SSL [Secure Sockets Layer] today. It's actually one of the few protocols used in a networking environment that is secure on its own, but it's easy to circumvent it. It's easy for me to trick you into giving me your password. Even if you do everything you're supposed to, [if] you're as vigilant as can be, I can still trick you. Even if you have secure pieces—for example, SSL—if you don't have a holistic view of system security or end-to-end security, you can still be easily defeated.
Today, of course, on the Internet, very few protocols are secure. DNS [Domain Name System] has no security. The Border Gateway Protocol, which is responsible for routing the packets through the Internet, is not secure. As a result, I can steal your traffic—I can direct your traffic to wherever I want. When you think you're going to your bank, I can actually send you somewhere else. At the fundamental level, the protocols themselves are insecure, and obviously that needs to be fixed, but even if we did that, we would still have to have a holistic view of security.
S&P: That's a tall order.
Leighton: We're really in a surprisingly distressing state. We've developed great technology for the last 30 or 40 years in the networking world; we can do amazing things with the Internet today. Our nation is now critically reliant on the Internet for a lot of things—banking, defense, a lot of the utilities industries are critically reliant on IP technology. But we've never incorporated the security.
We treat security today at almost the same level as we did 30 or 40 years ago when the Arpanet was created, when the only people who used it were respected researchers at a few universities and industries, and the government. They had no need for security because these were trusted people. Not only that, they were smart enough [that] they could be trusted not to do something by accident that could hurt the network. So no security was embedded in the protocols, and we've never really gone back and addressed that. We've just added on more and more layers of functionality and sophistication that have brought us great efficiencies and capabilities. And so we've embraced the Internet wholeheartedly for all the right reasons, but now we're faced with the fact that there are vulnerabilities.
S&P: Is improved, holistic security a precondition for the next generation of e-commerce?
Leighton: I think so. Today, you see the stats on phishing and pharming—one statistic I saw, and [which is] in the report, is [that] 1 percent of US households lost their identity to identity theft in the first half of 2004 at a cost of at least US$400 million in fraud. I've seen other statistics saying that the totals go far higher than that, and it's a rapidly rising problem. It's so hard to catch the criminals responsible for it. As that increases, it creates a lack of trust and confidence in the system. And that can eventually prevent the increased adoption and usage of the Internet for e-commerce. I think that's something we have to pay attention to as we think about the next generation.
S&P: What will be the concrete benefits to consumers and taxpayers if the PITAC report recommendations are followed?
Leighton: They come in several dimensions. First, if you had a secure infrastructure, you wouldn't have to worry about all your confidential information being stolen or compromised. It could involve anything from medical records to your bank account information. The threat of economic loss or theft of confidential information could be substantially mitigated.
Second, you have to look at the US citizens; they would be better off if our military and our government [were] using a secure infrastructure. As the military becomes more and more reliant (and today I think they're already critically reliant) on IP technologies and on networked communications—if that's insecure, the nation has problems in terms of national security and defense.
S&P: Did the committee entertain a Manhattan Project-scale project on cybersecurity—namely a huge, coordinated national effort to accomplish a concrete result? If not, why not?
Leighton: That was raised at our public hearings, [but] at some level that was beyond our mandate. The Manhattan Project actually involved building the device. Today we're not prepared to build the device. It was beyond our mandate—even if we were able to today—to outline a plan for building the device, namely the new secure infrastructure.
The problem is even more fundamental. We don't really know for sure today what that infrastructure looks like. That's why we're focusing on the first step, which is figuring that part out. What should the Manhattan version of the Internet look like? [What] is the basic, fundamental research that needs to be done to develop the secure protocols—for example, the end-to-end system approach to security, better software engineering, [the] ability to track down the bad guys? Those areas need to be researched; then we're going to have a much better idea what it is we need to build.
S&P: What can the security R&D community do to support the report and increase the probability that its recommendations will be implemented?
Leighton: Helping Congress be aware. Helping the administration be aware of the problem. Helping senior figures in industry, at the CEO level, understand the problem. Within government and within industry, in the trenches, there's a pretty good understanding of the problem we face. I don't think there's that same level of understanding at the more senior levels of government and in some cases, in industry.
We're in this difficult state where we are embracing IP technology, we are critically reliant on it, and we haven't discovered at the highest levels yet [that] there's a major security problem with it.
S&P: So are we talking about letters, lobbying? How can the security community help them understand?
Leighton: Yes, for example. And helping to educate. Members of this committee, myself included, are spending time briefing various committees in Congress and the staff, various agencies within the government, to help them understand the nature of the problem and that this really is serious.
I think once that understanding is there, it becomes a lot easier to say, "We really have to follow these recommendations; we really have to get going." And what we're asking for is actually a very small amount of money. As one congressional staffer said, this is a drop in the bucket—especially when you consider the financial losses just from identity theft, never mind the threat to our national security.
S&P: Does the PITAC committee recommend creating a "cybersecurity czar" position within the White House?
Leighton: It is a subject that was raised during our public meetings. Our mandate really didn't cover that issue, so we didn't make a recommendation along those lines.
S&P: The US National Strategy to Secure Cyberspace put a large responsibility on home and small businesses to manage their own security. How realistic do you think that model is?
Leighton: It's a necessary model, but it's not sufficient. It's important, certainly today, for people at home and in universities and in businesses to secure their networked equipment, to deploy the latest patches, to have firewalls put in place. That said, even if they do all that, and they're as diligent as they can be, it doesn't solve the problem. You look at some of the statistics quoted in the report: forty percent of the Fortune 100 companies—all of whom invest a substantial amount of money into cybersecurity and defenses—they were the source of attacks, of viruses and worms. So not only were they compromised, they were compromised so badly that their computing equipment was attacking other enterprises. You can see that if the Fortune 100 can't get it right, it's even tougher for the folks at home [or] for small business to do it right. The recommendation is necessary, but clearly not sufficient.
S&P: PITAC advised strengthening the coordination of federal cybersecurity R&D activities. In your opinion, if a CEO from the business world came in to improve the federal security research efforts, what might be revamped?
Leighton: There really isn't any effective coordination today, so I think you're starting fresh in some sense. Instead of revamping something, it would be creating something.
The CEO would create some analog of the 10 areas that we are in critical need of funding and then he'd, in an ideal world, help allocate funds against those strategic objectives. And then he would measure [the] performance of those who were spending the money against their accomplishments in those strategic objectives. You'd have a coordinated approach. You'd identify the goals, you'd allocate funds according to the goals, and then you'd measure performance against the goals. That's the way you'd do it in business.
Laurianne McLaughlin is a freelance technology writer based in Massachusetts.