Net Neutrality's demise may open the door to overdue cybersecurity improvements.
Before you send me hate mail, let me reiterate my opposition to FCC’s repeal of Net Neutrality this week. I deplore it. It was bad for consumers, bad for site owners, and bad for the Internet. I submitted comments directly to FCC months ago and signed the EFF letter to FCC.
Hopefully a future administration or Congress (or court ruling) will restore Net Neutrality, but for now the damage is done. Yet there may be a silver lining. When FCC set aside Net Neutrality, it also stripped Internet Service Providers (ISPs) of a favorite excuse for turning a blind eye to malicious Internet traffic.
For years industry groups and experts have urged ISPs to block malicious Internet transmissions “upstream” before they enter the global backbone and reach their victims. There are many such opportunities for ISPs to make the Internet more secure, but they blamed Net Neutrality for their inaction.
Perhaps the biggest such opportunity is the distributed denial-of-service (DDoS) attack, which takes two common forms. In the first, a botnet unleashes a flood of packets at a victim site to overwhelm its servers and knock it offline. In the second, the attacker sends packets that appear to originate from the victim’s servers, triggering an unwanted flood of responses. In the first scenario the ISP could recognize an anomalous uptick in packets addressed to one destination and take action to slow or block them. In the second scenario the ISP could detect forged source IP addresses and take similar preventive action.
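The two checks an ISP could run at its edge for these scenarios, sketched as an added example that is not part of the original article. The port names, thresholds, and addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data: prefixes the ISP assigned to each customer port
# (hypothetical port names, documentation address ranges).
CUSTOMER_PREFIXES = {
    "port-a": [ipaddress.ip_network("198.51.100.0/24")],
    "port-b": [ipaddress.ip_network("203.0.113.0/25")],
}

def source_is_valid(port, src):
    """Ingress filter: the source must lie in a prefix assigned to the arrival port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))

def flood_targets(counts, baseline, factor=10, floor=1000):
    """Destinations whose packet count exceeds both `floor` and `factor` x baseline."""
    return sorted(dst for dst, n in counts.items()
                  if n >= floor and n > factor * baseline.get(dst, 0))

def inspect(flows, baseline):
    """flows: (port, src, dst, packets) tuples. Returns (spoofed, flood_destinations)."""
    spoofed, per_dst = [], Counter()
    for port, src, dst, packets in flows:
        if not source_is_valid(port, src):
            spoofed.append((port, src, dst))   # forged source: drop at the edge
            continue
        per_dst[dst] += packets                # count only traffic that passed the filter
    return spoofed, flood_targets(per_dst, baseline)

# Constructed flow records for one measurement interval.
FLOWS = [
    ("port-a", "198.51.100.7", "192.0.2.10", 4000),
    ("port-a", "198.51.100.9", "192.0.2.10", 3500),
    ("port-b", "203.0.113.20", "192.0.2.10", 5000),
    ("port-b", "192.0.2.10", "198.51.100.53", 900),   # source claims to be the victim
    ("port-a", "198.51.100.7", "192.0.2.80", 1200),
]
BASELINE = {"192.0.2.10": 300, "192.0.2.80": 1000}  # typical packets per interval

if __name__ == "__main__":
    spoofed, floods = inspect(FLOWS, BASELINE)
    print("spoofed:", spoofed)
    print("flood destinations:", floods)
```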
ISPs could disrupt other threats with predictable network patterns too, including phishing, brute-force password guessing, malware propagation, Border Gateway Protocol (BGP) traffic hijacking, and botnet command-and-control. As with DDoS, an ISP can intervene by blocking, slowing, or redirecting malicious packets before they reach their intended victims.
A Russian traffic hijack this week is a good example. Global traffic was suspiciously rerouted to an unknown Russian provider by exploiting weak BGP procedures. The incident would have been entirely preventable had ISPs verified the authenticity of new BGP route announcements, instead of erring on the side of maximizing network traffic.
ISPs like to blame Net Neutrality when asked to crack down on suspicious network behavior. Blocking or throttling evil packets could violate its requirement to treat all traffic equally, or at least that’s what their executives and lawyers often claim.
When they were hammered by a series of devastating DDoS attacks, US banks asked FCC to declare that Net Neutrality rules “do not and should not act as a legal barrier for ISPs to block malicious traffic transiting their systems.” FCC didn’t take action, enabling ISPs to hide behind the shield of Net Neutrality to justify inaction against DDoS perpetrators.
Sadly, FCC relinquished much of its authority over ISPs with this week’s ruling. It didn’t just repeal Net Neutrality; it reclassified ISPs into a different category, so they are no longer Title II regulated utilities. So we can no longer ask FCC to punish irresponsible ISPs. Instead, consumers must demand better cybersecurity from our Internet providers. Contact your ISP today!
With this week’s repeal of Net Neutrality, our ISPs have lost their excuse. It’s time for them to start taking their responsibility as Internet gatekeepers seriously, and no longer turn a blind eye to malicious network behavior in the name of Net Neutrality.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.