How internet service providers can defend the undefendable
23 Jul 2020|

On the whole, the internet has been a tremendous boon for society, but it has also exposed all of Australia—our people, our economy and our government—to sources of unexpected danger from across the entire planet. Criminals, crooks and scammers in other countries can now reach out and hurt us by stealing our data, our identities and our money, and by disrupting our businesses. And although these crimes can be perpetrated in cyberspace, our justice system is historically designed for the physical world and these criminals are usually beyond the reach of our laws.

When it comes to national security, cyber operations are now one of the main ways that states engage in strategic competition to gain advantage without warfare.

The entirety of online Australia is subject to attack, but the sad truth is that only a minority of Australian people and organisations are able to defend themselves. According to the latest official figures, a new cybercrime is reported to Australian authorities every 10 minutes—a staggering statistic given that perhaps less than a third of these crimes are actually reported.

Even large businesses are not immune from online dangers. This year alone BlueScope Steel, transport company Toll Holdings and brewer Lion Australia have had their operations interrupted by ransomware. If large operations are not immune, how are the 98% of Australian businesses with fewer than 20 employees to cope?

An ASPI International Cyber Policy Centre report released today examines ‘Clean Pipes’, the concept that internet service providers (ISPs) offer enhanced levels of default security to their customers.

Some of the most effective security interventions in recent decades have involved providing ‘invisible’ security—security that is delivered by default to end users without requiring any skills or work on their part. These default protections have occurred at many different layers in our computing and communication infrastructure.

For example, one of the ways that operating systems manufacturers such as Microsoft and Apple have made their products more secure is through automatic updates that allow security improvements to be distributed without requiring any user intervention. Building on top of these operating system improvements, browser manufacturers have built systems (Google’s Safe Browsing and Microsoft’s Defender SmartScreen, for example) that warn users before they head to dangerous sites. These initiatives aren’t perfect, but Google’s transparency report states that its Safe Browsing service issues five to 10 million warnings a week to users.

Our ISPs are well placed to implement similar initiatives that improve the security of millions of Australians without their needing to be cybersecurity experts. Conceptually, this requires that ISPs positively identify threats, have some ability to proactively deal with them (such as warning users, blocking attack traffic or removing bogus traffic), and be able to adjust their responses dynamically as the environment changes.

ISPs already have some of these systems in place to protect their own networks and, to a greater or lesser extent, already use that capability to protect their customers. So this is not a case of building an entirely new system to protect Australians. Until now there’s been no widespread belief—among either ISPs or their customers—that providing enhanced default security to customers was an ISP’s job, and nor has any obligation or regulation been imposed by government. In the absence of any expectation or obligation, the investments needed to provide a more secure service haven’t been made.

This hands-off approach to security may have been appropriate for the early days of cyberspace, but as the internet has become increasingly important and the consequences of online crime and interference have become more dire we need more robust protections. The Australian government should drive greatly expanded adoption of Clean Pipes to provide more effective protection across more ISPs—protecting more Australians more effectively. The key advantage of this approach is that it provides advanced scalable protection for the millions of Australians who cannot provide for their own online security.

Recently announced government funding of over $35 million to develop a ‘new cyber threat-sharing platform’ and over $12 million towards ‘strategic mitigations and active disruption options’ could certainly assist in the implementation of a Clean Pipes program. Without an injection of government funds and leadership, it’s likely that the status quo will continue.

Australian governments don’t have a stellar track record of explaining their internet initiatives to the public. To avoid Clean Pipes being mired in unnecessary controversy, government actions and communications should maintain a clear focus on protecting users, and keep copyright enforcement and removal of abhorrent material to their own separate mechanisms.

Clean Pipes is an idea whose time has come. Everyone involved in delivering services on the internet needs to accept an obligation to protect their users.