IN OUR GRAND, FEBRILE ATTEMPT TO DIGITIZE everything and connect everything to everything else via wireless, copper, infrared or fiber, we have forgotten, overlooked, or wholly ignored—I’m not sure which—that the digital world is just as vicious as the physical world.

I can only chuckle at the hubris of early “Internet Manifestos” declaring freedom and independence from old world tyranny such as corporation, governments, and centralized control. As if tyranny would somehow be nullified, forgotten, or extinguished simply be the existence of the Internet itself. Those early authors in their rush to declare emancipation from one tyranny are now subject to yet another.

The Internet has only compounded the problem of tyranny, giving tyranny yet another avenue and another form. This new world tyranny is not about the tyranny of government or some abstract conspiratorial force, but it is the tyranny of the ochlocracy, of distributed denial-of-service; of being at the whim of anonymous attackers 10,000 miles away. Internet tyranny is in short, the tyranny of technology and our lack of foresight regarding our own unexpected subservience.

As we interconnect more and more of our global infrastructure, tyranny’s shadow expands. We suffer from the tyranny of fear; we suffer from the tyranny of anxiety, we suffer from the tyranny of uncertainty because we have no idea what the next disastrous exploit will be. We are at the mercy of our own shortsightedness and baffled by the paradox that the Internet simultaneously benefits and imperils our welfare. If networks cannot currently withstand a 100,000 node distributed denial-of-service attack, what chance do networks have when there are a billion network-aware refrigerators, microwaves and wristwatches leveraged as weapons five years from now?

This abysmal state of affairs is not Cisco’s fault, nor Sun’s, nor even Microsoft’s. Migrating from closed-source software to open-source software affords no greater protection or safety. A majority of the technologies that makes the Internet possible are technologies that were made to work; they were not designed to be secure. DNS, TCP/IP, SNMP, HTTP, ASN.1, RPC, Telnet, FTP; are just a few of the many technologies that exhibit weaknesses in both their definition and implementation. Even protocols specifically designed for security—such as Kerberos and SSH—share similar blemishes. The foundation of the Internet is questionable indeed, and that is the crux of the matter.

The foundation of the Internet is software, and our software is less than satisfactory. To exacerbate the situation, software is becoming the foundation of humanity’s civilizations. Infrastructure is the buzzword on everyone’s lips and software is commanding and commandeering a greater portion of infrastructure everyday.

If the Roman Empire were as frivolous with their concrete as we are with our software, the Romans would never have had an empire to speak of—at least not one as grand. The Romans perfected the formula for concrete because they understood its importance for commerce, shelter, stability, and life. Software is our civilization’s concrete, and is no less important to the viability of our societies. We need to give software the time and attention to the foundations it deserve. I’m am still surprised as an advisor to hear new clients think that firewalls, antivirus, and intrusion detection are sufficient fortifications against software’s failings. They are not. Being created from software themselves, security products share the same faults as other commercial software products, and in some cases their implementation failures are even more egregious given the nature of their intended functions. Many security products are merely intricate gymnastics that distract us from the greater issue at hand: the formulation of our software.

Surprisingly, software development—though perceived as a modern skill—remains firmly entrenched in the craftsmen’s discipline, much akin to the black smiths and textile weavers of the Middle Ages. As noble as craftsmanship may be, the shortfall of the craftsmen’s discipline is that product quality is largely dependent on the craftsmen’s talent and experience not to mention exceedingly expensive. More importantly, even under an experienced hand, consistency is all but non-existent. Without consistency, information security doesn’t stand a chance never mind all the other issues surrounding secure software development.

These two analogies—craftsmen and concrete—work well to help us resolve the greatest issue facing the security and stability of our global infrastructure and guide us in developing suitable technologies. The next great security product probably won’t be a product at all; it will be a movement much like the Industrial Revolution, which removes the craftsmen’s foibles from the production cycle and instills the consistency and reliability of well-engineered parts. The Industrial Revolution transmuted craftsmanship into a commodity promoting reliability, repeatability and mass-production ultimately resulting in less expensive, higher quality, and safer products. Of course, the Industrial Revolution was a movement driven by products that made creating other products easier, a characteristic practically absent from current software development efforts. While automating tasks is the selling feature of many software products, ironically these products were created with little automation themselves. Even with component design, many software developers must jury-rig component interaction to build a cohesive and functioning software application. It is the equivalent of purchasing an automobile whose parts are connected by bubble gum and paperclips…and we call it an “enterprise application.”

What the software industry needs in general, and the information security industry needs in particular is a revolution in software production, not more software products. Our “concrete” is flawed and producing solution stratification—layers of software over layers of software—is proving especially pernicious; it merely adds complexity to an already mind -boggling complex problem.

Revolutionizing software production will make somebody very, very rich. Michael Dell perfected the process of mass-producing personal computers; we need the same kind of visionary in the software industry who can perfect the interconnection of software components as well as increasing component quality while decreasing component price.

The Internet is truly a remarkable creation. It is the eighth world wonder; far surpassing any of humanity’s previous engineering achievements because of its ability to scale in the face of a burgeoning human population. The Roman aqueducts serviced perhaps one million individuals at its peak. The Great Pyramid of Khufu—for all its grandeur, was designed to service a single pharaoh. In comparison, the Internet can concurrently service billions of individuals and devices, but that service is only superior, if it is secure.

David Rice is Executive Security Advisor with TrustWave Corporation providing technical services, product guidance, thought leadership, and premium security consulting services to TrustWave's respected clientele. Rice is a SANS Institute course author, instructor and editor, has developed and authored several security configuration guides and technical publications, and is adjunct faculty for James Madison University's Information Security Graduate Curriculum.