Measuring the Security of Internet Infrastructure

The rising tide of spam, phishing and other online crime has shown that it's not enough to leave it to website owners to encrypt traffic. You may be misled or defrauded if you visit the wrong website; or if you visit a website with the right name but at the wrong IP address; or if you visit a site at the right IP address, but hosted in another part of the world. It has thus become clear that we have to protect the Internet at the infrastructure level, which means protecting the naming (DNS) and routing (BGP) mechanisms. The industry is about to deploy DNSSEC, and various ad-hoc mechanisms are being used to protect BGP.However these deployments will take years, and many firms will initially get it wrong. There is a clear case for NPL to monitor the process in order to measure what's working and what isn't; to create pressure on sectors of the economy that lag behind; to help improve both authentication and monitoring tools; and to provide an authoritative voice on the move to a more secure infrastructure. Our research programme will help create this capability at NPL by establishing the monitoring framework. We also plan to develop a BGP reflector system to deal with global routing table growth out of band , along with an authentication and validation system for the route servers used by internet exchanges such as LINX and AMSIX to improve peering point resilience and to prevent a number of possible types of attack.We believe that this is of global importance, and that as players such as the US Department of Commerce and the IETF have got bogged down in political wrangling, a UK / European standards lead has a good chance of developing into global leadership.

The Call refers to the CSIA National Information Assurance Strategy figure of 10bn pa for the cost of security breaches to UK plc, and also to the BERR 2008 survey which found that the average cost of a security breach at a company with over 250 employees was 90-170K. A very much more comprehensive survey of available statistics on the costs of online crime can be found in the ENISA report Security Economics and European Policy , R Anderson et al., 2008 (available from ENISA or from www.ross-anderson.com). Online crime is getting rapidly worse as our societies become more dependent on the Internet, and as the relevant tools and know-how become more widely available to criminals. The deployment of better infrastructure security in the Internet is urgent from both economic and national security perspectives. However, because of the complexity of deployed systems and the great variety of actors - with huge variation in competence - this deployment is likely to be extended and chaotic. A clear standards lead, with a solid evidence base of empirical measurements, can have a quite disproportionate impact and should save the UK (and world) economy billions of pounds of fraud and other costs over the medium term.