The Organization for Economic Cooperation and Development (OECD) has released new research into the role that broadband Internet Service Providers (ISPs) around the world can play in helping to mitigate the impact of botnets (infected computers), which SPAMMERS abuse to spew out approximately 83.4% of all junk email (Symantec's MessageLabs 2009 data).
Over the period 2005-2009, between 60% and 74% of all infected computers (i.e. SPAM sending IP addresses worldwide) were located within networks of around 200 ISPs in the wider OECD area. However, just 50 ISPs account for half of all infected machines and the vast majority of these are legitimate providers.
Thankfully many ISPs claim that their organisations already have practices in place to tackle spam/botnets, where they contact and in some cases quarantine customers whose machines are infected with malware. Virgin Media UK has done this before, as have a few others. However, the OECD warned that this practice is not as widely adopted as it could be, that it doesn't catch enough infected computers and that no data is available to show its true effectiveness.
The study said:
"There are indications that ISPs only deal with a fraction of the infected machines in their networks. For example, in an earlier study we found that a large ISP with over 4 million customers contacted around 1,000 customers per month (Van Eeten and Bauer 2008). Typical estimates of security researchers put the number of infected machines at around 5% of all connected machines at any point in time (Moore et al. 2009).
This would translate into about 200,000 infected machines for this specific ISP. Even if we reduce the estimated infection rate to 1%, that still implies 40,000 infected machines. This stands in stark contrast to the 1,000 customers that the ISP claimed to be contacting – even when we optimistically assume that all contacted customers are either willing and able to clean up their infected machine or are being quarantined.
Previous research would indeed predict such a discrepancy between ISP efforts and the actual number of infected machines. Some reports went as far as arguing that ISPs have “no incentive” to disconnect infected machines from their networks (House of Lords, 2007). Other studies claimed that small ISPs may have some “weak positive incentives”, but that large ISPs “enjoy a certain impunity” and only “face limited economic incentive to clean up their act” (Anderson et al. 2008).
Our own work is slightly more positive about the incentives of ISPs, but also signals significant areas where these are lacking or too weak to trigger security improvements (e.g., Van Eeten and Bauer, 2008)."
In other words, broadband ISPs don't have enough incentive to scale up their mitigation efforts in a way that would match the problem's true size. However, there is apparently no firm research available to either refute or confirm this claim.
To be fair, most UK ISPs operate on fairly thin profit margins and already have a huge weight of new government regulation bearing down upon them. In addition, the report claims that ISP support costs can quickly outweigh the profit margin for a subscription. Sadly, some of the third party (not OECD) suggestions for resolving this are quite controversial.
1. Asking governments to force ISPs to assume more responsibility (liability for infected machines could be assigned to the ISPs).
2. Impose statutory damages on ISPs that do not respond promptly to requests for the removal of compromised machines.
3. Subsidise the clean-up of infected machines, in what the author calls a public health approach to cybersecurity (Clayton 2010).
The final option would overcome the incentive problem, although we can't imagine many governments taking that route. The report also admits that the problem itself, ultimately, isn't the ISPs' fault. Ignoring the hackers themselves, customers must take the bulk of responsibility for failing to keep their systems both secure and up-to-date.
As it stands, this issue is unlikely to be resolved anytime soon; after all, it's been a problem that governments and ISPs have tried and failed to tackle ever since dialup internet first became popular (15 years ago). On the other hand, I'm sure we'd all feel a lot happier about the internet if SPAM was no longer such an annoyance. A LOT HAPPIER.