Network Webcurity Wishlist?
breillysf asks: "I am a California-based network security attorney who has been asked by a senior US Senator to compile a list of the most important legal concerns facing network security administrators. He has a good feel for the government security issues (and lack thereof), but he is concerned about what is going on in the front lines in the private sector. I thought the Slashdot crowd would have the best feel on the pulse of the current situation. Specifically, if you could ask Congress for help in the area of network and information security, what would you ask for? Or would you tell them to get out of the way?"
"For example, I tried to push for tax incentives for upgrades in network security measures, but the Senator replied that is dead in the water because we are now spending into a deficit. He would rather see insurance companies reward firms with lower premiums for enhanced security. But there are international legal issues, compliance issues, privacy complications, potential negligence liability exposure, lack of federal incident response, FOIA and anti-trust issues with info sharing, conflicting state and federal cybercrime and privacy laws, USA Patriot Act concerns, etc."
hailstorm and the like (Score:5, Interesting)
Consider this: ONE person/organization has EVERYONE'S personal and financial data online. This goes against all design architectures in both security AND engineering. A single point of failure. Imagine one bank in real life, with Barney Fife guarding it. Would you put your life savings there?
With more and more commerce occurring on the internet, the more important it is that there is some scheme to protect this important market. I am particularly concerned with one private company holding the public trust in their hands -- I am also very concerned about the government, for that matter, also holding this information!
Egress Filtering (Score:5, Interesting)
tell them (Score:5, Interesting)
people need to realize that crypto is available to anyone with the ability to use it...it needs help in getting the average joe to use it.
most people won't use PGP or something b/c it is too complicated. crypto needs to be built into office and internet apps from the ground up. strong crypto. stuff that can't be broken.
people need to feel secure about these things. i think the govt has a lot to offer in promoting pki and such to get this in the hands of everyone.
privacy is important. the govt needs to make a proactive effort to show that they believe in personal privacy and are willing to help make it happen online.
IPv6 and IPSEC (Score:5, Interesting)
Prevent monoculture (Score:2, Interesting)
just because they get exploited the most (Score:5, Interesting)
Exploits are still made against products that Microsoft secured over a year ago. And indeed, Microsoft gets exploited the most because they are used by the vast majority of non-technical users. Can you imagine what would happen if 90% of the computer-owning people used Linux? Every single hole in the OS would not only be exploited, but you could count on it being a LOT less likely that the average-joe user would *ever* update his software to fix the hole.
As a recipient of a subpoena... (Score:5, Interesting)
One of these employees got bored with his coding tasks and, with no previous exposure to a broadband Internet connection, apparently decided to become a script kiddie on company time. From all outward appearances, he got pretty good at it, but one day it caught up with him: U.S. Marshals came into my office and served me with a court order that asked for many, many pieces of information that would tell them who had been cracking systems from our corporate network.
I had no problem turning this information over, as the other choice was to go to jail and let the hacker go free. However, I was appalled with the way the marshals treated me: they knew that I was just the sysadmin, not the perpetrator, but they still treated me like a criminal. When I told them that our NAT setup doesn't keep logs of every single outgoing connection from our network (as had been requested in the court order) they got really pissed off and started threatening me. At that point I told them that I was not going to do anything for them without talking to counsel, and they backed off.
So, the moral of the story here is that law enforcement needs to show more respect for sysadmins, and learn the difference between a network admin and a criminal on the admin's network. Treating everybody as though they are all guilty will only build resentment and get in the way of getting their precious case solved.
df
Re:Don't ban tools! (Score:5, Interesting)
Outlaw evil behavior, not the tools that enable that behavior. In many cases the tools have many, many more positive and educational uses than negative uses. In a lot of cases, the tools can be used to stop or examine criminal (cracking) behavior.
Say what you will about Steve Gibson [grc.com], but the guy knows a little about network security. He gives an extended discussion [grc.com] on how he used the tools of the IRC-based DDOS trade to help oust some script k1dd13's that were hammering his site.
Without tools like L0pht-crack, the NT password cracker tool, I couldn't have convinced my execs that a company password policy was necessary and passwords like 'password01' were unacceptable.
Just like we don't ban sledgehammers and bolt-cutters even though they can be used to break padlocks, we shouldn't ban network tools either.
2 words: limited liability (Score:2, Interesting)
My only wish would be specific legislation proposing limited liability in cases where a 3rd party piece of software was used and an exploit found and used against said software before a security warning is made known, or security patch is made available by the vendor.
If the administrators have done their job and have all their software up to the best spec they can, but are subjected to liability against themselves for an error in a piece of software they put their trust in.. it's bad news.
Especially if the client dictates the software to be used for securing the data... man, it's just bad karma.
In the meantime, keep using multiple levels of security. Screw the overhead if you've got sensitive data...
Technologists Vs. Politicians (Score:2, Interesting)
Or would you tell them to get out of the way?
Maybe that's a good idea: let the technologists work it out. Was it a politician who developed the first firewall, IPSec, NIDS, etc.? I don't think so.
While there is a social element to breaking networks, the solutions to these problems should NOT be legislation (IMHO). Making something illegal or applying mandatory monitoring does nothing to stop those who intend to circumvent/ignore those measures.
Network security should be left in the hands of those most capable. If any body or government should look to tackle the 'issues' - real issues - of network security, I think it should be a body of technologists and people who really do have an understanding of what network security really means.
Thank you.
Re:Egress filtering (Score:3, Interesting)
What about multihomed hosts where one ISP doesn't know about the other's addresses? I was administering such a setup once, and it was extremely useful that the ISPs didn't do egress filtering!
Also, although I agree it's generally good practice, this isn't something I'd want the government regulating. It sets a bad precedent, and they'd try to regulate all sorts of other aspects of network administration where they should not be sticking their noses.
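The multihoming objection above can be seen in a small source-address check. This is an added illustration, not code from the thread; the ISP prefixes and the packet list are constructed example values. A strict filter that permits only the ISP's own prefixes drops the multihomed host's traffic, while adding the other provider's prefix as an agreed exception keeps spoofed and private sources blocked without breaking the multihomed setup.

```python
import ipaddress

# Constructed address plan (example values, not from the discussion):
# ISP A assigns 198.51.100.0/24 to its customers, ISP B assigns 203.0.113.0/24.
ISP_A_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
ISP_B_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def build_egress_filter(own_prefixes, partner_prefixes=()):
    """Return a source-address check for one ISP's customer-facing edge.

    A packet leaving the customer network is forwarded only if its source
    address belongs to a prefix the ISP knows it assigned (own_prefixes) or,
    for a multihomed customer, to a prefix the ISP has explicitly agreed to
    carry on behalf of the other provider (partner_prefixes).
    """
    allowed = list(own_prefixes) + list(partner_prefixes)

    def permit(src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in allowed)

    return permit


def filter_packets(packets, permit):
    """Split (src, dst) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permit(src) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed traffic leaving the customer over ISP A's uplink:
PACKETS = [
    ("198.51.100.7", "192.0.2.10"),  # normal: ISP A address out ISP A's link
    ("203.0.113.7", "192.0.2.10"),   # multihomed host using its ISP B address
    ("10.0.0.5", "192.0.2.10"),      # leaked private address
    ("192.0.2.99", "192.0.2.10"),    # spoofed: pretends to sit next to the target
]


def strict_result():
    """Filter built from ISP A's own prefixes only: breaks the multihomed host."""
    return filter_packets(PACKETS, build_egress_filter(ISP_A_PREFIXES))


def multihomed_aware_result():
    """Filter that also carries ISP B's prefix by agreement: still blocks spoofs."""
    return filter_packets(PACKETS, build_egress_filter(ISP_A_PREFIXES, ISP_B_PREFIXES))


if __name__ == "__main__":
    for name, fn in (("strict", strict_result), ("multihomed-aware", multihomed_aware_result)):
        fwd, drop = fn()
        print(f"{name}: forwarded={fwd} dropped={drop}")
```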
Think again (Score:1, Interesting)
The public is presently being trampled by corporations because the public assumes that they are free to do things that are pretty common-sense alright. IE, buy a CD and make a copy of it for your car, or for backup in case your CDs get stolen (say you own 200 CDs, at $15ea, and they get stolen. That's $3000!!! Now think of those 400 disc changers and how easy it is to grab one of those if you broke into someone's house). While you feel (and it is) perfectly morally alright to copy CDs for your own personal use, companies are trying to ERODE these rights. All the while, the public (slashdot, et al.) whines about this in forums, citing 'fair use' clauses of old laws that may or may not apply. The fact of the matter is, the DMCA is a new law, and it doesn't matter if it's contrary to those old laws, it supersedes them. What IS needed is a law stating that content sold to the mass consumer CANNOT be encrypted in a way to prevent copying. Something proactive.. Then let the RIAA go to court with the government and try to overturn the law. But they cannot, because they work under the law.
My main gist is that there's some things that people just take for granted, and want the government to 'stay the hell out of their lives'. But without proactive laws, they will soon find those things they take for granted outlawed due to somebody pushing the ball the other way.
Re:Security (Score:2, Interesting)
Have the government set up standards and rating for security in software (IE what DOD has done.)
Decent suggestion.
Require ALL O/S's, EMail, Firewall, and etc. Meet or exceed the rating and put on their software package what Security rating does the software have.
BAD. Bad, bad, bad, bad, BAD. This is what the proposed SSSCA was supposed to do - regulate software design. Regulating software design is a TERRIBLE idea, as it leads to the issues we are just now starting to see - software that's legal in one country is illegal in another. Another issue is the very idea of a logo/rating program - it would favor the commercial sector to an unhealthy degree. With the fact that all OSS has release schedules of NIGHTLY, keeping the software in check with the legislation would be nigh impossible and significantly impinge the ability of open developers to work on a project if they need government approval to release a new stopgap build.
Read. My. ASCII. NO. SOFTWARE. REGULATION.
-Lx?
A few ideas (Score:2, Interesting)
Second: Congress needs to do some serious thinking about common-carrier issues for the internet. It seems reasonable to say a phone or cable company, for instance, cannot preferentially transmit information while blocking traffic from another source. Problem is, this is what we count on to block probes and flood traffic. Please try to keep RIAA, MPAA, and other intellectual property thugs out of these deliberations!
Third: it seems Dubya and his cronies don't have a really good idea how to handle security. Ask them for details on how a redundant govnet will increase security before giving them lots of money to hand out to their favorite contractors.
Fourth: push available technology. NSA with SEU Linux is a great idea. How about pushing IPv6 and IPSEC, for instance by including it in communication RFPs? That would increase the availability (from virtually nil) and help work out the bugs. How about specific funding to increase the security of notoriously insecure government computers hooked up to the net? The GAO will tell you, after they finish laughing, how well secured government nets are.
I also like the idea of computer security scholarships. Are these still around after the change in administration?
Re:Wiretap law problems, lack of knowledgeable peo (Score:1, Interesting)
In some areas, particularly National Security areas, we should give the SAs the ability to take well-defined countermeasures to counteract attacks, including tracing DoS attacks and making contact with their sources. Consider a "hack-back" capability - yes, there are "collateral damage" concerns, especially where DDoS attacks are involved, but those companies and individuals should be held liable for their poor security anyway. Give government SAs the ability to knock attackers off the Net, if they need to, in well-defined circumstances.
Other suggestions: pay the system administrators more. You're losing people to contractors at an alarming rate - and the trend toward contractors doing SA duties for federal agencies frightens me (and I'm a contractor).
Set up standard security training, and make ALL Federal SAs take it, and pass. Keep it up-to-date, and have annual refreshers. This industry IS changing that fast.
Mandate periodic security audits of all federal agency IT systems, and punish the branches that fail them repeatedly. By "periodic" I mean more than once a year - otherwise, you're not keeping up.
The US Government should be capable of the most effective anti-intrusion response. Do what it takes.
Establish a clear policy for who investigates and prosecutes computer intrusion and attacks. A quick browse over the Web will show the anguish people have when they get attacked and nobody seems to care - things haven't improved much from Cliff Stoll's day (read The Cuckoo's Egg for details). Somehow, make the government guys stop fighting and arguing for jurisdiction and DO SOMETHING that shows results. Not just going after idiots like Mitnick - effective operations against people like those guys from Moscow who've been blackmailing British banks.
Above all, establish some limited liability for negligence. A computer network should be treated like any other publicly-connected conveyance - if I fall on the sidewalk in front of your house because you haven't maintained it, I can sue you. If I get DDoS attacked by a dozen computers on your network, I should be able to make you pay (something, even if it's not much) for your stupidity and culpability in not keeping your systems up to date and secure. IF you can show you were fighting back, then you're off the hook - but if you were blind, deaf, and dumb, you should share the pain.
But then, these are just MY opinions....
Re:Holding Companies Liable (Score:3, Interesting)
No, we just want to be able to sue software companies for glaring holes in hastily rushed out the door to meet this month's balance sheet and we'll patch it later after we crush the competition products. Think products that are badly made with defects (weak ball joints that break off when you hit the first pothole, or piss in the coffee), not because they are misused (driven too fast or spilt in your lap). If Ford et al could make machines w/o ANY liability for safety & industry standards and got in a hypercompetitive winner-take-all market where it comes to a) make it safe b) make a buck, they would take option b) every time and do anything for the sake of competition and profitability, leaving dead bodies strewn down the highway.
Establish standards of harm (Score:1, Interesting)
I would advocate that organizations do not have an interest in maintaining security since there have not been cases that establish harm caused by inadequate security. Most security breaches could have been prevented had the organization implemented well-known technical controls (keeping software patched, maintaining a firewall, keeping antivirus software up-to-date). Therefore, the organizations failed in their duty to protect their systems, which led to a breach that caused harm to a third party (customers, other ISPs, etc). These situations are similar to organizations that fail to safeguard physical assets that led to harm to a third party.
Negligence lawsuits tend to be the solution to these problems. The lawsuits force organizations to reimburse injured parties thereby causing the organization to be more proactive in their safeguards.
I would think that the reason why we haven't seen more of these cases is the difficulty in establishing 'harm'. I would advocate that a law that defined harm to include downtime, tangible damages (i.e. destruction of physical assets), labour costs, and lost revenue could go a long way in encouraging these lawsuits. Additionally, it would provide metrics that insurance companies could use in establishing risk profiles.
While I hate the concept of lawsuits, I think it is ridiculous that large ISPs, Microsoft, and others, can blame the victim - when they were the ones that failed to implement common security controls (egress filters, buffer overflow checks, etc).
With Regards,
I am Bob
Re:Egress filtering (Score:2, Interesting)
-dcviper (Cisco Certified Network Associate)
Government funded research open sourced (Score:3, Interesting)
Make all government-funded development work open-sourced.
Re:So what would you have the government do? (Score:3, Interesting)
Simple. Inform consumers of what we pros already know. Before using passport, you must read the 24 point disclaimer on the web page:
"WARNING. ALL INFORMATION STORED IN THIS SERVICE MAY BE ACCESSIBLE BY CRIMINALS."
Call it truth in advertising or whatever, but be sure that NO ONE can call their product secure unless it is.
Re:What I Really Want (Score:3, Interesting)
A lot more useful than any regulation or a thousand laws IMO.
MY suggestions (Score:2, Interesting)
2) Make it absolutely legal to defend my property (servers, IP address space, etc) through any means available (NULL routing, reverse hacking, packet amplifiers, RBL, etc...)
Re:Holding Companies Liable (Score:3, Interesting)
This is a tough one. I've always been rather upset that software includes a disclaimer that says they are not responsible for whether or not the software works. I think that's bullshit. But, on the other hand, am I willing to pay more to get that disclaimer taken away? That's another part of the reality. If companies are more financially responsible, the prices are going to go up. That's what has happened in every other industry, for example automobiles, private planes, etc.
Maybe that's a side effect of a maturing industry. But it also means the small mom & pop shops (aka Free Software) are going to die. Funny thing is that usually big businesses push for these regulations for exactly this reason. It's pretty easy for a company like GM to pay to follow all the government safety regulations on cars. It's difficult for a new startup who has to build all that testing and reporting infrastructure from scratch.
Re:So what would you have the government do? (Score:4, Interesting)
I work at a bank. We have bi-annual audits, and if we screw up, the FDIC and other FEDERAL government agencies can shut us down. Literally. They can take away our charter as a bank, they can fine us, etc.
I would say that leaving customer credit card information out in the open (meaning where hackers can get to it) is not only irresponsible, but also criminal. Make it a federal crime punishable by 10 years imprisonment and $100,000 fine per infraction, and then audit the hell out of anyone who accepts credit cards.
This will force companies who want to trade online to REQUIRE their software vendors to CONTRACTUALLY guarantee that their software offerings cannot, under any circumstances, be breached by unauthorized personnel.
This is already standard practice in the banking software industry, and it's usually one of the first things we talk about when reviewing potential software.
Yes it's expensive, yes it's a pain, and yes it's required for the long-term stability of the banking industry.
As far as what Congress can do now: give more money to the executive branch for cyber-crime law enforcement.
Related: For shipping companies to include 100% insurance in all shipments. Maybe that way they'll be more careful. And make it a violation of Federal law not to insure all packages 100%. Also, fine them if they don't pay the insurance settlements immediately. Like to the tune of $1,000 per violation per day late.
People in America should not have to have a law degree in order to not feel at the mercy of multi-billion dollar corporations.
These companies will complain and say that this will hurt their industry and the economy as a whole, but I say that's the opposite: If you have reliable shipments and safe payment systems, the economy will just ooze along nicely.
No new laws (Score:3, Interesting)
Wish: Don't solely care for damages (Score:2, Interesting)
A good Example here is the DOSed University. Universities or others that run a free community service (like IRC servers) get virtually zero help when their system (or even their whole networks) get blasted off the net by some DOS script kiddy, while OTOH armies of FBI agents start running when Yahoo or Amazon is in trouble.
Law enforcement should
- consider gangs of electronic vandals (like IRC war clans) organized crime and prosecute them accordingly
- consider attacks and damage against public and community institutions a heavily aggravating element during sentencing (so the yahoo hacker will have to serve less or equal time as the guy who DOSes a university IRC or some poor
- allocate prosecution resources in a way that they can give equal priority to the finding of a script kiddy regardless if he DOSes Boeing or the Younameit Community College Web Site.
f. (who thinks that script kiddies who 'packet' IRC servers (and such, whole Networks) for such childish reasons as to take over a competing clan's channel are one of the lowest forms of life, somewhere between the cholera germ and the common spammer).
The onus needs to be on companies, not the hacker (Score:2, Interesting)
The most important thing. (Score:3, Interesting)
One thing, though, *is* different: the absence of a clear geographic location for things and people on the net. This can only be dealt with through international cooperation. I would advise your Senator not to try and push for unilateral measures, as seems to be the norm in the US with this administration, because that would make it far more difficult to iron out differences in the future.
My wishlist (Score:2, Interesting)
Oye, ad-hoc thoughts...
A trivial definition of curtilage. Namely I own my boxes, I own my networks, I own the services that are offered. I have the right to dictate how those boxes, networks, and services will be used, since I am the one who paid for and built them. If you have any questions about this stance, subscribe to something, some day... the fact that I may be a "home user" or "major provider" should not make any difference.
Right now, any arbitrary, anonymous vendor has more rights to my stuff than I do via EULA "at any time" clauses. In some cases, any anonymous box has more legal rights to my stuff than I do. And finally, even the lowest end-user has the ultimate legal right to bind us to any legal agreement they're dumb enough to click on, even if they have no authority to make such a consent. All of this because curtilage is largely undefined, and where it is, it is grossly inconsistent.
The lack of curtilage is exemplified on two basic fronts.
a) Easter eggs in software. A product is offered with a specific functionality, e.g. an "office suite". The suite will often contain undisclosed and very irrelevant "features" that are flat-out undesired. Q.V. any package that may use resources that are not directly related to their explicit purpose - an application may attempt to "report home" to the vendor and STEAL network services. Or, things as trivial as packages that modify your browser's start page. Huh? Sorry, such things are outside the scope of intent, and violate turf.
b) If I initiate a packet stream that produces an effect that is explicitly against the intent of a service provider - namely, unauthorized utilization of bandwidth (theft of service), unauthorized utilization of CALs (theft of service), unauthorized utilization of CPU cycles (theft of service), unauthorized utilization of storage devices (theft of service... realize that all of the aforementioned are regularly "leased" by companies for serious cash), insertion of data, deletion of data, modification of log files... I go to jail. Some other idiot does that exact same thing because "you can make your sex life better," it's called Spam. Sorry, that should be trespass, tampering, theft of service, and anything else that applies to the results of an "evil packet stream". The exact same events occur, Period.
Other stuff - present "opt-in spam" laws fail, since the definition of "opting in" requires no authentication by the end user. First case in point - No user in our organization is authorized to subscribe (opt-in) to any mail list, and they don't. Yet we regularly get junk sent to them, all claiming to be "opt-in". That'd be a neat trick. Second case in point - it's quite trivial for me to subscribe you, Mr. Arbitrary Email Address, to any spam list I want. No effort is required of these "opt-in" lists to validate the authenticity of the request.
Culpability for negligence / intent. Code Red & Nimda demonstrated two very big things. a) Microsoft sucks, and b) Most users and admins are Typhoid Marys. The patch against the CRV vector had been out for quite a long time before CRV came to town. Fine. Then, it hit, and spread like crazy. It made the news... it made ALL the news. And to this day, there are still boxes out there that are spreading it, boxes that are actively attacking our systems. If a user gets an Outlook virus, and that macro sends itself to everyone, fine - the first time, there's no intent. But when that user keeps using that box, day after day, and that box keeps attacking MY systems, sooner or later the law needs to recognize that there IS some form of intent present. That person is potentially killing me by their actions; they are *certainly* costing me money. Addressing this might have a nice "social" side effect, btw, of making a certain vendor a little more cautious towards exactly *where* they decide to implement scripting features...
Slightly along these lines, again curtilage. The current license model allowed by law is grossly incorrect. The typical computer system (be it a home PC, or a 15 server setup like I have here) consists of three entities. First, there's the hardware owner. He owns the box, and has ultimate say as to what that hardware does. Next, there's the software [license] owner. That person can say what happens with a package, but has no implicit rights to the box it runs on. Lastly, there's the end user, who has the right to type. The present model does not address this. If my 5 year old neighbor sits at my keyboard, using a program my wife bought, he has full proxy authority for me. He can commit me to mortgages, bind me to EULAs, whatever... by simple virtue of the fact that he's physically able to.
My simple wishlist (Score:4, Interesting)
In a nutshell, intelligently enforce the laws you have.
One. Fund a specialized law enforcement group dedicated to cybercrimes committed by individuals and organized crime gangs located physically in the state. The group should consist of state marshals, prosecutors, lawyers, judges, and a civilian oversight committee. Recruit from computer science programs at state universities, or require experienced judges and prosecutors to attend graduate level CS programs at least part time. The oversight committee should be paid, at levels to rival good silicon valley firms, so that experienced engineers can spend a couple of years helping to guide law enforcement efforts.
The cybercrimes group should go after trade secret thieves, spammers, scammers, slammers, crammers, and others who feed on the naivete of consumers, or who interfere in the operations of companies. They should target phone companies who slam/cram consumers, arresting corporate officers on criminal charges as warranted. They should actively track down individuals and groups who send out UCE, since spam clogging my servers is the largest single cost I have as an administrator. There should be an undercover unit targeting criminal groups who dupe individuals with "guaranteed 100% opt-in 5 million email addresses CDROM". There are many confidence/scam operators in California who have no fear of prosecution, because there hasn't been a single arrest in the last decade for any hi-tech scams in the state.
The group should have a very publicly advertised way of being contacted, and should give priority to administrators like myself who want to start legal proceedings against criminals inside of California. The people taking the complaint should have a thorough understanding of network issues, system management, and technology in general. That means you will have to pay them competitive salaries, which will make this the most expensive law enforcement group in the state. Don't worry about the cost, the value to California businesses and voters^Wtax pay^W^Wresidents will be worth it.
Two. Criminalize aiding and abetting identity theft. This means the state should stop selling records to marketing firms. California needs to rework its incorporation laws to disallow companies from compiling marketing databases for sale to others. Any corporation that compiles in-depth information on individuals (putting together name, address, SS#, CDL# and photo, tax history, property records, medical info) and then sells it should have its charter revoked immediately, and its directors criminally prosecuted.
I'm regularly in touch with my counterparts on the west coast of the US, and I hear their complaints on a regular basis. The FBI has dropped *ALL* cases that don't directly involve shit that happened in September. Local cops are completely incompetent to do anything more than write speeding tickets or bust kids with joints. There is no state organization to fight cybercrime. The admins spend most of their time keeping their long distance voice traffic on the best carrier when they get slammed once a month. They deal with a level of spam which equals 80% of their incoming traffic, much of it from dialups inside of California. They have to deal with employees walking out with 40 CDROMs full of locally produced code who start at a competitor the next day, who one month later have an identical product that even duplicates the bugs. Hackers at the firewall are insignificant compared to all the other criminal activity going on.
Look at the Avant! case, where a handful of engineers walked out of Cadence, and the next week started selling an identical product at half the price and made millions of dollars in profit. The only way Cadence could prosecute was to pay for training for the judge and prosecutor, pay the whole investigation costs, and it still took most of a decade for the criminal parts of the case to occur.
There are organized gangs selling spam-kits to unsuspecting idiots all over California. They take a bunch of money up front from the scammees, in promise of huge returns down the road for selling "penis enlargement" and MLM scams. Until now, these scammers have had no fear of prosecution, because there isn't a cop or judge in the state who will (or able to) apply the law.
There are arguments that most of these things should be left to civil action. The problem is that civil action costs lots of money, and the civil courts tend to ignore complex cases that don't have huge amounts of money on both sides. The PUC is incapable of dealing with crammers, and has declared that any consumer who is hurt can throw millions into a civil case and hope to win. With consumer protection at the lowest in California history, it's time for the government to step back into enforcing the law.
Arguments about the internet being international are just a red herring. The laws are already on the books, some jurisdiction has to start applying them first. So what if most of the scammers leave the state? Fine, but I doubt it will happen, the drug dealers didn't all leave with tough new anti-drug laws. I'd be willing to bet very few people have enough money to start a new life in another state, spammers are lazy bastards. Kick down a few doors, prosecute some spammers and make some press about it. You might only make a small dent in spam, but I'll take anything I can get.
the AC
Remove restrictions on software development... (Score:3, Interesting)
There are a couple of things that the government can do to make computer networks and computing more secure.
1) Repeal the DMCA. When security problems are found in an implementation of an algorithm, this law makes it illegal to talk about the problem or to implement a solution.
2) Repeal patent law as it applies to software. Software is well protected under copyright law as a work of art. The underlying function (algorithms used) for every program out there is a subtle change to prior art. It's just that no one but large corporations have access to the courts to successfully challenge these ludicrous restrictions on sharing mathematical equations with one another.
3) Allow end users to sue companies that keep their products closed and security problems a secret.
4) After fixing the above, get out of the way as the free market takes over and those with bad software are forced to compete or go out of business.
Understand the structure. (Score:2, Interesting)
The design of the Internet requires that all entities on it act cooperatively. It was never designed to provide fair and equal service to all adversaries. Corporations are required by their shareholders to act in an adversarial manner wherever their profits are concerned.
This means that the Internet must evolve into a network run by a single organization (such as Microsoft or AOL) where dissent and creativity are not allowed to exist.
If this is the goal of Congress, then no action is required. But understand that this means you are writing off the investment which was made to date (and turning it over to the eventual winner) and that you will never again see an economic boom like the one we experienced in the 90's prompted by the growth of the Internet.
On the other hand, if Congress deems it important for the United States to maintain a strong technological superiority, and is interested in restoring the "capacity to innovate" which the Internet brought to us, then steps must be taken to ensure that the Internet can act as a fair and level playing field for all entities.
Since the Internet requires (at a technical level) a fair administrative regime, and since corporate ownership of the Internet cannot allow this to happen, Congress must choose between legislating an Internet structure which does not discriminate between players, or replacing the technology of the Internet with a system which can handle an adversarial administrative regime.
The former would require "common carrier" status laws for network service providers, and may also require de-valuing intellectual property protection, since IP and copyright law is the weapon of choice for corporate aggression on the Internet.
The latter would require replacing the technology, at the TCP/IP level, with a new technology which enforces a fair and level playing field.
The risk to Congress, should it fail to take these actions, is that the Internet Community will perceive the loss of the fair and level playing field as damage, and route around the problem, making foreign territory the location of choice for innovation and technological advancement.
In summary:
Look very carefully at the way the Microsoft Monopoly case is being handled. Nothing has yet been done to remedy their monopoly practices.
Require Internet access providers to provide service on a fair basis, including legal prohibition on "engineered structural damage" as are created by filtered routing, content-sensitive routing, and such.
So what does all of this have to do with increasing the security of the Internet? Security has to focus on the structural level; it's not an after market add on. The insecurity we have today was designed-in. It will have to be designed out, not painted over.