International Trade Today is a service of Warren Communications News.
‘Very Real Threat’

CSRIC Approves Botnet Code of Conduct, DNS Registry

The FCC’s Communications, Security, Reliability and Interoperability Council Thursday approved three reports designed to make use of the Internet safer for users. CSRIC approved reports recommending a voluntary U.S. Anti-Bot Code of Conduct for ISPs and domain name system (DNS) best practices, aimed at beefing up security and preventing spoofing. CSRIC also approved a certified registry allowing ISPs to validate the authenticity of routing information, with a goal of blocking Internet route hijacking, in which Internet traffic is routed through potentially untrustworthy networks.

FCC Chairman Julius Genachowski stopped by the meeting to note that he had called for action in all three areas in a speech last month at the Bipartisan Policy Center (CD Feb 23 p5). He called CSRIC’s work “the FCC’s most significant effort yet to enhance cybersecurity,” important to both wireline and wireless networks. The reports were not available online at our deadline.

“As all of you know very well, cyberattacks pose a very real threat, a critical threat to our economic future and our national security,” Genachowski said. “To put the scale of this challenge in some perspective, and there’s so much data that one can point to, experts reported recently that the majority of all Internet traffic is non-human -- consisting of bots, automated spam, and hacking software.”

The work that CSRIC is doing is critical, Genachowski said. “We called on you to develop cybersecurity solutions, real steps that will materially enhance our security, and to do it in a way that preserves the ingredients that have and will fuel the Internet’s growth and success,” he said. “That means solutions that preserve Internet freedom and the open architecture of the Internet, which have been essential to the Internet’s success as an engine of innovation and economic growth. Privacy is a similarly vital principle.”

Verizon, AT&T, Comcast, Cox, Time Warner, CenturyLink and Sprint Nextel have agreed to abide by the principles adopted Thursday, Genachowski said. Wireless carrier T-Mobile supports all three recommendations and will implement the DNS best practices and DNS security extensions (DNSSEC).

The White House sent Miriam Perlberg, senior director for cybersecurity policies for the National Security Council, to the meeting to endorse the CSRIC recommendations. “As an ever-increasing portion of our world’s daily functions rely on digital systems, the importance of protecting the personal data we store on our computers, our mobile devices and our networks increases each day,” she said.

An average of four million new botnet infections occur each month, Perlberg said. “One increasingly exploited threat is the rise of botnets,” she said. “A botnet infection can lead to monitoring of a consumer’s personal information and communications and also to exploitation of that consumer’s computing power and Internet access.” The problem is bigger than any one company or nation, she said. “That’s why partnership is so very important,” she said. “Our collective, coordinated initiatives are raising the costs for cyber criminals using botnets.”

The guidelines approved “will have national effect and perhaps even international influence,” said Jamie Barnett, Public Safety Bureau chief.

Bots “are a massive problem in the U.S. and globally,” said Michael O’Reirdan, chairman of the Messaging Anti-Abuse Working Group, who presented the report on behalf of a CSRIC working group. “This is about crime,” he said. “This is about ripping people off. ... They look to spam, to do ID theft, distributed denial of service. Sometimes you get a bot on your machine and it’s going to sew up all your data and then say, ‘give me 50 bucks to unencrypt it.’” Measuring how well the code works and measuring the scale of the bot problem are probably the toughest challenges going forward, O’Reirdan said. “There are an awful lot of people who produce reports ranging from ... the hopelessly optimistic to the scarily ridiculous, and we need to find out what the truth is,” he said. “The fact is the truth isn’t very good and the problem is significant.”

DNS best practices will remain a challenge, said Steve Crocker, CEO of collaboration software maker Shinkuro and ICANN board chairman, who presented the report to the CSRIC. “The domain name system has been operating for quite a long time, a quarter century or more, and is embedded deeply into every aspect of the Internet,” he said. “There are literally hundreds of thousands, or millions, of separate ... deployments of DNS that are operating around the world.” Inside a single laptop are as many as three or four DNS “resolvers,” he noted. “Trying to make a change to that system is a nontrivial problem even if the concept is relatively easy.” As an example of the kinds of problems industry faces, Crocker noted that some companies try to sell incorrect or slightly different domain names to users who mistype the name they were looking for. “That is not in accordance with the way the domain name system protocol was set up,” he said. “DNSSEC makes it either hard or impossible to continue those kinds of practices.”

“Communications networks and customers who utilize these networks are the targets of thousands of cybersecurity events daily from simple network defense probing to sophisticated, harmful attacks,” said Glen Post, CSRIC chairman and CEO of CenturyLink, during the group’s meeting. “Over the last 10 years the communications industry has worked extensively with industry peers, partners in government and other stakeholders to strengthen the nation’s collective defenses against cyberattacks. ... Continued cooperation between government and industry in this area is absolutely critical, in my view.”

Major telecom carriers and cable companies released statements Thursday supporting the steps taken by CSRIC. “We believe today’s announcement is a good foundation for building active participation and consensus -- not just among ISPs, but all players in the Internet ecosystem -- around a holistic, flexible and sound approach to cybersecurity,” said Stuart Elby, Verizon vice president-corporate technology. “There is no ‘one size fits all’ model for addressing cybersecurity risks,” said Comcast Executive Vice President John Schanz. “It takes broad participation for the best results. The flexibility for us to design and develop the best security solutions for our network architecture and customer environment is a core element of a successful cybersecurity policy.”

Making the recommendations work will require continued cooperation, said AT&T Senior Vice President Bob Quinn. “While the DNSSEC report recommends that ISPs make their DNS recursive nameservers DNSSEC-aware, it also recommends that key industry segments such as banking, healthcare and others sign their respective domains and that software developers, such as web-browser developers, study how and when to incorporate DNSSEC validation functions into their software,” he said on the company’s blog (http://xrl.us/bmy58z). “Also, the botnet report anticipates a significant role for other Internet ecosystem participants, including but not limited to security software vendors, operating system developers, end user-focused organizations and providers of Internet content, applications and services.”