By Matt Villano
November 1, 2005
In a mock courthouse earlier this year, the smack of a gavel opened a
case for the ages. Behind one bench, the defendants: Internet service
providers, on trial for not providing adequate security to their
customers. Behind the other bench, the plaintiffs: fictional companies
ravaged by distributed denial of service (DDoS) attacks. The jury:
hundreds of IT security professionals, packed into a conference room
at the Gartner IT Security Summit to watch it all unfold.
The plaintiffs argued that ISPs could do much more to improve security
by scanning subscriber computers, monitoring traffic and shutting down
suspicious network uses. The defendants claimed that performing such
scans would violate user privacy and that it would be impossible to
distinguish malicious traffic from legitimate e-mails.
Accusations flew. The plaintiffs equated ISP intransigence to that of
a homeowner whose property is dangerous but doesn't buy a fence to
keep others out. In response, the defendants said people should stay
away from dangerous property; that safety is a responsibility that
falls squarely on the individual. Next, in a rhetorical ploy, defense
lawyers asked jurors if any of them would be willing to stay at a
hotel that offered Internet access in exchange for the right to scan
all computers for security vulnerabilities. Not one member of the
audience raised a hand.
Around and around the two sides went, attacking each other like packs
of wolves. The interchange got so heated at times that people almost
forgot it was fake. Someday soon, however, this scenario could be
real. As security threats such as DDoS attacks, identity theft and
phishing continue to plague the Internet, ISPs find themselves under
increasing pressure from business and consumers to eradicate risks
before they get to the end users. Because ISPs control the pipes
through which information is delivered, many customers, including
CIOs, insist that service providers must play a more active role in
securing the traffic that they deliver.
"Right now, all ISPs provide is entry to the Internet, period," says
Stephen Warren, CIO of the Federal Trade Commission. "Believe me, it's
in their best interests to get all the crap off their lines."
As Warren implies, the time for action is now. If water utilities can
be required by state and local governments to deliver water that is
clean and acceptable to drink, why can't ISPs be required to deliver
data that is safe and threat-free? Such requirements would hold ISPs
accountable for cleaning up their networks and force them to monitor
traffic as it passes through their pipes for maliciousness of all
kinds. Regulating ISPs in this way also would relieve at least some of
the security burden from CIOs, freeing up more time, money and
resources for other areas.
But so far, those types of government regulations and industrywide
policies governing ISP security do not yet exist. In part, that's
because ISPs came of age in the Wild West ethos of the Internet, and
providers generally have been unwilling to spend the extra money and
resources to secure the middle of the information pipe for all of
their users. In addition, many ISPs think that if they become security
cops or anything more than traffic carriers, they will be legally
liable in the event of security breaches. They are also concerned
about censorship issues and blocking legitimate e-mails that look like
How valid are these concerns? Should ISP security be regulated much
like utilities (and to a lesser extent, the airlines) are now? Are
industrywide policies governing security even feasible? These were
among the questions that jurors considered as they deliberated over a
verdict at the Gartner mock trial. CIOs struggling to secure their own
networks must stand among those who consider these questions and look
for answers. After all, what's at stake is the viability of the
Internet as a medium for commerce, communication and business
connectivity into the 21st century and beyond.
"Security is something that everybody is accountable for - everybody
including the ISPs," says Michael Vatis, an attorney at Steptoe &
Johnson, a law firm in New York. "There has to be a better way to
approach this than how we're doing it today."
The Wild Wild West
Much of the ISP industry's unregulated growth can be traced to the
Telecommunications Act of 1996, the first major overhaul of
telecommunications law in 62 years. The goal of the law was to create
a free-market economy in which any single communications company could
compete in any marketplace. According to Jonathan Zittrain, cofounder
of Harvard Law School's Berkman Center for Internet and Society, the
law and subsequent other FCC rulings opened the way for outfits
promising to provide Internet service. All one needed to become an ISP
was some cash, a few servers, the bandwidth to host real estate and a
marketing plan to bring in customers. David McClure, president and CEO
of the U.S. Internet Industry Association, estimates the number of
ISPs today to be more than 400.
As ISPs grew helter-skelter, there was very little effort to
standardize security on any level. The only real attempt came in 2003,
when Congress passed the Controlling the Assault of Non-Solicited
Pornography and Marketing (Can-Spam) Act, which established
requirements for sending commercial e-mail, spelled out penalties for
spammers and companies whose products are advertised in spam, and gave
consumers the right to ask spammers to cease and desist.
The law has been less than successful so far. Ask any CIO about what
keeps her up at night and the general answer is security. Since 2003,
the number of security threats has skyrocketed, with the typical
suspects being viruses, spam, phishing scams and spyware. The new kid
on the block, the DDoS attack, complicates matters even more. In this
scenario, hackers use computer worms to take over vulnerable computers
on corporate networks around the world. Then they tie the computers
together through an Internet relay chat (IRC) server called a botnet.
Unified as one, the rogues (or zombies, as they're sometimes called)
set their sights on one particular corporate Web server, and
simultaneously bombard it with data requests until the burden brings
it down. These networks are responsible for 50 percent to 80 percent
of all denial of service spam, according to various estimates.
Even among CIOs who spend millions on security, actions to prevent
these threats breed nervousness. How do you know your firewall is
equipped with the latest intrusion prevention signatures? How do you
stop other threats such as viruses and spam? Most important, how do
you protect yourself against spyware programs that infect vulnerable
endpoints and turn them into zombie computers that launch DDoS attacks
upon command? Just when CIOs think they've got everything under
control, the hackers outsmart them and devise new ways to compromise a
"We are constantly bombarded," says Dewitt Latimer, deputy CIO at
Notre Dame University, where the challenges of an inherently open
academic network have him constantly on edge. "I find myself wishing
that ISPs would help us out a little bit, if for no other reason than
to eliminate a fraction of the security problems we worry about on a
Latimer adds that he assumes anything that is not on a private network
is insecure. But what if some of these issues were resolved before
traffic ever arrived at the network door? Since all external traffic
must, at some point, be transported over the Internet, many CIOs say
there's no better way to secure it than by securing the pipes
themselves. Because ISPs serve as the conduit for all traffic into and
out of a network, CIOs say these providers should be scanning
subscriber computers for viruses, monitoring traffic for active hack
attacks, and shutting down suspected network users immediately to
protect the safety and sanctity of the connection for everyone else.
Why ISPs Are So Hands-Off
Richi Jennings, an analyst with Ferris Research in San Francisco, says
that many ISPs wash their hands of these issues because such security
measures are neither cost-effective nor conducive to revenue
generation. For ISPs to be successful, they need volume, and resources
spent on filtering malware or scanning subscriber computers ultimately
affect the bottom line, Jennings says.
A perfect example of this philosophy is the ISP help desk. File a spam
complaint with an ISP and Jennings notes it can be days before you
receive a response, if you receive one at all. In most cases, he says,
the response is automated. Sure, the ISP could be filing complaints
away and pursuing them at a later time, but Jennings says that despite
recently publicized lawsuits in which ISPs sued spammers for violating
the Can-Spam Act and older state laws, most violations fly under the
radar, even after they're reported.
"Rather than expend resources to try and stop all of these threats,
most ISPs are taking the opposite approach and doing nothing,"
Jennings says. "It's just not a priority."
Kevin Dickey, deputy CIO and CISO for Contra Costa County, Calif.,
recently experienced this firsthand. After an attempted DDoS attack on
the county network, Dickey asked his ISP for incident reporting logs.
Though many ISPs keep these logs, Dickey's did not. So it was very
difficult for him to identify and fix the hole the hackers had used to
launch the attack (eventually he did patch it). Dickey declines to
name the ISP because he says he's generally happy with it, but admits
that the entire experience shocked him into realizing that security
wasn't as much of a priority for the ISP as he had been led to
Lawyers wonder if one reason ISPs shy away from security is a legal
one. According to Benjamin Wright, a Dallas attorney who participated
in the mock trial and specializes in Internet law, ISPs don't want to
guarantee security because that could conceivably put them at risk for
a negligence or invasion of privacy lawsuit. Wright alleges that
scanning subscriber computers could violate privacy laws even after
the packet leaves the desktop. Also, what happens if an ISP conducts a
scan and blocks 100 threats but misses one? Zittrain says that if ISPs
start taking responsibility for more than just carrying traffic, they
could be making themselves legally liable. No lawsuits have been filed
for this kind of negligence so far, but Zittrain says that an ISP
knowingly permitting a zombie computer to remain on its network, which
then wreaks havoc, could find itself sued. However, he doubts ISPs can
be held legally accountable unless they have promised to protect their
customers completely. "That's precisely why they're not promising
complete protection," Zittrain says.
Scanning isn't the only legal quagmire. Even if ISPs could scan all
incoming e-mail, it's nearly impossible for them to distinguish
between, for example, a computer being used in a DDoS attack and
legitimate Internet traffic such as the Weatherbug, which
automatically checks National Weather Service servers every five
minutes for regional weather updates. And just as ISPs can get
themselves into hot water for blocking legitimate e-mail from a
network, Zittrain says, they also can cause trouble when they are
overzealous in monitoring legitimate e-mail going out of a network.
"If a customer is sending out 25 messages a day and suddenly blasts
500, that's a red light that maybe they have a spam zombie in place,"
says Don Blumenthal, Internet Lab Coordinator at the FTC. "Of course
it also might be that the customer has just become [Parent-Teacher
Association] president and is using his work computer to send out some
personal e-mails. You just never know."
Down the road, perhaps the biggest security challenge could come from
the increased use of encryption. For instance, Vista, the new
Microsoft operating system that is expected to debut next year,
streamlines point-to-point encryption across the Internet. As a
result, ISPs and security vendors alike may have trouble determining
which e-mail packets are legitimate and which are malicious, possibly
giving hackers unmitigated opportunities to wreak havoc everywhere.
The ISPs say it's not as if they don't care about security. But
because they operate in a free-market economy, the decision to provide
security is one each provider makes individually. America Online,
Comcast, EarthLink and SBC - the four largest ISPs by number of
subscribers, according to a June 2005 market report from
JupiterResearch - all provide users with some rudimentary security
services in the form of standard e-mail filtering and antispyware
protection. EarthLink, SBC and some other ISPs also attempt to prevent
virus and worm outbreaks by blocking traffic through Port 25, the
server port used for simple mail transfer protocol, or SMTP,
transmissions. (For more on how this works, read "The First Line of
Defense.") Many other ISPs provide additional security to specific
corporate customers at extra cost. And then there are those ISPs that
don't bother with security at all.
ISP executives say a more standardized approach to security would be
cost-prohibitive - and it might not be what their business customers
want anyway. "When you're dealing with security, there's simply too
much at stake for us to offer a one-size-fits-all solution that works
for everybody," says Stan Barber, vice president of engineering
operations for Verio, an ISP and a subsidiary of NTT Communications.
"What's important for one company might not be important for another,
and we need features that can scale."
You don't need to be a mathematician to see that this patchwork
coverage puts everyone at risk. With bits and bytes traveling from one
ISP's network to another, who's to say that a security threat stopped
by one ISP filter won't escape another network that doesn't filter or
does it inadequately? Gregg Mastoras, senior security analyst for
North America with the network security solutions provider Sophos,
says that once a threat gets past one ISP, it essentially has gotten
past them all. Mastoras adds that since information on the Internet
knows no borders, everyone is at risk. If the security that ISPs
currently offer is really as good as they say it is, this wouldn't be
a problem. Yet one just needs to look at the news today to know that
corporations are getting hit hard by all manner of malfeasant code.
The problem, says Mastoras, is that nothing exists to standardize
security across the ISP industry, making everyone in the industry
susceptible to the lowest common denominator.
How to Protect Yourself in the OK Corral
ISPs may not be able to get away with this free-market approach for
long, if only because pressure from government, industry and consumer
groups is growing. This May, the FTC said it would soon ask ISPs to
make sure that their customers' computers haven't been hijacked by
spammers with plans to create botnets. Though ISPs are not required to
comply, the FTC suggested that service providers should identify
computers on their networks that are sending out large amounts of
e-mail and quarantine them if they are found to be zombies. One final
recommendation from the FTC: Internet providers should route all
customer e-mail through their own servers (as opposed to allowing
individual users to route e-mails through their own servers).
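
The volume check Blumenthal describes (a customer who normally sends 25 messages a day suddenly sending 500) and the FTC's suggestion to identify and quarantine heavy senders can be sketched as follows. This is an added example, not code from the article or from any ISP. The log records, the thresholds and the rejected-recipient signal used to separate a likely zombie from a legitimate burst are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (subscriber, day, messages_sent, recipients_rejected).
# Values are invented for illustration; they are not real ISP logs.
SAMPLE_LOG = [
    ("cust-a", 1, 24, 0), ("cust-a", 2, 27, 1), ("cust-a", 3, 25, 0),
    ("cust-a", 4, 500, 6),      # sudden blast, almost all delivered
    ("cust-b", 1, 22, 0), ("cust-b", 2, 26, 0), ("cust-b", 3, 25, 1),
    ("cust-b", 4, 500, 310),    # sudden blast, most recipients rejected
    ("cust-c", 1, 30, 1), ("cust-c", 2, 28, 0), ("cust-c", 3, 31, 0),
    ("cust-c", 4, 35, 1),       # ordinary day
]

SPIKE_FACTOR = 10    # assumed: flag at 10x the subscriber's own baseline
MIN_MESSAGES = 200   # assumed: ignore spikes that are small in absolute terms
REJECT_RATIO = 0.30  # assumed: rejected share suggesting a harvested address list


def classify(log, day):
    """Return {subscriber: verdict} for `day`, using earlier days as baseline."""
    history = defaultdict(list)
    today = {}
    for sub, d, sent, rejected in log:
        if d < day:
            history[sub].append(sent)
        elif d == day:
            today[sub] = (sent, rejected)

    verdicts = {}
    for sub, (sent, rejected) in today.items():
        past = history.get(sub)
        if not past:
            verdicts[sub] = "no-baseline"  # new subscriber: a spike cannot be judged
            continue
        baseline = max(median(past), 1)
        spike = sent >= MIN_MESSAGES and sent >= SPIKE_FACTOR * baseline
        if not spike:
            verdicts[sub] = "normal"
        elif rejected / sent >= REJECT_RATIO:
            verdicts[sub] = "quarantine-candidate"
        else:
            verdicts[sub] = "review"  # volume alone is ambiguous
    return verdicts


if __name__ == "__main__":
    for sub, verdict in sorted(classify(SAMPLE_LOG, day=4).items()):
        print(sub, verdict)
```

Both cust-a and cust-b show the same 25-to-500 jump; only the second signal separates them, which is why a volume threshold on its own produces the false positive Blumenthal warns about.
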
ISP executives are optimistic that the industry can regulate itself.
Dave Jevans, chairman of the Anti-Phishing Working Group, says a
number of ISPs have already banded together to discuss security best
practices. If the industry can't improve security on its own, there's
always the possibility of regulating it through state or federal
legislation, but that's something that most in the ISP industry firmly
oppose. Howard Schmidt, president and CEO of R&H Security Consulting
and a former official with the Department of Homeland Security, agrees
that legislation is not the answer, saying that most ISPs would simply
pass the cost of compliance along to users in the form of increased
monthly and annual fees.
For Schmidt, there is another way. He suggests that government
facilitate change simply by wielding its own purchasing power. If, for
instance, government agencies offered ISPs a 10 percent premium to
provide reliable security services across the board, Schmidt believes
the agencies could get ISPs to comply in exchange for the extra cash.
This change, in turn, could have a trickle-down effect that improves
the situation for business customers and CIOs alike.
"With the government being a large purchaser of IT services, they have
the ability to say, 'Here's what I'm willing to pay for,' and actually
pay for it," Schmidt says. "Having controls built in as part of
government projects gives you the side benefit of making it happen for
In the meantime, the SANS Institute, a private security education
organization, is planning to evaluate ISPs on the way they handle
security and release an ISP Security Report Card this month. Alan
Paller, director of research for SANS, says this card will outline the
steps CIOs can take to seek a greater level of security from their
ISPs. (For more on this, see "ISP Essentials," this page.) In
addition, Jennings, the Ferris Research analyst, says CIOs should
combine whatever basic protections their ISPs offer with a customized
security infrastructure comprising hardware and software for a
multilayered approach that incorporates two or three antivirus engines
(at the perimeter and on the desktop machines), a firewall, intrusion
prevention software and any other functions that specifically suit an
One area in which Paller says CIOs can advocate for better security
from ISPs is through their service-level agreements, or SLAs.
Traditionally, these performance contracts with the ISPs loosely have
covered issues such as uptime and maintenance or support. However,
Paller suggests that CIOs should consider at least trying to get their
ISPs to agree to incorporate security metrics such as virus scanning,
DDoS monitoring and incident reporting, as well.
SLA clauses, however, are no panacea. Bob Paarlberg, CIO at
Royster-Clark, an agri-business company, says that putting security
into an SLA will do nothing but lull CIOs into complacency - not exactly
a state that engenders secure networks. "Our SLA is that we don't sign
a long-term agreement," Paarlberg quips. "If you do a good job for us
this month, you earn the business from us next month. That's it."
Ultimately, Paarlberg contends, the best way to get ISPs to tackle
security is to force them to bake-in additional security by law. Just
look at what happened in the airline industry. Years ago, scanning
passengers for security threats was the responsibility of individual
airports. The result, of course, changed our nation forever:
Terrorists took advantage of the weak points in the system, and
successfully orchestrated the attacks of Sept. 11, 2001. In the
aftermath, the federal government created the Transportation Security
Administration to set policy for securing air travel nationwide.
Today, whether you're traveling from Baltimore, Md., or Billings,
Mont., you and everyone else on your flight are screened the same way,
and by and large, the system is a lot safer than it was before.
"At the end of the day, ISPs need to be held accountable for more of
these violations," Paarlberg says. "If they're going to continue to
bring threats to our doorsteps, something must be done."
Matt Villano is a freelance writer and editor based in Half Moon Bay,
Calif. Send your comments to Executive Editor Alison Bass at