




December 17, 2007

Who Should Be Responsible For Botnet Removal?

Dr. Adam J. O'Donnell asks, "Who should bear the burden of de-fanging botnets?" in an editorial on ZDnet.

With botnets becoming more and more difficult to identify and shut down, O'Donnell is concerned that no one is really taking care of the problem, so he proposes financial mechanisms similar to those used to restrict air pollution.

The system would involve a mutually determined cap on the volume of malicious content the parties would deem acceptable to send to one another. Providers who are able to more effectively control outbound malicious traffic, through expenditures on personnel and products, can recoup those costs through the sale of credits associated with the difference between their level of outbound malicious content and the agreed-upon cap. Providers who don’t police their traffic are forced to buy credits from those who do, which in turn puts a price on their lack of responsibility. Eventually, the provider may choose to expose this cost of security to the end user, with rebates or special offers extended to users who keep their systems clean and never cause a problem. The end users in turn are incented to keep their machines clean.

Getting buy-in from all necessary parties, building a monitoring infrastructure, setting prices, assembling a market, and maintaining a clearinghouse for credit trades would be pretty damned hard, however. I don’t think this is a practical idea, though it does make for a fun thought experiment.

O'Donnell is right about one thing: it sure wouldn't be practical. Providing a financial incentive like this is far too complex, and I doubt it would catch on. Also, is any amount of malicious content an acceptable amount? I believe ISPs need to be required to develop better and more reliable methods to detect infected systems and should then block all traffic from those systems until the customer has called support to say the infection has been removed.

[Who should bear the burden of de-fanging botnets?]

Posted in Tech News by #!/usr/bin/geek at 2007-12-17 00:45 ET (GMT-5)
