Comcast,
Time Warner Cable, Cox, and other major ISPs have answered FCC Chairman Julius
Genachowski's call for a set of voluntary cybersecurity codes of conduct for
dealing with online threats including botnets and domain name hijacking.
An
FCC advisory committee comprising ISPS and others, the Communications,
Security, Reliability, and Interoperability Council (CSRIC), Thursday voted to
adopt the following recommendations (AT&T, CenturyLink, Comcast, Cox,
Sprint, TWC, and Verizon have all agreed to abide by and implement the
recommendations):
•
"Anti-Bot Code of Conduct: To reduce the threat of botnets in residential
networks, CSRIC recommended a voluntary U.S. Anti-Bot Code of Conduct for
Internet Service Providers (Anti-Bot Code). Under the Anti-Bot Code, ISPs agree
to educate consumers about the botnet threat, take steps to detect botnet
activity on their networks, make consumers aware of botnet infections on their
computers, offer assistance to consumers whose computers are infected and
collaborate with other service providers that have also adopted the Anti-Bot
Code."
•
"DNS Best Practices: CSRIC recommended that ISPs implement best
practices to better secure the Domain Name System. DNS works like a
telephone book for the Internet, but lack of security for DNS has enabled
spoofing, allowing Internet criminals to coax credit card numbers and personal
data from users who do not realize they are on an illegitimate website. DNSSEC
is a set of secure protocol extensions that prevent such fraudulent activity.
This recommendation is a significant first step toward full DNSSEC
implementation by ISPs and will allow users, with software applications like
browsers, to validate that the destination they are trying to reach is
authentic and not a spoofed website."
•
"IP Route Hijacking Industry
Framework: CSRIC recommended an industry framework to prevent Internet
route hijacking, which is the erroneous routing of Internet traffic through
potentially untrustworthy networks. CSRIC recommended that ISPs work to
implement new technologies and practices to reduce the number of these events,
thereby ensuring that users in the U.S. can be more confident
that their Internet traffic will not be exposed to scrutiny by other networks,
foreign or domestic, through misrouting."
Comcast
has already been a leader in adopting the DNSSEC domain name security regime, a
point the company made at a cybersecurity hearing last week.
"The
recommendations approved today identify smart, practical, voluntary solutions
that will materially improve the cyber security of commercial networks and
bolster the broader endeavors of our federal partners," said Genachowski in a
statement. In a speech last month, the Chairman had called for thevoluntary commitment.
)
saying a multi-stakeholder model was the best way to respond to and prevent
cybersecurity threats and giving a shout-out to Comcast and CenturyLink for
taking the lead in informing computer users about potential threats without
compromising privacy.
"Today's
CSRIC recommendations represent best practices that recognize the importance of
companies having the freedom and flexibility to respond decisively to secure
networks and customers from cyber attacks," said Verizon in a statement.
"Verizon is proud of our role with the CSRIC, and is on track to integrate
many of the recommendations into our business operations. We believe today's
announcement is a good foundation for building active participation and
consensus -- not just among ISPs, but all players in the Internet ecosystem --
around a holistic, flexible and sound approach to cybersecurity.
In
a blog posting AT&T exec Bob Quinn echoed the sentiment that cybersecurity
commitments must reach beyond ISPs and networks to "security software
vendors, operating system developers, end user-focused organizations and
providers of Internet content, applications and services" and others, and
provided a word of caution about the standards: "We need to avoid an outcome
where we publish our playbook for our adversaries and potentially prematurely
standardize solutions that may ultimately prove inadequate in addressing the
changing cyber threat."
