While I typically pay little attention to the mainstream
media’s take on Internet security, I recently read an article on CIO.com that I
found particularly interesting. The article, an editorial titled “Seeing No Evil,”
discusses how involved Internet service providers (ISPs) should be with
security, and it mentions a recent mock trial at the Gartner IT Security
Summit, which pitted fictional ISPs against corporate “victims” of
distributed denial of service (DDoS) attacks.

The debate over the relationship between ISPs, customers,
and Internet security is definitely a complicated one. But as an employee of a
local ISP, I feel I can offer some insight that may have been lacking in the
article.

The CIO.com article states a number of reasons why ISPs aren’t
doing more to protect customers. However, it fails to recognize that the
Internet is a worldwide network, and that ISPs aren’t—and shouldn’t be—the only
entities responsible for it.

For example, my organization’s acceptable use agreement,
which every customer signs, clearly explains that customers are responsible for
keeping their own systems secure as part of their contract with us. Included in
that agreement is the ISP’s right to terminate access in the event of a
security incident that affects the ISP.

We’ve lost many potential customers because of this inclusion.
Many people refuse to sign a contract that explicitly gives the ISP the right to
shut them off if they cause problems for the ISP or other Internet users.

The CIO.com article seems to imply that CIOs are begging
ISPs for better security, but it fails to point out that it goes both ways. Everyone
needs to share the cost of Internet security. Consider what Internet security
costs your organization—then think how expensive it is for an ISP that supplies
access to thousands.

With flat-rate Internet access being the predominant pricing
model, most ISPs offer security as a sales tool for individual users rather
than corporate customers. But in my ISP experience, which spans close to 15
years, the mere mention of topics such as “customer responsibilities”
and “termination of services for cause” can quickly kill a sale.

In spite of the many security measures that ISPs perform
behind the scenes, such actions are rarely relevant to a sale. The average customer
wants to know two things: How much does it cost, and is it reliable?

However, regardless of how much filtering and security ISPs
can and do provide behind the scenes, there’s still a limit to their influence
on the behavior of customers. ISPs can’t force users to become more secure.

From the point where Internet access enters a company’s
network, the ISP can no longer dictate how the company uses that access. ISPs can’t
grant themselves any rights on equipment that isn’t theirs. And customers’
failure to implement Internet security places an ISP in the uncomfortable
position of enforcing its right to immediately terminate the customer’s access.

The ISP can’t extend its role into the enterprise unless the
client specifically allows it—and specifically pays for it. So, while I agree
that ISPs can do more to improve Internet security, I question whether the CIOs
of the world would even want us to.

I work on the Internet every day, and I frequently encounter
situations that require me to take immediate action to stop Internet security
issues. And that means that sometimes I have to cut off a customer in response
to a security incident. While our acceptable use policy specifically gives us
the right to disconnect service without warning, we still try to contact such
clients to let them know about the problem.

For example, the latest batch of Sober e-mail worms led to
the disconnection of dozens of customers, who—for one reason or another—failed
to properly protect their networks and equipment. When we contacted those customers,
not one of them was remotely aware that they had a problem—nor were they
pleased that their Internet access was subject to termination due to such
problems. I see plenty of “evil”—and it usually comes in the form of
ignorance and finger-pointing, rather than taking responsibility for one’s own
Internet security.

Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.