Consumer-ISP Security Notification and Remediation Strategies: An International Analysis

Posted: 19 Mar 2018

See all articles by Nathaniel Fruchter

Nathaniel Fruchter

MIT Internet Policy Research Initiative; Massachusetts Institute of Technology (MIT) - Computer Science and Artificial Intelligence Laboratory (CSAIL)

Steven Bauer

Massachusetts Institute of Technology (MIT) - Laboratory for Computer Science (LCS)

Date Written: March 14, 2018

Abstract

Malware and other sources of malicious activity are becoming more prevalent on home networks. In addition to traditional PC-based malware, new classes of threats (e.g., botnets of Internet of Things, or IoT, devices engaging in denial of service attacks) have emerged. Many of these threats are opaque for an end user. Unless a user is appropriately notified about a threat (e.g., via consumer anti-virus or commercial intrusion detection mechanisms) or the user notices degradations in service quality, threats may go undetected. Put another way, these threats may cause their harms without causing noticeable performance problems for the infected end-user. Since network security threats generate negative externalities on a local scale (e.g., malware entering a corporate network), as well as for the greater Internet ecosystem (e.g., botnets in a DoS), a number of stakeholders have championed a range of network security notification and remediation schemes as useful strategies to combat these new types of emergent threats.

This paper reviews the efficacy and potential of both past and proposed end-user notification schemes. It begins by tracing the origin of notification schemes from other Internet security governance initiatives (such as the anti-spam push) and those that emerged following large, defining security events such as the Conficker worm. Next, it catalogs 13 prior and current notification and remediation schemes enacted across various jurisdictions and contexts in the U.S. and abroad. These schemes are evaluated in terms of their scope, similarity, efficacy, and applicability.

We conclude that, while some prior schemes may have been effective in the past, existing initiatives and standards work on notification is often rooted in an older threat landscape that does not scale well beyond the older “one modem-one PC” home network paradigm, and hence does not address the challenges confronted in an IoT world.

A common theme in notification and remediation schemes is their dependence on timely notification to end-users of threats, along with actionable remediation advice appropriate to the threat. Implementing this paradigm in today’s novel threat landscape will require cooperation across the multiple stakeholders that need to be involved in sharing information and in implementing the actions required by any proposed scheme. The chain of stakeholders is diverse and includes network operators, ISPs, standards bodies, governments, equipment providers, consumers, and various alliances of these groups.

We discuss key technical and policy issues that must be resolved in order to ensure a trusted notification and incentive-compatible remediation scheme is in place to address these threats effectively. By highlighting existing schemes that effectively act at the intersection of stakeholder interests, we show that meeting the two notification and remediation goals is possible if future designs are rooted in the lessons of existing schemes.

Keywords: security, cybersecurity, internet, telecom

Suggested Citation

Fruchter, Nathaniel and Bauer, Steven, Consumer-ISP Security Notification and Remediation Strategies: An International Analysis (March 14, 2018). TPRC 46: The 46th Research Conference on Communication, Information and Internet Policy 2018. Available at SSRN: https://ssrn.com/abstract=3140875

Nathaniel Fruchter (Contact Author)

MIT Internet Policy Research Initiative

32 Vassar St
32-G806
Cambridge, MA 02139
United States

Massachusetts Institute of Technology (MIT) - Computer Science and Artificial Intelligence Laboratory (CSAIL) ( email )

Stata Center
Cambridge, MA 02142
United States

Steven Bauer

Massachusetts Institute of Technology (MIT) - Laboratory for Computer Science (LCS) ( email )

United States

Register to save articles to
your library

Register

Paper statistics

Abstract Views
54
PlumX Metrics