January 25, 2018 | By Stone Tillotson
Although many voiced concern over the Federal Communications Commission's December vote to repeal "net neutrality," others believed the action could improve our cybersecurity protection. Shane Tews, a visiting fellow at the American Enterprise Institute (AEI), explained why. Her position rested primarily on longstanding telecom industry practices for blocking and throttling network traffic when necessary to protect quality of service. Identifying and limiting network traffic that appears to be malicious or excessive is often performed to protect the integrity of the wider network or to derail cyberattacks. Tews argued that banning these practices (and claimed the FCC's 2015 net neutrality rules did), effectively made it "open season" for any group that wanted to launch a denial of service attack against the United States. She wrote:
[...] the best ways to mitigate a cyberattack such as a DDoS attack is to throttle, block, and potentially prioritize traffic for a specific reason, all forbidden [practices]....
Tews suggested that the repeal of net neutrality would allow Internet Service Providers (ISPs) to respond more effectively to emerging cyberthreats, mitigate any incipient regulatory overreach, and encourage industry innovation. Her views echoed that of the AEI and formed part of their argument which helped to successfully repeal the prior net neutrality requirements.
IISP Analyst Stone Tillotson: "Since emerging as a public policy issue, net neutrality has consistently fueled heated debate. Much of it was driven by the core principles of 'no blocking' and 'no throttling,' and the consequences they entail. A complete ban on traffic blocking, throttling, and degrading would indeed have undermined one of the best tools ISPs have to mitigate cyberattacks, especially distributed denial of service (DDoS) attacks, but the FCC was not so Draconian in their (now defunct) 2015 order. From Report 15-24, Paragraph 112:
[...] broadband providers may implement network management practices that are primarily used for, and tailored to, ensuring network security and integrity, including by addressing traffic that is harmful to the network, such as traffic that constitutes a denial-of-service attack [....]
The 2015 rules expressly allowed ISPs to undertake steps to reasonably manage and protect their networks. To paraphrase an oft repeated admonition, the FCC didn't intend net neutrality to be a suicide pact. In each rule from the 2015 order, the FCC specifically exempted 'reasonable network management' from the ban. A cursory reading would seem to rebut all arguments forwarded in the AEI paper about net neutrality's impact to the cybersecurity landscape. Over the seven years preceding the December 2017 repeal, the rules were first partially and then later fully adopted, without any of the speculated consequences having been observed. The AEI paper might make for good lobbying, but from dire, non-existent consequences to elusive, hypothetical gains, their real message seems to be 'fear, uncertainty, doubt,'"
For further reading
- AEI report: https://www.aei.org/publication/repealing-net-neutrality-implications-cybersecurity/
- FCC's 2015 net neutrality rule: http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0312/FCC-15-24A1.pdf