New anti-bot code of conduct approved by FCC
An industry advisory group wants U.S.-based internet service providers (ISPs) to adopt a "code of conduct" for weeding out botnet infections.
Made up of more than 50 experts, the Communications, Security, Reliability and Interoperability Council (CSRIC), which reports to the Federal Communications Commission, drafted the code that gives ISPs a voluntarily blueprint to follow to address compromised computers belonging to their customers.
Currently one of the biggest threats plaguing the internet, botnets give criminals the ability to steal personally identifiable information and launch distributed denial-of-service attacks against websites.
According to a report by the FCC (PDF), an ISP that willingly adheres to the code of conduct must educate consumers about the dangers of botnets, take steps toward the detection and remediation of the infections, and collaborate with other service providers that have adopted the code.
The FCC is not enforcing the agreement, but that shouldn't stem participation, Michael O'Reirdan, a CSRIC Working Group chairman, told SCMagazine.com this week.
“It's important to know that this isn't the FCC going out and mandating that the ISPs do this,” he said. “We're not recommending different things in different groups, but we're asking various people to play their parts in a coherent way.”
The guidelines encourage ISPs to voluntarily pitch in, much in the same way they have for years to help filter out spam before it reaches the customer's network, said O'Reirdan, who also co-chairs the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).
The CSRIC committee drew on previous ISP-focused best practices already adopted in other countries, such as Australia's iCode.
Major ISPs in the United States have already agreed to jump on board with the recommendations. The FCC report states that AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, T-Mobile, and Verizon have committed to implementing the code of conduct.
Nothing is ever going to make bots go away, O'Reirdan said. However, he said if ISPs implement a small fraction of the major principles outlined in the code, it will make it difficult for attackers to operate.
In an email to SCMagazine.com, John Pescatore, vice president and research fellow at Gartner, said he hopes the code of conduct encourages ISPs to perform actual prevention and cleaning of infected machines, rather that focusing solely on education and awareness. But, he admitted, such tactics could run into hurdles related to keeping the internet free and open."In the U.S., the pressure on 'net neutrality' causes issues," Pescatore said. "The first time an ISP blocks a bot that someone can claim was really a service competing with that carrier, all hell will break loose if there isn't some agreed-upon structure in place in advance."
The creation of this new standard further adds to the industry efforts underway, including the recently formed Industry Botnet Group, initiated by the Department of Commerce and made up trade associations, security companies and ISPs. The group's primary objective is to provide consumers and stakeholders with best practices for detecting and removing botnets.
In addition to the new code of conduct, the CSRIC also made recommendations to ISPs to further secure the Domain Name System through secure protocol extensions (DNSSEC), which prevent users from accessing illegitimate websites. These protocols would enable users with browsers to validate their web destinations.
CSRIC also suggested that ISPs should work to implement new “technologies or practices” to reduce the number of route hijacking events, a threat that involves the routing of internet traffic through deceitful networks.