At a keynote during the Cloud Security Alliance's 2012 Congress (CSA), a panel of security experts beat up on Verizon, in its role as an ISP, for being a conduit of malicious activity. The question that precipitated the attack was: what responsibility do infrastructure providers have in ensuring the security of the Internet, and how does that play into national security?
It was amazing that, with the exception of Verizon, each of the panelists stated that the role of the government was to determine what Internet security was. This is much different from the current consensus that government's role in Internet security is to help coordinate security. Further, most of the panelists suggested that legal issues involved in security had made contract compliance too burdensome. So let's break these issues down.
There is robust debate on the Hill about the role the U.S. government will have in Internet security. Key for infrastructure providers is the discussion about whether they are “critical infrastructure” subject to possible security regulations from the Department of Homeland Security or Department of Defense.
An increased role for the Federal government would represent a shift from the current contract-based regulation of the Internet. However, the discussion at the CSA Congress appears to reflect a change in risk tolerance among Internet players. In the past, each Internet player has recognized that doing business on the Internet involved a significant amount of risk. Moreover, each player was able to determine its own risk tolerance, and to purchase materials, or configure its network, to reflect that tolerance.
Both of these positions mean that security trumps all other issues. It is important to understand that these discussions are not just, or even primarily, about things like firewalls, but involve very sensitive issues like deep packet inspection. The tradeoffs that these decisions involve are deep, and the Internet community needs to ask: does security trump all other concerns?
I was also shocked by discussions about how "troublesome" compliance is with the security provisions of contracts. Particularly shocking was the comment that it was just too hard and time-consuming to have lawyers send out cease-and-desist letters and go to court. This argument goes to the very heart of the legal system we have developed, which uses due process and the judicial system as a firewall against overreaching. The argument that was made was the same argument that Big Content made last year during SOPA and PIPA: defending their rights was just too hard, so due process rights needed to be reduced.
Are we at a point where security trumps over 200 years of our agreed-upon balance between property rights and personal protection? I don't think so. The security rhetoric needs to be amped down, and a sense of "fair play" restored. We need to take reasonable steps to prevent theft and other bad acts, but also understand that perfect protection may not be feasible. The answer to this is not to impose martial law on the Internet. The answer is to recognize that our judicial and private contracting systems are resilient enough to balance the relevant priorities and let people make informed decisions.