The end of net neutrality might mean third-party browser tracking, the deprivatisation of online transactions, spyware on your phone, and more. At least that’s what Dr. Kenneth Williams claims.
Williams is director of the American Public University System (APUS) Center for Cyber Defense. When asked how net neutrality’s end could cause all this doom and gloom, the explanation requires a few steps: “When net neutrality ends, [anti-malware software] providers are now at a higher cost to service providers,” he begins. This, in turn, could raise the cost of Internet access for users who want to maintain the data safeguards their Internet service provider (ISP) used before.
“The cost is going to go up if you choose those, but if you’re a user that [doesn’t] care to pay the fee,” Williams continues. “Either you pay or you just go without. When you go without, there’s a risk not only to you but anyone who connects to you and sends an email to you because the virus [would be] going around all over.”
In other words, the security Armageddon hinges on a lot of what-ifs. Even Williams admits his prediction is a little far-flung: “If someone says it’s very much a stretch, then there’s a plausible argument to that because I can’t prove that at this moment.”
“The regulatory environment is really confused”
In fact, there’s little the security industry can prove right now regarding the threat implications of net neutrality’s demise. Ask Henry Sienkiewicz, chief innovation and revenue officer at Secure Channels, what will happen, and he says, “Nobody knows. The regulatory environment is still really confused.”
In a way, confusion has been a good word for net neutrality all along. Passed by the Federal Communications Commission (FCC) April 13, 2015, the policy barely had time to get off the ground before the FCC voted it out December 14, 2017. As of this writing, around 50 US Senators are working to overturn this decision.
Net neutrality has viable public support, but support doesn’t equal clarity. Many remain confused about what net neutrality is and how its demise could alter the web, especially when it comes to data security. Can that change be accurately predicted?
For Williams, it comes down to how antivirus software receives updates: “Malware providers do constant updates to our phones all the time,” he says, but these updates require bandwidth–the core issue behind net neutrality. The policy was put into place to prevent ISPs like Comcast or Verizon from charging companies extra when they use more.
Debate over whether the Internet is a utility
“The question is: [Is the Internet] a public resource?” Sienkiewicz says. “Like the electrical grid or the gas grid or the water grid, is the Internet a utility or not a utility?” The government regulates the selling of electricity and water, so if Internet access is a utility, government would understandably regulate its sale as well.
So, what does this have to do with information security? Well, if Internet access is a utility, Sienkiewicz explains, Title II of the Communications Act of 1934 “require[s] carriers to balance the commercial, the marketplace, public safety, universal access, [and] privacy…in a way that doesn’t expose a critical infrastructure to unacceptable risks.” If it isn’t, regulation falls under Title I, which doesn’t offer the same protections.
“If it is being regulated as a Title I,” Sienkiewicz says, the next question is, “How will the FCC ensure that the carriers – and the ISPs in turn – are going to fully enable organisations to actually properly safeguard their environment?”
Net neutrality or no net neutrality, data security will remain a challenge
According to Sienkiewicz, “The question is how do we ensure that the networks and the carriers have some type of responsibility for ensuring security to all of the end users? The individual end users don’t necessarily have the wherewithal to manage all of the incredibly increasing amount of threats. For those who could contend that prior to the regulations it was a clean environment, I would say that assertion is misplaced.”
How will the end of net neutrality affect data security? That question will have to wait until we know how it will affect the actual Internet first. The good news is all those scare stories about spyware aren’t as well grounded. “You have to make these decisions based on fact,” Sienkiewicz contends, and in security terms, there aren’t a lot of those available yet. Yes, a shift from Title II to Title I would change what ISPs are legally required to do. Williams is right when he says some companies may cut security budgets to pay for extra bandwidth, but to quote Sienkiewicz, “[C]o-mingling net neutrality and cybersecurity per se may be a bit of a red herring.”
In the meantime, Sienkiewicz says, businesses and users have to be mindful of their own data security: “Organisations have to take personal responsibility for this, as well as the providers taking personal responsibility. All of them have to take personal liability for these things. Until the regulatory environment changes, I don’t know where we will go.”