FCC outlines cybersecurity best practices for ISPs


Remotely controlled botnets threaten end users, users connected to infected users and Internet service providers. Unfortunately,  perpetrator catch rates are very low, and remediation tools are "immature," reported a working group during a Dec. 13 Federal Communications Commission communications security, reliability and interoperability council meeting in Washington, D.C.

"This threat is severe. It is growing worse. It is not stabilizing or getting better, by any means," said working group member Jason Livingood, executive director of Internet Systems and Engineering at Comcast Cable.

The CSRIC working group has now completed an ISP network protection best practices document that specifies recommended actions around prevention, notification, mitigation and privacy.

Creating best practices in this area is especially difficult because the architecture, capabilities and interactions of a cable-based network, such as Comcast's, are significantly different than a fiber-based network, such as Verizon's FiOS. "ISPs need to be able to take these practices that we recommend and figure out how best to implement them," said working group Chair John Morris, director of Internet standards at the Center for Democracy and Technology

Livingood said best practices should be reviewed every two years, if not more frequently and evaluated to assess their effectiveness in dealing with the botent problem.

Government needs to play a leadership role in this area, reported the working group, beyond simply ensuring that government networks are kept safe, group members said. The group recommended the United States follow the lead of governments such as Germany and Japan, and create national websites to educate citizens about malware and provide malware remediation tools.

The group highlighted the difficult balance between whether a malware infection is definitively known or if it's just likely. It's more important to notify users in a timely manner that an infection is likely, than it is to wait for a definitive alert that malware exists, they said. The group also said end-user awareness and behaviors must be improved, and there is likely an opportunity for cross-industry coordination in this area.

During the meeting, another CSRIC working group announced that it is working on formulating cybersecurity best practices document. It is putting the final touches on a draft document which it will have it to the CSRIC steering committee by Jan. 31, 2011. A final report is expected by Feb. 10, 2011.

For more:
- view a video of the FCC meeting here

Related Articles:
FCC completes pandemic planning report and implementation plan
Clarke: Regulation needed to defend critical infrastructure against threat of cyberwar
FCC's Genachowski promises NG-9-1-1 'first step' 
FCC telecom subsidy program needs robust risk management, says GAO 
FCC plans private sector cybersecurity role