Senator Cardin’s Bill to Explore ISP Enforcement of Digital Security

By Jack Goldsmith
Thursday, December 9, 2010, 9:33 PM

One of many reasons why America’s digital networks are so insecure is that so many ordinary computers users do not take computer security – firewalls, up-to-date anti-virus software, and the like – seriously.  Insecure computers can be infiltrated by stealth and made part of a botnet that supports a denial of service attack or a spam attack that can deliver destructive malware.  (The United States has the most, or nearly the most, infected botnet computers in the world.)  In these and other ways, ordinary computer users generate significant third-party harms that they are not paying for and in fact usually don’t know about.  One possible fix to this problem (suggested in chapter 7 my colleague Jonathan Zittrain’s book, The Future of the Internet – And How to Stop It): Internet Service Providers – which are well positioned to know which computers are insecure – could deny or delay Internet access to computers that send spam or other suspicious computer probes into the network, or that are otherwise insecure.  This would help clean up the network and would have the important side-benefit of educating computer users about digital hygiene.  The security gains from ISP enforcement would be expensive for ISPs (and would likely be passed along to users in higher Internet access fees), however, and would require a government mandate to work.  Such a mandate would invariably have other downsides as well.

This is the background to a new Bill introduced today by Senator Cardin that proposes an “Internet and Cybersecurity Safety Standards Act.”  Building from the premise that the “Government and the private sector need to work together to develop and enforce minimum Internet and cybersecurity safety standards for users of computers to prevent terrorists, criminals, spies, and other malicious actors from compromising, disrupting, damaging, or destroying the computer networks, critical infrastructure, and key resources of the United States,” the Bill would require the Homeland Security Secretary, in collaboration with other agencies, to “conduct an analysis to determine the costs and benefits of requiring providers to develop and enforce minimum Internet and cybersecurity safety standards for users of computers . . . .”  The Bill further provides that in conducting this analysis, “the Secretary shall consider all relevant factors, including the effect that the development and enforcement of minimum Internet and cybersecurity safety standards may have on homeland security, the global economy, innovation, individual liberty, and privacy.”  The Bill requires the Secretary to issue a Report on the results of the analysis within one year.

Senator Cardin’s Bill is an important and sensible first step toward addressing a very serious problem.  I hope it becomes law.