The Federal Communications Commissions (FCC) may soon kickstart a number of new initiatives to encourage Internet service providers to do a better job cleaning up bot-infected PCs and malicious Web sites on their networks, KrebsOnSecurity has learned.
Earlier this year, the commission requested public comment on its “Cybersecurity Roadmap,” an ambitious plan to identify dangerous vulnerabilities in the Internet infrastructure, as well as threats to consumers, businesses and governments. Twice over the past few weeks I had an opportunity to chat with Jeffery Goldthorp, associate bureau chief of the FCC’s Public Safety & Homeland Security Bureau, about some of the ideas the commission is considering for inclusion in the final roadmap, due to be released in January 2011.
Goldthorp said there are several things that the commission can do to create incentives for ISPs to act more vigorously to protect residential users from infections by bot programs.
“Along those lines would be something like an ISP ‘code of conduct’ and best practice-oriented approach that ISPs could opt-in to or not, basically a standard of behavior for ISPs to follow when they find that a user of theirs has been infected,” Goldthorp said. “The goal of that would be to clean up the consumer and residential networks. We’re also very interested in trying to figure out if there are rules we have on our books that stand in the way of ISPs being more proactive and creating a safer environment for consumers online.”
In addition, Goldthorp said the FCC is considering ways to encourage ISPs to be more proactive in dealing with malicious Web sites.
“At the server level, we’re looking at doing things that would allow us in an operational role to apply our jurisdiction with ISPs and try to reduce the time to remediation of things like malicious hosts and phishing or spam sites,” he said. “That’s really an area that [the FCC is] doing nothing in right now. We don’t get any information now about what those sites are and what we could do about them. So, we expect that there will be specific things we’d propose on all those areas of the roadmap.”
Prompted in part by the FCC’s request for comment, I wrote a column for CSO Online last month in which I called on the commission to begin measuring the responsiveness of ISPs in quashing malicious threats that take up residence on their networks. One of the ways I suggested the commission could do that is by publishing data about badness on these networks – data that is already being collected by a myriad of mostly volunteer-led groups that monitor this type of activity.