Should your ISP play a greater role in keeping you safe from malware, viruses and other web threats? One of Australia’s senior politicians seems to think so. In a column in The West Australian, Dan Tehan, Australia’s cybersecurity minister, wrote: “Just as we trust banks to hold our money, just as we trust doctors with our health, in a digital age we need to be able to trust telecommunications companies to protect our information from threats.”
A companion news article in the same newspaper cited Tehan as arguing that “the onus is on telecommunications companies to develop products to stop their customers being infected with viruses”.
According to The Financial Review, Tehan told the British Australian Fintech Forum in London that “telcos and ISPs must take greater responsibility for ensuring their customers understand risks and said the government expects them to engage with the not-for-profit sector and SMEs – who may not have their own resources to establish protective measures – and offer them commercial products to identify and eradicate threats”.
Tehan’s government roles include assisting the prime minister on cybersecurity, so folks throughout Australia perked up when he said all this. However, it’s not clear if there’s an actual plan behind Tehan’s observations – or if there is, whether it will be backed by legal mandates.
In another speech to the British Chamber of Commerce, Tehan emphasized partnership and teamwork, saying that the Australian government wants to
… support the private sector to step up and provide… products that reduce the risk of malicious cyber activity and give users the choice to purchase additional security services… industry must be empowered to design and implement solutions the public want… telecommunications companies and ISPs can and should develop products which users can embed to build-in cyber security measures and reduce the risk of malicious cyber activity before it ever reaches the end-user.
There’s not a lot of “mandate” in that language. And Tehan swore he wasn’t talking about government-mandated content filtering (a major controversy in Australia several years ago). But, back home in Australia, some early reactions to the possibility of any new government interference weren’t kind.
In iTWire, Sam Varghese said, “Dan Tehan has just provided the country with adequate reasons as to why he should not be allowed anywhere near any post that has anything to do with online security.” Varghese added: “When it comes to detail, Tehan predictably goes missing.” Overclockers.com.au called Tehan’s comments “an attempt to be seen to be doing something when you have no clue as to what that ‘something’ is”.
Press reports suggest telecoms don’t yet know what if anything the government is cooking up. According to The Inquirer, “John Stanton, CEO of telecoms industry body the Communications Alliance, told Australian IT magazine IT News that he’d not had any contact from the government about its intentions.” iTwire elicited anodyne statements of cooperation from Telstra and Vodafone, two of Australia’s largest telecoms.
If you’re looking for something a bit more solid, it might be this: Tehan also discussed the Australian government’s move towards a posture of “active defence,” in which it “aims to disrupt malicious cyber activity using measures, such as blocking or diverting malicious traffic, to prevent problems before they occur”.
He said the government would more aggressively prevent government employees from visiting known malicious sites, and try to reduce legal roadblocks “that may be preventing the government and private sector from delivering” more aggressive cyberdefense services. That might mean poking some new exceptions into privacy laws against information sharing among government and businesses. But again, the devil’s in the details – and the details don’t yet exist.
John
You would thnk it would be in the ISP’s best interest to do this. After all, it helps protect their own network. A bonus would be happier customers, but they wouldn’t want that now would they?
Matthew Shapiro
How would you accomplish this? HTTPS encrypts all traffic. You’d have to MITM every HTTPS session, and that would require installing root certificates on ever end device or else Chrome et al would display the connection as compromised.
Additionally, what about false positives? The point of a communications network is to reliably deliver packets uncorrupted, not to decide which packets to deliver based on content — particularly when it’s nearly impossible to guarantee the recipient doesn’t WANT those packets, regardless of whether you think the content is “safe”.
Max
You could at least have some form of blacklist of known malicious or potentially dangerous sites and you can simply alert the customer when he visits such a site. With such a simple non-invasive measure you could probably prevent a significant share of malware infections.
apraetor
Can’t be done without root access to every end device; the ISP would need to install certificates on every device so that it could man-in-the-middle every HTTPS session without setting off alarms in Chrome/Firefox/Safari.
