In a mock courthouse earlier this year, the smack of a gavel opened a case for the ages. Behind one bench, the defendants: Internet service providers, on trial for not providing adequate security to their customers. Behind the other bench, the plaintiffs: fictional companies ravaged by distributed denial of service (DDoS) attacks. The jury: hundreds of IT security professionals, packed into a conference room at the Gartner IT Security Summit to watch it all unfold.
The plaintiffs argued that ISPs could do much more to improve security by scanning subscriber computers, monitoring traffic and shutting down suspicious network uses. The defendants claimed that performing such scans would violate user privacy and that it would be impossible to distinguish malicious traffic from legitimate e-mails.
Accusations flew. The plaintiffs equated ISP intransigence to that of a homeowner whose property is dangerous but doesn’t buy a fence to keep others out. In response, the defendants said people should stay away from dangerous property; that safety is a responsibility that falls squarely on the individual. Next, in a rhetorical ploy, defense lawyers asked jurors if any of them would be willing to stay at a hotel that offered Internet access in exchange for the right to scan all computers for security vulnerabilities. Not one member of the audience raised a hand.
Around and around the two sides went, attacking each other like packs of wolves. The interchange got so heated at times that people almost forgot it was fake. Someday soon, however, this scenario could be real. As security threats such as DDoS attacks, identity theft and phishing continue to plague the Internet, ISPs find themselves under increasing pressure from business and consumers to eradicate risks before they get to the end users. Because ISPs control the pipes through which information is delivered, many customers, including CIOs, insist that service providers must play a more active role in securing the traffic that they deliver.
“Right now, all ISPs provide is entry to the Internet, period,” says Stephen Warren, CIO of the Federal Trade Commission. “Believe me, it’s in their best interests to get all the crap off their lines.”
As Warren implies, the time for action is now. If water utilities can be required by state and local governments to deliver water that is clean and acceptable to drink, why can’t ISPs be required to deliver data that is safe and threat-free? Such requirements would hold ISPs accountable for cleaning up their networks and force them to monitor traffic as it passes through their pipes for maliciousness of all kinds. Regulating ISPs in this way also would relieve at least some of the security burden from CIOs, freeing up more time, money and resources for other areas.
But so far, those types of government regulations and industrywide policies governing ISP security do not yet exist. In part, that’s because ISPs came of age in the Wild West ethos of the Internet, and providers generally have been unwilling to spend the extra money and resources to secure the middle of the information pipe for all of their users. In addition, many ISPs think that if they become security cops or anything more than traffic carriers, they will be legally liable in the event of security breaches. They are also concerned about censorship issues and blocking legitimate e-mails that look like spam.
How valid are these concerns? Should ISP security be regulated much like utilities (and to a lesser extent, the airlines) are now? Are industrywide polices governing security even feasible? These were among the questions that jurors considered as they deliberated over a verdict at the Gartner mock trial. CIOs struggling to secure their own networks must stand among those who consider these questions and look for answers. After all, what’s at stake is the viability of the Internet as a medium for commerce, communication and business connectivity into the 21st century and beyond.
“Security is something that everybody is accountable for—everybody including the ISPs,” says Michael Vatis, an attorney at Steptoe & Johnson, a law firm in New York. “There has to be a better way to approach this than how we’re doing it today.”
The Wild Wild West
Much of the ISP industry’s unregulated growth can be traced to the Telecommunications Act of 1996, the first major overhaul of telecommunications law in 62 years. The goal of the law was to create a free-market economy in which any single communications company could compete in any marketplace. According to Jonathan Zittrain, cofounder of Harvard Law School’s Berkman Center for Internet and Society, the law and subsequent other FCC rulings opened the way for outfits promising to provide Internet service. All one needed to become an ISP was some cash, a few servers, the bandwidth to host real estate and a marketing plan to bring in customers. David McClure, president and CEO of the U.S. Internet Industry Association, estimates the number of ISPs today to be more than 400.
As ISPs grew helter-skelter, there was very little effort to standardize security on any level. The only real attempt came in 2003, when Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (Can-Spam) Act, which established requirements for sending commercial e-mail, spelled out penalties for spammers and companies whose products are advertised in spam, and gave consumers the right to ask spammers to cease and desist.
The law has been less than successful so far. Ask any CIO about what keeps her up at night and the general answer is security. Since 2003, the number of security threats has skyrocketed, with the typical suspects being viruses, spam, phishing scams and spyware. The new kid on the block, the DDoS attack, complicates matters even more. In this scenario, hackers use computer worms to take over vulnerable computers on corporate networks around the world. Then they tie the computers together through an Internet relay chat (IRC) server called a botnet. Unified as one, the rogues (or zombies, as they’re sometimes called) set their sights on one particular corporate Web server, and simultaneously bombard it with data requests until the burden brings it down. These networks are responsible for 50 percent to 80 percent of all denial of service spam, according to various estimates.
Even among CIOs who spend millions on security, actions to prevent these threats breed nervousness. How do you know your firewall is equipped with the latest intrusion prevention signatures? How do you stop other threats such as viruses and spam? Most important, how do you protect yourself against spyware programs that infect vulnerable endpoints and turn them into zombie computers that launch DDoS attacks upon command? Just when CIOs think they’ve got everything under control, the hackers outsmart them and devise new ways to compromise a network’s security.
