ISPs Sign FCC Cyber-Security Code of Conduct

Published May 31, 2016

A group of major Internet Service Providers signed the Federal Communications Commission’s new code of conduct designed to limit cybercrime. The FCC’s Communications, Security, Reliability and Interoperability Council conduct code targets three main security threats: botnets, domain-name system attacks, and Internet route hijacking.

Among the ISPs signing the CSRIC are AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, T-Mobile and Verizon.

In a statement, FCC Chairman Julius Genachowski said the CSRIC recommendations identify smart, practical, voluntary solutions that will materially improve the cyber-security of commercial networks and bolster broader cyber-security bills currently being considered by Congress, including the Cyber Intelligence Sharing and Protection Act.

CISPA passed the House of Representatives in April, but is not expected to pass the Senate. President Obama has stated he would veto the bill should it reach his desk.

‘Industry Self-Regulating’
Botnets are described as ‘zombie armies’ of computers whose interfaces have been compromised and are reset to forward transmissions such as viruses or spam to other computers. DNS attacks occur when hackers alter the domain name so that, when users log onto a Web page, the page redirects them to an alternate location. Internet route hijacking is the erroneous routing of Internet traffic through potentially untrustworthy networks.

Berin Szoka, founder of TechFreedom says the move toward a code of conduct is a positive development. “I see this more as a case of the industry self-regulating to enhance cyber security and protect their networks and customers rather than doing so at the behest of the FCC,” he said.

“Someone has to be selected to protect their systems,” Szoka continued. “And rather than pick the government, it seems to me like the ‘invisible hand’ of the market is working. If it succeeds, then we do not need to have government set the standards.”

ISPs Battle Botnets
Bruce Anderson, Director of Investigations for Cyber Investigation Services, Tampa, Florida, says there are several reasons why a code of conduct is necessary.

“Under the Anti-Bot Code, ISPs agree to educate consumers about the botnet threat, take steps to detect botnet activity on their networks, make consumers aware of botnet infections on their computers, offer assistance to consumers whose computers are infected and collaborate with other service providers that have also adopted the Anti-Bot Code,” Anderson said in an email.

“Currently Most ISP have not structured their networks and monitoring systems to attempt to detect botnets that are being delivered through Web sites, links, emails, or social media in order to gain control of users systems,” Anderson added. “Botnets can be purchased by anyone and code put onto a Web site that will steal users’ passwords and personal information and make their computer vulnerable for use in attacks against others.”

Preventing Fraudulent Activity
CSRIC recommended that ISPs implement best practices to better secure the Domain Name System. DNS works like a telephone book for the Internet, but lack of DNS security has enabled spoofing, allowing Internet criminals to coax credit card numbers and personal data from users who do not realize they are on an illegitimate Web site. DNS Security Extension (DNSSEC) is a set of secure protocol extensions that prevent such fraudulent activity.

“ISP implementation of DNSSEC will allow users, with software applications like browsers, to validate that the destination they are trying to reach is authentic and not a spoofed Web site,” said Anderson.

“CSRIC recommended an industry framework to prevent Internet route hijacking, which is the erroneous routing of Internet traffic through potentially untrustworthy networks,” Anderson explained. “CSRIC recommended that ISPs work to implement new technologies and practices to reduce the number of these events, thereby ensuring that users in the U.S. can be more confident that their Internet traffic will not be exposed to scrutiny by other networks, foreign or domestic, through misrouting,” says Anderson.

Threats to Online Environment
Ari Zoldan, CEO of Quantum Networks, LLC in New York, says the FCC code of conduct is a necessary measure meant to provide Internet users with a heightened degree of security. Moreover, it is not an invasion of privacy, he claims, but a necessity as the level of anonymity implied by the Internet tends to afford hackers the chance to wreak havoc in the virtual space.

“The code of conduct targets both Botnet attacks and DNS violations,” said Zoldan. “Both of these practices threaten the security of the online environment, and the FCC addressed them with the conduct code that encourages ISPs to sharpen detection methods and tighten security.”

Zoldan added: “The question is not whether the FCC has crossed a line in establishing this code, but rather whether they have gone far enough and instituted enough precautionary measures.”

More Data Scrutiny
Mike DeWolfe, information architect for Those DeWolfes Creative in Vancouver, British Columbia, says it is good news that large ISPs will collaborate and cooperate to detect botnet attacks, but adds he is also concerned that better detection will mean more scrutiny of the data moving through these ISPs.

“More control over routing will give ISPs the opportunity to better monitor traffic,” he said. “And they could abuse that ability. Their goal is to shun botnet attacks and identify false routing information.”

DeWolfe added: “Peer-to-peer traffic and legitimate but heavy file transfers could be detected and considered malicious even when they are benign.”

Kenneth Artz ([email protected]) writes from Dallas, Texas.