The discovery of a chink in the Internet’s armor—particularly one on the scale of the OpenSSL vulnerability Heartbleed—is terrifying not just because it means so much of our online traffic has been unprotected for years but also, in part, because it reminds us of those other, as-yet-undetected security flaws which could have us scrambling to change all of our passwords all over again a year or two down the road. “As Web Grows, It Grows Less Secure” cautioned the headline of Farhad Manjoo’s New York Times column this week.
Manjoo is Slate’s former tech columnist, and I hate to disagree with him. But the discovery and subsequent patching of Heartbleed is anything but a sign that the Web is becoming “less secure.” There’s no meaningful way to quantify how secure the Internet is, or whether it’s growing more or less secure at any given moment. But these announcements, upsetting and inconvenient though they may be, are actually positive signs of progress toward stronger online security. One less major security flaw in OpenSSL is a major triumph, not because Heartbleed was the only—or even the most devastating—vulnerability out there, not because the Internet is now magically secure, but rather because it means that our bug finding and fixing capabilities are better than they’ve ever been. That’s not to say computer security is where it needs to be—far from it—but the discovery of Heartbleed should make that trajectory seem more hopeful than dismal.
Undoubtedly as all of us become increasingly dependent on computer networks for a range of services from commerce to communication, the consequences of security breaches on those networks can become more damaging and further reaching. But that’s a separate issue from the question of whether the technology underlying the Internet is actually becoming less secure with the growth in online users and services. In fact, the growing reliance on these networks has likely helped focus more money and attention on security problems such as Heartbleed. It’s certainly the reason that the announcement was front-page news this week.
Manjoo writes that the Internet is “still in its youth,” and he’s right that many of the problems around online security stem from a lack of understanding, data, and experience that can be traced, at least in part, back to how brief a period of time is this technology has been part of our daily lives and every activity. That’s not to say time will heal all wounds in this space, but it will certainly help—as it has with OpenSSL. You can argue that two years is too long to wait to find a vulnerability as serious as Heartbleed, but that does not mean we’re not moving toward a more secure online environment, just that that movement is much slower than we might like.
So what can we do to speed it up? Many people, including Manjoo, have highlighted the need to provide more money to organizations such as the OpenSSL Project, the group that maintains the open-source code in which the Heartbleed bug was discovered. Last year, the OpenSSL Project made less than $1 million from donations and consulting fees, according to the Wall Street Journal. One line of arguing goes: If the group had been better funded, then it might have been able to attract more coders or better security experts who might have found this bug sooner or prevented it from ever being introduced. Johns Hopkins professor Matthew Green told the Times, “If we could get $500,000 kicked back to OpenSSL and teams like it, maybe this kind of thing won’t happen again.”
Maybe. But maybe not—Apple, one of the richest companies in the world, reported a major security vulnerability in its OS X and iOS operating systems less than two months ago, with the iOS flaw dating back more than a year and the OS X one about 6 months old. Even with its current moment in the spotlight, the OpenSSL Project will never come close to matching Apple’s security spending—as of Wednesday afternoon, the project reported it had received just over $800 in donations this week—and even if it could, that would still be no guarantee that something like Heartbleed would never happen again.
The importance of supporting open-source coding endeavors, particularly those which are used widely, is not a bad lesson to draw from the Heartbleed story. Yes, the OpenSSL Project does an incredibly important job for which it is probably dismally underfunded. Yes, you should by all means give them money now that you know who they are and how much the whole world is relying on them. But it would be a grave mistake to assume that throwing money at the Internet’s security problems will make them go away.
We may or may not spend enough money on Internet security, but we definitely don’t know how to spend it. Companies with billions of dollars and small groups with less than $1 million are all faced with the challenge of trying to figure out how they should be spending their security budget and none of them have got the answer—yet.
Internet technology will never evolve to a point of complete security, but it will eventually reach a point of stability and relative safety, with occasional lapses and breaches, just as the other industries Manjoo invokes—the meatpacking and automotive businesses—have done. He writes:
While those industries were made safe by a combination of regulation and industrywide cooperation, progress took time, and it came through trial and error.
But it’s not clear that the same solutions will work with technology
They will, but the process will indeed be slow and painful and error-prone. We’ll get there, though, one heart bleed at a time.
This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.
