News Analysis

Nuke the zombies! ISPs must get real about security, says FCC

tom-wheeler-doge.jpg

much federal. very flag.

The U.S. Federal Communications Commission (FCC) proposes to force ISPs to take action on the security of their networks. FCC chair Tom Wheeler says the market isn't working, so ISPs must "voluntarily" get busy on this right away.

In other words: Clean up your customers' zombie PCs, or watch out for Tom's Damoclean sword of regulatory awesome. Something like that, anyway.

In IT Blogwatch, bloggers wonder what took him so long.

Your humble blogwatcher curated these bloggy bits for your entertainment.

 

Grant Gross gets going:

The [FCC] is threatening to step in with regulations if network providers don't take steps to improve cybersecurity...in keeping with its congressionally defined mission to promote the national defense and public safety.

FCC Chairman Tom Wheeler said...the FCC will push operators of U.S. communications networks to adopt cybersecurity best practices developed by the FCC's advisory committee, the Communications, Security, Reliability and Interoperability Council [in 2011] which include domain name security, Internet route hijacking measures and an antibotnet code of conduct.  MORE

 

Alina Selyukh reports Tom's implicit threat:

In his first major speech devoted fully to cybersecurity...Wheeler urged the private sector to "step up to assume new responsibility and market accountability for managing cyber risks" before the FCC weighs a regulatory approach. ... "The private sector-led effort must be more dynamic than traditional regulation and more measurably effective than blindly trusting the market."

Security experts continue to worry about the reluctance of many corporate leaders to spend more money on improving defenses.  MORE

 

And Brian Fung adds this "dire" economic warning:

In recent months, the [FCC] has quietly worked to expand its role among federal agencies charged with protecting the nation's networks from cyberattack. ... National security officials have warned that if companies fail to strengthen their protections for infrastructure and customer data, the nation's economy could grind to a halt.

Wheeler has filled his agency with officials with national security experience with the express intent to weigh in on cybersecurity. ... "The FCC’s responsibility to promote public safety and network security is fundamental," Wheeler said.  MORE

 

But this guy, Guy Wright, offers this (ahem) strong angle:

The FCC is essentially trying to use national security as a way to gain regulatory control over ISPs (which they currently don’t have). ... This is all coming out during a flash point for the FCC. They are about to weigh in on a Comcast / Time Warner merger, an AT&T; / DirecTV merger and their controversial new ‘net semi-neutrality’ proposal.

[But] the FCC doesn’t actually have the power to regulate any Internet Service Providers or take action against them. ... That’s why they want Congress to expand their power to include the ability to regulate, and if necessary punish ISPs [perhaps] by playing the terrorism card which apparently gives government agencies carte blanche to circumvent any laws.  MORE

 

Be kind, rewind -- back to 2010, when your humble blogwatcher was saying this:

After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? ... For several years, I and others have advocated a more aggressive approach to fighting botnets.

[ISPs] are in a superb position to detect the signs of infection. Once an ISP has detected that a user is infected, they can ensure that the problem gets fixed. ... ISPs could detect signs -- say, by intercepting outbound spam, or botnet command-and-control traffic. ... The user would be placed in a walled garden, where a web browser would only be able to see certain pages, which give instructions on how to fix the problem.

Over the years, we've seen a number of industry efforts to persuade ISPs to do this, but with limited effect. Here are just a few:

In 2006, the Australian Internet Industry Association issued a guide to its members about how to detect and remediate bots.

In 2007, the Messaging Anti-Abuse Working Group (MAAWG) issued a set of "Best Practices for the Use of a Walled Garden" to its members.

In 2009, the IETF started work on "Recommendations for the Remediation of Bots in ISP Networks."

[In 2010] Microsoft's...Corporate Vice President of Trustworthy Computing...spoke at the International Security Solutions Europe Conference in Berlin, Germany, advocating bot detection and remediation.  MORE

Computerworld Blogs Newsletter

Subscribe now to the Blogs Newsletter for a daily summary of the most recent and relevant blog posts at Computerworld.  

Related:

Copyright © 2014 IDG Communications, Inc.

Shop Tech Products at Amazon