Lawmaker calls on ISPs to stop customers being hit by viruses

Should your ISP play a greater role in keeping you safe from malware, viruses and other web threats? One of Australia’s senior politicians seems to think so. In a column in The West Australian, Dan Tehan, Australia’s cybersecurity minister, wrote: “Just as we trust banks to hold our money, just as we trust doctors with our health, in a digital age we need to be able to trust telecommunications companies to protect our information from threats.”

A companion news article in the same newspaper cited Tehan as arguing that “the onus is on telecommunications companies to develop products to stop their customers being infected with viruses”.

According to The Financial Review, Tehan told the British Australian Fintech Forum in London that “telcos and ISPs must take greater responsibility for ensuring their customers understand risks and said the government expects them to engage with the not-for-profit sector and SMEs – who may not have their own resources to establish protective measures – and offer them commercial products to identify and eradicate threats”.

Tehan’s government roles include assisting the prime minister on cybersecurity, so folks throughout Australia perked up when he said all this. However, it’s not clear if there’s an actual plan behind Tehan’s observations – or if there is, whether it will be backed by legal mandates.

In another speech to the British Chamber of Commerce, Tehan emphasized partnership and teamwork, saying that the Australian government wants to

… support the private sector to step up and provide… products that reduce the risk of malicious cyber activity and give users the choice to purchase additional security services… industry must be empowered to design and implement solutions the public want… telecommunications companies and ISPs can and should develop products which users can embed to build-in cyber security measures and reduce the risk of malicious cyber activity before it ever reaches the end-user.

There’s not a lot of “mandate” in that language. And Tehan swore he wasn’t talking about government-mandated content filtering (a major controversy in Australia several years ago). But, back home in Australia, some early reactions to the possibility of any new government interference weren’t kind.

In iTWire, Sam Varghese said, “Dan Tehan has just provided the country with adequate reasons as to why he should not be allowed anywhere near any post that has anything to do with online security.” Varghese added: “When it comes to detail, Tehan predictably goes missing.” called Tehan’s comments “an attempt to be seen to be doing something when you have no clue as to what that ‘something’ is”.

Press reports suggest telecoms don’t yet know what if anything the government is cooking up. According to The Inquirer, “John Stanton, CEO of telecoms industry body the Communications Alliance, told Australian IT magazine IT News that he’d not had any contact from the government about its intentions.” iTwire elicited anodyne statements of cooperation from Telstra and Vodafone, two of Australia’s largest telecoms.

If you’re looking for something a bit more solid, it might be this: Tehan also discussed the Australian government’s move towards a posture of “active defence,” in which it “aims to disrupt malicious cyber activity using measures, such as blocking or diverting malicious traffic, to prevent problems before they occur”.

He said the government would more aggressively prevent government employees from visiting known malicious sites, and try to reduce legal roadblocks “that may be preventing the government and private sector from delivering” more aggressive cyberdefense services. That might mean poking some new exceptions into privacy laws against information sharing among government and businesses. But again, the devil’s in the details – and the details don’t yet exist.