While I typically pay little attention to the mainstream media's take on Internet security, I recently read an article on CIO.com that I found particularly interesting. The article, an editorial titled "Seeing No Evil", discusses how involved Internet service providers (ISPs) should be with security, and it mentions a recent mock trial at the Gartner IT Security Summit, which pitted fictional ISPs against corporate "victims" of distributed denial-of-service (DDoS) attacks.
The debate over the relationship between ISPs, customers, and Internet security is definitely a complicated one. But as an employee of a local ISP, I feel I can offer some insight that may have been lacking in the article.
The CIO.com article states a number of reasons why ISPs aren't doing more to protect customers. However, it fails to recognise that the Internet is a worldwide network, and that ISPs aren't — and shouldn't be — the only entities responsible for it.
For example, my organisation's acceptable use agreement, which every customer signs, clearly explains that customers are responsible for keeping their own systems secure as part of their contract with us. Included in that agreement is the ISP's right to terminate access in the event of a security incident that affects the ISP.
We've lost many potential customers because of this inclusion. Many people refuse to sign a contract that explicitly gives the ISP the right to shut them off if they cause problems for the ISP or other Internet users.
The CIO.com article seems to imply that CIOs are begging ISPs for better security, but it fails to point out that it goes both ways. Everyone needs to share the cost of Internet security. Consider what Internet security costs your organisation — then think how expensive it is for an ISP that supplies access to thousands.
With flat-rate Internet access being the predominant pricing model, most ISPs offer security as a sales tool for individual users rather than corporate customers. But in my ISP experience, which spans close to 15 years, the mere mention of topics such as "customer responsibilities" and "termination of services for cause" can quickly kill a sale.
In spite of the many security measures that ISPs perform behind the scenes, such actions are rarely relevant to a sale. The average customer wants to know two things: How much does it cost, and is it reliable?
However, regardless of how much filtering and security that ISPs can and do provide behind the scenes, there's still a limit to their influence on the behaviour of customers. ISPs can't force users to become more secure.
From the point where Internet access enters a company's network, the ISP can no longer dictate how the company uses that access. ISPs can't grant themselves any rights on equipment that isn't theirs. And customers' failure to implement Internet security places an ISP in the uncomfortable position of enforcing its right to immediately terminate the customer's access.
The ISP can't extend its role into the enterprise unless the client specifically allows it — and specifically pays for it. So, while I agree that ISPs can do more to improve Internet security, I question whether the CIOs of the world would even want us to.
I work on the Internet every day, and I frequently encounter situations that require me to take immediate action to stop Internet security issues. And that means that sometimes I have to cut off a customer in response to a security incident. While our acceptable use policy specifically gives us the right to disconnect service without warning, we still try to contact such clients to let them know about the problem.
For example, the latest batch of Sober email worms led to the disconnection of dozens of customers, who — for one reason or another — failed to properly protect their networks and equipment. When we contacted those customers, not one of them was remotely aware that they had a problem — nor were they pleased that their Internet access was subject to termination due to such problems. I see plenty of "evil" — and it usually comes in the form of ignorance and finger-pointing, rather than taking responsibility for one's own Internet security.
Talkback
Hiding behind contracts is one way to diminish overall security. A common approach in the world of reduced liability. Overall it doesn't amount to much, but at least the ones that profit from the profits get to point the finger of blame at those who are in no position to make a difference.
Are ISPs the only ones to blame? Certainly not, but at least they are the most likely first line of defence, and they're in a position to help certain vendors understand that things have gone far enough.
What's lacking still is the right amount of liability introduced into those levels that matter. All levels.
Security begins with the OS coders, and a fair amount of testing. Some OS makers are much more interested in their bottom line than their customers. ISPs are limited as to the amount they can do to protect their users. Ultimately it all goes back to the coder's boss and his desire to get the product on the shelves before it is fully tested.
No, if you please. The premise of an ISP is, in my opinion, solely to provide a person with access to the world of the Internet. A person or persons have to accept the responsibility to do as much as they can to protect their own systems. We, as consumers, always want to have someone else to protect us and as such carry no responsibility for ourselves. This is wrong. To lay so many extra responsibilities upon the various ISPs is, to me, too much of a "Big Brother" scenario. Forget not, please, that the more one expects ISPs to do, the more it will increase your monthly access costs, which are already overly inflated. Thank you.