But so far, those types of government regulations and industrywide policies governing ISP security do not yet exist. In part, that’s because ISPs came of age in the Wild West ethos of the Internet, and providers generally have been unwilling to spend the extra money and resources to secure the middle of the information pipe for all of their users. In addition, many ISPs think that if they become security cops or anything more than traffic carriers, they will be legally liable in the event of security breaches. They are also concerned about censorship issues and blocking legitimate e-mails that look like spam.

How valid are these concerns? Should ISP security be regulated much like utilities (and to a lesser extent, the airlines) are now? Are industrywide polices governing security even feasible? These were among the questions that jurors considered as they deliberated over a verdict at the Gartner mock trial. CIOs struggling to secure their own networks must stand among those who consider these questions and look for answers. After all, what’s at stake is the viability of the Internet as a medium for commerce, communication and business connectivity into the 21st century and beyond.

"Security is something that everybody is accountable for—everybody including the ISPs," says Michael Vatis, an attorney at Steptoe & Johnson, a law firm in New York. "There has to be a better way to approach this than how we’re doing it today."

The Wild Wild West

Much of the ISP industry’s unregulated growth can be traced to the Telecommunications Act of 1996, the first major overhaul of telecommunications law in 62 years. The goal of the law was to create a free-market economy in which any single communications company could compete in any marketplace. According to Jonathan Zittrain, cofounder of Harvard Law School’s Berkman Center for Internet and Society, the law and subsequent other FCC rulings opened the way for outfits promising to provide Internet service. All one needed to become an ISP was some cash, a few servers, the bandwidth to host real estate and a marketing plan to bring in customers. David McClure, president and CEO of the U.S. Internet Industry Association, estimates the number of ISPs today to be more than 400.

As ISPs grew helter-skelter, there was very little effort to standardize security on any level. The only real attempt came in 2003, when Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (Can-Spam) Act, which established requirements for sending commercial e-mail, spelled out penalties for spammers and companies whose products are advertised in spam, and gave consumers the right to ask spammers to cease and desist.