As ISP landscapes evolve, what’s the impact on security?
The recent announcement by FCC Chairman Ajit Pai that the FCC intends to end Net Neutrality should has inspired much fierce debate, with a lot of rhetoric exchanged regarding the maintenance of a ‘free Internet’ versus allowing ISPs to ‘innovate.’ Internet-related legislation ranks among the most important issues of our time; simple access and throughput are essential, but so is content quality and overall information security that includes basic consumer protections.
How can this impact information security? The topic requires revisiting history to uncover the story of how we got here. A lot of it has to do with anti-trust: after all, it seems the biggest worry is that ISPs hold monopolies on broadband access, and without enforceable net neutrality would be unencumbered in their interest of higher profits. While a valid concern, that doesn’t necessarily mean that consumers are sure to be on the losing end of the proposition.
In the 1980’s AT&T controlled most of the telecommunications infrastructure in North America through its ownership of Bell Systems. Primarily voice traffic, it also controlled devices that accessed the network through its manufacturing subsidiary Western Electric. Beginning in 1974, lawsuits for the divestiture of these were pursued. Facing the possibility of losing the lawsuit, by 1984 AT&T proposed an alternative: give up ownership of the regional companies that comprised the Bell System; but retain Western Electric, Bell trademark rights, Bell Labs, and AT&T long distance. Interestingly, AT&T also requested that they be allowed to manufacture and sell computers, freeing it from an anti-trust consent decree that dated back to 1956. AT&T PCs were then featured prominently through the 1980’s, one even appearing in an Epcot exhibit although, by the time I saw it in 1992, it was severely obsolete.
Fast forward to the Telecommunications Act of 1996. Consumer data access had begun to figure very prominently into the market, and dotcom was in full swing, driving demand for both last-mile access and higher capacity network backbones. Concerns were being raised about market squabbling among network providers, which could result in some networks being cut off from the rest – the term Internet, an interconnection of many networks, was well established by then but sometimes not fully functional due to these disputes. Market competition was once again needed. The result was the establishment of Incumbent Local Exchange Carriers (ILEC) and Competing for Local Exchange Carriers (CLEC), representing the market for Internet Service Providers, and coining the term ISP. ILECs were required to sell services to CLECs at wholesale prices, then to be resold at different margins and bundled with additional value-add services. In 2000, there were approximately 15,000 ISPs.
Net neutrality is born
Then the dotcom bubble burst. With a diminished market between 2000 and 2010, the number of ISPs contracted by about 40% or more. Control of networks was consolidated along with that, negating much of the effects that the Telecommunications Act of 1996 had achieved. The idea of Network Neutrality was born, with concerns that ISPs would impose tariffs on startups like Netflix that used bandwidth like never before. In 2010 the FCC enacted the first Net Neutrality rules; the debate continued, with ISPs suing the FCC; in 2015 more Net Neutrality rules were put into effect, and ISP litigation continued.
Which brings us to our current state.
What ISPs have to gain
I heard a speaker on NPR the other day talking about how ISPs already enjoy a profit margin of over 95%. The actual profits, if figured in Cost of Goods and Services (COGS) versus revenues, are more like 97%, but that’s not a very accurate picture of the truth – if it were, ISPs would be the most profitable businesses in the history of the world! It costs an enormous amount to build fiber and copper networks. If Return on Investment Capital (ROIC) is used to compute actual profit margins, then Comcast’s ROIC over the last five years is only 4.5%. As a broadband analyst has pointed out about Google’s fiber network, “The problem is it costs a lot of money to climb all those poles and dig all those trenches to make it happen. You don’t make money in three years, but you make money in 10 years.”
Also, using Comcast as an example, their subscribership for cable programming is declining while data volumes for streaming services are increasing. They don’t currently have a way to price their data services based on usage, data caps notwithstanding. They obviously don’t want to have to continue to allow throughput regardless of data volumes; they’d prefer to make up for subscription losses with more tiers of throughput.
ISPs stand to gain much more ability to control markets in virtually any industry vertical if they have control over data volumes and throughputs. That is positive for them, but for everyone else, not so much.
What information security has to gain
Comcast has stated that if net neutrality is taken off the table, they’ll block torrent traffic. That riles many of those in favor of net neutrality; after all, torrent users want the same throughput regardless of data volumes, but the fact remains that up to 80% of torrent traffic represents intellectual property violation and as much as 20% of torrent use results in a virus or malware infection. One may wonder why ISPs don’t block torrent traffic regardless of net neutrality because of the capacity it requires, but that potential legal malaise is another topic. Suffice to say that information security and privacy would be enhanced if torrent traffic were blocked; it’s one of the four most common ways to catch a virus.
If networks were more highly valued due to consumer cost increases to use them, their resiliency would be of higher importance to ISPs. Whatever cable throughput data plan you have, their SLA is still “best effort,” i.e., no guarantees that you’ll get the throughput you’re supposedly paying for. If protections are designed into these networks so that they’re more resilient, such that DDoS can’t take them and their customers out, security wins. After all, our three pillars of security are Confidentiality, Integrity, and Availability.
What’s more, reinforcement of the Telecommunications Act of 1996 goals of increased competition among ISPs, with better SLAs and a focus on security as a value-add, could provide CLECs with a selling point: use the CLEC that bundles security services with the network. Partnerships with Managed Security Services Providers could be a potential area of growth.
Originally posted on CSO: https://www.csoonline.com/article/3239048/net-neutrality/net-neutrality-and-information-security.html
Dave Rickard, US Technical Director at CIPHER, has created and directed global security programs and frameworks, with 17 of his 25 years of IT experience primarily dedicated to information security best practices.