US laws needed to boost computer security

01.02.2007

1. Make ISPs (and all organizations providing computer access to more than 100 people) responsible for filtering scan and attack traffic across their networks.

Section 230 of the Communications Decency Act provides that ISPs are not to be treated as the "publishers" of what their users transmit. The legal effect is that ISPs are not responsible for the content or intent of the data packets crossing their networks. While it may be reasonable to say that an ISP has no way of knowing that a JPEG file crossing its network contains child pornography, thousands of SYN or ACK probes sent to consecutive ports within a second are a different story. Attack and scan traffic is easy for ISPs to detect and block: it is a matter of counting connection attempts per source, not of inspecting content. The more scans that are blocked, the fewer compromised systems there will be. Any increase in packet processing time is made up by the overall decrease in junk traffic on the network.

2. Make ISPs (and all organizations providing computer access to more than 100 people) responsible for knocking customer PCs off their network if they become bots.

Any system that is clearly behaving as a bot should be immediately logged off the network. An end user who starts flooding the network with tens of thousands of e-mail messages, or who starts sending hundreds of thousands of DoS packets, is clearly compromised or otherwise abusing privileges. The behaviour is blatant and therefore easy to spot. More important, it is easier to identify and stop offending traffic at its source than it is for a victim under attack to identify and contact the appropriate administrators to stop it.
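Proposals 1 and 2 both rest on the claim that scan and bot traffic is easy to spot from the flow pattern alone. The following is an added example, not code from the original article, of the kind of per-source detection an access network could run over flow records: it flags a port scan (many distinct destination ports on one host in a one-second window), a spam bot (hundreds of SMTP connections in a window) and a DoS flood (a very large packet count to a single destination), and returns the sources that would be cut off. The `Flow` record layout, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
"""Per-source scan/bot detector over flow records (added example).

The record format, thresholds and sample traffic below are assumptions
constructed for illustration; real deployments would feed sampled
NetFlow/sFlow data into the same logic and tune the thresholds.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # start time in seconds
    src: str        # customer-side source address
    dst: str        # destination address
    dport: int      # destination port
    proto: str      # "tcp" or "udp"
    packets: int    # packets carried by this flow


# Assumed thresholds, evaluated per source within one WINDOW of time.
WINDOW = 1.0          # seconds
SCAN_PORTS = 100      # distinct dst ports on one host -> port scan
SMTP_CONNS = 500      # TCP connections to port 25        -> spam bot
FLOOD_PKTS = 100_000  # packets to a single destination   -> DoS flood


def detect(flows):
    """Return {src: set(reasons)} for every source whose traffic in some
    one-second window crosses one of the thresholds above."""
    buckets = defaultdict(list)  # (src, window index) -> flows in it
    for f in flows:
        buckets[(f.src, int(f.ts // WINDOW))].append(f)

    verdicts = defaultdict(set)
    for (src, _), fs in buckets.items():
        # Port scan: many distinct ports probed on the same host.
        ports_per_dst = defaultdict(set)
        for f in fs:
            ports_per_dst[f.dst].add(f.dport)
        if any(len(p) >= SCAN_PORTS for p in ports_per_dst.values()):
            verdicts[src].add("port-scan")

        # Spam bot: an end-user machine opening hundreds of SMTP sessions.
        smtp = sum(1 for f in fs if f.proto == "tcp" and f.dport == 25)
        if smtp >= SMTP_CONNS:
            verdicts[src].add("smtp-flood")

        # DoS flood: a huge packet count aimed at one destination.
        pkts_per_dst = defaultdict(int)
        for f in fs:
            pkts_per_dst[f.dst] += f.packets
        if max(pkts_per_dst.values()) >= FLOOD_PKTS:
            verdicts[src].add("dos-flood")
    return dict(verdicts)


def quarantine_list(flows):
    """Sources that the access network would disconnect, sorted."""
    return sorted(detect(flows))


def sample_flows():
    """Constructed sample traffic: one normal host and three offenders."""
    flows = []
    # Normal customer: five HTTPS connections to one server.
    for i in range(5):
        flows.append(Flow(0.1 * i, "10.0.0.5", "198.51.100.10", 443, "tcp", 40))
    # Scanner: one SYN to each of ports 1..300 on a single host in 0.3 s.
    for port in range(1, 301):
        flows.append(Flow(0.001 * port, "10.0.0.7", "203.0.113.9", port, "tcp", 1))
    # Spam bot: 800 SMTP connections to 250 distinct mail servers in 0.4 s.
    for i in range(800):
        flows.append(Flow(0.0005 * i, "10.0.0.8", f"192.0.2.{i % 250 + 1}", 25, "tcp", 10))
    # DoS bot: 150 UDP flows of 1000 packets each at one victim in 0.75 s.
    for i in range(150):
        flows.append(Flow(0.005 * i, "10.0.0.9", "203.0.113.50", 53, "udp", 1000))
    return flows


if __name__ == "__main__":
    for src, reasons in sorted(detect(sample_flows()).items()):
        print(src, ", ".join(sorted(reasons)))
```

The thresholds here are deliberately coarse, which is the practical caveat behind both proposals: a legitimate mail relay or a customer running a backup to many hosts can cross them, so an operator would rate-limit or sandbox a flagged source and notify the customer rather than drop it outright on the first window.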

3. Make end users liable if losses are incurred because of outdated security software.