Sen. Warner: FCC Should Clarify ISP Power to Combat Hacks

Queries federal agencies in wake of last week's DDoS attack

Sen. Mark Warner (D-Va.) has written the FCC and other agencies asking what tools there are and what tools there need to be to combat crippling cyber attacks, and in the case of the FCC, how the Open Internet rules affect what ISPs can do about them.

Warner, a former wireless net executive, is co-chair and co-founder of the bipartisan Senate Cybersecurity Caucus.

Among the answers he wants is what network management practices ISPs can use to respond to those threats and whether the FCC's Open Internet order's suggestion that ISPs could only take steps to address “traffic that constitutes a denial-of-service attack on specific network infrastructure elements” applied to last week's hack and warranted a response from ISPs.

In his letter to FCC chairman Tom Wheeler, Warner signaled the FCC needed to clarify what ISPs could do and when.

"Under the Federal Communications Commission’s (FCC’s) Open Internet rules, ISPs cannot prohibit the attachment of 'non-harmful devices' to their networks," he wrote. "It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the 'network'—whether the ISP’s own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area."

In the wake of last week's DDoS (distributed denial of service) attack that affected a host of websites—including Twitter and PayPal, as well as B&C and Multichannel News—Warner fired off letters to the FCC, the Federal Trade Commission and the Department of Homeland Security.

Warner is concerned about, among other things, security weaknesses in the growing legion of Internet of Things (IOT) connected devices, from cars and thermostats to refrigerators and cameras.

Warner wants to drive a stake into the "zombie computers" (botnets) behind last week's DDoS attacks and is looking for the tools to do so.

“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers," he said.

Warner wants Wheeler to answer the following questions.

1. "What types of network management practices are available for internet service providers to respond to DDoS threats? In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing 'traffic that constitutes a denial-of-service attack on specific network infrastructure elements.' Is it your agency’s opinion that the Mirai attack has targeted 'specific network infrastructure elements' to warrant a response from ISPs?"

2. "Would it be a reasonable network management practice for ISPs to designate insecure network devices as 'insecure' and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses? Would such practices require refactoring of router software, and if so, does this complicate the feasibility of such an approach?"

3. "What advisories to, or direct engagement with, retailers of IoT devices have you engaged in to alert them of the risks of certain devices they sell? Going forward, what attributes would help inform your determination that a particular device poses a risk warranting notice to retailers or consumers?"

4. "What strategies would you pursue to take devices deemed harmful to the network out of the stream of commerce? Are there remediation procedures vendors can take, such as patching? What strategy would you pursue to deactivate or recall the embedded base of consumer devices?"

5. "What consumer advisories have you issued to alert consumers to the risks of particular devices?"

6. "Numerous reports have indicated that users often fail to install relevant updates, despite their availability. To the extent that certain device security capabilities can be improved with software or firmware updates, how will you ensure that these updates are implemented?"

7. "Do consumers have meaningful ability to distinguish between products based on their security features? Are formal, or third-party, metrics needed to establish a baseline for consumers to evaluate products? If so, has your agency taken steps to create or urge the creation of such a baseline?"

8. "Should manufacturers have to abide by minimum technical security standards? Has your agency discussed the possibility of establishing meaningful security standards with the National Institute of Standards and Technology?"

9. "What is the feasibility, including in terms of additional costs to manufacturers, of device security testing and certification, akin to current equipment testing and certification of technical standards conducted by the Federal Communications Commission..."

Rep. Fred Upton (R-Mich.), chairman of the House Energy & Commerce Committee, which oversees the FCC, has also weighed in on the attacks.

“These ongoing attacks are cause for serious concern as they directly disrupt the well-being of online businesses and consumers browsing the Internet," he said last week. "We’re closely monitoring the situation and will continue exploring strategies and developing protections to mitigate the impact these types of attacks have on our networks.”