Such a policy would emphasize support for universal end-to-end encryption tools such as secure web browsing. A website is delivered securely when that site’s address starts with “https”—the ‘s’ stands for secure—and your browser puts a lock or key icon next to the address. Browsers can load and display secure pages, guaranteeing that while the pages are in transit from server to user, the pages remain confidential and are protected from tampering, and that the user’s browser verifies that the server is not an impostor. At present, secure browsing is underused and underfunded, leading to troubling security lapses. A notorious example is the Heartbleed bug, disclosed in April of 2014. Heartbleed allowed attackers to reach out across the Internet and extract the contents of a computer’s memory, including encryption keys, passwords, and private information. Two-thirds of the websites on the Internet were vulnerable, along with countless computers embedded in cars, wireless routers, home appliances, and other equipment. Because exploitation via Heartbleed usually did not leave a record, the full consequences of Heartbleed will almost certainly never be known. All of this was due to a single programming error in a software package called OpenSSL, which is used by the majority of websites that provide secure pages. By any measure, OpenSSL is a core piece of our cyber infrastructure. Yet it has been maintained by a very small team of developers—in the words of one journalist, “two guys named Steve”—and the foundation supporting it never had a budget reaching even $1 million per year. Despite its central role in web security, OpenSSL had never undergone a careful security audit.
Matthew Green, a cryptographer at Johns Hopkins University and an outspoken critic of OpenSSL, said after Heartbleed that “the OpenSSL Foundation has some very devoted people, it just doesn’t have enough of them, and it can’t afford enough of them.” Since the Heartbleed attack, a consortium of companies, including some of the biggest names in the Internet business, pledged contributions of a few million dollars to start the Core Infrastructure Initiative (CII), a grant-making process for security audits of important infrastructure components like OpenSSL. CII’s budget of a few million dollars is nowhere near the few hundred million now devoted to the NSA’s SIGINT Enabling program, but it is a start. A more proactive government policy would provide ample funding for security audits. By leaving OpenSSL to its own devices, government perpetuates the status quo and implicitly rejects a protect-first strategy.[7]
Starter Pack – SIEP Affirmative – UTNIF 2015

Advantage 2—Internet Freedom

The U.S. is transferring ICANN operations to a global multistakeholder organization. Concerns about the NSA give the perception of impropriety and will blunder the transition, causing nationalized internets.