Revoking Net Neutrality could mean sweeping changes for cybersecurity

On December 14, 2017, the Federal Communications Commission (FCC) voted to end what has been commonly known as Net Neutrality, the details of which can be found in my previous blog post.

A number of people have connected with me and asked what this means for the security industry, which is a good question. There are many elements to security that require internet connections, from malware protection through to home alarm systems that include video surveillance.

Malware protection, such as ESET’s, provides protection both on- and offline. When a device is online it may be receiving updates, checking URLs or files for reputation, scanning files in the cloud, or using other cloud-based technology to keep the device safe. Malware outbreaks can happen quickly, so the real-time security updates and intelligence being received and utilized by the device could be critical to detecting and blocking an attack.

If types of traffic are assigned differing priorities either for competitive advantage or because a vendor is willing to pay for prioritized speed, there is, potentially, a delay being introduced into the distribution of updates or real-time cloud-based protection. Imagine the scenario where an Internet Service Provider (ISP) allows a security company providing malware protection the option to pay for their traffic to be prioritized and a lower priority level imposed on all other providers. When antimalware companies are protecting tens or hundreds of millions of devices, this could put many devices and their users’ critical data at risk.

Maybe a better way of visualizing this scenario is by an analogy. When a toll road is built next to a regular highway, you as the driver can make the decision to switch to the toll road that has less congestion, you as the consumer are in control. Revoking Net Neutrality might produce the opposite effect: imagine that only supercars can travel on the toll road because the manufacturers of these cars paid for the right to enable you to travel faster. While the decision as to what type of car to purchase is completely yours, there may be a limitation in that you are not able to afford an expensive supercar. This limits your ability to use certain roads as effectively as other drivers.

A security vendor may decide that the importance of time-sensitive updates is critical for the protection of their customers and pay additional fees to have their traffic prioritized, this being a cost that will undoubtedly be passed on to the consumer or business using the service. Alternatively, the consumer may be offered a service where they can choose to have traffic of certain types, such as security-related traffic, to be prioritized and received faster.

As mentioned in my previous blog post, many ISPs have publicly stated that there will be no change in the service they offer despite the change in legislation, and that they are committed to delivering a service based on net neutrality.

So why the concern? The net neutrality regulation protected the internet against anyone attempting to manipulate traffic speeds for profit or other purposes. It guaranteed that all traffic would be treated equally and freely, and this is a condition that should be protected.