David Clark remembers the moment the Internet’s Pandora’s box creaked open and said, “Hello, world.” It was 2 November 1988, and the Morris Worm was slithering its way through cyberspace like a python on speed. Designed with the innocence of a curious grad student and the destruction of a cyber sledgehammer, it crashed some 6,000 machines—roughly one-tenth of the Internet at the time. Not bad for an opening act.

Back then, the network engineers in the room weren’t pondering threats to democracy or ransomware gangs knocking on NHS servers. No, they were earnestly wrestling with TCP packet loss and the excitement of latency reduction. Making things go faster, scale bigger, and connect better. The digital equivalent of building a racetrack and forgetting brakes might be useful.

Security? That was someone else’s problem—possibly yours, dear user. Or no one’s. Because, in the end, crime and aggression were just unfortunate side effects of human nature. Nothing a routing protocol could fix.

Fast-forward to 2023: The Future is on fire

Now the Internet isn’t just carrying cat pictures and unsolicited email about Bitcoin investments. It’s the beating heart of banks, hospitals, water treatment plants, nuclear facilities, airports, toaster ovens, vibrators, and democracy itself. And it’s still riddled with holes large enough to drive a botnet through.

Adversaries seem to be having a field day. Why? Because they enjoy the unfair advantage of focus. They don’t need to get sign-off from Legal, pass ISO audits, or attend quarterly stakeholder alignment meetings about whether a risk register should be colour-coded. No. Attackers just attack.

Meanwhile, defenders are trying to hold the line with one hand while filling out compliance forms with the other and attending a workshop on “Building Synergies Between Cybersecurity and Cross-Sector Regulation”.

The result? Security by duct tape and burnout.

What if we actually designed a secure Internet?

Crazy idea, right?

Thomas Dullien (aka Halvar Flake) and others have poked at this puzzle for years: why, exactly, don’t we just… build a defendable Internet?

Their answer? Follow the money. Incentives are misaligned, upside down, and occasionally wearing a fake moustache. The people with the power to change things don’t have the motivation. The people with the motivation don’t have the power. And the people with both tend to get hired by Google and disappear into a black hole of NDA-bound silence.

By the time Black Hat Europe 2022 rolled around, the answer was clear: A defendable Internet is technically possible, but only with a complete industry makeover.

Right. Just like addressing global inequality, tackling the climate crisis, or getting rid of leaf blowers. Technically possible. Politically hilarious.

Let’s talk about the “Dark Side” (Hint: It’s not just hackers)

People love to talk about the “dark side” of the Internet like it’s a shadowy underworld populated by hoodie-wearing teens and rogue AIs. But the real dark side? It’s the stuff we don’t talk about. The impacts ignored, postponed, or hand-waved away with corporate speak and a slide deck.

Some modest questions, if I may:

  • Are the minds of those who think they’ve “won” the Internet—conquered markets, cornered attention, scaled to infinity—locked into that dopamine loop like a tech billionaire on a serotonin drought?
  • Has short-term thinking become the only thinking? Does “strategic foresight” now mean checking tomorrow’s stock price?
  • Are we pathologically incapable of planning beyond the next breach or shareholder meeting?
  • Is this just another legacy tech problem? You know the one—there’s never time to fix the foundations because the house is always on fire. We’ll upgrade… after the next incident.
  • Why is it so hard to look past the next breach, news cycle, or keynote announcement?
  • And if time can be sliced finer and finer, have we shaved it down to the microsecond? Is our digital world shaped by what fits into a sprint cycle, a click-through, a dopamine hit?

The real question

We ask, “Is a defendable Internet possible?”

The answer, increasingly, sounds like: Sure—just not this one.

Not with this economic system. Not with this incentive structure. Not with “security” defined as the thing you bolt on after the latest zero-day, not as a principle you design for.

So here we are. The defenders are tired. And the attackers are thriving. The Internet is everywhere. And the “dark side” isn’t just malware or misinformation—it’s the systemic inability to do anything meaningfully preventative.

Security theatre is easy. Structural change is not.