The role of the Internet Service Provider (ISP) in preventing the spread of viruses and other malicious content through the internet is a much-debated topic, with divergent views offered by service providers, customers, such as major websites, and facilitators in the form of security firms.
ISPs in the UAE claim that they cannot play the role of "copyright cops", while IT security experts insist that they (the ISPs) can increase awareness among their customers.
While the ISPs insist that they have updated networks but need companies and individuals to increase their security budgets, IT security companies claim that ISPs are in a unique position to closely monitor viruses thereby enabling secure networks. The country's Telecom Regulatory Authority (TRA), on its part, has set up its cyber security arm "aeCERT" to monitor viruses and attacks into the UAE.
Emirates Business spoke with the UAE's two ISPs as well as IT security companies to understand both sides of the story.
The panel consists of Khalifa Al Shamsi, Senior Vice-President, Consumer Marketing, etisalat; Walid Kamal, Vice-President-Technology Security and Risk Management, du; Guru Prasad, General Manager-strategic alliances and channel development at FVC (representatives for companies such as Google and Tipping Point); Frank Bunn, Product Marketing Manager, Symantec; and Judhi Prasetyo, regional channel manager at Fortinet Middle East.
Can an ISP be a "copyright cop" enforcing private rights to control the attack of anti-viruses on UAE networks?
Al Shamsi: The internet is constantly changing and is an ever-dynamic environment offering users a vast array of information and content that can be both useful and damaging to their computer security. Internet users the world over are under constant threat from viruses and attacks.
Etisalat provides free anti-virus and internet security software and other security measures. However, the lack of security-conscious home users not availing this software and the open nature of the internet creates a breeding ground for network security threats that may impact both etisalat and customers.
At etisalat, we can only encourage customers to protect their systems with the free anti-virus software provided to them.
Kamal: There is the TRA in the country and we respect their directives and policies on this front. There is no policy to restrict downloads and there is monitoring done on attacks and the use of bandwidth.
As an ISP, the bandwidth use has to be optimised without any restrictions.
We cannot stop individual file transfers or BitTorrent unless there is a directive from the TRA. Du can [and does] control websites with hacking tools, pornography, political content and websites not permitted for children under 18.
Prasad: ISPs are not willing to undertake any liability on behalf of the consumers.
They can mitigate the risks and therefore the liability remains with the consumer. ISPs can intervene in a limited manner but undertaking copyright protection is not the way out.
Bunn: ISPs are in a good position to provide a high level of security to protect their subscribers against malicious code and botnets. In fact, studies reveal that 70 per cent of subscribers assume it is the responsibility of the ISP to provide telecom lines and protect against malicious codes.
When this is not done, consumers prefer taking up service from competition.
This risk of losing customers can be avoided by providing a basic level of security. On the other hand, ISPs are bombarded with laws and regulations, as they have to balance data flow into their networks and protect national interests.
Prasetyo: Internet users worldwide are linked to each other through their local ISPs. The ISPs can have a "full view" of what is flowing through their "pipes" in real time. If there is any malicious content spreading in their "territory", they will be the first one to know. This makes it a priority for the ISP, especially in the Middle East, where this is no longer a monopoly.
How important is the role of an ISP in such an environment?
Al Shamsi: Customers can be subjected to a growing number of malicious threats, threatening the overall user experience. Meanwhile, operators can be impacted by support and network-management issues that result from denial-of-service (DoS) attacks, e-mail spam, viruses, Trojans and worms. Securing the network from malicious attacks without compromising free and open access to the internet is essential.
As a strong supporter of anti-piracy, etisalat constantly ensures that open access to the millions of bits of digital information passing through their portals does not pose a potential threat to its customer or lead to the distribution of obscenity over the network.
In its role as an information carrier, etisalat, therefore, takes all necessary steps in cutting down the free flow of any malicious content, thus keeping in line with the internet policy of the UAE's regulatory authority.
