testing, 1, 2, 3, oopsie!

Last week, an experiment conducted by Duke University and the European RIPE Network Control Center got a little bit out of hand, interrupting Internet traffic in 60 countries worldwide.  In all, about one percent of Internet traffic was affected by the test gone awry.  One percent of Internet traffic does not sound like a lot – most of that traffic was probably illegal file sharing, lolcats and porn, but what if your Internet based business was affected?  My employer (who shall remain nameless and whose opinions this post does not reflect) is an Internet based business in which the value of each (time sensitive) transaction is probably thousands of times the average for the rest of the net.  We were not affected by the testers’ little oopsie, but had we been, the potential losses would have been significant.  I am sure my company is not the only one in such a situation.

Yes, Cisco did fix the bug which caused this particular outage, but I think that this incident points out some questions that really need to be answered:

Should researchers be conducting experiments on the Internet with potential for widespread negative impact on a shared business resource? If someone ran this type of potentially disruptive testing on my company’s network during business hours, I’d be looking for them to be fired, sued, arrested and forced to listen to this album for the rest of their lives.  Researchers need to realize that the Internet is the planet’s “production network” with no “maintenance window” and that the same best practices we follow in the enterprise (separate test environment, for example) need to be followed when tinkering with its innards.

Had someone experienced significant financial losses due to this experiment, what would its recourse be? No one expects the Internet to be free of glitches and outages, but in this case, a conscious decision was made to do something which could reasonably be expected to cause problems.  Could there be lawsuits here?  Are the researchers exposing their organizations to potentially ginormous liability?  If the damaged party was in, say, Asia, who would have jurisdiction over the case and where would it be tried?

In an era where cyberspace is increasingly recognized as a “battlespace,” could an experiment such as this (on a larger scale) be mistaken for a cyber attack and possibly lead to real world hostilities?

Researchers and governments should take this opportunity to stop and think about the “rules of the road” for the global Internet.  Long ago, we all recognized that the oceans are a common resource and that we need a Law of the Sea to allow us to agree on what is and is not acceptable on the bounding main.  It seems to me that the Internet is the sea of the 21st century and needs a similar set of supranational rules to ensure that it accessible to all.  Are you listening, UN?

Leave a Reply