NetworkWorld quoted the AT&T CISO, Ed Amoroso:

The past decade has been tough – the security industry has lost its way. At one point we had no security; now there’s too much. This has been the era of security getting worse and worse. Today there’s too much software from vendors that needs to be patched. There are viruses and worms and spam and firewalls…carriers need to be doing security for the endpoints.

The theory is that a central entity can do a better job filtering the data to detect anomalies, and that the end users can not all afford to specialize in security.

But how do we know that AT&T has a security baseline that is consistent with ours as end users? I agree with Ed that the most basic threats should be removed by the carriers (like the centrally-controlled conditioning that removes big spikes and sags from the power lines), but do not see how he can get around that fact that end users will always have vastly different risk models that need individual solutions. Some of us still buy small UPS, some big, and some go with multiple UPS plus generators. That doesn’t mean we don’t think that the power company shouldn’t be liable for outages, it just means we don’t all address the same risks let alone agree to a universal fix.