The Federal Communications Commission (FCC) may soon kickstart a number of new initiatives to encourage Internet service providers to do a better job cleaning up bot-infected PCs and malicious Web sites on their networks, KrebsOnSecurity has learned.
Earlier this year, the commission requested public comment on its “Cybersecurity Roadmap,” an ambitious plan to identify dangerous vulnerabilities in the Internet infrastructure, as well as threats to consumers, businesses and governments. Twice over the past few weeks I had an opportunity to chat with Jeffery Goldthorp, associate bureau chief of the FCC’s Public Safety & Homeland Security Bureau, about some of the ideas the commission is considering for inclusion in the final roadmap, due to be released in January 2011.
Goldthorp said there are several things that the commission can do to create incentives for ISPs to act more vigorously to protect residential users from infections by bot programs.
“Along those lines would be something like an ISP ‘code of conduct’ and best practice-oriented approach that ISPs could opt-in to or not, basically a standard of behavior for ISPs to follow when they find that a user of theirs has been infected,” Goldthorp said. “The goal of that would be to clean up the consumer and residential networks. We’re also very interested in trying to figure out if there are rules we have on our books that stand in the way of ISPs being more proactive and creating a safer environment for consumers online.”
In addition, Goldthorp said the FCC is considering ways to encourage ISPs to be more proactive in dealing with malicious Web sites.
“At the server level, we’re looking at doing things that would allow us in an operational role to apply our jurisdiction with ISPs and try to reduce the time to remediation of things like malicious hosts and phishing or spam sites,” he said. “That’s really an area that [the FCC is] doing nothing in right now. We don’t get any information now about what those sites are and what we could do about them. So, we expect that there will be specific things we’d propose on all those areas of the roadmap.”
Prompted in part by the FCC’s request for comment, I wrote a column for CSO Online last month in which I called on the commission to begin measuring the responsiveness of ISPs in quashing malicious threats that take up residence on their networks. One of the ways I suggested the commission could do that is by publishing data about badness on these networks – data that is already being collected by a myriad of mostly volunteer-led groups that monitor this type of activity.
Goldthorp said the commission has met with a number of folks from these groups, and is also considering what it could do to help these groups shine a light on ISPs that have a substantial number of problem customers who remain infected for long periods of time.
“The idea that the FCC could be in the middle of that and broker some of that awareness so that the time to remediation could be minimized is very attractive,” he said. “At a minimum, there are things we can do to shed light on this, and we don’t have to have a commission vote on that to do it.”
AN IDEA WHOSE TIME HAS COME, OR AN INVITATION TO BIG BROTHER?
A number of others are beginning to press the idea of ISPs becoming more proactive in cleaning up problematic customers. Comcast, the nation’s largest residential high-speed Internet provider, announced last week it had begun deploying a bot-notification service to all 16 million of its customers nationwide.
On Tuesday, a top executive at Microsoft called for the creation of ISP industry standards for dealing with botnet infections. Speaking at the International Security Solutions Europe conference in Berlin, Scott Charney, Microsoft’s vice president of trustworthy computing, suggested it was time to start viewing the bot epidemic through the lens of public health models used to combat the spread of human infectious diseases.
To achieve this, Charney said Internet-connected devices could be required to present a “health certificate” as a condition for Internet access. Conditions that might be presented in such a certificate include whether the customer is running up-to-date security software and anti-virus, and whether the device has any obvious infections. In cases where a machine’s health certificate reveals missing patches or out-of-date virus signatures, the ISP could provide a notice to that effect.
“If the problem is more serious (the machine is spewing out malicious packets) – or the user refuses to produce a health certificate in the first instance – other remedies, such as throttling the bandwidth of the potentially infected device might be appropriate,” Charney suggests in his paper titled Collective Defense: Applying Public Health Models to the Internet. “Simply put, we need to improve and maintain the health of consumer devices connected to the Internet.”
Unfortunately, this model starts to break down pretty quickly if you can’t vouch for the integrity of these certificates, or if others can abuse the information in them for nefarious purposes. Herein lies what may be the most controversial component of Charney’s proposal: The inclusion of a hardware+software approach that is capable of creating “end-to-end trust” between the consumer’s PC and the service provider.
“Combining trusted software (that is, hypervisors) and hardware (that is, Trusted Platform Module) elements could further enable consumer devices to create robust health certificates and ensure the integrity of user information,” Charney writes.
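The following is an added example, not code from Charney’s paper or from Microsoft, illustrating why the integrity of the health certificate is the linchpin of the model described above. A device wraps a few health claims (patch status, age of anti-virus signatures, whether it is emitting malicious traffic) in a timestamped, signed certificate; the ISP side verifies the signature and freshness before it trusts a single claim, and only then maps the claims to the outcomes the paper sketches (allow, notify, throttle). All field names, the policy thresholds, and the device key are assumptions; an HMAC with a per-device key provisioned at enrollment stands in for the TPM-backed signature the paper envisions, so that the example runs with only the Python standard library.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed per-device secret shared with the ISP at enrollment (assumption).
# In the proposal this role is played by a TPM-protected key; an HMAC stands in
# for that signature here so the example runs with the standard library only.
DEVICE_KEY = b"constructed-device-key-0001"

MAX_CERT_AGE_SECONDS = 24 * 3600   # freshness window for a certificate (assumed)
MAX_AV_SIGNATURE_AGE_DAYS = 7      # definitions older than this are "out of date" (assumed)


def canonical(claims: dict) -> bytes:
    """Stable serialisation so device and ISP sign exactly the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(key: bytes, claims: dict, now: Optional[int] = None) -> dict:
    """Device side: wrap health claims in a signed, timestamped certificate."""
    body = dict(claims)
    body["issued_at"] = int(time.time()) if now is None else now
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"claims": body, "signature": tag}


def verify_certificate(key: bytes, cert: dict, now: Optional[int] = None) -> bool:
    """ISP side: reject forged, tampered or stale certificates before trusting any claim."""
    now = int(time.time()) if now is None else now
    body = cert.get("claims", {})
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(expected, cert.get("signature", "")):
        return False
    age = now - body.get("issued_at", 0)
    return 0 <= age <= MAX_CERT_AGE_SECONDS


def decide(key: bytes, cert: Optional[dict], now: Optional[int] = None) -> str:
    """Map a certificate to one of three outcomes (assumed policy):
    'allow'    - verified and healthy
    'notify'   - verified but fixable hygiene gaps (missing patches, stale AV)
    'throttle' - active infection, or no verifiable certificate at all
    """
    if cert is None or not verify_certificate(key, cert, now):
        return "throttle"          # unverifiable claims are treated as absent
    c = cert["claims"]
    if c.get("emitting_malicious_traffic"):
        return "throttle"
    if (not c.get("patches_current")
            or c.get("av_signature_age_days", 10**6) > MAX_AV_SIGNATURE_AGE_DAYS):
        return "notify"
    return "allow"


def run_demo() -> dict:
    """Exercise the policy with constructed certificates; returns outcome per case."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    healthy = {"patches_current": True, "av_signature_age_days": 1,
               "emitting_malicious_traffic": False}
    stale_av = dict(healthy, av_signature_age_days=30)
    infected = dict(healthy, emitting_malicious_traffic=True)

    results = {
        "healthy": decide(DEVICE_KEY, issue_certificate(DEVICE_KEY, healthy, now), now),
        "stale_av": decide(DEVICE_KEY, issue_certificate(DEVICE_KEY, stale_av, now), now),
        "infected": decide(DEVICE_KEY, issue_certificate(DEVICE_KEY, infected, now), now),
        "no_certificate": decide(DEVICE_KEY, None, now),
    }
    # An infected device that edits its own claims after signing: the signature
    # no longer matches, so the ISP learns nothing it can rely on and throttles.
    tampered = issue_certificate(DEVICE_KEY, infected, now)
    tampered["claims"]["emitting_malicious_traffic"] = False
    results["tampered"] = decide(DEVICE_KEY, tampered, now)
    # A genuine but old certificate is not accepted as evidence of current health.
    expired = issue_certificate(DEVICE_KEY, healthy, now - MAX_CERT_AGE_SECONDS - 1)
    results["expired"] = decide(DEVICE_KEY, expired, now)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:15s} -> {outcome}")
```

Two design points follow from the article’s own caveat. First, the ISP never branches on a claim until the signature and timestamp have been checked, which is the property a TPM-backed key is meant to provide in the real design; without it, a bot can simply assert good health. Second, the certificate carries only the handful of fields the access policy needs, which limits what a third party could learn from it if it were intercepted or logged.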
In a phone conversation about his paper, Charney said such a system would need to be designed openly and transparently so that it cannot be used for other types of online policing activity, such as intellectual property protection or to hunt for child predators.
“These are things that by design and policy and rule can be put off-limits,” he said. “So with Windows Update, sure this is a feature that phones home to Microsoft, but we have that feature audited by a third party to make sure it works in the way we’ve described it and only in that way.”
As for who would pay for all of this, Charney acknowledges such a shift would not come cheaply, although he said he is neither suggesting new taxes nor opposing the idea. Rather, Charney said he’s hoping to stimulate public discussion and debate about the proposal.
“I made a comment at the last RSA conference about funding models for this idea, and all these articles came out saying ‘Charney called for taxation of the Internet.’ I did no such thing, but I do believe you’d have to think about how you sustain these kinds of efforts,” he said. “The market might actually do this because it’s good to get rid of malware and it’s a better customer experience. But if the market doesn’t do it, we have to be prepared as a society to say this is a serious enough issue.”
So how about it readers? What do you think of where the FCC is headed? About Charney’s ideas? Are there aspects of his proposal you like or positively despise? Sound off in the comments below.