Krebs: FCC must make ISPs crack down on spammers and malware

The FCC is looking for industry guidance on its cybersecurity roadmap. Brian Krebs says measuring security efforts by US-based ISPs and hosting companies is a critical first step.

The Federal Communications Commission (FCC) is asking for help in developing a "Cybersecurity Roadmap," an ambitious plan to identify dangerous vulnerabilities in the Internet infrastructure, as well as threats to consumers, businesses and governments.

The one piece of advice I will offer the commission is to begin measuring the responsiveness of Internet service providers (ISPs) and hosting companies in quashing malicious threats that take up residence on their networks. This is an imperative first step to prevent attacks on the Internet infrastructure, in addition to making the Internet a friendlier place for users.


The FCC said that it is seeking comments on how to proceed with the roadmap, which is part of the commission's National Broadband Plan to roll out high-speed Internet services to more Americans.

The commission made the request at almost the same time as the Pew Research Center's Internet & American Life Project issued its finding that more than half of Americans disagree with federal efforts to expand broadband deployment, an effort for which the Obama administration has allocated more than $7 billion. The Pew report came as the FCC was releasing data showing that most Americans who are paying for high-speed access aren't getting anywhere near the Internet speeds they've been promised.

Here's my proposal: Instead of spending billions to squeeze even more people onto already overloaded high-speed lines, the commission should spend its resources trying to improve the security, privacy and satisfaction of people already using these networks.

The FCC now collects reams of data every month about how well the major phone companies serve their customers, measuring the quality of the services they provide by keeping track of and publishing a myriad of data points, such as the frequency of dropped calls and customer complaints. Yet, the commission largely has no reliable data with which to measure whether ISPs (many of them phone companies as well) are taking any concrete steps to make their high-speed pipes less hospitable to online threats.

For tens of millions of consumers, one of the greatest hidden "costs" of being online is dealing with seemingly incessant attacks from scammers, spammers and malicious software. Spam costs U.S. businesses and consumers more than $42 billion annually, according to 2009 estimates by Ferris Research, and Symantec now tells us that spam accounts for roughly 90 percent of all e-mail.

We hear a great deal about the cyber threat from nations such as China and Russia, but the truth is that the United States is the world's largest exporter of cybercriminal-friendly resources. Computer security firm Sophos notes that the United States continues to be the largest single source of spam, spewing more than 13 percent of junk e-mail worldwide.

According to anti-spam group Spamhaus.org, ISPs and hosting providers in the United States are by far the most popular havens for spammers, more than three times worse than China, the second country on the list.

American ISPs and hosting companies also are the top breeding grounds for sites hosting malicious software. According to an automated monitoring system set up by the University of California, Santa Barbara, U.S.-based hosting providers account for seven of the world's Top 10 most malicious networks. UC Santa Barbara's rating system is unique in that it not only counts the percentage of hosts that are found to be malicious, but it also takes into account how long problematic sites persist at each hosting provider.

U.S. providers also consistently host the largest number of phishing Web sites -- counterfeit bank and e-commerce sites designed to trick people into revealing their financial and personal information: A review of the monthly statistics from Phishtank.com, a volunteer-led group that monitors phishing sites, shows the same seven U.S.-based hosting providers among the world's top 10 "phishiest" networks.

A number of other groups monitor Internet badness from a variety of unique perspectives. While there is no shortage of groups -- mostly volunteer-led -- that track badness on the Internet, few measure ISP reputation from more than one particular vantage point. What is needed is a single place that gathers together information from various, trusted sources of reputation data to build a well-rounded and timely picture of which ISPs and hosting providers have the most work to do in cleaning up their networks.

ISPs serve a vital role in connecting Americans to the rest of the world, and consumers increasingly are relying upon them to deliver a growing number of traditional non-Internet services, including television, radio, telephone and video conferencing. I cannot emphasize enough that it should never be acceptable for Internet providers to abide customers who pollute the Internet for weeks and months on end.

The idea should not be to punish ISPs because they have customers whose computers are turned into spam zombies by a virus, or because they host compromised Web sites that are used in online scams: All providers face these problems. Yet currently, there is little, if any, accountability for ISPs that allow these problems to fester and spread to other networks.

U.S.-based ISPs and hosting providers can be shamed into taking corrective action when publicly confronted with the magnitude of malicious activity resident on their networks. I believe that the FCC must help foster this type of awareness, simply by dedicating a portion of the funding it will receive as part of its broadband rollout efforts to gathering and publishing data on providers that are consistently the top sources of Internet evils originating in the United States.

Internet security experts constantly warn that our nation has much to lose from a potential cyber attack on our critical infrastructure, and the FCC's own request for comments acknowledges that issue. If that day ever comes, and unless our Internet providers clean up their act, most of the attacks will probably originate right here in our own backyard.

CSOonline contributor Brian Krebs previously covered security for the Washington Post. He blogs at www.krebsonsecurity.com.
