The Carrot & Stick Approach to Internet Pollution

Lawmakers on Capitol Hill are once again debating whether to extend a soon-to-expire ban on taxing consumer access to the Internet. Proponents of such a ban say they want to keep the Internet free from the shackles of regulation, and that the lack of said regulation is what has helped the Web grow and mature to its current powerhouse status as a major driver of the U.S. economy.

But by some measures, the lack of oversight and regulation is precisely the reason that some of the world's largest Internet service providers and Web hosting firms can get away with failing to police their own networks for security threats that jeopardize the health and stability of the Internet as a whole.

Study after study shows that ISPs in the United States lead the way in providing connectivity to computers that are a major source of malicious activity online, from bot-infected, spam-spewing PCs to compromised computers acting as download sites for malicious software or hosts for phishing Web sites. While it is true that some network providers do a much better job than others in cleaning up problem sites and PCs that are part of their networks, in far too many cases problematic customers are allowed to pollute the Internet for weeks or even months at a time.

Experts say it often costs ISPs more to field a support call from a customer seeking help in cleaning up a virus-infected PC than the provider will make from that customer in an entire year. The result is that -- unless problematic customers are consuming way more than their share of Internet bandwidth -- network providers often find it more cost-effective to simply ignore problematic customers.

I'm not suggesting that taxing online access is the way to fix this problem. But perhaps the time has come for Congress to at least hold out the threat of more government involvement in this space as a means of encouraging Internet providers to do the right thing on security.

Government can be most effective in areas where the free market fails to address a problem. Pollution, for example, is a scourge that economists like to call an "externality," or a market failure that happens when a transaction generates a cost that is not necessarily paid by the buyer or seller, but rather by society as a whole.

The problem with externalities is that businesses that do the right thing -- in this example, invest in non-polluting technologies or take active steps to clean up polluted areas -- are at a market disadvantage as long as their competitors are not required to do the same.

Several years ago, the U.S. entertainment industry won passage of the Digital Millennium Copyright Act, a controversial law that -- among other things -- requires ISPs to take offline any Web site or content that makes available copyrighted content without permission from the content owners. The law holds ISPs free from liability provided that they respond and remove the offending content within a short time of receiving legal notice, usually 24-48 hours.

The DMCA is a far-from-perfect law, but this particular notice-and-takedown provision has proven to work. I'd wager that the mere threat of instituting a similar provision for infected PCs and malicious Web sites would be enough to galvanize a fair number of ISPs to take action.

What might that action entail? A number of ISPs, notably Cox Communications and a fair share of the Canadian-based providers, have instituted a practice known as the "walled garden." This approach basically attempts to alert problematic users to invaders within their machines by confining users -- temporarily or permanently -- to a small portion of the Web where they can go to retrieve the tools and instructions needed to clean up their machines.

Would this approach work to help consumers rid their machines of the most advanced malware out there today? Perhaps not. Would it measurably help reduce the pollution of the Internet by spam, malicious Web sites and denial-of-service attacks? Almost certainly.

Either way, it is time for policymakers to consider this increasingly obvious fact: In order to address the global problem of cyber crime, which disproportionately targets U.S. consumers and businesses, our country is going to need to foster more cooperation among network providers, law enforcement and regulators in other nations. But without a more concerted effort to clean up the Internet pollution problem in our own backyard, the United States will only hinder efforts to enlist other nations (e.g. Russia) in fighting this battle.

By Brian Krebs  |  October 18, 2007; 10:20 AM ET
Categories:  From the Bunker  

Comments

According to this report: http://www.net-security.org/secworld.php?id=5545
the US has the highest infestation of bots.

Yes, please, do turn on the "walled garden".

Posted by: anon | October 18, 2007 10:56 AM

Mr. Krebs downplays the operational problems that malware-infected PCs cause for network providers. It's not just expensive to disinfect grandma's machine, it's often close to impossible without a technician on-site. USD$30/month cable modem subscriptions can't possibly cover unlimited Windows technical support, no matter how much customers may wish it.

Walled gardens are a good solution but there are customers who will complain viciously if they get caught in one, whether they are at fault or not. Customer contracts have to be changed to reflect the ISP's intention to wall off machines suspected of infection. Business or dedicated-line customers will have to pay extra to guarantee that their access will never be suspended even if their systems are temporarily infected, and to accept the responsibility to send SMTP mail (a common malware function, not needed by the general customer population who use their provider's mail servers).

You can bet ISPs will get criticized no matter what they do, but especially if they restrict services (like SMTP) or charge more.

I'm bothered that Mr. Krebs is in favor of using the legislation hammer on network providers whose customers are probably ignorant or at fault, but doesn't mention any culpability for the owners of those PCs, or for Microsoft. After all, MacOS X, Linux, *BSD, and other operating systems are nearly immune from this Internet-polluting malware.

Microsoft gets its cash, the end-user enjoys cheap high-speed Internet access, the hostile parties send their spam or phish their credit card numbers, yet it is the ISP who becomes the criminal for not stopping 100% of the malware?

Posted by: Network Operator | October 19, 2007 6:32 PM

I'm not sure what the problem is that you're trying to solve. I'm being serious. Yeah, there are problems out there. There will always be problems on a public network. But any of your solutions will be worse than the disease you're trying to treat.

Spam? Won't fix that problem.

Copyrighted material? Not even sure that's a problem except to a handful of wealthy media companies.

pwnd machines? A problem that you can't possibly solve with any kind of control or tax on ISPs.

Just let it alone. Get incompetent Congress and our idiot president far away from it. I would rather the worst excesses than let our government "fix" the problem.

Posted by: Ombudsman | October 21, 2007 12:38 PM

We are already taxed on our Internet use through the FCC, State taxes, and right-of-way charges.

To further tax the consumers' use of the Internet would be just another criminal action by our government; but not unusual, since we already pay tax on taxes for gasoline, liquor and cigarettes - to name a few.

When is the general populace going to get angry enough to speak out as one against our loss of freedoms and siphoning of our sweat, blood and years of our life in the form of the money we give up to the government for wars we don't want and salaries we don't need to be paying?

Posted by: Llew | October 21, 2007 2:31 PM

"I'd wager that the mere threat of instituting a similar provision for infected PCs and malicious Web sites would be enough to galvanize a fair number of ISPs to take action."

That's such a lovely thought, Bk!

Posted by: Rick | October 23, 2007 3:34 PM

The comments to this entry are closed.

© 2010 The Washington Post Company