The emergence of the Internet as a critical infrastructure has put increasing pressure on governments to develop interventions to ensure information security. The problem is that there is very little empirical evidence on which to base those interventions. This project has been pioneered a quantitative comparative analysis of governmental involvement in Internet security across a large set of countries and explored its impact on one of the most urgent security issue in recent times: botnets. These are the networks of thousands, sometimes millions, of computers that are infected with malware which puts them under the control of criminals. Botnets are the platform for a wide variety of criminal businesses: spam, phishing, click fraud, banking fraud, extortion via ‘ransomware’, and the sale of rogue anti-virussoftware – to name but a few.
The study delivered several path-breaking findings. For example, close to 80% of the infected machines in botnets are located in the networks of Internet service providers, the firms that provide Internet access for consumers and businesses. Just 10 ISPs control around 30% of all infected machines worldwide. And 50 ISPs control almost half of the total global botnet population. This is remarkable, as there are more than 10,000 ISPs operating on the Internet. Also: these are not ISPs in faraway jurisdictions with lax law enforcement, but large companies in the most industrialized countries.
This makes the ISPs important control points for government interventions. Here, the study has found evidence that informal collaboration among telecom regulators in different countries can have substantial impact. We saw that countries who’s regulator has joined the London Action Plan have lower infection rates than other countries. Furthermore, laws to protect privacy seem to discourage ISPs from monitoring their networks and acting against botnets. Countries with more stringent privacy laws have higher infection rates. This does not mean that countries should reduce their privacy protections. In fact, we suspect that the ISPs are too risk averse in their interpretation of the laws. Regulators in those countries should collaborate with the ISPs to help them understand the ways in which they can mitigate security threats without risking breaching privacy laws. The countries where public-private collaboration has been most intense, Finland and Japan, also consistently have the lowest infection rates. All of this suggests that informal and collaborative approaches are effective and should be developed before attempts to introduce more formal legal requirements.