I don't think the attitude that it's "a few days worth of work or oh I guess maybe a few more if they don't have everything automated yet..." is very helpful. It diminishes the problem and is incredibly unrealistic. While I don't have experience running an ISP, it's huge infrastructure, which is inevitably incredibly complex and it is almost certainly expensive, time consuming, and extremely risky to roll out major changes. But I don't disagree with you! This is even more of a reason that we need help from regulators on this front. Things that are prohibitively costly for private entities to do but must be done for society to function the way we want it to are the sweet spot for regulation.
I keep hearing that the government is taking cyber security seriously, but I see no evidence. Where is the DHS funded formal verification tool or subsidized penetration testing for critical infrastructure? I'm not saying these are the right ideas, but I don't see anything at all. Perhaps I just don't know of the programs that already exist though - looking forward to being educated here!
Ingress filtering really is not a big deal, and has been supported by all routing edge hardware/software for 15 or 20 years now.
The fact it isn't implemented is down to apathy, ignorance and people making excuses.
I don't think throwing your hands up and saying "oh this is probably hard" is very constructive on this front. Stop making excuses for people whos lack of action puts everyone else is danger.
I think you're misunderstanding me. It's hard because doing anything is hard at scale. But I'm not saying it shouldn't be done because it's hard. Big companies do this sort of hard stuff all the time. But resources are limited and lots of efforts are competing to be the priority. It is natural that the things that will make or save money for the organization will take priority over things that are just general nice-to-haves. So the question is: how would this affect the bottom line of an ISP? If it wouldn't move the needle much, or would move it in the wrong direction, it's unlikely to get done. This is why I'm saying we need regulatory support - to shift the incentives.
A possibility I recently heard about and thought sounded interesting would be requiring certain kinds of companies hold security insurance, and allowing damages for things like DDoS attacks. Then, if the insurance is functioning properly, doing things like this would decrease premiums. Mostly though, I'm just bummed that I don't seem to hear much about any ideas for how to actually attack the problem after things like WannaCry or big data leaks happen. This is clearly a systemic problem, and nobody really seems to be attacking it at that level.
I keep hearing that the government is taking cyber security seriously, but I see no evidence. Where is the DHS funded formal verification tool or subsidized penetration testing for critical infrastructure? I'm not saying these are the right ideas, but I don't see anything at all. Perhaps I just don't know of the programs that already exist though - looking forward to being educated here!