Google+

BBC Future

In Depth

The internet’s weakest links

About the author

John Pavlus is an award-winning filmmaker and writer focusing on science, technology and design topics. His work has appeared in Scientific American, Technology Review, Wired, National Public Radio, Nature Publishing Group, The New York Times Magazine, Fast Company, and elsewhere. He lives in Brooklyn, NY. 

The internet’s weakest links

(Copyright: Thinkstock)

If you think the most vulnerable regions are autocratic regimes or civil war zones, think again. Many countries or regions are at severe risk of disconnection. Here's why.

How many phone calls does it take to kill the internet? It seems like an odd question to ask about a network once thought to be strong enough to withstand a nuclear attack. However, first-strike mushroom clouds aren’t the biggest threat to the internet anymore. Just ask the citizens of Libya, Egypt and Syria: nations whose connections have been recently severed, albeit temporarily.

But if you think that the internet’s most vulnerable regions correspond to autocratic regimes or civil war zones, think again. Following the Syrian blackout in late 2012, Renesys, a consultancy that specialises in monitoring and mitigating risks to connectivity, created a map ranking every country’s "risk of internet disconnection". They found resilience has little to do with the presence or absence of jackbooted thugs: Belarus is at "significant risk" of internet disconnection, while China – which blacked out the entire province of Xinjiang for ten months in 2009 and 2010 – is rated at "low risk".

How can this be? Renesys simplified the question of global internet resilience by tracking one metric: the number of so-called "frontier" internet service providers (ISPs) that a country has. A frontier ISP is one that maintains connections or gateways to the global internet at large, not just to its own domestic network. "Not all ISPs have or need connections to the outside world," says Jim Cowie, chief technology officer and co-founder of Renesys. "Comcast, for example, only sells internet service in the United States."

It's this number of international gateways, then, that captures how difficult it would be to snuff out a country's internet pulse. Disable them, and the global web goes dark. The more gateways there are, the more difficult it will be to neutralise all of them.

Even sophisticated, highly networked countries can be at risk of a blackout if their digital frontier has a paucity of global connections. "Iran is a good example of this," says Cowie. "Iran was one of the countries that came to networking really early – they have nearly 100 ISPs all over the country. But very few [of those] are internationally connected ISPs by design." Renesys's map places Iran in the "significant risk" category, one of 72 countries and territories with "fewer than 10 service providers at [the] international frontier."

One advantage in using frontier ISPs as a proxy for internet resilience is that it cuts through any biases from news reports about blackouts in developing world nations. "It doesn't matter whether the damage comes from politics or war or a meteor strike hitting the wrong building," Cowie says. "Vulnerable is vulnerable." Any country with just one or two connections to the global internet has a clear point of failure. By this measure, Syria and Libya are as much at "severe risk" of disconnection as Greenland.

‘Leaky bucket’

But mere physical connections don't paint a full picture of a country's disconnection risk. Outside of a massive solar flare or electromagnetic pulse, unplugging a country from the global web may be an organisational problem more than anything else.

Would you expect Afghanistan, sundered by war for decades, to be at less risk than its relatively stable neighbour Iran? Probably not, but it is as likely to lose the internet as India, the world's largest democracy. It turns out that the very circumstances that make Afghanistan a near-failed state – regional fragmentation and a central government unable to control local warlords – also make it impossible for Kabul to systematically clamp down on Afghanistan's motley hodgepodge of globally-connected ISPs, which are powered by "various satellite providers, as well as by Uzbek, Iranian, and Pakistani terrestrial transit," according to Renesys.

This organisational inertia is also what makes Renesys deem China at "low risk" of internet cutoff. Beijing's autocrats would have to make too many phone calls to too many frontier ISPs across their vast domain, says Cowie, to make a bona fide internet blackout very practical. And that's just the official global connections. "There are a lot of independent, unlicensed connections; foreign companies [doing business in China] have VPNs" that connect them to their home countries, Cowie says. "I'd have to believe it'd be a leaky bucket."