“We are constantly bombarded,” says Dewitt Latimer, deputy CIO at Notre Dame University, where the challenges of an inherently open academic network have him constantly on edge. “I find myself wishing that ISPs would help us out a little bit, if for no other reason than to eliminate a fraction of the security problems we worry about on a day-to-day basis.”
Latimer adds that he assumes anything that is not on a private network is insecure. But what if some of these issues were resolved before traffic ever arrived at the network door? Since all external traffic must, at some point, be transported over the Internet, many CIOs say there’s no better way to secure it than by securing the pipes themselves. Because ISPs serve as the conduit for all traffic into and out of a network, CIOs say these providers should be scanning subscriber computers for viruses, monitoring traffic for active hack attacks, and shutting down suspected network users immediately to protect the safety and sanctity of the connection for everyone else.
Why ISPs Are So Hands-Off
Richi Jennings, an analyst with Ferris Research in San Francisco, says that many ISPs wash their hands of these issues because such security measures are neither cost-effective nor conducive to revenue generation. For ISPs to be successful, they need volume, and resources spent on filtering malware or scanning subscriber computers ultimately affect the bottom line, Jennings says.
A perfect example of this philosophy is the ISP help desk. File a spam complaint with an ISP and Jennings notes it can be days before you receive a response, if you receive one at all. In most cases, he says, the response is automated. Sure, the ISP could be filing complaints away and pursuing them at a later time, but Jennings says that despite recently publicized lawsuits in which ISPs sued spammers for violating the Can-Spam Act and older state laws, most violations fly under the radar, even after they’re reported.
“Rather than expend resources to try and stop all of these threats, most ISPs are taking the opposite approach and doing nothing,” Jennings says. “It’s just not a priority.”
Kevin Dickey, deputy CIO and CISO for Contra Costa County, Calif., recently experienced this firsthand. After an attempted DDoS attack on the county network, Dickey asked his ISP for incident reporting logs. Though many ISPs keep these logs, Dickey’s did not. So it was very difficult for him to identify and fix the hole the hackers had used to launch the attack (eventually he did patch it). Dickey declines to name the ISP because he says he’s generally happy with it, but admits that the entire experience shocked him into realizing that security wasn’t as much of a priority for the ISP as he had been led to believe.
Lawyers wonder if one reason ISPs shy away from security is a legal one. According to Benjamin Wright, a Dallas attorney who participated in the mock trial and specializes in Internet law, ISPs don’t want to guarantee security because that could conceivably put them at risk for a negligence or invasion of privacy lawsuit. Wright alleges that scanning subscriber computers could violate privacy laws even after the packet leaves the desktop. Also, what happens if an ISP conducts a scan and blocks 100 threats but misses one? Zittrain says that if ISPs start taking responsibility for more than just carrying traffic, they could be making themselves legally liable. No lawsuits have been filed for this kind of negligence so far, but Zittrain says that an ISP knowingly permitting a zombie computer to remain on its network, which then wreaks havoc, could find itself sued. However, he doubts ISPs can be held legally accountable unless they have promised to protect their customers completely. “That’s precisely why they’re not promising complete protection,” Zittrain says.
Scanning isn’t the only legal quagmire. Even if ISPs could scan all incoming e-mail, it’s nearly impossible for them to distinguish between, for example, a computer being used in a DDoS attack and legitimate Internet traffic such as the Weatherbug, which automatically checks National Weather Service servers every five minutes for regional weather updates. And just as ISPs can get themselves into hot water for blocking legitimate e-mail from a network, Zittrain says, they also can cause trouble when they are overzealous in monitoring legitimate e-mail going out of a network.
“If a customer is sending out 25 messages a day and suddenly blasts 500, that’s a red light that maybe they have a spam zombie in place,” says Don Blumenthal, Internet Lab Coordinator at the FTC. “Of course it also might be that the customer has just become [Parent-Teacher Association] president and is using his work computer to send out some personal e-mails. You just never know.”
Down the road, perhaps the biggest security challenge could come from the increased use of encryption. For instance, Vista, the new Microsoft operating system that is expected to debut next year, streamlines point-to-point encryption across the Internet. As a result, ISPs and security vendors alike may have trouble determining which e-mail packets are legitimate and which are malicious, possibly giving hackers unmitigated opportunities to wreak havoc everywhere.
The ISPs say it’s not as if they don’t care about security. But because they operate in a free-market economy, the decision to provide security is one each provider makes individually. America Online, Comcast, EarthLink and SBC—the four largest ISPs by number of subscribers, according to a June 2005 market report from JupiterResearch—all provide users with some rudimentary security services in the form of standard e-mail filtering and antispyware protection. EarthLink, SBC and some other ISPs also attempt to prevent virus and worm outbreaks by blocking traffic through Port 25, the server port used for simple mail transfer protocol, or SMTP, transmissions. (For more on how this works, read “The First Line of Defense” on Page 70.) Many other ISPs provide additional security to specific corporate customers at extra cost. And then there are those ISPs that don’t bother with security at all.
