Mar16
eCrimes and an Internet Tax posted by Rick Howard
Filed in: Internet Tax
I am in London this week getting ready to kick off the eCrimes
conference. This is my second trip out here for this great event. I get
to travel to London, burn my tongue senseless on some very hot Thai
food (I highly recommend the Mango Tree, but I may have to go through several therapy sessions to recover) and spend the week seeing customers.
The marketing folks have me on the treadmill today. I am facilitating a discussion with Eli Jellenc, the Manager of the iDefense International Cyber Team, at breakfast this morning with about 25 CISOs. We are going to touch on these topics:
- Targeted attacks by criminal organizations
- Invasive government activity (e.g., monitoring)
- Hacking of mobile hardware devices
- Increases in corporate espionage
- Distribution of malware via social networking sites
- Outsourcing software development to foreign countries
I am then presenting during the 9:20 a.m. keynote slot behind Paul
Hoare, the Senior Manager of UK's SOCA (Serious and Organized Crime
Agency). I am giving the Reader's Digest version of the iDefense
patented Trends Briefing -- it should be a "hoot." If you are in town,
let me know. I am buying the beer.
But, none of this is what I want to talk about today. During the RSA conference two weeks ago, Microsoft's Scott Charney suggested
that an Internet tax might be a way to reduce the cost of implementing
a vaccination-like program for consumer-infected Malware machines. This
type of program would be similar to how parents vaccinate their
children before sending them to school. He suggested that the Internet
Service Providers (ISPs) might be the designated vaccinators, scanning
and cleaning machines before they let "grandma's" machine access the
Internet. Charney noted that the business world already does this
today. Many enterprises scan computers on the fly every time someone
accesses their corporate networks. If a computer does not pass a scan,
the user cannot access the company network. In his RSA speech, Charney
asked, who does that for the consumer?
Of course, the ISPs have no incentive to do that kind of thing today. What's in it for them? Charney suggested that the government could compel the ISPs to conduct such scans as part of their business license requirements. He was not naive enough, though, to suggest that this was a no-cost operation for the ISPs. In order to offset those costs, Charney suggested an Internet tax -- an added cost to consumers in order for the ISPs to pay for the vaccination program.
Well, you would have thought that Charney publicly advocated the buying and selling of babies for slave labor. Everybody jumped in to say why this was a "horrible" idea, including Gartner's John Pescatore, Qualys' Wolfgang Kandek, ESET's Randy Abrams and nCircle's Andrew Storms.
After reading their reasons, it seems to me that some of these folks
had not understood Charney's suggestion in context. They reacted to the
tax idea without understanding the reasoning behind the tax; they
knee-jerked against the general principal of an Internet tax, as if
there could be no possible reason to hinder their God-given rights to
free use of the Internet. This all appears short sighted to me.
As Charney pointed out in his speech, "We pay a fee to put phone service in rural areas, we pay a tax on our airline ticket for security. You could say it's a public safety issue and do it with general taxation."
Computerworld quotes Microsoft statistics: "there are 3.8 million infected botnet computers worldwide, 1 million of which are in the U.S. They are used to steal sensitive information and send spam and were a launching point for 190,000 distributed denial-of-service attacks in 2008."
Clearly, we have a problem. Using ISPs as vaccinators is a wonderful idea; paying for it is problematic. An Internet tax may fit the bill, but we should all start getting used to the idea that running and securing this great experiment in connecting the world is not free.