Not everyone agrees with Renesys's sanguine assessment of China's disconnection risk. "It doesn't seem to be accurate," says Adam Segal, an expert on Chinese technology and cybersecurity at the Council on Foreign Relations. "Given everything we know, there's no reason to believe the [Chinese] ISPs wouldn't fall into line if the government said to shut down."

Segal cites the blackouts in Xinjiang and Tibet as evidence of China's ability to flex its organisational muscle over its frontier internet connections. Chinese ISPs are already accustomed to constantly filtering and censoring all global web traffic; "they know that if they don't do it, they won't be in business any longer," Segal says. "Unless society has completely broken down there, it's hard to imagine that a company would balk [at a cutoff order]." So while it might take a lot of phone calls to cut China off from the web, those calls could go through rather quickly.

What's more, the result probably wouldn't even look like a blackout at first. "The Chinese don't want to be considered in the same category as Syria and Egypt," Segal explains. "They have to maintain a story to their users that they have an open internet, so what they get instead are incredibly slow load times. They very rarely will get blocked."

Postcode problem

The organisational nature of resilience extends into the purely digital realm, as well. After all, at its most fundamental level, the internet is just information: a set of open, mutually agreed-upon standards called TCP/IP. Those protocols connect the "autonomous systems" that make up the so-called "network of networks" we call the global internet. This is made up of tens of thousands of these autonomous systems; countries have them, and so do large organisations and companies. "If IP addresses are like street numbers for individual computers, autonomous systems are a bit like postcodes," explains John Graham-Cumming, an author, programmer and cybersecurity expert at Cloudflare. "They are how one network says to another, 'I am the place to go if you want to reach Belarus, or the BBC."

In the case of Belarus – the only country in Europe marked "at significant risk" of internet disconnection according to Renesys – "there is a single 'postcode', controlled by a state-owned telecom company, that connects to the rest of the world," says Graham-Cumming. "If you had control of that, you could cut the country off." These "postcodes" aren't secret, either – the internet wouldn't work if they were. Belarus's is 6697.

To the other autonomous systems and routers connecting the global internet, this single four-digit number represents Belarus's entire existence. And removing it would be trivial, says Graham-Cumming: "You'd go to the telecom company, and a command would be typed into the routers, saying 6697 doesn't exist anymore, or that it's empty. Because the internet operates by cooperation, the other routers would say, 'OK, thanks for the update.' And you'd be gone."

Much like a neutron bomb wiping out life while preserving physical property, neutralising an autonomous system's address can "delete" portions of the internet without making costly or irreversible changes to network infrastructure. "If any country wants to cut [itself] off, it's all done on the command line, and you can leave it all running," Graham-Cumming says. He suspects this is what happened in Syria – although, as Jim Cowie adds, "we won't know for sure until the war's over and we can talk to the network engineers."

Which brings us to a mirror version of the question posed at the beginning: how many phone calls would it take to strengthen the internet? In the case of Bahrain, a tiny island monarchy in the Persian Gulf, it took several decades. "For many years they had a single telephone company largely owned by the government," says Cowie. "But they wanted to become the financial centre of the Gulf, so they started a 30-year plan to open up the ISP market and bring in as many competitors as they could."

Today, Cowie says, Bahrain has "about 10 providers that can all connect to international ISPs." That's not anywhere as resilient as the United States or United Kingdom, but it is enough to put Bahrain at "low risk" of internet disconnection alongside India, China, Mexico and New Zealand.

In Africa, where much of the continent is at severe risk of disconnection, similar network robustness could develop even faster. "Africa is the fastest-growing continent in terms of internet presence: more autonomous systems are joining every year, and countries that once only had satellite connections [to the global internet] are investing in fibre-optic cables," says Cowie.

In another 30 years, will a world map of internet resilience show every country at low risk? That's about as likely as world peace breaking out. But knowing how many phone calls it would take to kill the web – and where – can at least help point out where this "network of networks" still needs more shoring up.

If you would like to comment on this article or anything else you have seen on Future, head over to our Facebook page or message us on Twitter.

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.