NEW YORK – It was the computer programming equivalent of misspelling Mississippi – an error at once careless, inevitable and very hard for most human eyes to spot.
The bug known as Heartbleed, a flaw in the most commonly used system for encrypting consumers’ online data, is a stark reminder that the Internet is still in its youth and vulnerable to all sorts of unseen dangers, including simple human error. Today’s digital systems are complex and penetrate every corner of our lives. It is impossible to lock them down.
“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” said Edward Felten, a computer security expert at Princeton University.
In some ways, the tech world today resembles the chaotic, unruly days of other essential industries, including the meatpacking industry depicted in Upton Sinclair’s “The Jungle” and the automobile business portrayed in Ralph Nader’s “Unsafe at Any Speed.” While those industries were made safe by a combination of regulation and industrywide cooperation, progress took time, and it came through trial and error.
But it’s not clear that the same solutions will work with technology. We have decided, as a society, to rush headlong into a world ruled by digital devices, continually weighing convenience versus safety. We’re constantly storing more of our important information on more new kinds of hardware run by more complicated software. All of it is increasingly interdependent, which makes the whole ecosystem more vulnerable.
Even though security is an increasing area of concern for large technology companies, it is often considered an afterthought rather than an essential part of building all the goodies we use. Experts say that while instituting a more secure tech culture is possible, it will require a long-term investment in educating software engineers and improving core technologies.
“There’s a level of care in designing systems and sweating the details of their operations that’s missing in the culture of software development,” Felten said. “We don’t have the kind of safety culture that is common in fields such as aviation.”
That’s because enhanced safety will surely cost consumers in speed, novelty and convenience.
“We have standards for coding in mission-critical systems like the airline industry, but I’m not sure we would want those standards applied everywhere,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University.
Such strict standards require programmers to spend significantly more time testing their work – and neither technology companies nor consumers can stomach such delays.
“I don’t think we want to wait 20 years for the next Google and Facebook,” Green said.
Like other similar bugs found recently – including one in Apple’s mobile and desktop devices – the Heartbleed flaw had gone unnoticed for years. As far as researchers can tell, the problem was introduced by a programmer making a routine coding change on New Year’s Eve in 2011. OpenSSL, the system in which the error was found, is an open-source program, which means that its code resides online and can be amended by anyone. In theory, such code is supposed to be more secure from bugs than a closed system; with enough programmers checking the code, the flaw should have been quickly detected.
But apparently that did not happen.
“There just weren’t enough eyeballs on this – and that’s very bad,” Green said.
One problem might be basic economics. Many huge Internet companies depend on free technologies like OpenSSL to run their systems, but they don’t always return resources to the small teams that create the code.
“If we could get $500,000 kicked back to OpenSSL and teams like it, maybe this kind of thing won’t happen again,” Green said.
Unlike other potentially dangerous corners of modern life, like aviation or health care, the tech industry is unusually volatile. The companies that run the show today will inevitably be usurped by newer ones that offer supposedly better ways of doing things. Such constant upheaval makes industrywide coordination on security more difficult.
“I’m not sure there’s any other industry that handles as much change and as much usage in such a short amount of time,” said Kurt Baumgartner, a researcher at Kaspersky Lab, a digital security firm.
Still, Baumgartner contends that the field is getting better. Compared with the slow, haphazard way that companies once responded to security threats, the industry’s response to Heartbleed was “pretty responsibly coordinated,” he said. Many large companies fixed their services before the problem was disclosed. “On the whole, things have been improving.”
But is it improving enough to keep up with an increasingly determined set of attackers? According to a recent study by Risk Based Security, a threat research firm, there were more than 2,000 data security breaches in 2013. The good news is that the number of intrusions was down from 2012, when more than 3,000 episodes were reported. The bad news is that the smaller number of attacks in 2013 resulted in more damage – about 814 million data records were exposed during the year (including the credit card you used at Target), about twice as many as in any other previous year on record.
The numbers point to another factor that adds to the difficulty in addressing digital threats: Attackers are intelligent, so, frequently, advances in security are matched by advances in attacks. This makes online security a more complicated problem than, say, improving the safety of automobiles.
If you fix one Internet security bug, you can be sure that attackers will just find another, potentially more dangerous one.
“Overall, attackers have the competitive advantage,” said Jen Weedon, who works on the threat intelligence team at the security company Mandiant. “Defenders need to defend everything. All attackers need to find is one vulnerability.”
Does this mean we’re doomed? Not necessarily; researchers are gratified that large hacks and vulnerabilities are receiving more attention, which might push the industry and consumers to take security more seriously.
“Within the past year or so, it’s interesting to see how high-profile these threats have become,” Weedon said. “Now average people are talking about how to patch their systems. And that’s the best we can hope for, for now.”