Every couple of years, the media is full of articles, conference discussions, and blog posts about reinventing the internet. There are some valid reasons for these conversations. However, the one that I hear often is the one that offers the vaguest explanation: “The internet wasn’t designed for today’s scale”, meaning that the internet, or more precisely, its predecessor ARPANET, wasn’t designed for security.
I have a couple of controversial thoughts about ARPANET.
The internet was most certainly designed with security in mind. A whole lot of security. Even from my self-centered perspective, the previous statement was a pretty outrageous thing to claim. Furthermore, several of the original contributors and experts with serious credentials stated too many times that security hadn’t been considered at all.
In defense of my claim, I will present two facts:
Fact one: Accessing ARPANET wasn’t done directly – it was initiated by a user who had to have a user ID and a password. User IDs and passwords are the cornerstones of computer security. Even today, fifty years after the launch of ARPANET, the same mechanisms are used.
Fact two: Unlike today, when any Yahoo can sign up for a user ID, and many websites don’t even require a confirmation email acknowledgment before they activate the user ID, back then, the user IDs were assigned by humans operating computers under well-defined guidelines.
This leads to another fact: The rules on how the computers (to which each of the user IDs and passwords was registered) were connected to ARPANET were very restrictive. The policy was that only a limited number of government agencies, private companies under contract, and certain individuals and departments within universities had legitimate non-commercial-use reasons to have access. If you would like to double-check, here is a map of ARPANET from 1973.
Were there gaps in the process and bugs and security loopholes in the software? Sure! But we still have bugs and loopholes, and, as Edward Snowden demonstrated, policies and procedures are not an absolute guarantee.
If we keep today’s standards with traffic encryption and more sophisticated authentication and user role mechanisms in mind, the ARPANET, which was considered a human/machine system, was certainly designed to be very secure with respect to the supposed threats of that era.