The system works so well, it’s taken for granted. But it’s not diverse, and that’s where the vulnerability lies

The Great Famine that ravaged Ireland in the mid-1800s was due partly to an overreliance on one kind of crop (the Irish Lumper potato). When this varietal was devastated by infestations of Phytophthora infestans, widespread famine followed, and a million Irish perished.

The lesson? Where there’s lack of diversity, there’s vulnerability — and very bad things can happen.

Fast forward to 2017 and our global, always connected internet. At first glance, the internet appears extraordinarily diverse: billions of computers and mobile devices, connected through myriad systems and servers, with even larger numbers of Internet of Things (IoT) devices expected to be added within the next few years.

But one crucial part of the internet’s infrastructure, the Domain Name System (DNS), isn’t diverse — and that keeps me up at night. To me, this is our modern Irish Lumper potato.

DNS is the phone book of the internet: it translates the name you type into a web address into the numeric address your device actually connects to. And it works so well that it's easily taken for granted. In most deployments it's also the same de facto standard open-source software doing the translating. That ubiquity creates a system-wide vulnerability: a bug in the common code is a bug in nearly every name server at once.

As applied to DNS, diversity means making sure these mission-critical services aren't all the same type, aren't all the same kind of "potato." The word that matters is implementation: two BIND servers on different operating systems and different hardware still share every BIND bug. By running a mix of DNS server implementations, on different operating systems and different hardware, the DNS infrastructure becomes less susceptible to a single software bug or a man-made attack aimed at one of them.

In May, the CEO of messaging app Telegram took to Twitter to call out GoDaddy for DNS issues that blocked usage of Telegram services for more than an hour. I do understand the frustration over the extended downtime. But what I hope is that we, in the communications industry, take the time to be more proactive in protecting our common vulnerabilities.

BIND’s success is its weakness


App store protection aside, carriers and hosting companies, especially, should use diversity to protect themselves (and the rest of us). Take the widely deployed BIND DNS software, an open-source system that represents more than 80% of the world's DNS servers and is used in most commercial DNS appliances. (The name is an acronym for Berkeley Internet Name Domain; the software originated at the University of California, Berkeley.) BIND is so successful at doing its job that it is used by, well, everyone, and that is exactly what makes it an especially attractive target for attackers: one exploitable flaw reaches most of the world's name servers at the same time.

Many managed providers and telecom companies, too, including some of the largest mobile and terrestrial network providers in the world, run BIND or BIND-based derivatives. Some are 100% BIND; others are 50%. I'm guessing many CEOs at these companies don't even know their networks are vulnerable.
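Whether a fleet is "100% BIND" is something an operator can measure rather than guess. The script below is an added example, not code from the original article or from any of the companies it mentions: it hand-builds the classic fingerprinting query (a TXT record for `version.bind` in the CHAOS class), parses the reply, and tallies implementations across a set of name servers so a monoculture shows up as a number. The server names (`ns1.example.net` and so on) and the reply packets are constructed fixtures, not captured traffic, and the rule that a bare version string such as `9.16.1-Ubuntu` means BIND is a heuristic assumption.

```python
"""Inventory which DNS software a fleet of name servers runs.

Added example, not code from the original article: builds the classic
fingerprinting query (TXT for version.bind in the CHAOS class), parses the
reply, and tallies implementations so a monoculture shows as a number.
Server names and reply packets below are constructed fixtures.
"""
from __future__ import annotations

import struct
from collections import Counter

TXID = 0x1234
QTYPE_TXT, QCLASS_CH = 16, 3

def build_version_query(txid: int = TXID) -> bytes:
    """Standard query with RD=0: QNAME=version.bind QTYPE=TXT QCLASS=CH."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer is two bytes
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def parse_version_reply(msg: bytes, txid: int = TXID) -> str | None:
    """TXT banner from the reply, or None if the server refused or hid it."""
    rx_id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rx_id != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0 or an == 0:  # RCODE != NOERROR or no answers
        return None
    off = 12
    for _ in range(qd):                 # skip the echoed question
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            parts, i = [], 0
            while i < len(rdata):       # TXT rdata: sequence of <len><chars>
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
            return "".join(parts)
    return None

def classify(banner: str | None) -> str:
    """Banner -> family (heuristic; assumption: BIND reports a bare version string unless overridden)."""
    if banner is None:
        return "hidden/unknown"
    b = banner.lower()
    for needle, family in (("unbound", "Unbound"), ("powerdns", "PowerDNS"),
                           ("knot", "Knot"), ("nsd", "NSD"), ("dnsmasq", "dnsmasq")):
        if needle in b:
            return family
    return "BIND" if "bind" in b or b[:1].isdigit() else "other"

def diversity_report(replies: dict[str, bytes]) -> Counter:
    """Count servers per implementation family."""
    return Counter(classify(parse_version_reply(r)) for r in replies.values())

def monoculture(report: Counter, threshold: float = 0.5) -> str | None:
    """Family serving more than `threshold` of the fleet, else None."""
    family, n = report.most_common(1)[0]
    return family if n / sum(report.values()) > threshold else None

def _fixture_reply(banner: str | None, txid: int = TXID) -> bytes:
    """Constructed reply: REFUSED if banner is None, else one CH TXT record."""
    question = build_version_query(txid)[12:]
    if banner is None:
        return struct.pack(">HHHHHH", txid, 0x8005, 1, 0, 0, 0) + question  # QR, RCODE=5
    txt = bytes([len(banner)]) + banner.encode()
    rr = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0) + question + rr  # QR, AA

# Constructed fleet: three BIND servers, one Unbound, one that hides its banner.
SAMPLE_FLEET = {
    "ns1.example.net": _fixture_reply("9.16.1-Ubuntu"),
    "ns2.example.net": _fixture_reply("9.11.4-P2-RedHat-9.11.4-26.P2.el7"),
    "ns3.example.net": _fixture_reply("9.18.12"),
    "ns4.example.net": _fixture_reply("unbound 1.13.1"),
    "ns5.example.net": _fixture_reply(None),
}

if __name__ == "__main__":
    report = diversity_report(SAMPLE_FLEET)
    for family, n in report.most_common():
        print(f"{family:15s} {n}")
    print("dominant implementation:", monoculture(report))
```

Against live servers the same question is what `dig @ns1.example.net version.bind CH TXT` asks; the packet builder above is only there to show what goes on the wire. Two caveats for anyone running this as an audit. First, many operators hide the banner (BIND's `version "none";` option, Unbound's `hide-version: yes`), so every "hidden/unknown" entry needs an answer from configuration management rather than from the network, and a rebranded BIND-based appliance may not say "BIND" at all. Second, hiding the banner changes nothing about the exposure; it only hides it from this check. The number the report produces is the share of the fleet that a single implementation bug would take down, which is the figure the diversity argument above turns on.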

This goes far beyond Netflix streaming your favorite movie or your email working on your smartphone. Consider how much of our economy — transportation, health care, financial services — relies on the internet working as expected. Nothing works over the internet without DNS: no web access, instant messaging, email or voice over IP.

It seems to me that there’s a conversation to be had across the communications sector in particular (the upcoming Mobile World Congress Americas would be a good time, perhaps) about common exposures in our system as a whole. These issues, seen by each company as a minimal risk, create a catastrophic risk to the ecosystem at large.

I’m not trying to be apocalyptic here. There’s probably enough redundancy and scale to the infrastructure of the internet that it would be difficult to write an exploit that could take it all down, wholesale.

But I do think we’re more fragile than we would like to admit. The lack of DNS diversity is one of those fundamental vulnerabilities that we need to address.