A couple of weeks ago, I was blogging about whether or not cybersecurity should be managed, or overseen, from the White House. The Obama administration during the campaign was in favor having a cabinet level post, a so-called Cyber-czar. Leaving aside whether or not this was merely a campaign promise, is there a case that can be built for having government oversight of cyber health?
We all know that botnets are a big problem and users need to have their PCs cleaned. The question becomes this -- who is responsible for cleaning up the botnet malware mess? Let's take a look at some options.
- Users should do it.
This is the obvious choice. If a user gets their PC infected with malware, they ought to be the one to clean it up. Seriously, people need to get serious about their PC security and run firewalls and antivirus programs. If you get infected, clean up after your mess and do something about it.
The drawback to this is that many users just don't know that their PCs are infected. They may notice a performance degradation but they don't attribute it to malware. Worse still, even if they knew that their systems were compromised, many (most?) home users lack the expertise necessary to clean their systems up. How many home users even know about botnets? And the harm they can do? How many know how to download (or pay for) the latest antivirus updates?
More still, many users have unlicensed software running on their computers. Maybe they don't want to connect to central servers for updates for fear of being turned in and the possible recriminations. Thus, while users ought to be responsible for this, it's completely unrealistic. And in the meantime, bots continue to damage the internet and make the rest of us miserable.
- ISPs should do it.
Do ISPs enable users to wreak havoc? Well, it depends. ISPs simply enable a user to connect to the web and it's up to the user to keep their system maintained. Toyota sends me regular updates to bring in my car for tuning (and I know my warranty is expired... enough already!). But they don't actually stop me from driving my car or show up at my door requiring me to bring in my vehicle (they just wait for me to eventually bring it in and charge me twice as much for repairs that I need).
An ISP could in theory shut a user down. They could also detect spammy behavior from a user's infected system and make the effort to clean it up.
But from the ISP point-of-view, this isn't particularly practical. ISPs have slim profit margins; if they start cleaning up after a customer, they're like to have to clean up after them over and over and over again. That destroys the profit model for that customer.
Secondly, detection of anomalous behavior and subsequently requiring a customer to clean up is a mine field. If a customer is paying for service and their ISP shuts them off, a customer can just go somewhere else. This doesn't solve the problem at all.
Next, the ISP actually has to detect that anomalous behavior. This requires very detailed record keeping of user-traffic and content inspection and starts to raise privacy concerns. Do you want your ISP keeping user-specific tabs on your traffic patterns? I don't mean collective patterns, I mean specific user traffic patterns. People got upset when Comcast started throttling bit torrents; I wonder how people would react if they started content inspection and logging.
So, while it's certainly a noble cause to think that ISPs are going to do this, again, it's also unrealistic. And unprofitable. There isn't a big motivation for them to do it en masse.
More to come in my next post.