FCC Chairman Seeks Industry Cooperation on Botnets, Domain Name Fraud, IP Hijacking
Calling cyberattacks a “critical threat to our economic future and national security,” FCC Chairman Julius Genachowski asked Internet stakeholders Wednesday to address three significant cyberthreats: botnets, domain name fraud, and IP hijacking. Specifically, Genachowski called on ISPs to develop and adopt an industry-wide code of conduct to combat botnets; develop secure routing standards to eliminate maliciously misrouted traffic; and adopt a series of DNS security extensions, called DNSSEC, developed by the Internet Engineering Task Force. Speaking at the Bipartisan Policy Center, Genachowski said the vulnerabilities were identified after he tasked the FCC’s Communications, Security, Reliability and Interoperability Council (CSRIC) with making recommendations in March 2011.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Industry groups such as the American Cable Association and NCTA applauded the FCC’s embrace of voluntary public-private partnerships. “We're headed in the right direction,” said ACA President Matthew Polka. USTelecom Senior VP-Law and Policy Jonathan Banks said it was “actively supporting the voluntary process at the CSRIC,” emphasizing that continuing efforts “must include a broad spectrum of the firms that make the Internet work because, as the chairman points out, Internet Service Providers cannot do this alone.” AT&T Senior Vice President-Federal Regulatory Bob Quinn said the company was actively participating in the CSRIC working groups, and after the recommendations are approved by the full CSRIC, “we will evaluate those recommendations for implementation in our network.” Comcast President-Washington Kyle McSlarrow said his company agrees with Genachowski’s proposal for “real-time, industry-led solutions, rather than government mandates.” The efforts of CSRIC, of which Comcast is a participant, are an example of that kind of industry driven effort, he said. A Comcast spokeswoman said the company had already implemented DNSSEC, and already has programs in place to combat botnets.
A botnet, short for “robot network,” is used to distribute a virus over the Internet via a link or downloaded file, giving bad actors control over a computer. Someone with control over a large number of infected “zombie computers” can use them to crash a site, Genachowski said. “Botnets have been central to a very large percentage of the website crashes you've heard of, and that you haven’t. For the average consumer, the consequences can be equally devastating,” he said, saying consequences can range from spam to identity theft.
ISPs can play a significant role in combating botnets by spreading awareness through consumer education, he said, and by detecting infections in customers’ computers and offering to help fix the problem. “Comcast and CenturyLink have already taken the lead in developing and promoting solutions like this,” he said. “If other ISPs employed similar best practices, it could significantly reduce the botnet threat."
Internet route hijacking is a process in which traffic is diverted through a malicious network that can “eavesdrop” on the data passing through, stealing or changing the data in the process, Genachowski said. The protocol that enables seamless connectivity between networks -- known as Border Gateway Protocol -- lacks built-in mechanisms to protect against these attacks: “Misrouted traffic, whether intentional or accidental, is clearly unacceptable,” Genachowski said, urging network operators to support the development and implementation of secure routing standards. Costs could be minimized by putting the new standards in place “during routine hardware and software upgrades,” he said.
Domain name fraud occurs when DNS entries are maliciously changed, sending computer users to a fraudulent website that often looks exactly like the real site. A Gartner report said 3.6 million Americans are redirected to bogus web sites in a single year, at a cost of over $3 billion, he said. “Users have no idea that they are not working with legitimate websites, and unwittingly provide the operators of the fraudulent websites with financial and personal information,” Genachowski said. “You could think of it as the Little Red Riding Hood problem."
By adopting a series of security extensions developed by the Internet Engineering Task Force and endorsed by Internet pioneers such as Rodney Joffe and Vint Cerf, ISPs can minimize the threat, he said. “The standards for DNSSEC are well established and are already being deployed by government entities, but adoption in the private sector has been slow,” he said. “I urge all broadband providers to begin implementing DNSSEC as soon as possible.” An FCC spokesman declined to provide a cost estimate for the DNSSEC implementation.
Public Knowledge Legal Director Harold Feld called the proposals “reasonable,” and applauded Genachowski’s “strong advocacy of consumer privacy as essential to any security policy.”