Lem
That would a game changer, and yet we all know that the bad guys would still figure out some way to get malware on consumer devices.
Mahhn
Dan Tehan misunderstands, maybe. If he means ISPs could “offer” firewall services, well anyone can, and plenty of IT service companies do. (Including Sophos – for free) It’s really up to the Consumer to want it.
To clear up “his” misunderstanding:
“Just as we trust banks to hold our money” You don’t expect your bank to control what you spend your money on, or when you can take it out. People make bad investments all the time, it’s not the banks fault. Just like it’s not the ISPs fault if someone goes to a malicious site.
“we trust doctors with our health” No, we trust doctors to give us advice and treat us, not stop us from falling down, eating junk food, or make us put on a coat to keep from catching a cold. Just like we don’t have an ISP stopping people from going any place they think they want to.
However, they could get their Cyber Sec hat on and Black Hole; malware sites, command and control servers, until they are cleaned up. Most of the work for that is already done by AV/Firewall companies, that could take the lead (be hired) to do that at a higher level. But not ever, ever, for political reasons/ blocking ideology. Only malicious software servers.
Wilderness
ISPs filtering obvious malicious traffic is really a no-brainer.
Mahhn
People need to remember, that if there is ‘filtering” that means that “all” traffic is monitored. I manage one of these filters, I see everything. You do not want some unknown Joe watching everything you do – yes this includes credit card numbers, medical data, all data uploaded and downloaded, every single hit. You may have nothing to hide, but you don’t want to let random people see everyone’s health data/banking/entertainment.
At work, you don’t have a choice, at home you should expect privacy.
apraetor
It’s a no-brainer that it’s impossible, you mean. The majority of web traffic is encrypted with HTTPS now; how do you propose inspecting those packets, short of manually installing root certificates on every client device?
Ed
I want a pipe. I don’t want a filter. I’ll manage my own security thank you.
GeorgeB
I believe ISP do not want to protect customers from malicious emails as it generates traffic ie money for them. Have been a Bigpond customer for many years and regularly have received fake Bigpond email trying to get you log in details. I can see nil reason why Bigpond should not protect their own customers from this.
Michael Marohn
I think there is a lot of valid points on the filtering issues, I know I have had issues in the past with an ISP blocking specific ports and like most of you, I would prefer to handle my own level of security. The problem is of course with the end users that don’t want the responsibility of managing any aspect of security and they would just assume give their credit card information to someone that they don’t know vs risk losing all of the data on the computer that they never back up. I think from the ISP side of thing that they should do some DNS level filtering to block unwanted & illegal website access for most end users. I wouldn’t expect an ISP to run anti-virus scans or SSL inspects, but I would hope at some point that they would allow the end users to say if they were only going to need basic access to the internet and they weren’t going to be playing games online, etc. I don’t think the goal is about being all inclusive for every single device on their network and protecting against every threat, but about taking the right step in the direction in saying that an ISP can offer more & do more to help protect their customers. Although I do agree that it’s a tricky topic because once you get started down a path you better understand the end result, in an ideal world you would put the responsibility on the end-user, but we in IT know that is rarely the case.
Mark
Yep. Another classic example of Government officials making a sweeping statement without actually understanding the technology that they are referring to. You have to ask yourself whether they just think that ISPs simply need to tick the “block all criminal/malicious/hacking traffic” in their system software.
Don’t get me wrong. The idea that ISPs could block all access to illegal content and malware/viruses is commendable but the technology just isn’t there at the moment. I manage corporate proxies. Filtering systems use backend databases of website categories in filtering policies and there are no products on the market that guarantee that every single website is categorised appropriately. I mean, how could they? You’d need an army of staff continually trawling the web viewing website content and there are hundreds of thousands of sites created every day (quick Google search)? And this is before you even start looking at the man in the middle HTTPS inspection issues