Public-Private Partnership: The ISP Role in Fighting Malware
October 4, 2011
Good morning. I especially want to thank Jim Lewis and the staff at the Center for Strategic and International Studies for hosting this important dialog among these distinguished panelists. I think that the title of the program is fascinating: a public-private partnership and the ISP role, which would be one of the private parts of the partnership, and that partnership must indeed take a holistic approach and collective, coordinated action among both government entities and private companies. I am here to talk about the FCC’s role in that partnership, a role which is only a supporting role compared to the leadership roles that the Department of Commerce and the Department of Homeland Security must play, but an important, perhaps essential supporting role, in helping to secure our nation’s cyber ecosystem against malware threats. And the point is that all hands have to be on deck for this partnership to work. We can’t afford for any part to be idle.
The FCC has always been vitally interested in the security and reliability of communications networks. The Internet has expanded the concept and scope of communications, but the very openness of the Internet makes it vulnerable to exploits, and specific areas of risk exist in Internet routing and directory services.
Now the guy in the office next to you, your Mom’s computer, even your computer are all exposed to torrents of malware and spam, making them susceptible to infection and setting them up as threats to other users and, in extreme scenarios, the communications infrastructure itself. Millions of computers get incorporated into botnets each month, capable of launching crippling distributed denial of service attacks.
Just last week, one of Australia’s key internet registries, NetRegistry, reported a major denial of service attack. The attack left customers unable to access their websites for one or more days.
We must remember that, like legacy communications, the Internet is operated by private, commercial entities, not the government, and so, as with legacy communications, private companies are in the vanguard of protecting their infrastructure and their consumers.
Internet Service Providers (ISPs) are not alone in this responsibility, but they play a significant role in battling botnets and malware. And naturally, ISPs would be concerned about their responsibilities in remediating botnets; they are pulled in different directions. I think that ISPs are concerned about unnecessary government intervention or regulation. Concerns about customer privacy rights, fear of losing commercial advantage, and fear of exposure to new legal liabilities have caused trepidation for ISPs seeking to create safer online experiences for their customers. But the industry also lacks an effective, common set of guidelines for what should be done to detect, notify, and remediate end users' computers that become infected by bots and other forms of malware.
Speaking for myself, I think that a proper government role should start with facilitating collective action among the public sector and private entities, using the least restrictive and least regulatory means available that actually achieve success. I think I can speak in harmony with my other Federal partners when I say that we in the public government sector realize it will take a cooperative, focused public-private partnership in order to effectively combat the malware that threatens Internet users and networks.
The Commerce Department, in its “Green Paper,” suggests that voluntary codes of conduct (a written set of industry-wide voluntary practices designed to spur a community to operate in a uniform manner) be developed through a multi-stakeholder process to significantly advance efforts to protect the Internet from the growing malware and bot threats.
The U.S. Department of Commerce and U.S. Department of Homeland Security’s Request for Information (RFI), which builds on past work here and abroad to ask important questions about creating a voluntary industry code of conduct to address the detection, notification, and mitigation of botnets, is a major step forward, and we at the Commission fully support our Federal partners in combating this growing threat.
We are especially looking forward to hearing responses to the RFI’s questions on practices to help prevent and mitigate botnet infections, practices for identifying botnets, the effectiveness of consumer notification, and incentives to promote voluntary action to notify consumers. These questions and the responses are extremely important in helping to formulate a strategy and pursue a public-private partnership to effectively detect botnets, notify consumers, and mitigate their effects.
And this is not just a U.S. problem; the solutions are global. For example, last year in Australia, the Internet Industry Association launched a voluntary code of practice for Australian ISPs to ensure consistent notification and remediation of consumer computer problems caused by botnets. Germany and Japan have begun similar efforts using models that are suited to their own circumstances.
Steps to remediate the adverse effect of botnets involve more than the ISP community, but ISPs surely have a role to play. At the Commission, we are doing our part to assist our Federal partners and the industry in combating the global botnet threat. Here’s what the Commission is doing. In December 2010, the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) Working Group 8 released a report recommending 24 voluntary Best Practices to address botnet protections for consumers and network providers. The Best Practices covered several areas including prevention, detection, notification, mitigation, and identified means to address externalities such as privacy concerns.
On September 23rd, we had the inaugural meeting of the newly re-chartered CSRIC III Working Group 7, and I appreciate Ari Schwartz of the Department of Commerce coming to address this group of almost 60 experts from industry and government. These experts include luminaries from this panel, including Michael O’Reirdan, and Max Weinstein is on one of our working groups. Rodney Joffe, Alan Paller and Steve Crocker are other examples of this all-star CSRIC. Over the next 18 months, the new CSRIC III will be reviewing the efforts undertaken within the international community and among domestic stakeholder groups, such as the Australian Internet Industry Code of Practice, relevant Internet Engineering Task Force (IETF) Requests for Comment, and the work of the Messaging Anti-Abuse Working Group (MAAWG), for applicability to U.S. ISPs. Building on the work of CSRIC II Working Group 8, in coordination with DHS and the Department of Commerce, and informed by the results of the botnet RFI, CSRIC III’s Working Group 7 will propose a set of agreed-upon voluntary practices and a framework for ISP implementation. The Working Group will also identify potential ISP implementation obstacles and identify steps the FCC and other Federal partners can take that may help overcome them. Furthermore, the Working Group will identify outcome-oriented performance metrics to evaluate the effectiveness of its work in addressing the botnet problem. We will work very closely with our Federal partners.
We are committed to working vigorously with our Federal partners and industry to reduce the impact of botnets, through efforts such as those we have challenged CSRIC III to undertake, to identify effective ways in which we can leverage the lessons being learned globally to create an environment where botnets find it difficult to thrive and ISPs can operate in a cooperative, voluntary manner to remediate their effects.
Again, thank you for allowing me to participate on this panel. I look forward to our continued discussion and work in this important area.