In the second of a two-part analysis of Internet service providers' culpability in the growing number of compromised computers, experts say it's time ISPs do more -- and some are -- to stem damages from botnets. Part I of the series examines why that's a bad idea.
New botnets are appearing at a near-unstoppable rate of more than 150,000 a day, according to some recent studies, leading many security managers and legal experts to increase the volume on their calls for Internet service providers to be liable for damages resulting from distributed denial-of-service attacks.
ISPs are being asked to monitor for abusive traffic patterns, block machines and ports participating in DDoS attacks and even scan user machines for basic security controls. While the carrot in this argument is improved Internet health, the stick is legal negligence and expensive liability payouts if a company suffers damages.
While some ISPs like America Online have beefed up their security with free antivirus, spyware and SPIM protection, more is being asked of carriers like Verizon, MCI and AT&T.
"The courts will recognize soon that a baseline expectation of reasonable care can be provided by ISPs systemically to reduce the impact of spreading exponential mass infections, without a reduction in privacy," said Kimberly Laris, IT controls manager with the Timberland Co. of New Hampshire.
A paper written and published last year by Doug Lichtman and Eric Posner of the University of Chicago Law School said ISPs should be held accountable much in the same way restaurant and bar owners must control the behavior of employees. Common law tort liability should encourage ISPs to enhance their security.
"Service providers control the gateway through which Internet pests enter and reenter the system. As such, service providers can help to stop these pests before they spread and to identify the individuals who originate them in the first place. ISPs should be required by law to engage in these precautions," the paper said.
Opponents, however, fear that liability will force ISPs to be overly thorough in their monitoring of network users. Erring on the side of caution would reign, and access for "marginal subscribers" would be cut off, the paper said. There is also the fear that ISP liability would reduce any incentives users have to be vigilant on their ends. But managers like Laris believe that tactics like ISPs stripping malware in transit are more than a good gesture: they restore bandwidth and throughput speeds, keeping customers happy and the ISPs out of courtrooms.
"ISPs may not relish making an initial investment to reduce malware transfer. However, the community of ISPs receives the benefits of investing in security: reduced unwanted traffic, improved performance, reduced costs of managing escalating customer complaints, lost revenue to competitors and possibly fewer legal costs from defending against proposed lawsuits," Laris said. "ISPs may soon point to other ISPs as being part of the Internet community's problem if they are not participating as part of the solution by stripping malware traffic."
Meanwhile, carriers like AT&T are offering security-in-the-cloud services where perimeter functions like firewall and IDS monitoring are outsourced to the carrier. AT&T CISO Ed Amoroso said recently that calls for increased ISP vigilance are not always clear and across-the-board statutes may not be possible. Clear SLAs must be established that spell out what traffic should be filtered.
"We try to take this broad notion of 'a carrier should do more' and channel it to things that make sense and are reasonable," Amoroso said.