A first look at the issue of net neutrality might not immediately bring to mind cybersecurity, but we shouldn’t ignore the security implications of fundamentally reclassifying the Internet. Let’s level-set a little. Net neutrality doesn’t appear to be a simple issue to most people, but it’s actually not that complicated. The FCC previously classified broadband Internet access as a telecommunications service, which Congress defines, in essence, as allowing users to transmit information of the user's choosing to and from endpoints specified by the user without making any changes to the user's information. That definition places the Internet alongside other telecommunications services like the telephone, and it implies a whole bunch of regulatory behavior. The FCC has now adopted Chairman Ajit Pai’s proposal to reclassify broadband Internet access as an information service. There’s a whole line of analysis that points out why this is wrong, as well as plenty of commentary and discussion online about it. No doubt that conversation will continue, but that’s not what this post is about. I’m here to ask how this change affects cybersecurity.

With this change, the role of ISPs on the Internet will shift away from providing open access to providing filtered and tiered services. It won’t come overnight, and we can’t know for sure what specific changes will occur, but it’s a very reasonable assumption that ISPs will start interfering with content. That interference might involve:
- changes to speed (e.g. Netflix pays for priority),
- specific service fees (e.g. the customer pays for access to Facebook), and
- censored content (e.g. no adult content, no conservative or liberal content, no foreign content).
All of these things can happen today in a variety of ways, but under the old rules the ISPs themselves could not legally implement them. In other words, the Internet was fundamentally open, and these kinds of restrictions were pushed to the edges. Let’s talk about the impact on cybersecurity.
Loss of Transparency
With ISPs controlling what gets transmitted and how, Internet users will lose much of the transparency required to build secure services effectively. In yesterday’s Internet, when I send a packet, I have a reasonable set of expectations about how it will be handled. There’s a level playing field, up to a specific point, and that reality lets me build defenses around behavioral assumptions. The new changes remove that threshold and allow ISPs to create a host of un-level playing fields. There are clear service implications here, but there are also security implications. The ability of vendors to secure their applications becomes situation-dependent, based on the ISP and what control it is exerting. An application running in my home will be on a different “Internet” than at work, at a coffee shop, or at a friend’s house. How do I test for these myriad environments? The end result is a significant expansion of the attack surface that security practitioners need to consider.
The Death of Encryption
If the ISPs aren’t required to pass traffic unaltered, they can block end-to-end encrypted traffic entirely or for specific use cases. They can make inspection of traffic a condition of service so they can mine data for profit, driving the potential for disclosure of sensitive data. They can charge more for passing encrypted traffic, making secure data transmission a premium service. Think about ISPs offering a tier of service that allows VPNs, for example. If you’re an individual, you might have to pay for that tier just to get the opportunity to connect over a VPN. If you’re a business, right now the ability to encrypt traffic to all of your customers is inherent in the structure of the Internet, but that would change. An app developer or vendor might very well be required to pay ISPs more to allow secure traffic through.

Worse would be ISPs decrypting and re-encrypting traffic, undermining confidentiality and integrity en masse. One caveat worth stating plainly: an ISP cannot decrypt properly implemented TLS on its own. Decrypt-and-re-encrypt interception needs either the server’s private key or a certificate authority the client trusts, so the realistic form of this threat is an ISP requiring customers to install its root certificate, the way enterprise TLS inspection proxies already work. The other side of that caveat is that such interception is detectable, because the interceptor must present a key that is not the origin server’s. These threats might not be at the forefront of the net neutrality discussion, but they’re definitely part of the outcome. The implications of these changes won’t be fully understood for some time. Proponents would hope that we’ve all forgotten about this debate by the time some of the more obvious changes come to fruition. Security might not be at the top of the list, but it’s clearly going to suffer over time.