Internet service providers (ISPs) are important control points in the ongoing effort to control spam and botnets, according to a report from the Organisation for Economic Co-operation and Development (OECD).
The report — based on a global dataset comprising 109 billion spam messages from 170 million unique IP addresses delivered to a spam trap during 2005-2009 — found that of the tens of thousands of ISPs that provide Internet access, the 200 ISPs that collectively hold nearly 90 per cent of the total market share in the wider OECD area account for more than 60 per cent of all infected machines worldwide.
"Other service providers, such as hosting providers, university networks, corporate networks and application service providers contain a smaller share of all bots," the report said.
Further, the networks of just 50 ISPs account for around half of all infected machines worldwide.
While larger ISPs had, on average, fewer infected machines per customer than smaller ISPs, the number of infected machines among these smaller ISPs could differ by as much as tenfold.
According to the report, measures that directly addressed end users who owned infected machines were useful, but had largely proven insufficient to reduce the overall spam problem.
"Security measures that address end users directly – including awareness raising and information campaigns – are useful, but they have proven to be insufficient to reduce the overall problem," the report reads. "Not because end users are incorrigible. Some surveys suggest that they do, in fact, increasingly adopt more secure practices, such as using anti-virus protection, a firewall, and automatic security updates for their software...
"The attackers, however, also adapt and innovate their strategies. The net result is an inadequate defense against malware infections: while the capabilities and practices of end users are improving, they lag behind the increasingly sophisticated threats of attackers."
While many ISPs were willing to improve their network security, the cost associated with doing so could prove a disincentive for these companies, many of which already competed in a highly cost- and price-sensitive market, the report found.
"Even if price does not seem to have a significant influence on security performance, from an ISP’s point of view, policy measures that affect costs (and all do directly and indirectly) are unfunded mandates and may be difficult to realise given this competitive environment," the report reads. "Thus, it may be necessary to think about innovative funding schemes for such programmes.
"Moreover, even if consumers cared about security, there are no adequate market signals that could reliably guide them towards better performing ISPs. Establishing a trusted rating system might be a tool to assist consumers in this regard.
"Current efforts to bring about collective action – through industry self-regulation, co-regulation, or government intervention – might initially achieve progress by focusing on the set of ISPs that together have the lion’s share of the market."
The findings are in line with local initiatives by the Internet Industry Association (IIA), which has proposed a voluntary ISP spam code requiring ISPs to take action against customer computers that are sending out spam.
The code could also be jointly funded by industry and government, according to IIA chief executive, Peter Coroneos.
In October, the former deputy director and chief information officer of the US National Security Agency (NSA), Dr Prescott Winter, warned that Australia and neighbouring countries such as Singapore needed to lead the push for global cybersecurity compliance between governments, large enterprises and telcos.