Security threats Toolkit

With ISPs like these, who needs enemies?

Andrew Donoghue ZDNet.co.uk

Published: 06 Dec 2004 13:40 GMT

BT sees its role as a service provider as a purveyor of raw bits. It is capable of protecting you from DDOS attacks but only if you stump up extra cash to pay for it. 'We can protect you but it won't come cheap' -- the last time I heard an ultimatum like that it was coming from the cigar-chomping lips of Tony Soprano.

But surely Cable & Wireless must have a slightly more responsible attitude - -after all, Yu had singled them out for praise following Betfair's DDOS incidents earlier this year? Nope. Director of incident response for Cable and Wireless Richard Starnes pretty much concurred with BT's Regnault.

"We get put into this position that ISPs should do more to promote anti-spam and antivirus, We should do, but we're going to charge for it. We're a business and we have to support our shareholders and keep our employees in jobs. We're not going to do that by giving our services away for free." Inspiring attitudes from two of the UK's leading service providers.

ISPs don't want to take a proactive approach to security until they're forced. Why go to the trouble of eradicating a security threat for free when you can charge your customers a premium instead? Altruism is a dirty word to some corporations, they harp on about social responsibility when it suits them but at the end of the day, as Starnes points out their first duty is to the "shareholders". Much the same attitudes prevailed when the first moves towards Victorian sanitation roused the anger of those building city infrastructure. It's not our business what people do with their waste, said the builders: to see what happens when such ideas prevail, visit any shanty town. Is that what BT and C&W want?

It might seem tough to ask for better corporate citizenship when the only people really suffering from DDOS are gambling sites, but this is not a matter of personal morality. What hits a bookie today could hit the NHS online booking system tomorrow, and that could lose more than money.

The agency which should be leading the charge here is Ofcom -- the communications watchdog. At the moment, Ofcom is understandably reluctant to get involved in the messy, constantly evolving world of Internet regulation but that might be about to change. There is a clause in the Communications Act under which Ofcom operates that says the watchdog has some responsibilities when it comes to stopping abuse of electronic networks. Ofcom could use this clause to get ISPs to take responsibility for DDOS attacks and malware -- if it's serious about regulating the electronic environment for the benefit of all.