12:32
TED2013

Danny Hillis: The Internet could crash. We need a Plan B

Filmed:

In the 1970s and 1980s, a generous spirit suffused the Internet, whose users were few and far between. But today, the net is ubiquitous, connecting billions of people, machines and essential pieces of infrastructure -- leaving us vulnerable to cyber-attack or meltdown. Internet pioneer Danny Hillis argues that the Internet wasn't designed for this kind of scale, and sounds a clarion call for us to develop a Plan B: a parallel system to fall back on if -- or when -- the Internet crashes.

- Computer theorist
Inventor, scientist, author, engineer -- over his broad career, Danny Hillis has turned his ever-searching brain on an array of subjects, with surprising results. Full bio

So, this book that I have in my hand
00:16
is a directory of everybody who had an email address
00:19
in 1982. (Laughter)
00:23
Actually, it's deceptively large.
00:27
There's actually only about 20 people on each page,
00:30
because we have the name, address
00:34
and telephone number of every single person.
00:36
And, in fact, everybody's listed twice,
00:39
because it's sorted once by name and once by email address.
00:41
Obviously a very small community.
00:45
There were only two other Dannys on the Internet then.
00:48
I knew them both.
00:52
We didn't all know each other,
00:53
but we all kind of trusted each other,
00:55
and that basic feeling of trust
00:58
permeated the whole network,
01:02
and there was a real sense that
01:05
we could depend on each other to do things.
01:07
So just to give you an idea of the level of trust in this community,
01:10
let me tell you what it was like
01:13
to register a domain name in the early days.
01:15
Now, it just so happened that I got to register
01:19
the third domain name on the Internet.
01:22
So I could have anything I wanted
01:24
other than bbn.com and symbolics.com.
01:26
So I picked think.com, but then I thought,
01:30
you know, there's a lot of really interesting names out there.
01:34
Maybe I should register a few extras just in case.
01:37
And then I thought, "Nah, that wouldn't be very nice."
01:41
(Laughter)
01:44
That attitude of only taking what you need
01:50
was really what everybody had on the network in those days,
01:54
and in fact, it wasn't just the people on the network,
01:58
but it was actually kind of built into the protocols
02:01
of the Internet itself.
02:04
So the basic idea of I.P., or Internet protocol,
02:06
and the way that the -- the routing algorithm that used it,
02:09
were fundamentally "from each according to their ability,
02:13
to each according to their need."
02:17
And so, if you had some extra bandwidth,
02:19
you'd deliver a message for someone.
02:22
If they had some extra bandwidth, they would deliver a message for you.
02:24
You'd kind of depend on people to do that,
02:27
and that was the building block.
02:29
It was actually interesting that such a communist principle
02:32
was the basis of a system developed during the Cold War
02:34
by the Defense Department,
02:37
but it obviously worked really well,
02:39
and we all saw what happened with the Internet.
02:42
It was incredibly successful.
02:46
In fact, it was so successful that there's no way
02:48
that these days you could make a book like this.
02:51
My rough calculation is it would be about 25 miles thick.
02:55
But, of course, you couldn't do it,
03:01
because we don't know the names of all the people
03:02
with Internet or email addresses,
03:04
and even if we did know their names,
03:07
I'm pretty sure that they would not want their name,
03:08
address and telephone number published to everyone.
03:11
So the fact is that there's a lot of bad guys on the Internet these days,
03:15
and so we dealt with that by making
03:19
walled communities,
03:23
secure subnetworks, VPNs,
03:25
little things that aren't really the Internet
03:30
but are made out of the same building blocks,
03:31
but we're still basically building it out of those
03:33
same building blocks with those same assumptions of trust.
03:36
And that means that it's vulnerable
03:40
to certain kinds of mistakes that can happen,
03:43
or certain kinds of deliberate attacks,
03:45
but even the mistakes can be bad.
03:47
So, for instance,
03:50
in all of Asia recently,
03:53
it was impossible to get YouTube for a little while
03:55
because Pakistan made some mistakes
03:58
in how it was censoring YouTube in its internal network.
04:01
They didn't intend to screw up Asia, but they did
04:04
because of the way that the protocols work.
04:07
Another example that may have affected many of you in this audience is,
04:10
you may remember a couple of years ago,
04:13
all the planes west of the Mississippi were grounded
04:16
because a single routing card in Salt Lake City
04:19
had a bug in it.
04:22
Now, you don't really think
04:24
that our airplane system depends on the Internet,
04:26
and in some sense it doesn't.
04:29
I'll come back to that later.
04:30
