ISPs To Secure Their Communications Networks
The Federal Communications Commission (FCC) unanimously adopted recommendations for voluntary action by Internet service providers (ISPs) to combat three major cyber security threats, including botnets, attacks on the Domain Name System (DNS), and Internet route hijacking.
FCC Chairman Julius Genachowski applauded the public commitments of many of the U.S.' largest ISPs to implement these best practices.
The Communications, Security, Reliability, and Interoperability Council (CSRIC) is a federal advisory committee established to provide recommendations regarding the security, reliability, and interoperability of the U.S. communications system. Currently, CSRIC is composed of more than 50 communications experts from the private sector (including ISPs), public safety, consumer organizations and tribal, local, state and federal governments.
Chairman Genachowski said, "The recommendations approved today identify smart, practical, voluntary solutions that will materially improve the cyber security of commercial networks and bolster the broader endeavors of our federal partners."
CSRIC was tasked with developing measures for ISPs to mitigate three major cyber threats: botnet attacks, domain name fraud, and Internet route hijacking. Today, the advisory committee endorsed industry-based recommendations in each of these three areas, including:
- Anti-Bot Code of Conduct: To reduce the threat of botnets in residential networks, CSRIC recommended a voluntary U.S. Anti-Bot Code of Conduct for Internet Service Providers (Anti-Bot Code). Under the Anti-Bot Code, ISPs agree to educate consumers about the botnet threat, take steps to detect botnet activity on their networks, make consumers aware of botnet infections on their computers, offer assistance to consumers whose computers are infected and collaborate with other service providers that have also adopted the Anti-Bot Code.
- DNS Best Practices: CSRIC recommended that ISPs implement best practices to better secure the Domain Name System. DNS works like a telephone book for the Internet, but lack of security for DNS has enabled spoofing, allowing Internet criminals to coax credit card numbers and personal data from users who do not realize they are on an illegitimate website. DNSSEC is a set of secure protocol extensions that prevent such fraudulent activity. This recommendation is a significant first step toward full DNSSEC implementation by ISPs and will allow users, with software applications like browsers, to validate that the destination they are trying to reach is authentic and not a spoofed website.
- IP Route Hijacking Industry Framework: CSRIC recommended an industry framework to prevent Internet route hijacking, which is the erroneous routing of Internet traffic through potentially untrustworthy networks. CSRIC recommended that ISPs work to implement new technologies and practices to reduce the number of these events, thereby ensuring that users in the U.S. can be more confident that their Internet traffic will not be exposed to scrutiny by other networks, foreign or domestic, through misrouting.
Chairman Genachowski reiterated that privacy must not be compromised for the sake of security. He also announced that CSRIC is being tasked with preparing future recommendations to ensure that the best practices endorsed today will protect the privacy of Internet users. Last month, Chairman Genachowski urged the multi-stakeholder Internet community to find industry-led, non-regulatory solutions to secure the U.S. networks.
In response, several ISPs participating in CSRIC, including AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, and Verizon, pledged today to implement the CSRIC recommendations. Other ISPs, such as T-Mobile, have agreed to implement those recommendations that apply to their network architecture.