The decision to create the research center, to be announced Monday, was endorsed by a top official of a government Internet security board. But the reaction among some in the Internet security industry was more cautious.
They note that ISPs have opposed government requirements to improve security; the investment in the laboratory will be modest -- less than $10 million, according to SBC; and it won't be designed to warn customers of ongoing attacks.
The SBC lab, to be based in Austin, will mimic servers, firewalls and other structures of an ISP. Fred Chang, chief executive of the unit that will run the lab, said the center could produce some early anti-attack technologies within 18 months and "quite significant innovations" in three to five years.
Howard Schmidt, vice chairman of the Bush administration's Critical Infrastructure Protection Board, said SBC's move indicates that industry is moving toward making the Internet safer, and that government regulation isn't needed.
"The government should let industry drive the solutions," Schmidt said. "The governments shouldn't be telling companies how to innovate."
Internet security officials, who haven't seen the specifics of SBC's lab, said ISPs should be testing anti-attack technology as a routine part of their business.
Russ Cooper, a security official with TruSecure, based in Herndon, Va., questioned whether SBC would learn much about attacks because crackers would avoid the center.
"The real [crackers] don't attack these things because they don't give away their secrets for free," he said.
Cooper said it would be more helpful if SBC and other ISPs took stronger measures to block traffic or levy fees on hosts whose computers are used to spread a virus or attack.
William Crowell, president and chief executive of Cylink Corp. in Santa Clara, Calif., said security measures such as firewalls and encrypting financial transactions should be built into networks like SBC's, not left to individual companies and computer users.
"My mother is 88 years old," he said. "She uses the Internet, but she doesn't know how to install a firewall, nor should she. That should be embedded in the infrastructure."
Crowell favors requiring ISPs to report attacks and disclose what they are doing about the threats. That, he said, would encourage them to build safer networks and make people more comfortable about conducting business and financial transactions online -- a boon to e-commerce.
"Many of us fear we won't act until after we've had some type of disaster," he said.
Copyright 2002. Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
