DDoS Attacks: The Changing Legal and Regulatory Landscape
In the United States, at least, the public-at-large and the Federal government have begun to see Internet service providers as utilities rather than just another consumer service. In 2015 the Federal Communications Commission (FCC) approved regulations that treated Internet service providers more like public utilities. Internet service providers are bound by Net Neutrality laws, which basically dictate that ISPs must treat all traffic equally, i.e., they cannot discriminate about which traffic they deliver or how fast they deliver it.
Marketplace Demand for DDoS Protection
Meanwhile, enterprises are increasingly frustrated by the rising sea of distributed denial of service (DDoS) attacks, and they are looking to their Internet service providers for assistance in tackling this problem. Just like everyone wants clean water delivered to their taps, consumers and businesses want “clean pipe” Internet delivered to their networks.
Because the FCC views ISPs much like other utilities, we may reach a point where the government imposes industry regulations to force Internet service providers to block distributed denial of service traffic. However, that seems less likely now, given the Trump administration’s bias toward fewer industry regulations.
Regardless of the political arena, customers expect their Internet service provider to deliver “clean pipe.” Ultimately, when deciding about whether ISPs should block DDoS traffic, it may be that enterprise and consumer demands have more influence than government regulation. The business landscape may require ISPs to provide DDoS protection, if only to protect themselves from litigation. A November 2016 opinion article on Law360.com stated the following:
“As the mode and scale of these [DDoS] attacks evolve, so too will the legal landscape and standard for duty of care. In the event of a major DDoS attack that significantly disrupts internet connectivity, providers of fee-based internet services could face lawsuits alleging that the provider’s vulnerability to such an attack was negligent.”
ISPs Response to DDoS Threat
How all of this will shake out remains to be seen. Whether an ISP charges a premium for DDoS Protection or includes it as a free value-add service may vary. Corero surveys have found the enterprises demand DDoS Protection and many are willing to pay for it. It seems that ISPs would be wiser to adopt a pro-active approach—one that also gives a competitive advantage— rather than risk being sued by a customer or penalized by the government.
For their part, ISPs do indeed want to keep out the bad (DDoS) traffic and deliver good traffic because any bad traffic drags down their network performance. However, Some ISPs have been reluctant to embrace new DDoS mitigation technology, for fear of breaking the Net Neutrality laws. At Corero we feel strongly that ISPs can block DDoS traffic without violating Net Neutrality laws, simply because DDoS traffic is inherently “unlawful” and therefore falls outside the realm of Net Neutrality.
Blocking bad traffic was not easy until recently, with the advent of anti-DDoS technology solutions that make it possible to not only discern the difference between bad traffic and good traffic, but also to automatically block the bad traffic. It’s now easier than ever for ISPs to deliver traffic that is free from DDoS.
For more information, contact us.