The Messaging Anti-Abuse Working Group (MAAWG), which is made up of ISPs, email providers, and security vendors including AT&T, Cisco, McAfee, Facebook, and Verizon, sees the federal effort as unnecessary and redundant, and is balking at the idea of the government legislating how ISPs handle bot-infected customers. MAAWG issued its own set of best practices (PDF) two years ago for mitigating bots, and several ISPs today already have their own bot notification mechanisms in place, according to MAAWG.
"There is no need for mandated action in this area since the market is already moving forward. Many ISPs are already doing a great deal to combat the menace of bots and malware. All over the U.S., ISPs currently have notification systems in place to tell their users they are infected and -- whether they deliver these warnings via email, phone, walled gardens, or inline warnings -- the warnings are being delivered," says Michael O'Reirdan, chairman of the MAAWG. "Other ISPs currently have pilot programs or technology development efforts in place, and there will be more deployments in the near future."
O'Reirdan says ISPs handled the spam battle on their own, and can also do so for battling bots. It has become a business issue for them, he says. "No one had to mandate anti-spam platforms: ISPs put them in place to deal with the menace of spam because, if they had not, they would have lost customers if customers' mailboxes were overrun with spam. The same is happening with anti-bot platforms. It is becoming a 'table stakes' issue for ISPs, and legislating in this arena will merely lock the response of ISPs in stone to conform with the legislation rather than allow innovation and development to meet the rapidly varying nature of the bot challenge posed by the bad guys," he says.
The Department of Commerce and DHS late last month issued a request for information in the Federal Register, looking for input for a voluntary "industry code of conduct" for detecting and notifying infected bot machine owners and mitigating botnets. Comments are due by Nov. 4.
"To promote voluntary best practices in botnet detection, notification and mitigation, one suggestion has been to provide companies that take action with certain types of liability protection in order to foster greater marketplace certainty. Another suggestion is to encourage ISPs to send consumer support queries to a centralized consumer resource center that could be supported by a wide number of players. Such a resource center could reduce the burden on corporate customer support centers by pooling resources," the Federal Register entry entitled "Models To Advance Voluntary Corporate Notification to Consumers Regarding the Illicit Use of Computer Equipment by Botnets and Related Malware" says.
ISPs traditionally have been uneasy about being too hands-on or invasive with bot-infected customers. They've been hesitant to suspend infected accounts for fear of repercussions with unhappy customers or lost business.
But ISPs such as Comcast, which two years ago was one of the first to employ a bot-notification service, notify customers whose machines they spot as bot-infected. Comcast's free Constant Guard Security program directs the infected user to the antivirus center, where he follows directions to remove the bot malware.
"From the perspective of MAAWG, the industry is already voluntarily moving very decisively in this direction without legislation. A lot is happening with the big ISPs, and the smaller ISPs may need help, but they don’t need compulsion," MAAWG's O'Reirdan says.
But others say that the federal effort for ISP best practices could go a long way in stemming the bot explosion. Maxim Weinstein, president and executive director for StopBadware, says the ISP's role in combating botnets is critical. "The ISP is the only player in the ecosystem that has the knowledge of what the customer is that is attached to a particular IP address, and that has a relationship with that person. That is really important in the case of bots," Weinstein says.
"ISPs are divided on where they are on this. Some are already doing things … others aren't sure if or what they are able to do," he says.
Weinstein, along with O'Reirdan, White House cybersecurity coordinator Howard Schmidt, and high-ranking federal officials from Commerce, DHS, NIST, and the FCC, yesterday participated in a panel discussion hosted by the CSIS Technology and Public Policy Program on the possible ISP role in fighting bots. Weinstein says one takeaway from the day was that the ISPs and MAAWG's O'Reirdan maintain that while ISPs do have a role to play in this, it should not all fall on their shoulders.
"They made it clear that ISPs do have a role to play here, but it's not appropriate to put the entire onus on ISPs. It's much broader than that, and you shouldn't single out ISPs," Weinstein says of the ISP reaction.
ISPs worry whether they are equipped to handle bot notification and remediation, for instance, and whether it's a revenue opportunity, he says.
There is at least one part of the effort that should reach consensus, he says: a centralized mechanism for reporting bots to ISPs. "A bunch of third parties have information about bots. Why not make it as easy as possible to get that to ISPs?" Weinstein says.
But the toughest sell will be the potential hot button of a centralized resource for helping infected bot customers, he says. DHS and NIST laid out three scenarios for a resource center that would "inform and educate" users whose machines had been infected: a private sector-run center, a government-run center, or a public/private partnership-run center.
"It will be much more difficult deciding to what extent and what form a centralized resource for helping customers for remediation [should be]," he says. An ISP that already offers its own services and products for remediation might see it as competition, while a smaller ISP might welcome it as a handy resource.
"From our perspective -- representing individual users -- it would be great to have a central resource," Weinstein says.
Meanwhile, the FCC's Communications Security, Reliability and Interoperability Council (CSRIC) Working Group (WG) has a set of best practices for botnet protection for consumers, and the Internet Engineering Task Force is drafting the "Recommendation for the Remediation of Bots in ISP Networks."