But the fact is that people couldn't take off
04:32
because something was going wrong on the Internet,
04:34
and the router card was down.
04:37
And so, there are many of those things that start to happen.
04:39
Now, there was an interesting thing that happened last April.
04:43
All of a sudden,
04:46
a very large percentage of the traffic on the whole Internet,
04:48
including a lot of the traffic between U.S. military installations,
04:51
started getting re-routed through China.
04:55
So for a few hours, it all passed through China.
04:58
Now, China Telecom says it was just an honest mistake,
05:01
and it is actually possible that it was, the way things work,
05:05
but certainly somebody could make
05:09
a dishonest mistake of that sort if they wanted to,
05:11
and it shows you how vulnerable the system is even to mistakes.
05:14
Imagine how vulnerable the system is to deliberate attacks.
05:18
So if somebody really wanted to attack the United States
05:23
or Western civilization these days,
05:26
they're not going to do it with tanks.
05:28
That will not succeed.
05:30
What they'll probably do is something
05:33
very much like the attack that happened
05:35
on the Iranian nuclear facility.
05:38
Nobody has claimed credit for that.
05:41
There was basically a factory of industrial machines.
05:43
It didn't think of itself as being on the Internet.
05:46
It thought of itself as being disconnected from the Internet,
05:49
but it was possible for somebody to smuggle
05:52
a USB drive in there, or something like that,
05:54
and software got in there that causes the centrifuges,
05:56
in that case, to actually destroy themselves.
05:59
Now that same kind of software could destroy an oil refinery
06:02
or a pharmaceutical factory or a semiconductor plant.
06:05
And so there's a lot of -- I'm sure you've read a lot in papers,
06:10
about worries about cyberattacks
06:13
and defenses against those.
06:15
But the fact is, people are mostly focused on
06:18
defending the computers on the Internet,
06:20
and there's been surprisingly little attention
06:22
to defending the Internet itself as a communications medium.
06:24
And I think we probably do need to pay
06:29
some more attention to that, because it's actually kind of fragile.
06:30
So actually, in the early days,
06:34
back when it was the ARPANET,
06:37
there were actually times -- there was a particular time it failed completely
06:38
because one single message processor
06:42
actually got a bug in it.
06:45
And the way the Internet works is
06:48
the routers are basically exchanging information
06:50
about how they can get messages to places,
06:53
and this one processor, because of a broken card,
06:56
decided it could actually get a message
07:00
to some place in negative time.
07:02
So, in other words, it claimed it could deliver a message before you sent it.
07:05
So of course, the fastest way to get a message anywhere
07:09
was to send it to this guy,
07:12
who would send it back in time and get it there super early,
07:14
so every message in the Internet
07:17
started getting switched through this one node,
07:20
and of course that clogged everything up.
07:23
Everything started breaking.
07:25
The interesting thing was, though,
07:27
that the sysadmins were able to fix it,
07:29
but they had to basically turn every single thing on the Internet off.
07:31
Now, of course you couldn't do that today.
07:36
I mean, everything off, it's like
07:37
the service call you get from the cable company,
07:39
except for the whole world.
07:42
Now, in fact, they couldn't do it for a lot of reasons today.
07:45
One of the reasons is a lot of their telephones
07:47
use IP protocol and use things like Skype and so on
07:50
that go through the Internet right now,
07:53
and so in fact we're becoming dependent on it
07:55
for more and more different things,
07:58
like when you take off from LAX,
08:00
you're really not thinking you're using the Internet.
08:03
When you pump gas, you really don't think you're using the Internet.
08:05
What's happening increasingly, though, is these systems
08:09
are beginning to use the Internet.
08:11
Most of them aren't based on the Internet yet,
08:13
but they're starting to use the Internet for service functions,
08:16
for administrative functions,
08:19
and so if you take something like the cell phone system,
08:21
which is still relatively independent of the Internet for the most part,
08:24
Internet pieces are beginning to sneak into it
08:28
in terms of some of the control and administrative functions,
08:31
and it's so tempting to use these same building blocks
08:35
because they work so well, they're cheap,
08:37
they're repeated, and so on.
08:39
So all of our systems, more and more,
08:40
are starting to use the same technology
08:43
and starting to depend on this technology.
08:45
And so even a modern rocket ship these days
08:47
actually uses Internet protocol to talk
08:49
from one end of the rocket ship to the other.
08:52
