In August 2016, one of the world’s largest botnets launched a distributed denial of service (DDoS) attack that smothered vast swathes of the US internet, including consumer giants like Amazon, Airbnb, GitHub, HBO, Twitter and PayPal. Dubbed Mirai, this particular horde of bots was made up of hundreds of thousands of smart appliances – binding everything from fridges and kettles, to televisions and baby monitors, to its ferocious will.
Mirai was supposed to be a turning point. In the wake of the attack, the FCC published a new set of rules for internet service providers (ISPs) compelling these firms to secure their customers’ data against cyberattacks – the logic being that these companies, equipped with the ability to map and monitor reams of traffic across their wiry domains, would act as a gigantic firewall against similar attacks in the future. Almost as soon as it was to come into force, this new rulebook was torn up in March 2017 by the new, Trump-appointed leadership of the FCC.
Only slowly have other jurisdictions embraced the opportunity to mandate increased cybersecurity responsibilities for ISPs. In Canada, for example, Bill C-26 is intended to strengthen reporting requirements for ISPs surrounding cyberattacks, while in Australia similar reforms are being considered in the wake of the devastating hack of telco Optus. In the UK, meanwhile, new legislation in the form of the Telecommunications (Security) Act (TSA) imposes new requirements on broadband providers to secure their supply chains against hostile nations like Iran, Russia and China, while proactively monitoring their networks for suspicious activities. Even so, says Bharat Mistry, UK and Ireland lead for Trend Micro, the new act is just “enforcing really basic cyber hygiene for telecoms providers”.
In the meantime, cybercrime is only getting worse. Between March 2021 and February 2022, for example, there were 153 million new malware samples – a 5% increase on the previous year according to a recent report from Comparitech. By 2025, global cybercrime damages are expected to cost up to $10.5trn annually which, according to AT&T, represents the biggest transference of economic wealth in history.
As such, calls are increasing for ISPs to join the coalition of corporate IT departments, bug bounty hunters, cybersecurity firms and national governments currently manning the defences against hackers. They could contribute so much more to the fight against cybercrime, argues Mistry. “At the moment, they only provide a basic service,” he says. “They’ll do some basic blocking, like porn sites and things like that. But it’s not very sophisticated – and it’s not very clever.”
What ISPs could achieve in cybersecurity
Mistry isn’t alone in calling for ISPs to step up. According to the World Economic Forum, broadband providers are in a ‘consequently privileged position in being able to tackle head-on some of the strategies deployed by cyber criminals.’ Where better, in other words, to protect internet users from third-party cyber threats than at their front door?
Some ISPs have begun to take action unilaterally. Australia’s Telstra, for example, is currently collecting data on traffic flows to identify phishing campaigns, forwarding the reports to the Australian Cybersecurity Centre (ACSC) and blocking suspect domains. ISPs could also inform customers directly when they’ve been hacked, and how severely. However, explains Andrew Kernahan, providing such information to the public could be embarrassing for providers.
“We can clearly understand the need for transparency and to help customers,” explains the head of public affairs at the UK’s Internet Service Providers Association. Even so, “a message from your provider to say you’ve been in breach or been hacked is almost an admission of failure, that something’s gone wrong. That’s why I don’t think we’ve seen that many of these cases, because the provider thinks it’s their job to sort that out behind the scenes.”
These sorts of messages could also be misconstrued as phishing attempts and scare members of the public, suggests Kernahan. “Would you trust a message from your provider or purporting to be from your provider saying you’ve been hacked, click here to clean it up and sort it out?” he says.
Current legislation does not mandate ISPs to do any of this, at least not in the UK. While the TSA stipulates the length of time ISPs should hold on to data and basic supply chain hygiene, these regulations do not extend to enforcing blanket protection for users against cyberattacks. This is down to a number of reasons, starting with the level of personal freedom internet users naturally expect (see, for example, the ongoing debate in Canada about the privacy implications of Bill C-26).
“What it comes down to is how much control you want the ISP to have and whether you want to have that full freedom, not of speech, but of information,” says Mistry.
Alternative ISP cybersecurity frameworks
Another argument goes that government regulators are not sufficiently agile to create legislation quickly enough to remain up to date with a field as fast-moving as the internet. So says Adrian Wan, senior manager of policy and advocacy at the Internet Society, an NGO specialising in boosting the internet’s overall cyber hygiene. Allowing top-down regulations by governments risks locking in outdated methods, he argues.
“When network operators make decisions, they are agile, responding to real-time needs as they see the landscape change all the time,” says Wan. Government legislation, by contrast, will always trail behind.
The Internet Society has put forward a framework to mitigate these risks. Dubbed the Mutually Agreed Norms for Routing Security (MANRS), the guidelines concentrate on improving the routing system, the process by which a computer selects a path to access one or more networks. Systemic security issues in how traffic is routed on the internet make it a relatively easy target for cybercriminals. MANRS has been around since 2014.
‘MANRS helps reduce the most common routing threats and increases efficiency and transparency among ISPs and peering relationships,’ wrote Wan in a recent Internet Society blog post. It does this by outlining a set of principles that focus on the strategic actions ISPs should take to protect consumers from common online crimes. That includes providers acting collectively with peers to identify and respond to known threats, increasing awareness of the dangers of poor cyber hygiene among stakeholders (including customers), and working more closely with manufacturers and hardware and software vendors to increase minimum levels of security.
“By joining MANRS, it means that ISPs take certain concrete actions to secure their networks and also to do their part to help others secure theirs as well,” says Wan.
So far, 275 network operators and 45 internet exchange points have signed on to the proposal to tighten ISP cybersecurity responsibilities. The US government is also increasingly open to such reform. In February, the FCC opened up its own inquiry, partly triggered by an entreaty from the Department of Defense citing the MANRS proposals, into how the sector might better secure network routing protocols. One major US ISP, however, remained reticent about the prospect of future changes.
“Verizon agrees with nearly all other commenters that the global nature of Internet routing means the United States cannot unilaterally solve its inherent security vulnerabilities,” said the company in a filing it made to the FCC. “Mandating adoption of any particular set of technologies or standards would be counterproductive or even harmful.”
In the meantime, says Mistry, ISPs can take actions now that better safeguard users, beyond the scattered blocking protocols they already have in place. While there’s a balance to be struck between the security and the freedom of the user online, it shouldn’t stop the sector from making basic, beneficial improvements. “There’s got to be some minimum baseline that they should be putting in,” he says. Ultimately, argues Mistry, “you have to have safeguards in place that are not charged at a premium. It needs to be part of the service.”