FCC Chairman Julius Genachowski wants Internet Service Providers (ISPs) to take on more responsibility in the battle against the plague of botnets and other online security threats.
The proposal seems to make perfect sense. ISP's are in the unique position to detect large-scale botnet activity, to interrupt command and control server networks, to identify victims whose machines are potentially infected with botnet malware, and to notify those users along with providing mitigation mechanisms to quell the infection.
"If we fail to tackle these challenges, we will pay the price in the form of diminished safety, lost privacy, lost jobs, and financial vulnerability – billions of dollars potentially lost to digital criminals," Genachowski said.
The agency is pushing an industry Code of Conduct which would require ISPs to adhere to a standard set of best practices as well as consumer education outreach efforts.
Botnets are networks of computers used without the owner’s knowledge for cybercrime activities, such as spamming and or for politically or economically motivated distributed denial of service (DDoS) attacks.
"Bots are used to relay massive amounts of spam. Bots can be used to steal passwords and financial information, putting an individual's identity at risk. I'm calling on all ISPs, working with other stakeholders, to develop and adopt an industry-wide Code of Conduct to combat the botnet threat and protect the public," Genachowski said.
Last fall, the Department of Homeland Security and the Department of Commerce sought public and industry input through a Request for Information on a proposal to incentivize ISPs to notify consumers if they have been the victims of botnet infections.
The proposal was the next step in generating the voluntary Code of Conduct for ISP's as had been outlined in a Commerce Department Green Paper that examined facilitation of public/private cooperation enlisting multiple stakeholders.
High on the list of issues to be addressed is the prevalence of domain name fraud.
"DNS is essentially a digital phone book for the web. Servers are filled with identifying information for web sites, which is used to direct people where they want to go. The challenge is that the DNS has vulnerabilities that can allow the identifying information to be changed," said Genachowski.
ISPs are being encouraged to implement recommendations outlined in the Domain Name System Security Extensions (DNSSEC) standard.
"DNSSEC is a profoundly important standard that enables improved security in most applications on the Internet. It adds public key cryptographic signatures to the entries in DNS itself, along with public keys for domains. When fully implemented, DNSSEC allows users, which really means applications, to verify that the DNS entries they retrieve really came from the domain that was queried. This protects against important classes of attacks, including redirection and cache poisoning," explains PC Magazine analyst Neil Rubenking.
The long term impact of the Code of Conduct on the prevalence of botnets and domain name fraud remains to seen, but the effort by regulators to compel ISPs to become more proactive in protecting Internet users is a logical approach.