From AT&T's Global Network Operations Center 40 miles west of New York City, CISO Ed Amoroso has as wide a window into the Internet as anyone. With a glance at a two-story wall covered with computer monitors and television screens, Amoroso can tell at any given moment how much e-mail, Web and voice-over-IP traffic is streaming across AT&T's data networks, buzzing its way from business to business, person to person.
The amount of Internet traffic represented in the room is staggering. On the average business day, almost 10 petabytes of data pass through AT&T's networks--more information than the entire Web contained in 2000.
Too bad that almost all of it is garbage.
More than 80 percent of the e-mail coming in to AT&T is spam. About 1 million of the home computers AT&T sees each day are thought to be infected with bots, reaching out to hundreds of other IP addresses far more quickly than any Internet surfer with DSL or a cable modem ever would. Before a worm strikes, technicians see strange spikes of traffic going to normally obscure ports, as malware developers test and tweak their code. A sudden, sharp increase in the amount of Web traffic worldwide could mean breaking news--or a distributed denial-of-service (DDoS) attack being lobbed at a single company halfway around the world.
But Amoroso's window into a rapidly junkifying Internet is largely just that: a window. For the most part, he says, all he can do is sit and watch through the glass, as unwanted or malicious traffic makes its way from point A to point B.
"The standard service-level agreement is that we just push the traffic in and out," he says. "We don't touch it. We can do some upstream and downstream filtering if we see something that will affect our infrastructure, but you getting a spam, or you having some weird protocol aiming at you--I would love to filter that, but it's not that simple."
That's because a telecommunications company's job has always been to pass traffic, not pass judgment. "The starting point [for Internet carriers] is no responsibility whatsoever," says Jonathan Zittrain, professor of Internet Governance and Regulation at Oxford University. "Echoing the original spirit of Internet protocol design, the job of a router is simply to move a packet one hop closer to its destination."
This is the reason for the intense debate over whether to forgo so-called net neutrality, in which Internet carriers treat all packets the same. Even as carriers argue that they should be allowed to prioritize high-revenue content, however, AT&T has been quietly getting permission from its customers to stop certain kinds of traffic altogether. Already, some businesses have signed up to have AT&T filter out spam, viruses, DoS attacks and other malicious activity behind the scenes, before the traffic touches their enterprises. AT&T is now working on the "productization" of similar services for its home customers. In Amoroso's vision of the future, telecom companies will routinely deliver not the diseased melange of today's pure Internet, but a "clean pipe" of good (or at least decent) traffic. Less junk, fewer risks. Here's your bill.
It's a necessary gambit for an ocean-ship of a company (US$63 billion) in an industry that faces new competition and downward pricing pressure, the result of the excess telecommunications capacity laid during the late 1990s and early 2000s. "The carriers are looking for ways to differentiate themselves so they're not just competing on who's got the cheapest bits per second, and they're also looking for ways to stop the decline in dollars per bits per second," says John Pescatore, a vice president at the IT research firm Gartner.
According to Pescatore and other observers, AT&T is farthest along in the journey of U.S. telecom companies to position themselves as security providers--although competitor Verizon took a huge leap forward in May, when it announced that it was acquiring Cybertrust, one of the country's biggest names in information security, for an undisclosed amount. Verizon said the acquisition would add 800 employees to its 300-person information security team, along with expertise in computer forensics and identity management and a solid presence in Asia.
The growing security ambitions of telecom companies could have a profound impact on how "security" is packaged and sold--by standalone security companies or by network or IT providers; to CSOs as standalone services or to CIOs within a bundle of other services; as products or in a software-as-a-service model. What's more, the outcome of what AT&T is attempting could influence the very future of the Internet as a free and unfettered, if increasingly dangerous, communications platform. The question is whether the strategy will pay off--whether AT&T's vast customer base really wants to pay extra for an Internet as safe, banal and micromanaged as a shopping mall.
Bruce Schneier, whose own security company was purchased last year by the United Kingdom's largest telecom carrier, BT, says that right now, it's not the telecom industry's role to stop bad traffic. But if a telecom company can make it profitable to do so, that role will change. And fast.
"They'll do it if it makes them money," says Schneier, chief technology officer of BT Counterpane. Until then, he believes, Internet carriers have little incentive to clean up the Internet. Why should they bother? "Bandwidth is cheap."