Should ISPs be accountable for overall Internet security?

Jonathan Yarden recently read an article about the role that Internet service providers (ISPs) play in making sure the Web stays secure. As an employee of a local ISP, he felt that the article failed to represent the ISP's side of things. Find out why he says ISPs shouldn't bear all of the responsibility for Internet security, and see why he says it takes a village to keep the Net secure.

While I typically pay little attention to the mainstream media's take on Internet security, I recently read an article on that I found particularly interesting. The article, an editorial titled "Seeing No Evil," discusses how involved Internet service providers (ISPs) should be with security, and it mentions a recent mock trial at the Gartner IT Security Summit, which pitted fictional ISPs against corporate "victims" of distributed denial of service (DDoS) attacks.

The debate over the relationship between ISPs, customers, and Internet security is definitely a complicated one. But as an employee of a local ISP, I feel I can offer some insight that may have been lacking in the article.

The article states a number of reasons why ISPs aren't doing more to protect customers. However, it fails to recognize that the Internet is a worldwide network, and that ISPs aren't—and shouldn't be—the only entities responsible for it.

For example, my organization's acceptable use agreement, which every customer signs, clearly explains that customers are responsible for keeping their own systems secure as part of their contract with us. Included in that agreement is the ISP's right to terminate access in the event of a security incident that affects the ISP.

We've lost many potential customers because of this inclusion. Many people refuse to sign a contract that explicitly gives the ISP the right to shut them off if they cause problems for the ISP or other Internet users.

The article seems to imply that CIOs are begging ISPs for better security, but it fails to point out that it goes both ways. Everyone needs to share the cost of Internet security. Consider what Internet security costs your organization—then think how expensive it is for an ISP that supplies access to thousands.

With flat-rate Internet access being the predominant pricing model, most ISPs offer security as a sales tool for individual users rather than corporate customers. But in my ISP experience, which spans close to 15 years, the mere mention of topics such as "customer responsibilities" and "termination of services for cause" can quickly kill a sale.

In spite of the many security measures that ISPs perform behind the scenes, such actions are rarely relevant to a sale. The average customer wants to know two things: How much does it cost, and is it reliable?

However, regardless of how much filtering and security ISPs can and do provide behind the scenes, there's still a limit to their influence on the behavior of customers. ISPs can't force users to become more secure.

From the point where Internet access enters a company's network, the ISP can no longer dictate how the company uses that access. ISPs can't grant themselves any rights on equipment that isn't theirs. And customers' failure to implement Internet security places an ISP in the uncomfortable position of enforcing its right to immediately terminate the customer's access.

The ISP can't extend its role into the enterprise unless the client specifically allows it—and specifically pays for it. So, while I agree that ISPs can do more to improve Internet security, I question whether the CIOs of the world would even want us to.

I work on the Internet every day, and I frequently encounter situations that require me to take immediate action to stop Internet security issues. And that means that sometimes I have to cut off a customer in response to a security incident. While our acceptable use policy specifically gives us the right to disconnect service without warning, we still try to contact such clients to let them know about the problem.

For example, the latest batch of Sober e-mail worms led to the disconnection of dozens of customers, who—for one reason or another—failed to properly protect their networks and equipment. When we contacted those customers, not one of them was remotely aware that they had a problem—nor were they pleased that their Internet access was subject to termination due to such problems. I see plenty of "evil," and it usually comes in the form of ignorance and finger-pointing, rather than taking responsibility for one's own Internet security.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.