SpamHuntress states in an Article entitled Why ISP’s don’t monitor and catch zombies:
But why don’t they?
They are in the business of making customers happy, period.
And customers who feel spied upon and vilified by their ISP aren’t happy.
I responded with:
I worked at a Business ISP. I never had a problem with a customer reporting a botnet issue to them. Nor was I restrained by the business/management from doing so directly.
The only real constraint I had was staffing/manpower related. The Service Provider was grossly understaffed to handle and followup on security incidents. I had to prioritize and respond on a time available basis, unless it was a major incident (credit card/finance related, phishing, pharming). Mostly every function at the Service Provider was bare bones.
The under-staffing was really economics driven. The Service Provider did not have proper incentives to care more about security issues effecting third parties.
The only way to solve problems like this (when the source of extreme pain to one party, is spread out thinly as a slight inconvenience to many), is to change the incentives.
Individuals and organizations should practice Information Security Lawfare against the sources. The Feds and the individual states should enact legislation to make this easier. After a few successful class-action lawsuits, I am pretty sue that the business liability insurance providers will require proper security programs of Service Providers and others as a condition of coverage.
Posted in Business, Economics, Information Security, Lawfare, Public Policy
RSS
