The internet is fundamentally broken.

The question now is: what can we do? The answer is messy, expensive, and occasionally involves telling very powerful people that their business model is morally questionable.

Accepting the obvious

First, acknowledge the unpleasant truth: there is no quick fix. Security is not a feature to be bolted on after launch; it is a mindset, a discipline, and a budget item that competes poorly with shiny new apps and quarterly profits. Anyone promising a “secure internet in six months” is either deluded, lying, or hoping to sell you a consultancy package. Acceptance, at least, costs nothing.

Building things to last

Historically, we have treated digital infrastructure as ephemeral. IoT devices with permanent vulnerabilities, legacy protocols held together with hope and glue, software libraries maintained by single volunteers with full-time jobs: these are the hallmarks of our civilisation.

To create a defendable internet, we need hardware and software that are patchable, auditable, and resilient. Systems could survive decades, not quarters. Open standards could be the norm, not a marketing slogan. The digital foundations we lay today need to be capable of standing the test of time, and of withstanding the relentless curiosity of people who like poking at things that are not theirs.

Fixing incentives

The internet is a tragedy of incentives. Vendors profit from shipping first, not shipping safely. Users click “accept all” because reading terms and conditions is a form of medieval torture. Governments fund offensive cyber capabilities while hoping resilience will magically appear as a side effect.

Restructuring incentives is essential. Companies could face meaningful consequences for shipping insecure products. Open-source projects that underpin critical systems deserve sustainable funding, not burnout-driven heroics. And security could be a selling point, not an afterthought buried in legalese.

Regulation, but intelligently

Yes, regulation can help, but only if it is clever. GDPR-style fines alone are a weak incentive. Effective regulation would mandate maintenance windows, enforce minimum security standards before shipping, and encourage international cooperation. Cybercrime does not respect borders, so resilience standards should not either.

Of course, resistance will be fierce. Change always meets pushback, especially when it threatens profits or prestige. But maintaining the status quo is a choice, a circus that happens to be on fire.

Humans, realistically

Humans are both the problem and the solution. Users cannot memorise dozens of passwords or navigate cryptic warnings. Organisations cannot assume breaches will never happen. Education can be grounded in reality by making secure choices the default, training people to recognise anomalies rather than panicking over every notification, and embedding security thinking into organisational culture.

Slow, yes. Expensive, perhaps. But much faster than waiting for humans to become rational overnight.

Planning for the inevitable

Even if every one of the above steps succeeds perfectly, breaches will occur. Systems can be designed with compromise in mind. Segmentation, redundancy, rapid detection, and honest post-mortems are all more effective than hoping attacks will never happen. Resilience is about recovery as much as prevention.

Conclusion

Building a defendable internet is unglamorous and will frustrate executives, politicians, and users alike. Yet the alternative, continuing to rely on hope, duct tape, and human error, is simply not tenable.

The path forward is clear if unappealing: design for durability, fix the incentives (reward congruent behaviour), regulate intelligently, educate realistically, and plan for compromise. It will be messy and expensive, and it will require acknowledging that our current internet is, frankly, a glorious mess.

Start taking these steps seriously, and we might finally move from sandcastles on quicksand to structures that actually stand a chance. And that, however slowly, is worth the effort.