That's crazy. It was never designed to do things like that.
08:54
So we've built this system
08:57
where we understand all the parts of it,
09:00
but we're using it in a very, very different way than we expected to use it,
09:03
and it's gotten a very, very different scale
09:07
than it was designed for.
09:10
And in fact, nobody really exactly understands
09:12
all the things it's being used for right now.
09:14
It's turning into one of these big emergent systems
09:17
like the financial system, where we've designed all the parts
09:19
but nobody really exactly understands
09:23
how it operates and all the little details of it
09:25
and what kinds of emergent behaviors it can have.
09:28
And so if you hear an expert talking about the Internet
09:31
and saying it can do this, or it does do this, or it will do that,
09:34
you should treat it with the same skepticism
09:37
that you might treat the comments of an economist about the economy
09:39
or a weatherman about the weather, or something like that.
09:44
They have an informed opinion,
09:46
but it's changing so quickly that even the experts
09:49
don't know exactly what's going on.
09:51
So if you see one of these maps of the Internet,
09:53
it's just somebody's guess.
09:56
Nobody really knows what the Internet is right now
09:58
because it's different than it was an hour ago.
10:00
It's constantly changing. It's constantly reconfiguring.
10:02
And the problem with it is,
10:05
I think we are setting ourselves up for a kind of disaster
10:07
like the disaster we had in the financial system,
10:10
where we take a system that's basically built on trust,
10:13
was basically built for a smaller-scale system,
10:18
and we've kind of expanded it way beyond the limits
10:21
of how it was meant to operate.
10:24
And so right now, I think it's literally true
10:26
that we don't know what the consequences
10:29
of an effective denial-of-service attack
10:33
on the Internet would be,
10:35
and whatever it would be is going to be worse next year,
10:37
and worse next year, and so on.
10:39
But so what we need is a plan B.
10:40
There is no plan B right now.
10:43
There's no clear backup system that we've very carefully kept
10:44
to be independent of the Internet,
10:48
made out of completely different sets of building blocks.
10:50
So what we need is something that doesn't necessarily
10:53
have to have the performance of the Internet,
10:56
but the police department has to be able
10:59
to call up the fire department even without the Internet,
11:00
or the hospitals have to order fuel oil.
11:03
This doesn't need to be a multi-billion-dollar government project.
11:05
It's actually relatively simple to do, technically,
11:10
because it can use existing fibers that are in the ground,
11:12
existing wireless infrastructure.
11:16
It's basically a matter of deciding to do it.
11:18
But people won't decide to do it
11:21
until they recognize the need for it,
11:23
and that's the problem that we have right now.
11:26
So there's been plenty of people,
11:27
plenty of us have been quietly arguing
11:30
that we should have this independent system for years,
11:33
but it's very hard to get people focused on plan B
11:36
when plan A seems to be working so well.
11:39
So I think that, if people understand
11:43
how much we're starting to depend on the Internet,
11:46
and how vulnerable it is,
11:49
we could get focused on
11:51
just wanting this other system to exist,
11:53
and I think if enough people say, "Yeah, I would like to use it,
11:56
I'd like to have such a system," then it will get built.
11:59
It's not that hard a problem.
12:02
It could definitely be done by people in this room.
12:04
And so I think that this is actually,
12:07
of all the problems you're going to hear about at the conference,
12:11
this is probably one of the very easiest to fix.
12:15
So I'm happy to get a chance to tell you about it.
12:17
Thank you very much.
12:20
(Applause)
12:23
Translated by Joseph Geni
Reviewed by Morton Bast

▲Back to top

About the Speaker:

Danny Hillis - Computer theorist
Inventor, scientist, author, engineer -- over his broad career, Danny Hillis has turned his ever-searching brain on an array of subjects, with surprising results.

Why you should listen

Danny Hillis is an inventor, scientist, author and engineer. While completing his doctorate at MIT, he pioneered the concept of parallel computers that is now the basis for most supercomputers, as well as the RAID array. He holds over 100 US patents, covering parallel computers, disk arrays, forgery prevention methods, and various electronic and mechanical devices, and has recently been working on problems in medicine as well. He is also the designer of a 10,000-year mechanical clock, and he gave a TED Talk in 1994 that is practically prophetic. Throughout his career, Hillis has worked at places like Disney and now Applied Minds, always looking for the next fascinating problem.

More profile about the speaker
Danny Hillis | Speaker | TED.com