FCC CSRIC Makes Recommendations Regarding ISP Cyber Security

March 22, 2012. The Federal Communications Commission (FCC) announced in a release that its Communications Security, Reliability and Interoperability Council (CSRIC) "adopted recommendations for voluntary action by Internet service providers (ISPs) to combat three major cyber security threats, including botnets, attacks on the Domain Name System (DNS), and Internet route hijacking". See also, second release, and speech by FCC Chairman Julius Genachowski.

Neither the FCC nor the CSRIC released the text of any recommendations.

These FCC releases, and Genachowski's speech, describe three CSRIC reports that contain a set of proposals, directed primarily at commercial providers of internet access services, compliance with which would be voluntary.

The FCC does not now propose to adopt any rules, or initiate any adjudicatory proceedings. Genachowski stated that "Solutions to cyber threats require the multiple stakeholders of the Internet community to work together and develop practical solutions to secure our networks. The goal isn't regulation".

He also stated that AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner, and Verizon "have already committed to implement the core recommendations of all three reports".

The FCC Chairman also predicted that the "CSRIC’s voluntary cybersecurity measures will soon become the industry standard operating procedures".

AT&T's Bob Quinn stated in a release that "AT&T is already fulfilling the recommendations in the reports".

"For every new solution we put in place, the attackers are already looking for a means to exploit or circumvent those solutions", said Quinn. "We need to avoid an outcome where we publish our playbook for our adversaries and potentially prematurely standardize solutions that may ultimately prove inadequate in addressing the changing cyber threat. While we are continuing to track industry developments in this space, we need to keep these issues in mind and not lull ourselves into a false sense of security."

Walter McCormick, head of US Telecom, stated in a release that "solutions to cyber threats will require multiple stakeholders in the Internet community to work together, and that the multi-stakeholder process, rather than a regulatory approach, has proven over time to be an effective way to secure networks while keeping the Internet an open platform for innovation and communication. We are pleased that the recommendations adopted today recognize the need for more work in areas where standards are still under development, and where economic barriers may exist for some companies whose business models do not allow them to recover investments in cybersecurity solutions."

Botnets. First, the CSRIC recommendations address "botnets in residential networks". The CSRIC recommends a voluntary code for ISPs.

Botnet is a slang term of recent origin derived from the words robot network. It is used to describe a collection of software robots that reside on a collection of compromised computers, almost always without the authority or knowledge of the owners or operators, that are controlled remotely for various nefarious purposes. The compromised computers are often referred to as zombies.

The purposes for forming botnets include sending spam, running denial of service attacks, committing click fraud, and infecting computers with spyware. Botnet-based spam can be used for less harmful purposes, such as marketing, or for more harmful purposes, such as pump and dump securities fraud, theft of personal and financial information to commit further crimes, and various consumer fraud schemes. Also, botnet operators sometimes lease spamming capacity to others.

The FCC release states that "To reduce the threat of botnets in residential networks, CSRIC recommended a voluntary U.S. Anti-Bot Code of Conduct for Internet Service Providers (Anti-Bot Code). Under the Anti-Bot Code, ISPs agree to educate consumers about the botnet threat, take steps to detect botnet activity on their networks, make consumers aware of botnet infections on their computers, offer assistance to consumers whose computers are infected and collaborate with other service providers that have also adopted the Anti-Bot Code." (Parentheses in original.)

The code calls for ISPs to detect botnet activity on their customers' devices, to notify such customers that their equipment may be infected, and to provide information and assistance in remediating botnet infections. However, the code does not require ISPs to take any unilateral action to remediate infections, or suspend or limit service to any customers with infected devices.

Microsoft's Kevin Sullivan stated in a release that "the contents of this code are heavily based in the outstanding efforts that several ISPs already perform to help protect their customers".

Genachowski stated that "customers of CenturyLink and Comcast can already go to those companies' websites and download a tool that will scrub your computer if it’s infected by malware".

DNSSEC. Second, the CSRIC recommendations address the Domain Name System (DNS) and DNS Security Extensions (DNSSEC). The FCC release states that the CSRIC recommends certain "best practices", but does not disclose what any of these "best practices" are.

DNSSEC is a suite of applications designed by the Internet Engineering Task Force (IETF) to add security to the DNS, by enabling cryptographic signature of DNS records, for the purpose of providing secure authentication of internet assets.

The concept is that when broadly implemented by authoritative name servers and requesting applications, it will prevent man-in-the-middle attacks on DNS queries by allowing provable authenticity of DNS records and provable inauthenticity of forged data. See also, Wikipedia pages for Domain Name System, name server, DNS hijacking, and DNSSEC.

DNSSEC's secure authentication is intended to limit the distribution of malware and other bad activity on the internet that can be used to expose credit card data, the content of e-mail, and other confidential information.

The FCC release states that the "CSRIC recommended that ISPs implement best practices to better secure the Domain Name System. DNS works like a telephone book for the Internet, but lack of security for DNS has enabled spoofing, allowing Internet criminals to coax credit card numbers and personal data from users who do not realize they are on an illegitimate website. DNSSEC is a set of secure protocol extensions that prevent such fraudulent activity. This recommendation is a significant first step toward full DNSSEC implementation by ISPs and will allow users, with software applications like browsers, to validate that the destination they are trying to reach is authentic and not a spoofed website."

Comcast, which is both a broadband internet access service provider and a participant in the FCC's CSRIC, announced in a January 10 release that it has "fully implemented" DNSSEC.

Comcast's John Schanz, who is a member of the CSRIC, stated in a March 23 release that Comcast hopes that the CSRIC's action "will encourage other major ISPs to implement DNSSEC, and to encourage domain owners like commerce and banking-related sites to begin signing their domain names with DNSSEC".

Schanz also disclosed that "The working group also recommends that software developers, such as those creating operating-systems, web-browsers, and other Internet-focused applications, study how and when to incorporate DNSSEC validation functions into their software." (The CSRIC has many working groups, including one titled "Cyber Security Best Practices".)

IP Route Hijacking. Third, the CSRIC recommendations address IP route hijacking.

The FCC release states that the "CSRIC recommended an industry framework to prevent Internet route hijacking, which is the erroneous routing of Internet traffic through potentially untrustworthy networks. CSRIC recommended that ISPs work to implement new technologies and practices to reduce the number of these events, thereby ensuring that users in the U.S. can be more confident that their Internet traffic will not be exposed to scrutiny by other networks, foreign or domestic, through misrouting."

Comcast's Schanz stated that "Improving the integrity of the global routing system has been a hope for quite some time. While there is work still to be done, Comcast joins other large network operators in our commitment to make sure data about resources is more reliable and accurate as a necessary precursor to any other enhancements which may be contemplated."

Genachowski added that the CSRIC "calls on network operators to develop and adopt new technical standards that will secure Internet routing. The secure Border Gateway Protocol standards would establish a certified registry that will enable ISPs to validate the authenticity of routing information, securing the foundations of trust between networks, which has been so essential to the Internet’s success".