European ISP organizations are concerned that the cost of implementing proposals intended to reduce cybercrime could put them out of business, but a leading security vendor said the cost of not doing anything could be even higher.

As we reported yesterday, a report for the European Parliament suggests that ISPs pool together to conduct pro-active measures against systems that maliciously impact IP traffic, and that ISPs be held responsible if they fail to do so. That proposal garnered comments from European organizations and from states' government representatives.

Generally, the written comments -- 15 of them from a wide variety of European countries, most of whom wrote individual responses rather than using the response form provided -- were supportive of the proposals, but were concerned about some of them. In particular, the ISP organizations are concerned about a proposal that Internet exchange points, or connections between two ISPs, be more closely regulated.

A number of them seemed to take offense at the recommendations, citing their many years of robust operation. "We do not believe that scaremongering about network resilience is a helpful activity," seethed Euro-IX, the European association for the operators of IXPs.

ISP organizations also expressed concern about the practical business realities of implementing some of the suggestions, particularly ones that could affect a commercial business' confidentiality. "To define [security standards for network-connected computers] should not be difficult, but to implement and enforce them could be a nightmare," responded the Ministry of Foreign Affairs in Poland.

"[A]t any one time there are millions upon millions of compromised hosts on the Internet," the Malta Communications Authority chimed in. "Establishing real-time monitoring mechanisms to monitor this huge number of hosts is a real challenge."

In addition, a special interest group made up of 28 vendors expressed concern that vendors had not been consulted. "We believe that imposing further liability on vendors will have a stifling effect on the industry," FIRST Vendor SIG said. "This effect would be especially devastating to open source vendors and small vendors in general."

Other suggestions from a number of ISP organizations included more incentives and fewer penalties.

But ISPs may not have a choice, said John Maddison, vice president of core technology solutions for Trend Micro, in Cupertino, Calif. ISPs need to become both more proactive and more reactive now, he said, particularly as bandwidth increases. "Once you have that bandwidth, botnets can cause some pretty substantial damage," he told BetaNews. "More bandwidth is like providing more powerful guns to the bad guys."

Part of the problem is that users cannot be counted on to implement security patches and programs correctly, Maddison acknowledged. And while some of that could be done remotely by the ISP, that gets into privacy issues. Instead, he suggested that ISPs should look for ways to implement them on the ISP network itself rather than on the endpoints.