But will it work?

Longer term, however, it remains unclear whether customers will really decide in droves to turn over their security to telecom companies--or to anyone. For one thing, not everything can happen in the cloud. Even if an Internet carrier scans incoming e-mails for viruses, for instance, the company still needs a desktop application to guard against malicious code introduced by USB drives or other portable devices. What's more, the Fortune 1000 customers that large telecom and IT companies have historically courted are likely to have contracts with multiple telecom companies for reasons of redundancy, and also tend to want security devices onsite that they can configure on a moment's notice. The outsourcing model may be better suited to small and midsize businesses that can't afford to hire round-the-clock security and IT staff--and even they may be reluctant to give up their boxes and blinking lights and move to a virtual model.

At Visions Federal Credit Union, VP and CIO Tom Hull decided to turn over 24/7 security monitoring to Perimeter eSecurity, but still keep the company's own firewalls. "I think there is a hard sell there," says Hull (whose Endicott, N.Y.-based company has just 400 employees and annual sales of $80 million) of the in-the-cloud model. "We still retain their help in managing the firewalls, but we didn't want to rely on the schedule of a third party to institute any changes in our environment. Plus, as it relates to any outages, downtime, system maintenance or things of that matter, that was another thing we could not relinquish control of."

In London, AT&T customer Martin Joy also decided against AT&T's virtual devices. "I'm not keen to see a device on my premises. The important thing is to make sure the technology makes sense and delivers what we want," says Joy, CIO of Control Risks, a $219 million risk consultancy. Nevertheless, he felt that his business needs were best met by turning over management of firewalls and other devices to AT&T, while keeping his antispam function handled in the cloud by a separate e-mail security company. For him, it was a question of one-stop shopping versus what he perceived as best-of-breed.

On a broader scale, it's unclear whether home consumers will ever want to sign up for a "clean" Internet. AT&T is testing how it could roll out a version of its corporate security offerings to home customers, but already executives have concluded that even its target audience--parents of school-aged children--might not be content with just a Disneyfied version of going online. "Maybe Dad wants to do online gambling but keep teens away from it," Amoroso says. "We're just trying to create something people will like and that matches what people want to do." That will likely involve different versions of the Internet, perhaps delivered to homes based on who's at the computer--a far cry from really cleaning up the junk in the pipes of the Internet.

For now, and maybe for the long run, companies like AT&T will have to continue to make careful decisions about what traffic they can safely delete without violating their service-level agreements with customers or overstepping their bounds as common carriers that just pass bits from left to right. Amoroso says that AT&T can and does delete malicious traffic that will affect its infrastructure. It also deletes e-mail traffic coming from known blacklists of spammers and blocks port 25 on its DSL lines unless a customer requests otherwise. (Amoroso estimates that 75 percent of spam comes from compromised home PCs, usually on port 25, which is not the port that a typical DSL subscriber uses for outbound e-mail.) But for the most part, AT&T can do so only on behalf of a customer--not on behalf of the Internet at large.

"I don't think there's a single carrier that would do that, only because that's pretty presumptuous," Amoroso says. "If there was some general council in Geneva, some tribunal that decided all carriers must do the following, it would be easy enough to do. But I don't think that's a role that the carrier has been asked to do or would be comfortable doing."

Even deleting the most egregious traffic can raise issues. Amoroso says there have been cases where AT&T terminated a portion of an agreement with a customer who was on the blacklist of spammers--in other words, a customer whose every outgoing e-mail AT&T would normally delete.

Understandably, AT&T wants to distance its security operations from the net neutrality controversy as much as possible. After one interview with CSO, a public relations professional called to emphasize that cleaning up traffic for security reasons is entirely different from segmenting different types of traffic into high-speed lanes. But the fact remains that both activities involve value judgments about which traffic deserves to go where and when. And that further complicates Amoroso's lofty version of the "cleaner" Internet of AT&T's future.

"Filtering out traffic makes the carriers less neutral, no doubt about it," Oxford University's Zittrain says. And the more the carriers do so, he predicts, the more difficult it may become. "They are holding back not because of some ideological principle like a belief in net neutrality," Zittrain continues, "but because they see no reason to get into a customer-service nightmare of quarantining their compromised subscribers and then helping them to fix their machines."

Technically speaking, Internet carriers such as AT&T, looking out at their charts of DoS attacks and spam and unfolding worm- and bot-related activity, may indeed be in the best position to fix the Internet. But actually doing so, outside the prescribed version of the Internet that businesses want to make available, simply may not be a task that they are in a position to accomplish.

"People want simplicity, but they also want flexibility," says Andrew Odlyzko, director of the Digital Technology Center at the University of Minnesota, who worked in research at AT&T Bell Labs for 26 years. "That's the conflict. If the telecom environment were stable and predictable, then the smart Ma Bell network"--in which Internet users are carried from one clean and safe place to another--"would make a lot of sense. People don't want to worry about the complexity of spyware, viruses, corrupt files. But they want new services, like YouTube. So you have this tension. It's there, and it will continue to be there.

"I don't expect that AT&T or any other carrier can provide a foolproof solution to computer insecurity," Odlyzko continues. But he won't go so far as to say that telecom companies are just wasting their time, either. "I think they can do some [of the solution] and make money at it too."