Regulate the internet


The security of the internet could be greatly improved if ISPs and infrastructure providers spent more on better security.

Many good and worthy things would result from a more secure internet. Since self-regulation has not emerged, the security situation on the internet today is a "tragedy of the commons". The internet industry's savings of $1 on security is costing the rest of society $100.

Federal regulation of internet services is overdue. The cost of bandwidth would increase modestly and equally for all carriers, and the benefits to the economy will exceed the costs.

Federal regulation of the internet should include the following, as a minimum.

1. ISPs prohibited from routing packets out of their zone or subnets that carry a source address not in their subnet.

2. Know Your Customer regulations, making ISPs and carriers liable for damages for acts by their subscribers if they do not document minimal compliance in knowing their customers sufficiently to control behavior originating on their nets.

3. Some minimal logging of IP traffic.

4. Some minimal real-time monitoring for hacker activity patterns, like repeated port scanning of multiple remote addresses.

5. Put security measures into IPv6 as originally conceived.

6. Mandatory adoption dates for IPv6 soon, like within 24 months, and a sunset date for IPv4, for large carriers first, followed in stages by smaller carriers.

Telcos have no incentive to improve security of the free internet. Their incentive is to drive businesses to secure private links. Likewise, they have no interest in a well-performing internet that would provide clear IP telephony.

At this late date it is crystal clear that large telecoms companies and mass media content providers actively want to screw the small business sector out of participating in e-commerce, telephony, or content distribution. And the software companies who are beholden to enterprise clients also have little interest in a secure internet.

If the internet were secure we could all have a static IP address and run our entire home or business marvelously with it. You could run a webserver, FTP server or online commerce from your home. You could run an open telephone or videoconference connection, which anybody could call anytime, just as they can now connect with a telephone. These things are impractical today because the firewall is 1000 times more expensive and complex than the application itself. Again, the software industry fosters environments requiring very high intelligence and high complexity at every endpoint on the network, i.e. servers and firewalls.

When big business is bitten by hackers, Pres. Clinton and all his cronies in the telecoms and banking industries pretend concern. Meanwhile, nothing is being done to fundamentally fix the internet.

Let's talk about why the government sector wants the internet to be insecure: to maintain their absolute grip on the banking system and commerce in this country, which is the key to easy collection of taxes. 

If citizens could conduct business over the internet, we might stop driving to the bank and exchanging pretty pieces of paper. That might result in the government sector shrinking below the present 35% of the GNP. So, they need hordes of thieves and vandals, keeping the internet insecure.

Effective mechanisms making attacks impossible are preferred over regulations that end with law enforcement. Human monitoring and enforcement, and after-the-fact remedies are inferior solutions. 

Here are three quite different choices.

1. Measures that make it mechanically difficult or impossible to spoof, hack, intrude, etc., such as firewalls, end-to-end encryption, smartcards, biological authentication, or licensing and regulation of routers to enforce policies such as source address authentication.

2. Measures that make it impossible to commit crimes without being recorded or detected, such as logging and monitoring systems, but which make it easy for clerks of low intelligence to trace the individual and prosecute, and which have a high percentage of prosecution, e.g. IRS withholding at source.

3. Measures that make it impossible to get away with crimes without leaving some kind of evidence, but which require expensive investigation and evidence gathering, and can only be enforced on a small percentage of violations.

Obviously, today's internet is focussed on the third category, and this is highly unfair to individuals, and to millions of small and medium businesses. It's all based on very unequal protections. 

Recent IETF measures to address DDoS are vivid proof the industry can self-regulate when it wants to.

* Todd F. Boyle CPA
* Kirkland WA (425) 827-3107
* XML accounting, web ledgers, BSPs, ASPs, whatever it takes