Seeing No Evil: Is It Time To Regulate the ISP Industry?

In a mock courthouse earlier this year, the smack of a gavel opened a case for the ages. Behind one bench, the defendants: Internet service providers, on trial for not providing adequate security to their customers. Behind the other bench, the plaintiffs: fictional companies ravaged by distributed denial of service (DDoS) attacks. The jury: hundreds of IT security professionals, packed into a conference room at the Gartner IT Security Summit to watch it all unfold.

The plaintiffs argued that ISPs could do much more to improve security by scanning subscriber computers, monitoring traffic and shutting down suspicious network uses. The defendants claimed that performing such scans would violate user privacy and that it would be impossible to distinguish malicious traffic from legitimate e-mails.

Accusations flew. The plaintiffs equated ISP intransigence to that of a homeowner whose property is dangerous but doesn’t buy a fence to keep others out. In response, the defendants said people should stay away from dangerous property; that safety is a responsibility that falls squarely on the individual. Next, in a rhetorical ploy, defense lawyers asked jurors if any of them would be willing to stay at a hotel that offered Internet access in exchange for the right to scan all computers for security vulnerabilities. Not one member of the audience raised a hand.

Around and around the two sides went, attacking each other like packs of wolves. The interchange got so heated at times that people almost forgot it was fake. Someday soon, however, this scenario could be real. As security threats such as DDoS attacks, identity theft and phishing continue to plague the Internet, ISPs find themselves under increasing pressure from business and consumers to eradicate risks before they get to the end users. Because ISPs control the pipes through which information is delivered, many customers, including CIOs, insist that service providers must play a more active role in securing the traffic that they deliver.

"Right now, all ISPs provide is entry to the Internet, period," says Stephen Warren, CIO of the Federal Trade Commission. "Believe me, it’s in their best interests to get all the crap off their lines."

As Warren implies, the time for action is now. If water utilities can be required by state and local governments to deliver water that is clean and acceptable to drink, why can’t ISPs be required to deliver data that is safe and threat-free? Such requirements would hold ISPs accountable for cleaning up their networks and force them to monitor traffic as it passes through their pipes for maliciousness of all kinds. Regulating ISPs in this way also would relieve at least some of the security burden from CIOs, freeing up more time, money and resources for other areas.

But so far, those types of government regulations and industrywide policies governing ISP security do not yet exist. In part, that’s because ISPs came of age in the Wild West ethos of the Internet, and providers generally have been unwilling to spend the extra money and resources to secure the middle of the information pipe for all of their users. In addition, many ISPs think that if they become security cops or anything more than traffic carriers, they will be legally liable in the event of security breaches. They are also concerned about censorship issues and blocking legitimate e-mails that look like spam.

How valid are these concerns? Should ISP security be regulated much like utilities (and to a lesser extent, the airlines) are now? Are industrywide polices governing security even feasible? These were among the questions that jurors considered as they deliberated over a verdict at the Gartner mock trial. CIOs struggling to secure their own networks must stand among those who consider these questions and look for answers. After all, what’s at stake is the viability of the Internet as a medium for commerce, communication and business connectivity into the 21st century and beyond.

"Security is something that everybody is accountable for—everybody including the ISPs," says Michael Vatis, an attorney at Steptoe & Johnson, a law firm in New York. "There has to be a better way to approach this than how we’re doing it today."

The Wild Wild West

Much of the ISP industry’s unregulated growth can be traced to the Telecommunications Act of 1996, the first major overhaul of telecommunications law in 62 years. The goal of the law was to create a free-market economy in which any single communications company could compete in any marketplace. According to Jonathan Zittrain, cofounder of Harvard Law School’s Berkman Center for Internet and Society, the law and subsequent other FCC rulings opened the way for outfits promising to provide Internet service. All one needed to become an ISP was some cash, a few servers, the bandwidth to host real estate and a marketing plan to bring in customers. David McClure, president and CEO of the U.S. Internet Industry Association, estimates the number of ISPs today to be more than 400.

As ISPs grew helter-skelter, there was very little effort to standardize security on any level. The only real attempt came in 2003, when Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (Can-Spam) Act, which established requirements for sending commercial e-mail, spelled out penalties for spammers and companies whose products are advertised in spam, and gave consumers the right to ask spammers to cease and desist.

The law has been less than successful so far. Ask any CIO about what keeps her up at night and the general answer is security. Since 2003, the number of security threats has skyrocketed, with the typical suspects being viruses, spam, phishing scams and spyware. The new kid on the block, the DDoS attack, complicates matters even more. In this scenario, hackers use computer worms to take over vulnerable computers on corporate networks around the world. Then they tie the computers together through an Internet relay chat (IRC) server called a botnet. Unified as one, the rogues (or zombies, as they’re sometimes called) set their sights on one particular corporate Web server, and simultaneously bombard it with data requests until the burden brings it down. These networks are responsible for 50 percent to 80 percent of all denial of service spam, according to various estimates.

Even among CIOs who spend millions on security, actions to prevent these threats breed nervousness. How do you know your firewall is equipped with the latest intrusion prevention signatures? How do you stop other threats such as viruses and spam? Most important, how do you protect yourself against spyware programs that infect vulnerable endpoints and turn them into zombie computers that launch DDoS attacks upon command? Just when CIOs think they’ve got everything under control, the hackers outsmart them and devise new ways to compromise a network’s security.

