Meet the Seven People Who Hold the Keys to Worldwide Internet Security

It sounds like the stuff of science fiction: seven keys, held by individuals from all over the world, that together control security at the core of the web. The reality is rather closer to The Office than The Matrix

James Ball

In a nondescript industrial estate in El Segundo, a boxy suburb in northern Los Angeles just a mile or two from LAX international airport, 20 people wait in a windowless canteen for a ceremony to begin. Outside, the sun is shining on an unseasonably warm February day; inside, the only light comes from the glare of halogen bulbs.

There is a strange mix of accents — predominantly American, but smatterings of Swedish, Russian, Spanish and Portuguese can be heard around the room, as men and women (but mostly men) chat over pepperoni pizza and 75-cent vending machine soda. In the corner, an Asteroids arcade machine blares out tinny music and flashing lights.

It might be a fairly typical office scene, were it not for the extraordinary security procedures that everyone in this room has had to complete just to get here, the sort of measures normally reserved for nuclear launch codes or presidential visits. The reason we are all here sounds like the stuff of science fiction, or the plot of a new Tom Cruise franchise: the ceremony we are about to witness sees the coming together of a group of people, from all over the world, who each hold a key to theinternet. Together, their keys create a master key, which in turn controls one of the central security measures at the core of the web. Rumours about the power of these keyholders abound: could their key switch off the internet? Or, if someone somehow managed to bring the whole system down, could they turn it on again?

The keyholders have been meeting four times a year, twice on the east coast of the US and twice here on the west, since 2010. Gaining access to their inner sanctum isn’t easy, but last month I was invited along to watch the ceremony and meet some of the keyholders — a select group of security experts from around the world. All have long backgrounds in internet security and work for various international institutions. They were chosen for their geographical spread as well as their experience — no one country is allowed to have too many keyholders. They travel to the ceremony at their own, or their employer’s, expense.

What these men and women control is the system at the heart of the web: the domain name system, or DNS. This is the internet’s version of a telephone directory — a series of registers linking web addresses to a series of numbers, called IP addresses. Without these addresses, you would need to know a long sequence of numbers for every site you wanted to visit. To get to the Guardian, for instance, you’d have to enter “77.91.251.10” instead of theguardian.com.

The master key is part of a new global effort to make the whole domain name system secure and the internet safer: every time the keyholders meet, they are verifying that each entry in these online “phone books” is authentic. This prevents a proliferation of fake web addresses which could lead people to malicious sites, used to hack computers or steal credit card details.

The east and west coast ceremonies each have seven keyholders, with a further seven people around the world who could access a last-resort measure to reconstruct the system if something calamitous were to happen. Each of the 14 primary keyholders owns a traditional metal key to a safety deposit box, which in turn contains a smartcard, which in turn activates a machine that creates a new master key. The backup keyholders have something a bit different: smartcards that contain a fragment of code needed to build a replacement key-generating machine. Once a year, these shadow holders send the organisation that runs the system — the Internet Corporation for Assigned Names and Numbers (Icann) — a photograph of themselves with that day’s newspaper and their key, to verify that all is well.

The fact that the US-based, not-for-profit organisation Icann — rather than a government or an international body — has one of the biggest jobs in maintaining global internet security has inevitably come in for criticism. Today’s occasionally over-the-top ceremony (streamed live on Icann’s website) is intended to prove how seriously they are taking this responsibility. It’s one part The Matrix (the tech and security stuff) to two parts The Office (pretty much everything else).

Read the full article at the Guardian.