Last Thursday, the country’s largest wired and wireless ISPs, representing about 80% of the broadband subscribers in the United States, committed to a voluntary set of cybersecurity codes of conduct for dealing with online threats, including botnets, attacks on the domain name system (DNS), and Internet route hijacking. The ISP group includes AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable and Verizon.
The codes of conduct include:
- Anti-Bot Code of Conduct: A botnet is a collection of compromised, Internet-connected computers, each of which is known as a “bot.” When a computer is compromised by an attacker, the malware often contains code that commands it to join a botnet. The “botmaster” or “bot herder” controls these compromised computers, and each bot can perform automated tasks over the Internet without the user being aware. ISPs agreed to educate consumers about the botnet threat and to take steps to detect botnet activity on their networks. ISPs will warn consumers of botnet infections on their computers and offer assistance to consumers whose computers are infected.
- DNS Best Practices: ISPs agreed to implement a set of best practices to better secure the DNS. DNS works like a telephone book for the Internet, but lack of security for DNS has enabled spoofing, allowing Internet criminals to coax credit card numbers and personal data from users who do not realize they are on an illegitimate website. DNSSEC is a set of secure protocol extensions that prevent such fraudulent activity. This recommendation is a significant first step toward full DNSSEC implementation by ISPs and will allow users, with software applications like browsers, to validate that the destination they are trying to reach is authentic and not a spoofed website.
- IP Route Hijacking Industry Framework: ISPs also will implement an industry framework to prevent Internet route hijacking, which is the erroneous routing of Internet traffic through potentially untrustworthy networks. CSRIC recommended that ISPs work to implement new technologies and practices to reduce the number of these events, thereby ensuring that users in the United States can be more confident that their Internet traffic will not be exposed to scrutiny by other networks, foreign or domestic, through misrouting.
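The route-hijacking item above describes the problem but not how an operator tells a legitimate announcement from a misrouted one. The check below is an added illustration, not code from the article or from any of the ISPs named: it compares BGP announcements against a table of authorized origin ASNs (a hypothetical stand-in for what an operator would load from RPKI route origin authorizations or an IRR) and flags announcements whose origin does not match, or that carve out a more specific prefix than the authorization allows. The prefixes, ASNs and announcements are all constructed from documentation and private-use ranges, so none refer to a real network.

```python
"""Route-origin validation over constructed BGP announcements (added example)."""
from ipaddress import ip_network

# Constructed authorization table: (prefix, authorized origin ASN, max prefix length).
# Hypothetical stand-in for RPKI ROA data; 64500-64502 are private-use ASNs and the
# prefixes are IETF documentation ranges, so nothing here refers to a real operator.
AUTHORIZED_ORIGINS = [
    ("192.0.2.0/24", 64500, 24),
    ("198.51.100.0/22", 64501, 24),
    ("203.0.113.0/24", 64502, 24),
]


def route_origin_state(prefix, origin_asn, authorized=AUTHORIZED_ORIGINS):
    """Classify one (prefix, origin) pair as 'valid', 'invalid' or 'unknown'.

    'valid'   - an authorization covers the prefix, names this origin, and the
                announced prefix is no longer than the authorized maximum.
    'invalid' - at least one authorization covers the prefix but none matches
                (wrong origin, or a more-specific prefix than allowed): this is
                the shape a hijack or a leaked more-specific takes.
    'unknown' - no authorization covers the prefix at all.
    """
    net = ip_network(prefix, strict=False)
    covered = False
    for auth_prefix, auth_asn, max_len in authorized:
        auth = ip_network(auth_prefix, strict=False)
        # subnet_of() only compares networks of the same IP version.
        if net.version != auth.version or not net.subnet_of(auth):
            continue
        covered = True
        if origin_asn == auth_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def check_announcements(announcements, authorized=AUTHORIZED_ORIGINS):
    """Return (prefix, origin ASN, state) for every announcement that is not valid.

    Each announcement is (prefix, AS path); the origin is the last ASN in the path.
    """
    findings = []
    for prefix, as_path in announcements:
        if not as_path:
            # A path with no ASNs cannot be attributed to an origin; surface it.
            findings.append((prefix, None, "unknown"))
            continue
        origin = as_path[-1]
        state = route_origin_state(prefix, origin, authorized)
        if state != "valid":
            findings.append((prefix, origin, state))
    return findings


# Constructed announcements as seen from a hypothetical peer (AS 64510).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),        # legitimate origin, authorized length
    ("192.0.2.0/25", [64510, 64500]),        # right origin but more specific than allowed
    ("198.51.100.0/24", [64510, 64999]),     # covered prefix announced by an unauthorized origin
    ("203.0.113.0/24", [64510, 64520, 64502]),  # longer path, still the authorized origin
    ("10.0.0.0/8", [64510, 64777]),          # no authorization covers this prefix
]

if __name__ == "__main__":
    for prefix, origin, state in check_announcements(SAMPLE_ANNOUNCEMENTS):
        print(f"{state:8s} {prefix:18s} origin AS{origin}")
```

In practice the 'invalid' results are the ones an operator would alert on or drop, while 'unknown' routes are usually accepted but logged, since only a fraction of address space has authorizations published for it; treating unknown as invalid would blackhole legitimate traffic.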
The codes of conduct are consistent with the recommendations from the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC). “The recommendations approved today identify smart, practical, voluntary solutions that will materially improve the cybersecurity of commercial networks and bolster the broader endeavors of our federal partners,” Chairman Genachowski said in a statement.
In a blog posting, AT&T executive Bob Quinn urged cybersecurity commitments to reach beyond ISP networks to entities across the entire Internet ecosystem including security software vendors, operating system developers, end user-focused organizations and providers of Internet content, applications and services. “Effectively addressing cybersecurity is going to require the various stakeholders experimenting and innovating with different solutions and learning from one another,” Quinn said.
He also provided a warning about standards: “We need to avoid an outcome where we publish our playbook for our adversaries and potentially prematurely standardize solutions that may ultimately prove inadequate in addressing the changing cyber threat.”
CSRIC is a federal advisory committee established at the direction of the FCC Chairman to provide recommendations regarding the security, reliability and interoperability of the nation’s communications system. Currently, CSRIC is composed of more than 50 communications experts from the private sector (including ISPs), public safety, consumer organizations and tribal, local, state and federal governments.
In a parallel track, Congress also is attempting to address cybersecurity threats to the nation’s critical infrastructure. Several cybersecurity bills have been introduced in the House and Senate.
Congress generally concurs that there should be more open lines of communication between the government and private industry, and a forum to share best practices in regard to cybersecurity. However, some congressional leaders disagree on how cybersecurity legislation should be enacted, what constitutes “critical infrastructure” (and, therefore, if the rural ISP industry will even be included), and what security mandates will be enacted. At this point in time, it’s unclear what the final legislation will include, or what entities will be subject to the mandatory network protection requirements under development.