"We are constantly bombarded," says Dewitt Latimer, deputy CIO at Notre Dame University, where the challenges of an inherently open academic network have him constantly on edge. "I find myself wishing that ISPs would help us out a little bit, if for no other reason than to eliminate a fraction of the security problems we worry about on a day-to-day basis."

Latimer adds that he assumes anything that is not on a private network is insecure. But what if some of these issues were resolved before traffic ever arrived at the network door? Since all external traffic must, at some point, be transported over the Internet, many CIOs say there’s no better way to secure it than by securing the pipes themselves. Because ISPs serve as the conduit for all traffic into and out of a network, CIOs say these providers should be scanning subscriber computers for viruses, monitoring traffic for active hack attacks, and shutting down suspected network users immediately to protect the safety and sanctity of the connection for everyone else.

Why ISPs Are So Hands-Off

Richi Jennings, an analyst with Ferris Research in San Francisco, says that many ISPs wash their hands of these issues because such security measures are neither cost-effective nor conducive to revenue generation. For ISPs to be successful, they need volume, and resources spent on filtering malware or scanning subscriber computers ultimately affect the bottom line, Jennings says.

A perfect example of this philosophy is the ISP help desk. File a spam complaint with an ISP and Jennings notes it can be days before you receive a response, if you receive one at all. In most cases, he says, the response is automated. Sure, the ISP could be filing complaints away and pursuing them at a later time, but Jennings says that despite recently publicized lawsuits in which ISPs sued spammers for violating the Can-Spam Act and older state laws, most violations fly under the radar, even after they’re reported.

"Rather than expend resources to try and stop all of these threats, most ISPs are taking the opposite approach and doing nothing," Jennings says. "It’s just not a priority."

Kevin Dickey, deputy CIO and CISO for Contra Costa County, Calif., recently experienced this firsthand. After an attempted DDoS attack on the county network, Dickey asked his ISP for incident reporting logs. Though many ISPs keep these logs, Dickey’s did not. So it was very difficult for him to identify and fix the hole the hackers had used to launch the attack (eventually he did patch it). Dickey declines to name the ISP because he says he’s generally happy with it, but admits that the entire experience shocked him into realizing that security wasn’t as much of a priority for the ISP as he had been led to believe.

Lawyers wonder if one reason ISPs shy away from security is a legal one. According to Benjamin Wright, a Dallas attorney who participated in the mock trial and specializes in Internet law, ISPs don’t want to guarantee security because that could conceivably put them at risk for a negligence or invasion of privacy lawsuit. Wright alleges that scanning subscriber computers could violate privacy laws even after the packet leaves the desktop. Also, what happens if an ISP conducts a scan and blocks 100 threats but misses one? Zittrain says that if ISPs start taking responsibility for more than just carrying traffic, they could be making themselves legally liable. No lawsuits have been filed for this kind of negligence so far, but Zittrain says that an ISP knowingly permitting a zombie computer to remain on its network, which then wreaks havoc, could find itself sued. However, he doubts ISPs can be held legally accountable unless they have promised to protect their customers completely. "That’s precisely why they’re not promising complete protection," Zittrain says.

Scanning isn’t the only legal quagmire. Even if ISPs could scan all incoming e-mail, it’s nearly impossible for them to distinguish between, for example, a computer being used in a DDoS attack and legitimate Internet traffic such as the Weatherbug, which automatically checks National Weather Service servers every five minutes for regional weather updates. And just as ISPs can get themselves into hot water for blocking legitimate e-mail from a network, Zittrain says, they also can cause trouble when they are overzealous in monitoring legitimate e-mail going out of a network.

"If a customer is sending out 25 messages a day and suddenly blasts 500, that’s a red light that maybe they have a spam zombie in place," says Don Blumenthal, Internet Lab Coordinator at the FTC. "Of course it also might be that the customer has just become [Parent-Teacher Association] president and is using his work computer to send out some personal e-mails. You just never know."

Down the road, perhaps the biggest security challenge could come from the increased use of encryption. For instance, Vista, the new Microsoft operating system that is expected to debut next year, streamlines point-to-point encryption across the Internet. As a result, ISPs and security vendors alike may have trouble determining which e-mail packets are legitimate and which are malicious, possibly giving hackers unmitigated opportunities to wreak havoc everywhere.

The ISPs say it’s not as if they don’t care about security. But because they operate in a free-market economy, the decision to provide security is one each provider makes individually. America Online, Comcast, EarthLink and SBC—the four largest ISPs by number of subscribers, according to a June 2005 market report from JupiterResearch—all provide users with some rudimentary security services in the form of standard e-mail filtering and antispyware protection. EarthLink, SBC and some other ISPs also attempt to prevent virus and worm outbreaks by blocking traffic through Port 25, the server port used for simple mail transfer protocol, or SMTP, transmissions. (For more on how this works, read "The First Line of Defense" on Page 70.) Many other ISPs provide additional security to specific corporate customers at extra cost. And then there are those ISPs that don’t bother with security at all.

1 2 Page 1
Page 1 of 2
Download CIO's Winter 2021 digital issue: Supercharging IT innovation