FCC Chairman Urges ISPs to Combat CyberthreatsCall to Target Botnets, Net Hijacking, Domain-Name Fraud
"Tackling the challenges to Internet security is so important, because the opportunities of the Internet are so great," Genachowski said in remarks delivered at the Bipartisan Policy Center on Feb. 22, noting that broadband access has transformed the economy and society as $8 trillion worth of transactions occur annually over the Internet. "If you shut down the Internet, you'd shut down our economy."
See Also: How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward
Melissa Hathaway, the former White House cybersecurity adviser who helped Presidents Bush and Obama develop their cybersecurity strategies, characterized Genachowski's remarks as an important step toward delivering a more secure and reliable Internet infrastructure.
"ISPs have unique visibility of the malware and activity transiting their infrastructure," Hathaway said. "They also have a responsibility to provide uninterrupted service to their customers. As we see more organized and semi-organized groups disrupt services and infrastructures in support of the cause of the day using DDoS (distributed denial of service) or similar malware, it may demand that the ISPs adopt and practice Good Samaritan behavior."
Genachowski is asking ISPs, working with other stakeholders, to develop and adopt an industry-wide code of conduct to combat the threat of botnets, a collection of compromised Internet-linked computers often used to infect a large number of computers with malware. He said ISPs should empower consumers with information and tools to help consumer secure their computers.
"They can increase customer awareness so that users can look for signs that their computers are being used as bots, detect infections in customers' computers, notifying customers when their computers have become infected, and offer remediation support," the FCC chairman said. "Of course, ISPs can and must do this in a way that does not compromise consumers' privacy."
ISPs can help battle Internet route hijacking, Genachowski said, in which Internet traffic is misdirected through an untrustworthy network where data can be stolen or changed before arriving at an intended destination. He said network operators need to adopt secure routing standards, and engineers are making real progress on developing these technical standards in a way that will protect individual privacy and secure Internet routing.
"I strongly urge ISPs to support the development of secure routing standards and plan to implement them when they are ready," Genachowski said. "Costs of implementation can be minimized by putting in place the new technical standards during routine hardware and software upgrades. The benefits of ISPs taking these steps to eliminate accidentally misrouted traffic would be enormous."
Domain-name fraud is another problem ISPs should address, he said. Vulnerabilities in the Domain Name Systems - simply, the system that catalogs Internet addresses - can allow "bad actors" to change identifying information that misdirect users to fraudulent websites that look like the real ones.
Genachowski called on ISPs to adopt the Domain Name System Security Protocol that's aimed to address these vulnerabilities. "The standards for DNSSEC are well established and are already being deployed by government entities, but adoption in the private sector has been slow," he said. "If they adopt DNSSEC, ISPs can provide a real and tangible benefit to the consumers and businesses that rely on them."
One of the largest ISP companies, Comcast, endorsed Geneachowski's goals. Writing in is blog, Comcast/NBCUniversal President Kyle McSlarrow said that protecting American consumers, businesses and governments from cybersecurity threats should be a global priority. "To be effective," McSlarrow said, "everyone who is a part of the Internet ecosystem must play a meaningful role in ensuring that private and government networks, and personal computers and devices are secured."
Genachowski's proposals jibe with the mindset of many lawmakers who have introduced cybersecurity legislation in which the government encourages business to adopt best practices to protect information technology and safeguard privacy rather than to implement regulations forcing them to do so.
"The FCC has a long history of engagement on network reliability and security, working with commercial communications providers, wired and wireless, to develop industry-based, voluntary best practices that improve security and reliability," he said.