or this discussion we are staying with the theme of negative externalities in cybersecurity. But this time, it's personal!

We haven't talked much at all about cybersecurity in the home this quarter. From a perspective of cyberwar or cyberterrorism, most of what you worry about at home is not a serious concern. Ransomware or spyware or a file deletion virus on your personal computer isn't a national security issue.

But there is one way in which the cybersecurity of your personal computer does potentially become a national security issue if attackers are using your computer as part of an attack on someone else, for instance, on critical infrastructure. This happens in three ways:

The attacker may use your computer as an interim step in an attack, for the purpose of making attribution difficult.

The attacker may use your computer as a C2 server to direct an attack

Your computer may be part of a botnet.

The first two of these are not actually a significant issue for a home computer, because attackers want to use computers that are connected to the internet 24 hours a day, and home computers often are not. They are much more likely to use compromised web servers than personal computers for those purposes.

But for botnets, they just want to control as many computers as possible, whether those computers are online 24/7 or not.

If you haven't noticed already, this is another perfect example of a negative externality. You pay very little price if your computer is part of a botnet. It may slow your internet connection occasionally, but otherwise you won't even know anything is happening. But the victims of the attack will. Your lack of cybersecurity is a negative externality the cost of your failure to protect your computer is paid by someone else.

Now you probably will never know that your computer is part of a botnet. And most computers users don't have a clue what a botnet even is.

But your ISP does know, or at least, they can usually easily identify when a customer's computer is part of a botnet. If ISPs did this, the power of botnets could be dramatically diminished.

So here's the question:

Should ISPs be required to notify a customer if their computer is part of a botnet? And if they do, should they disconnect the customer from the internet until the customer can have their computer cleaned?

By the way, you may think that your ISP doesn't have the right to monitor your internet traffic or disconnect your service, but they almost certainly do. It's in the contract that you, like the rest of us, agreed to without reading.