Net Neutrality Feature

The FCC’s recent revocation of Net Neutrality rules is proving to be a controversial issue among consumers, privacy advocacy groups, and businesses. Everyone seems to be speculating that the impacts of deregulation will be far-reaching. Pro-Net Neutrality folks anticipate that internet service providers (ISPs) will swiftly start tiering service options, allowing higher-paying customers to receive faster and more secure service. Further, they feel it’s likely ISPs will use the disappearance of rules to mine to-be-unencrypted consumer data.

Those on the other side say the deregulation will allow for greater competition among providers that will ultimately benefit consumers, and some in the cybersecurity realm argue that the loss of forced neutrality will offer ISPs the opportunity to clamp down on malicious traffic through traffic filtering of P2P sites or apparent botnet command and control.

It’s yet to be determined what impacts will emerge, and there’s not much individuals or non-ISP businesses can do about the changes once they do take effect. It’s not like security pros can make changes to the organization’s cybersecurity strategy to counter any negative outcomes—ISPs will ostensibly do what they’re going to do and what the market will tolerate.

It’s much too early to tell what will happen, but let’s suppose for a minute that ISPs do decide to tier services—much like what consumers get with cell provider services (more, less, or unlimited data), oil change services (basic oil change vs. premium), or even hair cutting services (basic cut vs. wash, cut, color, and styled blow dry). This is a reasonable assumption in a capitalist market. The result will be, just like with other tiered service options, that consumers must decide what they want or are able to pay.

Companies that earn higher profit margins will have greater choice. The likes of Apple, Alphabet, J.P. Morgan Chase, and Berkshire Hathaway have the leeway to decide if they want to pay for lightning-fast throughput to their web domains and whether they want to pass on the higher costs to consumers or absorb extra costs as a competitive advantage. Smaller and/or less profitable companies, however, might not have such choices. If they don’t currently have the revenue to pay higher fees and don’t have enough of a steady customer base to defer costs, there may be no option but to resort to slower internet service.

Looking ahead

Without getting into a political debate (we’re a security events company, not a political organization and we wish to remain that way), this is how a capitalist market works, and the U.S. is a capitalist country. And though this scenario might be fine for our Netflix/Hulu/Amazon Prime subscriptions, where and how we purchase goods online, or read the news, where does this leave antimalware, antivirus, DDoS protection companies (assuming the ISPs won’t take care of that for free), or others that impact business and consumer cybersecurity?

Let’s say, for a minute, that a malware protection company is trying to issue critical OTA updates to its customers, scanning a device for possible malicious activity, or inspecting the traffic going to and coming from a set of user devices. The difference between the “slow lane” and the “fast lane” could mean widespread compromise or complete avoidance. Bigger, established companies might say the risk of failing customers is too high to purchase a slower internet option.

Startups, though, may not have that option. And if there’s one thing we know about the security tools market, it’s that new, innovative vendors are popping up all the time. The nature of security tools is that a security person (or group of people) becomes frustrated by the inability to do X, Y, or Z with what they have in the tools arsenal and goes off to build a solution to fix that problem. This is how the first firewalls, IDSs, you name it, were invented, and it will continue to be the way products (of all sorts) emerge.

Though some companies are smart, clever, and lucky enough to secure investor capital to further develop products, that funding may be stretched thin, and sometimes inventors strategically choose to operate without debt. The validity of a product is not necessarily dependent on the funding options chosen, but in the case of security tools, if they can’t be found or accessed, or can’t work properly because of limited internet bandwidth, we could see a tremendous shift in the market.

It might mean that a “fast pass” simply becomes a cost of doing business. But not everyone can be the fastest. Someone will always win, and if customers are in jeopardy because of the vendor’s internet access, the winner will neither be the customer nor the vendor—which could have a real impact on the market and people who rely on security tools to stay safe. Which is to say, all of us. 

To learn about emerging tools and technologies, or how to use existing tools in new ways, attend InfoSec World 2018, March 19-21, 2018.

Jared Erondu