CACR partners with Internet Civil Engineering Institute

With all the attention on internet vulnerabilities like Heartbleed and Shellshock, few of us are aware of the larger threat. The software underlying the internet's critical functions is decades out of date, and in many cases barely limping along – only thanks to volunteer developers who are short on time and resources. The Center for Applied Cybersecurity Research (CACR) and the Internet Civil Engineering Institute (ICEI) are joining forces to do something about it.

"Open source software makes up a large number of key internet services," says Von Welch, director of CACR. "These services are key in terms of both the internet’s reliability and our security, but are often maintained by small numbers of volunteers."

ICEI formed to address the reality that too much of the internet's infrastructure is supported by too few people. The organization's mission is to support the development and stewardship of reliable, secure, and open source internet infrastructure software. In particular, ICEI focuses on the software underlying the internet's critical functions, modernizing it and future-proofing it by providing developer resources and expertise.

ICEI's deep technical connections and experience securing internet software, combined with CACR's cybersecurity expertise, make for a powerful collaboration to bolster internet security. The two organizations will collaborate on making the internet more secure and more reliable, and in raising financial support through federal grants and other public or private sector support to sustain these efforts. Such funding is crucial to addressing the underlying causes of internet software vulnerabilities: lack of support, professional development, and a maintenance network.

"The skill and manpower crisis in internet infrastructure software is formidable," said Andrew Kirch, chairman of the ICEI board. "CACR's support is invaluable in overcoming these challenges to preserve a reliable, secure, and open internet for everyone. We're happy to be working with CACR."

ICEI and CACR have a rich history of working together. They previously collaborated on a new version of the Network Time Protocol (NTP). Like too much of the internet's infrastructure, NTP was out-of-date and increasingly vulnerable. One part-time person supported the critical time-keeping software, and had lost the root passwords to the machine where the source code was maintained (so it went years without security updates).

Susan Sons, ICEI president/hacker-in-chief and CACR senior systems analyst, led the NTP rescue. Under Sons' leadership, ICEI and CACR took control of the project, overhauled the code, and created a stable organization for ongoing maintenance. The result is a new – meaning robust, secure, stable, and sustainable – version of NTP. (For more, read Cory Doctorow's coverage on Boing Boing.)

Over the next three years, ICEI and CACR will help provide much-needed stability to internet software projects. CACR will support Susan Sons' time to act as ICEI president. Her dual roles as ICEI president/hacker-in-chief and CACR senior systems analyst will help bridge the two organizations. Von Welch will participate in ICEI's leadership meeting. Together, both groups will strive to fundamentally improve the security of the internet, ensuring that its critical software is supported by the necessary workforce with the necessary tools and resources.