ISP executives say a more standardized approach to security would be cost-prohibitive—and it might not be what their business customers want anyway. “When you’re dealing with security, there’s simply too much at stake for us to offer a one-size-fits-all solution that works for everybody,” says Stan Barber, vice president of engineering operations for Verio, an ISP and a subsidiary of NTT Communications. “What’s important for one company might not be important for another, and we need features that can scale.”
You don’t need to be a mathematician to see that this patchwork coverage puts everyone at risk. With bits and bytes traveling from one ISP’s network to another, who’s to say that a security threat stopped by one ISP filter won’t escape another network that
doesn’t filter or does it inadequately? Gregg Mastoras, senior security analyst for North America with the network security solutions provider Sophos, says that once a threat gets past one ISP, it essentially has gotten past them all. Mastoras adds that since information on the Internet knows no borders, everyone is at risk. If the security that ISPs currently offer is really as good as they say it is, this
wouldn’t be a problem. Yet one just needs to look at the news today to know that corporations are getting hit hard by all manners of malfeasant code. The problem, says Mastoras, is that nothing exists to standardize security across the ISP industry, making everyone in the industry susceptible to the lowest common denominator.
How to Protect Yourself in the OK Corral
ISPs may not be able to get away with this free-market approach for long, if only because pressure from government, industry and consumer groups is growing. This May, the FTC said it would soon ask ISPs to make sure that their customers’ computers haven’t been hijacked by spammers with plans to create botnets. Though ISPs are not required to comply, the FTC suggested that service providers should identify computers on their networks that are sending out large amounts of e-mail and quarantine them if they are found to be zombies. One final recommendation from the FTC: Internet providers should route all customer e-mail through their own servers (as opposed to allowing individual users to route e-mails through their own servers).
ISP executives are optimistic that the industry can regulate itself. Dave Jevans, chairman of the Anti-Phishing Working Group, says a number of ISPs have already banded together to discuss security best practices. If the industry can’t improve security on its own, there’s always the possibility of regulating it through state or federal legislation, but that’s something that most in the ISP industry firmly oppose. Howard Schmidt, president and CEO of R&H Security Consulting and a former official with the Department of Homeland Security, agrees that legislation is not the answer, saying that most ISPs would simply pass the cost of compliance along to users in the form of increased monthly and annual fees.
For Schmidt, there is another way. He suggests that government facilitate change simply by wielding its own purchasing power. If, for instance, government agencies offered ISPs a 10 percent premium to provide reliable security services across the board, Schmidt believes the agencies could get ISPs to comply in exchange for the extra cash. This change, in turn, could have a trickle-down effect that improves the situation for business customers and CIOs alike.
“With the government being a large purchaser of IT services, they have the ability to say, ‘Here’s what I’m willing to pay for,’ and actually pay for it,” Schmidt says. “Having controls built in as part of government projects gives you the side benefit of making it happen for private companies.”
In the meantime, the SANS Institute, a private security education organization, is planning to evaluate ISPs on the way they handle security and release an ISP Security Report Card this month. Alan Paller, director of research for SANS, says this card will outline the steps CIOs can take to seek a greater level of security from their ISPs. (For more on this, see “ISP Essentials,” this page.) In addition, Jennings, the Ferris Research analyst, says CIOs should combine whatever basic protections their ISPs offer with a customized security infrastructure comprising hardware and software for a multilayered approach that incorporates two or three antivirus engines (at the perimeter and on the desktop machines), a firewall, intrusion prevention software and any other functions that specifically suit an organization’s needs.
One area in which Paller says CIOs can advocate for better security from ISPs is through their service-level agreements, or SLAs. Traditionally, these performance contracts with the ISPs loosely have covered issues such as uptime and maintenance or support. However, Paller suggests that CIOs should consider at least trying to get their ISPs to agree to incorporate security metrics such as virus scanning, DDoS monitoring and incident reporting, as well.
SLA clauses, however, are no panacea. Bob Paarlberg, CIO at Royster-Clark, an agri-business company, says that putting security into an SLA will do nothing but lull CIOs into complacency—not exactly a state that engenders secure networks. “Our SLA is that we don’t sign a long-term agreement,” Paarlberg quips. “If you do a good job for us this month, you earn the business from us next month. That’s it.”
Ultimately, Paarlberg contends, the best way to get ISPs to tackle security is to force them to bake-in additional security by law. Just look at what happened in the airline industry. Years ago, scanning passengers for security threats was the responsibility of individual airports. The result, of course, changed our nation forever: Terrorists took advantage of the weak points in the system, and successfully orchestrated the attacks of Sept. 11, 2001. In the aftermath, the federal government created the Transportation Security Administration to set policy for securing air travel nationwide. Today, whether you’re traveling from Baltimore, Md., or Billings, Mont., you and everyone else on your flight are screened the same way, and by and large, the system is a lot safer than it was before.
“At the end of the day, ISPs need to be held accountable for more of these violations,” Paarlberg says. “If they’re going to continue to bring threats to our doorsteps, something must be done.”