Now go beyond that and publicize what you find. If products or services (and this includes cloud platforms) are not secure, publish that on your website, and in notices to your customers. Withhold your recommendation. Urge customers not to use those products due to the lack of security, or because the vendors do not adequately maintain them. Will this hurt? Yes. Might this cost you some partnerships? Yes. However, if you do not advocate for your customers’ privacy, security and safety, who will? And after all, if those devices end up becoming corrupted and host bots that are used in a cyberattack, your network may be affected… and your business too, by bad publicity and possible lawsuits. Do what you can to keep your vendors from selling bad stuff, and to encourage them to fix vulnerabilities as quickly as possible – by any means possible.
A few months ago, the doorbell rang. It was a representative from our city’s water department. They noticed that our water usage had suddenly spiked. Was something wrong? There was indeed a leak in a pipe, and thanks to them, not only did we avoid paying for excess usage for more than a few days, but we also saved precious water (we live in Phoenix, which is in the middle of the Sonoran desert). Who better than our water company to know that we have a water problem?
In the same vein, every month I receive an email from APS, our local electric utility. They tell us how much power we have used, and also how that compares to our neighbors. They, too, are in the best position to see how my household is doing.
Imagine if, every month, you sent your customers an email indicating that you had detected traffic originating from an insecure, unsafe IoT device, whether it’s an industrial sensor, smartphone, smart cities camera, HVAC controller, or other device with an out-of-date operating system – and included a link to a page about how to update that specific device. Or an email saying that you saw they were using old browsers, old versions of Microsoft Exchange Server, an unsecured MongoDB server, or an orphaned and unprotected web camera. They may not know about the vulnerability. But you can detect this, and help them remediate the problem. If you want to.
That’s a start. You can also provide real-time push alerts when the user attempts to use your SMTP server to send to a known phishing site, or attempts to download malware. Or when you detect an unknown service trying to access a customer’s home security system or, worse yet, modify its firmware.
Can you do that? Technologically, yes. But you’re a common carrier: aren’t you imperiling your status if you look at customers’ traffic metadata and take actions based on it? IANAL, but my own sense is that as long as you aren’t giving preferences to partners, or penalizing non-partners, you may be fine. If there are regulatory roadblocks to protecting your customers, sunlight is the best disinfectant – and use industry groups to lobby to overturn them.
Credit card companies can temporarily block transactions if they believe those transactions are fraudulent. That’s to protect their own interests, of course, but in that case, their interests and those of their customers are in alignment.
I believe that everyone involved in carrying traffic has the responsibility to help protect consumers and business customers from malware, from being hacked, and from being hijacked. All of our customers are vulnerable, and we are in a unique position to take action. Will it be easy? No. But advocating, with and on behalf of our customers, for safer things is the right thing to do.