When bad policy attacks

Posted by Maxim Weinstein Wed, 18 Nov 2009 19:58:47 GMT

Brian Krebs at the Washington Post reports on some ill-advised proposed legislation:

The chairman of the House Oversight and Government Reform Committee introduced legislation on Tuesday to prohibit the use of peer-to-peer (P2P) file-sharing software across all federal government computers and networks.

This is what happens when policymakers fail to separate problems from the technology that the problems are built upon. It’s roughly equivalent to observing that sports cars are involved in a lot of accidents and therefore banning sports cars from public roadways. Whenever possible, legislation should avoid even mentioning specific technologies, and instead should focus on the underlying problem (in this case, the inadvertent leaking of information by government employees/computers).


Larry Clinton: Government must change market incentives

Posted by Maxim Weinstein Wed, 18 Nov 2009 16:34:24 GMT

According to Wired’s Threat Level blog, the president of the Internet Security Alliance, Larry Clinton, blames many cyber security problems on individuals and businesses failing to take responsibility for the role they could/should play:

Larry Clinton, president of the Internet Security Alliance, told senators that public apathy and ignorance played as much a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data.

“Many consumers have a false sense of security due to their belief that most of the financial impact resulting from the loss of personal data will be fully covered by corporate entities like the banks,” he said. “In fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees.”

As for corporate and government entities that collect and store the public data, they “do not understand themselves to be responsible for the defense of the data,” said Clinton, whose group represents banks, telecoms, defense and technology companies and other industries that rely on the internet. “The marketing department has data, the finance department has data, etc, but they think the security of the data is the responsibility of the IT guys at the end of the hall.”

Clinton goes on to say that the solution lies in government creating market incentives, and he promises a proposal from the Internet Security Alliance soon. It will be very interesting to see what they propose. As StopBadware board member Michael Barrett (CISO at PayPal) has pointed out, government involvement may be a necessary part of changing incentives and behaviors in an area where externalities are inevitable. At the same time, there are other ways to modify market incentives, as StopBadware and its partners have demonstrated over the last few years. The challenge for all of us working in this space is finding the right balance of public and private interventions.

Clinton himself points out one of the risks of trying to impose new market incentives in his explanation of why consumers don’t take credit card security seriously. As soon as government put the burden of liability on the credit card issuers, consumers no longer had the incentive to protect their card numbers. (Note: one problem with this example is it’s not clear what consumers would be likely to do differently if they were on the hook for unauthorized credit card charges.)

Another concern about imposing new incentives is reflected in StopBadware co-founder Jonathan Zittrain’s work: what happens to freedom (and, by extension, innovation) as the market increasingly values security?

There are no easy solutions here, but it’s clear that market incentives do, in fact, need to be changed, and that some combination of governmental and non-governmental intervention will be required to make that happen. StopBadware and its partners have demonstrated some examples of the latter, showing that malware warnings, alerts about badware applications, and lists of infected hosting providers can encourage improved website security and better application behavior without limiting freedom. I look forward to seeing and weighing in on how ISA’s proposal complements what is being done, and can still be done, within the market.


ISPs and the fight against bots

Posted by Maxim Weinstein Tue, 10 Nov 2009 19:19:48 GMT

For the last several months, some of the folks at Comcast have been working on a draft IETF document to inform ISPs about the role they can play in remediating bots on their customers’ computers. This is a tricky challenge: on one hand, ISPs are in a great position to detect bot activity, notify their customers, and potentially even block traffic. On the other hand, customers and net neutrality advocates don’t want ISPs mucking around with customers’ Internet use.

The document attempts to find a balance, encouraging ISPs to notify customers of bots and assist with remediation, while warning about some of the risks of more aggressive involvement (such as "walled gardens," in which users are cut off from most Internet access until they clean up an infection).

I wrote up a set of comments which I shared with the authors and now make available here.

Comcast isn’t just talking about this issue in theory. They recently launched a pilot program in Denver that inserts a warning message into web pages that a customer is trying to view if Comcast has detected bot activity on that customer’s account. It will be interesting to watch how this develops over time. How will customers react to the warnings? Will Comcast customers be tricked by fake warnings designed to look like the real ones? How will customers who learn that their computers are bot-infected go about getting them cleaned up? (Comcast offers some useful tools and information for this, as well as support forums. Will this be enough?)

There’s no question that ISPs have an important role to play in reducing badware on the Internet, and I commend Comcast for taking the initiative in this area. It will be interesting to see whether this proves effective and whether the potential side effects can be kept to a minimum.
