[discuss] Who is responsible for security

Roland Perry roland at internetpolicyagency.com
Sun Jan 19 09:06:08 UTC 2014


In message <6.2.5.6.2.20140117113038.0b800af8 at resistor.net>, at 12:04:53 
on Fri, 17 Jan 2014, S Moonesamy <sm+1net at elandsys.com> writes
>>And the measures that ISPs could take are not restricted to technical 
>>ones. ISPs tend to be over-represented on lists like this by their 
>>technical department.
>
>I don't think that there are ISPs [1] represented on this mailing list.

That's a pity if they aren't. ISPs make up an important part of the 
"private sector" stakeholder.

>>There's a lot ISPs could do by refraining from providing service to 
>>organisations of doubtful repute (that's the sales department), and 
>>co-operating more with law enforcement when it comes to identifying 
>>bad actors (that's the legal department).
>
>A company usually does not decline business from customers who will pay 
>for it.

Yes, that's the problem. They should decline to do business with 
criminals.

>Note that law enforcement also covers spy agencies.

It does, but better co-operation with the police (alone) would be very 
helpful.

>An ISP does not have much incentive not to collaborate with the 
>government, e.g. law enforcement, unless doing what is being asked will 
>cause a loss of revenue.

The main practical incentive is the time it will take them. On top of 
that is the propensity for legal departments to default to "no" (in case 
the disclosures cause the company to be sued).

>I was reading a European Union committee report which mentioned the following:
>
>  "Points out that both telecom companies and the EU and national telecom
>   regulators have clearly neglected the IT security of their users and
>   clients;"

The regulators are under-funded, and in many cases work at arm's length
from the normal police. Neither of these is helpful.

By the way, turning things a bit on their head, can I say I'm not 
speaking for myself, but for clients with the interests of vulnerable 
users at heart.
-- 
Roland Perry


