In November 2013, the President’s Council of Advisors on Science and Technology (PCAST) submitted a public report to U.S. President Barack Obama. The report, Immediate Opportunities for Strengthening the Nation’s Cybersecurity, provides key insights from a more comprehensive but classified assessment of the Nation’s cybersecurity needs and opportunities.
The purpose of the report is twofold:
- To point to areas where executive (i.e., governmental) action can accelerate progress toward protecting the nation’s information systems and assets, and
- To recommend a number of approaches to encourage greater adoption of secure practices in the private sector (i.e., without additional mandates imposed by federal law).
If there is one overarching message of the report, it’s that cybersecurity cannot be achieved through a set of static precautions. Rather, it requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses. What’s more, public agencies as well as private businesses have to get away from the “compliance check box” mentality and adopt a continuous improvement process to harden their security measures.
The role of ISPs for cybersecurity
Given the “hub-like” position of Internet Service Providers (ISPs), the report acknowledges that these companies are “well-positioned to contribute to rapid improvements in cybersecurity through real-time action.” According to the report:
Internet Service Providers (ISPs) are well-positioned, both technically and by their relationship with their customers, to contribute to rapid improvements in cybersecurity that exploit dynamic, real-time response possibilities. The ISPs control the actual connection of their customers to the Internet—the so-called first hop. As just one example, ISPs are uniquely able to do ingress validation, checking that the connected machine is identifying itself honestly. In some situations, ISPs have both the means to detect compromised machines quickly (for example, machines recruited into a botnet) and the ability to do something about them—for example, to notify the customer and provide options for fixing the problem. Lacking both a legal obligation to act and any protection against subsequent liability, however, such action by ISPs is quite rare. This needs to be changed.
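The "ingress validation" the report refers to is usually implemented as source-address validation at the first hop (the approach described in BCP 38): a packet arriving on a customer port is only accepted if its source address lies within a prefix the ISP actually assigned to that customer. The following is an added illustration of that check, not code from the PCAST report or from any vendor mentioned on this page; the port names, prefixes and flow records are constructed for the example, and the `spoof_counts_by_port` summary is one hypothetical way to surface candidates for the customer notification the report describes.

```python
import ipaddress
from collections import defaultdict

# Constructed example: prefixes the ISP has assigned to each customer-facing port.
# In a real deployment this would come from the provisioning / RADIUS / DHCP records.
CUSTOMER_PREFIXES = {
    "port-A": [ipaddress.ip_network("203.0.113.0/28")],
    "port-B": [
        ipaddress.ip_network("198.51.100.64/27"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
}


def source_is_valid(port: str, src: str) -> bool:
    """BCP 38-style ingress check.

    A source address is accepted only if it falls inside a prefix assigned to the
    port it arrived on. Unknown ports have no prefixes, so everything from them
    is rejected (fail closed). IPv4/IPv6 mismatches evaluate to False naturally.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))


def classify_flows(flows):
    """Split flow records into (accepted, spoofed) lists.

    Each record is a dict with at least 'port' and 'src'; 'dst' is carried along
    unchanged so an operator can see where the spoofed traffic was headed.
    """
    accepted, spoofed = [], []
    for rec in flows:
        bucket = accepted if source_is_valid(rec["port"], rec["src"]) else spoofed
        bucket.append(rec)
    return accepted, spoofed


def spoof_counts_by_port(flows):
    """Count spoofed-source flows per customer port.

    A port that keeps emitting packets with foreign source addresses is a
    reasonable trigger for the 'notify the customer' step in the report.
    """
    counts = defaultdict(int)
    for rec in flows:
        if not source_is_valid(rec["port"], rec["src"]):
            counts[rec["port"]] += 1
    return dict(counts)


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    {"port": "port-A", "src": "203.0.113.5", "dst": "192.0.2.10"},      # inside 203.0.113.0/28
    {"port": "port-A", "src": "192.0.2.77", "dst": "192.0.2.10"},       # foreign source: spoofed
    {"port": "port-A", "src": "203.0.113.16", "dst": "192.0.2.10"},     # just past /28 boundary: spoofed
    {"port": "port-B", "src": "198.51.100.70", "dst": "192.0.2.20"},    # inside 198.51.100.64/27
    {"port": "port-B", "src": "2001:db8:1::10", "dst": "2001:db8:9::1"},  # inside 2001:db8:1::/48
    {"port": "port-B", "src": "198.51.100.200", "dst": "192.0.2.20"},   # outside customer range: spoofed
]


if __name__ == "__main__":
    ok, bad = classify_flows(SAMPLE_FLOWS)
    print(f"accepted={len(ok)} spoofed={len(bad)}")
    for rec in bad:
        print("  drop:", rec["port"], rec["src"], "->", rec["dst"])
    print("spoofed flows per port:", spoof_counts_by_port(SAMPLE_FLOWS))
```

The check deliberately fails closed for ports with no assigned prefixes; the operational caveat is that the prefix table must be kept in sync with provisioning, or legitimate customer traffic is dropped along with the spoofed packets.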
The report’s authors make two recommendations that pertain specifically to ISPs:
- The Federal Government should establish policies that describe the desired behavior by ISPs as best (or minimum-acceptable) practices.
- The National Institute of Standards and Technology (NIST) should work with ISPs towards establishing standards for voluntary measures by which ISPs can alert users and direct them to appropriate resources when their machines or devices are known to be compromised.
As for the first recommendation above, I’m not so sure the federal government has to come up with policies that describe the desired behaviors of ISPs when it comes to cybersecurity. Rather, I think market forces will dictate which ISPs are successful based on their security practices. If a Service Provider does not implement good policies on its own, customers will vote with their feet and turn to other, more security-conscious providers, and the first company must step up or face the negative impact on its business.
Moreover, there is a growing trend (born out of compliance requirements for Sarbanes-Oxley and other mandates) for companies to press their third-party vendors, such as ISPs, to verify their level of preparedness for a cyber-attack. Enterprises use their vendor risk management programs to verify the security measures and other controls implemented by cloud Service Providers. If the measures are found to be seriously lacking, the enterprises will likely find alternative vendors.
ISPs can (and should) deliver clean traffic to customers
I do agree with one point the report makes: that ISPs are in a position to improve their clients’ security posture by stepping up and delivering clean Internet traffic to service subscribers. In this day and age, there is no reason for an ISP to pass along malicious or unwanted traffic to its clients.
For example, with a deployment of a Corero First Line of Defense solution, Service Providers can deliver the performance, connectivity and security that their customers demand.
Do ISPs have an obligation to deliver clean Internet traffic? I believe they do. In addition to that, the smart Service Provider will figure out that this can be a value-added service that is a competitive advantage and possibly even a source of new revenue.