Further, we also encourage the use of copyrighted material and advocate anti-piracy due to the threat and danger of virus attacks through file sharing and its adverse impact on various industries.
Kamal: Du has the technology and the solutions to look for patterns of viruses. This controls hackers to a limited extent as they are always ahead of us. Customer downloads, for example, cannot be controlled.
When botnets give information to our systems, the behaviour of the network changes. This helps us advise customers. We are also initiating talks with the TRA to stop cyber crime by setting up policies in the UAE.
As an ISP, we have been cautious in protecting the network from viruses, malicious worms and targeted attacks. They are blocked at the gateway level. There are attacks happening on a daily basis and hackers are kept under "suspected watch", and blacklisted, and in some cases specific countries are monitored.
Botnets have been the highest in 2009 and also attacks on vulnerable systems.
Malware was also a highlight in terms of hacking personal information.
Last year, there were also a lot of attacks on the UAE from Europe and China.
Some aggressive attacks happened on December 25, 2009, from Russia.
Bunn: This again depends on the laws of different countries. Users and content coming into the network is relevant today. Laws must be clear about content flow and its blockage. For example, if an individual drives a Porsche and exceeds the speed limit, who should be blamed? The road, the vehicle or the driver?
Technically, an ISP can put up blocks but legally there are a lot of clarifications.
Users have also to be kept happy as they could choose another ISP; therefore it's a challenging situation.
Higher bandwidth being made available to users is becoming another challenge since this increases infections as the speed of attacks also intensifies.
Prasad: There are two sides to the coin – moral and economic benefits. On the one hand, the ISP is protecting the right of the customer, while on the other it has to make money. This can be done by providing better services to the consumers and eliminating viruses blocking networks. aeCERT, the cyber security arm of the TRA, can help educate on protection of networks.
ISPs can also start by providing a basic level of security packages at low or subsidised rates. Educating customers will enable them upgrade to buy the entire Internet suite. They must use the internet in this direction and make investments in identifying malicious attacks.
This can be done on network-based malicious attacks. Even individual file sharing or BitTorrent can be controlled, as there is technology available to do that, and their bandwidth can be offloaded. Malicious content can affect bandwidth performance.
Prasetyo: BitTorrent and many other file-sharing applications can be controlled and Fortinet implements that technology in the UTM devices used by service providers. The question is whether the ISPs activate the rule to block, monitor, or pass those applications. The configuration of the device depends on the policy of each ISP. This depends on the security policies in place and can differ from one ISP to another, from one country to another.
There's a lot of debate on an ISP playing a role of a "copyright cop". This is also called security versus privacy. Some people don't like to be monitored by their ISP, but on the other hand, some users hope that their ISP can help them by sanitising the network.
I believe we should really concentrate on preventing the spread of destructive payloads such as virus, trojans and malware. The ISP can play a key role here since they have the full view of the network in their territory.
This can be also seen as a potential way to increase ARPU (Average Revenue Per User) for the ISPs by offering the "filtering" and "sanitising" as value-added services.
Is consumer and enterprise awareness on cyber security an issue?
Kamal: Du has started initiatives on this front and with the TRA and, with the introductions of aeCERT, the maturity of consumers will increase.
Even at the enterprise level, security budgets must get management support.
Without the right allocation of budgets, they are failing. They have to start realising that security is an enabler for the business. Even at the consumer level, they are not investing in original security products but prefer buying pirated copies.
Prasad: On the regulatory front, copyrights could be taken up. This is not there yet across the region. Copyright violations could be supported by preventive legislations and awareness spread about violations.
On the threat landscape, consumers must be made aware of the exposure level.
Google can find out, to an extent, the use of malware.
Email, web security and data leakage are areas in which Google works on actively. We still find it difficult to work with consumers and enterprises, as security budgets are still low. Globally, it is at 10 per cent or more, while in the Middle East it is still lower. Security companies are raising publicity on that front.
Keep up with the latest business news from the region with the Emirates Business 24|7 daily newsletter. To subscribe to the newsletter, please click here.