ISPs Not Only Key Players In Cybersecurity Effort, Say Some Federal Officials
To make networks safer from botnets and other malware, public-private partnerships and a minimal role for government are the best approaches, said officials from the FCC, Commerce Department and other agencies. Any framework for protecting end users and notifying them of an attack should be voluntary and incorporate input from multiple stakeholders, they said Tuesday at the Center for Strategic and International Studies.
While ISPs have a key role, many entities have a responsibility, they said. The issues won’t be solved by any one action taken by a company, individual or government, said Howard Schmidt, White House cybersecurity coordinator. But “we fully should recognize that we all have to do our little part to make this more secure,” he said. Moving forward requires a combination of efforts from federal, tribal, local governments, the private sector “and pretty much everybody on the planet that has the use of this technology,” he said. “You can’t just focus on the ISP,” said Michael O'Rierdan, chairman of the Messaging Anti-Abuse Working Group. “It’s a team sport and everybody’s gotta play their position.”
Incentivizing consumers to pay attention to the problem with botnets and malware must be better addressed, Schmidt said: “We fully recognize in the industry there is a loss, there’s a lack of confidence [and] lack of trust.” There are some good tools, “but a lot of times people don’t know where to get them or how to use them,” he said.
The Commerce Department takes a multi-stakeholder approach to improving cybersecurity, said Cameron Kerry, its general counsel. It advances the central policy of maintaining a trusted and secure Internet “while protecting the innovation and interoperability that have made the Internet such a driver of economic growth globally,” he said. The key role for government is to convene stakeholders and “leading the way in the policy solutions that protect the public interest as well as private innovation.” But “pure government planning in this space is a prescription for failure,” he said.
Efforts in other nations, like Australia, Germany and Japan, indicate a growing consensus around the urgency of the issue, O'Rierdan said. They “reflect a consensus that something needs to be done and that thing can’t be preordained and predefined by any government or regulatory body.” About 90 percent of the Australian ISP market joined the “icode,” a voluntary cybersecurity code of practice for ISPs, he said. ISPs aren’t required to fix computers, “but the ‘icode’ encourages them to let you know there may be a problem.” Germany’s initiative involves ISPs detecting a problem and directing customers toward tools that can clean up the machine, he said.
Some officials said they're confident that Congress will work to move cybersecurity legislation. The White House proposal was “the beginning of a discussion, not an endpoint,” Schmidt said. “I think Congress is very much engaged in doing the right thing with this.” The political environment is difficult, “but we can get bipartisan agreement on legislation,” Kerry said. “I think there’s a good chance we will see some significant components of this pass in this Congress.”
ISPs are pulled in many different directions, said Jamie Barnett, FCC Public Safety Bureau chief. They're concerned about unnecessary government intervention or regulation and about customer privacy rights, and they fear exposure to new legal liabilities, he said. However, “the industry also lacks an effective common set of guidelines of what should be done to detect, notify and remediate end users’ computers that have become infected.” The government should facilitate action “using the least restrictive, regulatory means available,” he said. The government should “provide some leadership and some clarity on some of the outstanding legal issues that create some uncertainty,” said Kate Dean, executive director of the U.S. Internet Service Provider Association. Some information technology security engineers have solutions they want to bring to market, but “some of the legal uncertainty can really slow the adoption and the implementation of that,” she said.
The FCC is assisting federal partners and the industry in combating the global botnet threat, Barnett said. Over the next 18 months, the new Communications Security, Reliability and Interoperability Council working group will review efforts in the international community and “propose a set of agreed upon volunteer practices and a framework for ISP implementation,” he said.
Incentives must “maximize the potential of the existing security market to address the problem,” said Ari Schwartz, senior Internet policy advisor at the National Institute of Standards and Technology. There must be benefits for all companies involved, including small and large companies, he said. “What we come up with must actually end up protecting the consumer.” Something needs to be done this Congress, said Bruce McConnell, senior counselor in the National Protection and Programs Directorate at the Department of Homeland Security. Commerce and DHS are awaiting responses to their request for information announced last month to “see what we can learn about the ways in which the private sector can help participate in educating consumers about botnets and malware,” he said.
Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., commended the RFI. It’s “a good step toward implementing an industry-wide code for Internet providers to inform their customers when a computer virus is detected,” he said. ISPs in other countries “are already providing alerts and warnings to compromised consumers as well as offering free mitigation tools.”