Who Protects Us from the ISPs? The Missing Layer of Internet Security
Without accountability, ISPs remain one of the weakest links in national cybersecurity.
Jim Leone
9/2/2025
When I recently spoke with the FBI and CISA about large-scale attacks originating from ISP-provisioned lines, I asked a simple question:
When an Internet Service Provider (ISP) is the source of a massive attack, who do we contact to make them aware, and who holds them accountable to investigate, filter, and stop it?
The answer was sobering... there is no formal governance, no escalation path, and no defined responsibility for ISPs to take action.
The Accountability Gap
In cybersecurity, we spend enormous resources defending at the edge, deploying firewalls, scrubbing services, intrusion detection, and advanced analytics. Yet the attacks themselves often originate from the very networks that power our businesses and homes.
ISPs, by design, act as “common carriers.” They provide connectivity but historically have not taken responsibility for the nature of the traffic traversing their pipes, unless compelled by law enforcement. That legal posture may have made sense in the early internet. But today, in an era of petabyte-scale DDoS floods, automated credential stuffing, and nation-state probing campaigns, this hands-off model creates a dangerous gap.
Utilities are regulated and must meet resiliency standards.
Airlines and banks operate under strict compliance frameworks.
Yet ISPs, who underpin every digital transaction, emergency service, and critical infrastructure link, largely operate without binding security accountability.
The Missed Opportunity: MANRS
It’s important to note that the internet community has not been entirely silent on this issue. The Mutually Agreed Norms for Routing Security (MANRS) initiative, backed by the Internet Society, was created to reduce common routing threats such as IP spoofing, route hijacking, and misconfigurations.
MANRS defines a set of best practices for ISPs and network operators, including:
Filtering: Preventing traffic with spoofed source IP addresses from leaving a network.
Anti-Spoofing Measures: Ensuring attackers can’t easily mask their origin.
Coordination & Transparency: Publishing routing policies and contact information so incidents can be quickly escalated.
On paper, MANRS is a strong foundation for a safer internet. But here’s the problem: participation is voluntary. Many ISPs either don’t join, or adopt only pieces of the framework without accountability. There is no SLA, no enforcement body, and no penalty for ignoring it.
In practice, this means that even if your security team identifies malicious traffic and can trace it back to an ISP’s network, there’s no guarantee that ISP has the processes, or the will, to act on it quickly.
Why This Matters
The consequences of this gap are real:
Downstream Victims Bear the Cost: Enterprises, hospitals, schools, and even government agencies are left to fend for themselves, filtering and blocking malicious IPs long after the attack has propagated.
No SLA for Action: If you detect an attack wave coming from an ISP block and notify them, there is no guarantee of investigation, let alone mitigation within a defined timeframe.
National Security Risk: Foreign adversaries can abuse U.S. or allied ISP networks to stage reconnaissance or disruption campaigns, knowing enforcement is weak and fragmented.
A Path Forward: Shared Responsibility
This is not a call to turn ISPs into surveillance agencies. It’s about responsible governance and clear escalation channels. Imagine if ISPs were required to:
Investigate reports of malicious activity within a defined Service Level Agreement (SLA).
Implement upstream filtering once verified, to protect not just one customer but the broader internet.
Participate in transparent industry coordination, similar to Information Sharing and Analysis Centers (ISACs).
Such measures would create a more resilient internet ecosystem without eroding civil liberties. Accountability and transparency should be the guiding principles.
A Call to Conversation
The internet has matured into critical infrastructure, but our governance of it has not. The FBI and CISA openly acknowledge this accountability gap. It’s time for policymakers, ISPs, and security leaders to come together and ask:
Should ISPs be held to security SLAs, just as utilities are held to uptime SLAs?
How do we build oversight without overreach?
What role should government, industry, and the global community play in setting these standards?
Until we answer these questions, we’ll remain in a cycle where defenders scramble downstream while attackers freely exploit upstream blind spots.
Have you encountered this same gap when trying to escalate malicious traffic?
What governance models, voluntary or regulatory, might realistically improve accountability?
This is a discussion we can’t afford to delay. The security and stability of our digital future may depend on it.