FCC’s Net Neutrality Rules May Make Internet Service Providers Reluctant to Block Malicious Traffic

Recent federal regulations to maintain fairness online by compelling internet service providers to treat all web traffic equally could have unintended consequences when it comes to defending networks against cyberattacks.

A recent example of such a scenario took place in late October, when a massive distributed denial of service (DDoS) attack — when hackers hijack a network of internet-connected devices and use them to inundate a target with so much traffic it’s knocked offline — hit domain name service provider Dyn, taking down Twitter, Spotify, Reddit, SoundCloud and large portions of the internet across the U.S. The massive botnet used to attack Dyn was made up largely of poorly secured Internet of Things (IoT) devices like webcams, smart thermostats and DVRs.

In the days after, Virginia Democratic Sen. Mark Warner sent a letter to FCC Chairman Tom Wheeler expressing concern over net neutrality rules contained in last year’s Open Internet Order, which bar internet service providers from prohibiting the attachment of “non-harmful devices” to their networks.

“It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be harmful to the “network” — whether the ISP’s own network or the networks to which it is connected,” Warner wrote. “While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area.”

Though the FCC’s net neutrality rules give ISPs the ability to manage their networks with the intention of “ensuring network security and integrity, including by addressing traffic that is harmful to the network” for “cyber security purposes” and specifically lists DDoS attacks as one such scenario, providers may still be reluctant to do so for fear of suffering FCC enforcement action as a result, according to Eric Burger, director at Georgetown University’s Security and Software Engineering Research Center.

“The nature of the Dyn attack was such that if an ISP blocked the traffic, they would likely see enforcement action for blocking the traffic,” Burger told InsideSources. “Why? Because the traffic looked like legitimate video. There is no way a slapped industry being accused of impairing video traffic would then go and impair video traffic that seemed at the time to be legitimate.”

The computer science professor said while the attacks occured outside of the FCC’s jurisdiction and there was little the agency could do itself in terms of defense, its net neutrality rules could make ISPs shy about intervening and blocking traffic in future attacks, even if they suspect it’s malicious.

“In other words,” he continued, “the Open Internet rules could have been part of the problem here, not the solution.”

After the FCC’s October open meeting Wheeler briefly addressed Warner’s concerns, saying he believes the Open Internet Order gives ISPs adequate space to maneuver in the event of future attacks.

“The Open Internet Order allows for reasonable network management, which clearly gives leeway to be able to deal with issues like this,” Wheeler said, adding he plans to formally respond to the concerns expressed by Warner, who sits on the Senate Select Committee on Intelligence and co-founded the Senate Cybersecurity Caucus.

Earlier this year, Wheeler listed cybersecurity as a first priority for the agency ongoing as it rolls out new privacy rules for internet service providers and performance standards for the next generation networks like 5G, but others at the FCC doubt the agency’s secruity prowess.

“There are other agencies that have a more well-defined space, legally speaking, and more well established expertise,” Republican FCC Commissioner Ajit Pai said after the same meeting, Morning Consult reported.

Pai descibed the FCC’s role with regard to cybersecurity as “relatively circumscribed” and “consultative” as opposed to “setting forth uniform rules that would apply to an entire industry.”

Follow Giuseppe on Twitter