The Government and ISPs At Odds Over Fighting Botnets

Copyright 2008 Stuart Isett.

Both the U.S. government and the country’s internet service providers (ISPs) agree that botnets are among the greatest threats facing Web users.

But they can’t yet agree on what to do about it, because the ISPs aren’t exactly the biggest fans of a government document calling for them to establish voluntary, industry-wide standards for detecting and fighting threats.

That was the major, unfortunate conclusion that came out of a contentious panel discussion on Tuesday featuring the White House cyber security coordinator, cyber experts at the Department of Homeland Security and the Department of Commerce and an ISP industry trade representative.

The U.S. government defines botnets as collections of compromised computers that are remotely controlled by a malevolent party. The networks are often used to launch crippling attacks against third parties online.

A recent study by Microsoft found the U.S. leads the world in terms of the number of computers infected with botnet malware, 2.2 million, compared to second-place Brazil’s 500,000. Globally, McAfee reported in late 2010 that it was seeing an average of 6 million new botnet infections every month.

Yet a research report from the European Network and Information Security Agency released earlier this year found that “botnet sizes are generally exaggerated because of a lack of reliable data and because the larger estimates will bring more financial support for security measures,” as EWeek reported.

“Botnets out there can harm and threaten any of us,” said Howard Schmidt, special assistant to the President and cyber security coordinator for the White House. “They can turn the victim of a crime into a vehicle for committing other crimes against systems that trust the infected computer…we have a lot to do to clear this up.”

“Whatever comes out of creating more security and fighting botnets, any kind of uniform response [by the government] is going to handcuff us from responding to dynamic threats,” said Kate Dean, executive director of the U.S. Internet Service Provider Association, an industry trade group.

Hosted by and at the Center for Strategic International Studies in Washington, D.C., the discussion was designed to kickstart the creation of a “voluntary industry code of conduct to address the detection, notification and mitigation of botnets,” as outlined in a September 21 request for information from the DHS and the Commerce Department’s National Institute of Standards and Technology.

The document seeks comments from “all Internet stakeholders, including the commercial, academic, and civil society sectors,” on how to best establish such a system. Comments can be emailed to Consumer_Notice_RFI@nist.gov, and there is a 30-day deadline for submissions, which ends on November 4.

But the government is also relatively broad in its suggestions, simply stating that American ISPs should do a better job of detecting botnets and notifying users that their computers are infected in a timely and standardized fashion.

Also, the document provides three degrees of botnet-fighting standards that would involve varying levels of government participation: from none, in the “private sector run and supported model,” to some government services for helping to notify users in a “public/private partnership,” to one where the government provides the central resource for helping consumers fix botnets.

Clearly, the federal agencies are right now pursuing the second model, but the ISPs argue that they are already doing a good enough job at helping customers, and that it is the government’s lack of clarity on legality and liability issues – such as whether ISPs can be prosecuted for accessing customers’ private information – that is holding them back from doing a better job. Also at stake is who would pay for such botnet-fighting services.

The government’s document points to successful public/private partnerships in Australia, Japan and Germany, each with its own unique features, that have all seen some gains in helping users detect and clean up botnets on their computers. Yet American ISPs say the situation here is much different and so those models aren’t necessarily applicable.

As Michael O’Reirdan, chairman of the Messaging Anti-Abuse Working Group, a global industry trade organization, said during the discussion: “There’s an emerging worldwide consensus something needs to be done.” But he also added: “You can’t just focus on ISPs…end users have to be sensible…[cyber security] tools vendors need to come up with better tools.”

At the same time, the panel was asked why they thought a voluntary system would be effective when that’s essentially what’s been in place for the past 20 years since the commercial internet began taking off in the U.S.

“This is a new effort,” said Cameron Kerry, general counsel of the Commerce Department, defending the document. “It is all of the stakeholders’ prerogative. We want to try the least restrictive means, maybe for a two-year period, and if it doesn’t work out, we can revise it then.”
