Cyber Accountability: Should ISPs Quarantine Bad Users?

As Congress figures out how to legally and appropriately secure critical infrastructure like power plants from cyber attacks, another set of arguments about cyber accountability is percolating. In a soon-to-be-released report, the Center for Strategic and International Studies will call on individual Internet service providers (ISPs) to "quarantine" their users who regularly or routinely (accidentally) introduce malware and viruses into their networks. ISPs have largely neglected this hygienic task because it violates a key value premise of the technology -- namely, that everyone should have equal access to the Internet. Comcast has started to experiment with so-called "segregation" in a Denver-based pilot project.

This is a hot-button political issue. Many see it as a way down the road to violate net neutrality itself; others believe that people with less social capital will inevitably access less-secure sites or sites that clog up the data lines or something along these lines.

Without dismissing those concerns, there really is a simpler way to interrogate the premise: who's accountable for protecting the domain? The government? (The NSA?) The service providers? Or people who use it? Can Comcast charge customers who regularly update their anti-virus software less than those who don't? Can the security incentives be aligned with the financial incentives the market imposes without violating people's rights?

CSIS's reports on cyber security are extremely influential throughout the government and they influence policy. According to one of the report's authors:

[T]he theme of the report is that we still think as if this was a stand-alone world, where mainframes and PCs stood in splendid isolation, only tenuously connected by some cranky dial-up connection. Fiber optic, broadband, cloud - they all mean that it is better to think in terms of one big, interconnected device, or one big collective federation. Like any federation, you need rules and safeguards to protect individuals, but the pioneer days are over.
Folks don't like to hear this.

Yesterday, Consumer Watchdog notified the world that it had accessed Rep. Jane Harman's home WiFi connection in Washington, D.C. They did this as a way of criticizing Google for its Street View data-collecting methods, which apparently sucked in data from WiFi systems across the world, by accident, Google says.

Here's where the concept of cyber hygiene matters: who bears responsibility for Jane Harman's WiFi connection? I'd argue that Harman is responsible. Virtually every router or piece of software that allows you to create a WiFi hub also provides an easy way to secure the hub. Many people don't bother to secure their hubs, setting up open data networks and then complaining when people have the temerity to point out (or exploit) the open data.

"The media is turning an opportunity to educate WiFi users about basic data protection into an overwrought privacy invasion narrative, which is particularly sad considering a) Street View is such an awesome, helpful service and b) Google did the RIGHT thing and publicly acknowledged that it had pulled in some of this data and then immediately deleted all of it," is how one friend of mine who works at a competing news site put it.

I agree.