Will the end of net neutrality be a security nightmare?

The end of net neutrality might mean third-party browser tracking, the deprivatization of online transactions, spyware on your phone, and more. At least that’s what Dr. Kenneth Williams claims.

Williams is director of the American Public University System (APUS) Center for Cyber Defense. When asked how net neutrality’s end could cause all this doom and gloom, the explanation requires a few steps: “When net neutrality ends, [antimalware software] providers are now at a higher cost to service providers,” he begins. This, in turn, could raise the cost of internet access for users who want to maintain the data safeguards their internet service provider (ISP) used before.

“The cost is going to go up if you choose those, but if you’re a user that [doesn’t] care to pay the fee,” Williams continues. “Either you pay or you just go without. When you go without, there’s a risk not only to you but anyone who connects to you and sends an email to you because the virus [would be] going around all over.”

In other words, the security Armageddon hinges on a lot of what-ifs. Even Williams admits his prediction is a little far-flung: “If someone says it’s very much a stretch, then there’s a plausible argument to that because I can’t prove that at this moment.”

“The regulatory environment is really confused”

In fact, there’s little the security industry can prove right now regarding the threat implications of net neutrality’s demise. Ask Henry Sienkiewicz, chief innovation and revenue officer at Secure Channels, what will happen, and he says, “Nobody knows. The regulatory environment is still really confused.”

In a way, confusion has been a good word for net neutrality all along. Passed by the Federal Communications Commission (FCC) April 13, 2015, the policy barely had time to get off the ground before the FCC voted it out December 14, 2017. As of this writing, around 50 US Senators are working to overturn this decision.

Net neutrality has viable public support, but support doesn’t equal clarity. Many remain confused about what net neutrality is and how its demise could alter the web, especially when it comes to data security. Can that change be accurately predicted?

For Williams, it comes down to how antivirus software receives updates: “Malware providers do constant updates to our phones all the time,” he says, but these updates require bandwidth–the core issue behind net neutrality. The policy was put into place to prevent ISPs like Comcast or Verizon from charging companies extra when they use more.

Debate over whether the internet is a utility

“The question is: [Is the internet] a public resource?” Sienkiewicz says. “Like the electrical grid or the gas grid or the water grid, is the internet a utility or not a utility?” The government regulates the selling of electricity and water, so if internet access is a utility, government would understandably regulate its sale as well.

So what does this have to do with information security? Well, if internet access is a utility, Sienkiewicz explains, Title II of the Communications Act of 1934 “require[s] carriers to balance the commercial, the marketplace, public safety, universal access, [and] privacy…in a way that doesn’t expose a critical infrastructure to unacceptable risks.” If it isn’t, regulation falls under Title I, which doesn’t offer the same protections.

“If it is being regulated as a Title I,” Sienkiewicz says, the next question is, “How will the FCC ensure that the carriers–and the ISPs in turn–are going to fully enable organizations to actually properly safeguard their environment?”

State actions might complicate security picture

To make regulation even more complicated, states are now getting involved. On January 22, Montana became first in the nation to pass its own net neutrality law, separate from any federal decision.

Again, the way this impacts information security goes back to whether you see the internet as a utility. Sienkiewicz explains: “Utility companies are regulated at the state level,” so it’s perfectly possible for individual states–like Montana–to pass their own legislation. He also says laws like Montana’s will be “technically very complex to actually enforce.”

If more states splinter off and create their own rules, the country could wind up with a European Union-type situation, where overarching security requirements cover the whole region with different countries still enforcing their own: “Will we end up getting a California emission control standard, [for example], as a way to provide the standard for internet traffic?” Or, he suggests, ISPs might wind up completely pulling out of states where local laws are onerous.

Of course, some might ask why internet security simply doesn’t just revert back to the way it was before. Sienkiewicz says that’s problematic: “Prior to the net neutrality regulations, the networks were not a very pristine environment.” If you think about the organic way in which early internet providers were created, it’s easy to understand why the landscape might have been messy–or at least not an ideal to go back to.

Net neutrality or no net neutrality, data security will remain a challenge

According to Sienkiewicz, “The question is how do we ensure that the networks and the carriers have some type of responsibility for ensuring security to all of the end users? The individual end users don’t necessarily have the wherewithal to manage all of the incredibly increasing amount of threats. For those who could contend that prior to the regulations it was a clean environment, I would say that assertion is misplaced.”

How will the end of net neutrality affect data security? That question will have to wait until we know how it will affect the actual internet first. The good news is all those scare stories about spyware aren’t as well grounded. “You have to make these decisions based on fact,” Sienkiewicz contends, and in security terms, there aren’t a lot of those available yet. Yes, a shift from Title II to Title I would change what ISPs are legally required to do. Williams is right when he says some companies may cut security budgets to pay for extra bandwidth, but to quote Sienkiewicz, “[C]o-mingling net neutrality and cybersecurity per se may be a bit of a red herring.”

In the meantime, Sienkiewicz says, businesses and users have to be mindful of their own data security: “Organizations have to take personal responsibility for this, as well as the providers taking personal responsibility. All of them have to take personal liability for these things. Until the regulatory environment changes, I don’t know where we will go.”