Industry Groups Release Anti-Botnet Principles with White House, Agency Backing
A process of cybersecurity industry collaboration that started last fall bore fruit Wednesday at a White House event, with the Industry Botnet Group (IBG) as expected (CD May 29 p9) releasing a set of principles for mitigating the effects of botnet infections. FCC, Department of Homeland Security and Commerce Department leaders also spoke at the event. “Combating botnets is not a new phenomenon” but a “broader base” of organizations is now working together, Liesyl Franz, TechAmerica vice president-cybersecurity policy, told reporters on a conference call after the event.
Commerce and DHS released a request for information in September, asking industry to suggest elements of a voluntary code for the detection, notification and mitigation of botnets. Federal officials including White House Cybersecurity Coordinator Howard Schmidt, who made his last public appearance in the position Wednesday, had said the driving principles of fighting botnets should be public-private partnerships, consumer education and a minimal government role (CD Oct 5 p11). The IBG formed in January, composed of the Business Software Alliance, TechAmerica, USTelecom, NCTA, U.S. Internet Service Providers Association and the technology policy division of the Financial Services Roundtable, known as BITS, among others.
The IBG principles are: (1) Share cyber responsibilities by “employing reasonable technologies” to thwart the “effectiveness” of botnets, through prevention, detection, notification, remediation and recovery. (2) Cross-sector coordination to find and combat threats. (3) Cross-border collaboration. (4) Report “lessons learned” with partners in the Internet ecosystem. (5) Educate users through information and resources. (6) “Preserve flexibility” so different entities can respond appropriately to an “ever-evolving threat environment.” (7) Promote innovation. (8) Respect privacy. (9) “Navigate the complex legal environment” (http://xrl.us/bm9t8d).
The Financial Services Information Sharing and Analysis Center, known as FS-ISAC, was also expected to announce its own pilot Wednesday to share information about botnet attacks this year, an administration official told reporters in a briefing. FS-ISAC is working with the Anti-Phishing Working Group and using Internet Engineering Task Force specifications to collect the least-possible amount of infection information to share with other organizations, the official said. We couldn’t reach FS-ISAC, which works closely with DHS and the Treasury Department. Some of the IBG participants are also part of the new “Keep a Clean Machine” educational campaign (http://xrl.us/bm9udz), part of DHS’s Stop. Think. Connect. initiative.
“The issue of botnets is larger than any one industry or country,” and requires consultation with “the widest range of players” in business and government, Schmidt said. DHS aims to build a cyber system that “supports secure and resilient infrastructure, encourages innovation, and protects openness, privacy and civil liberties,” said Secretary Janet Napolitano. “Today’s efforts are only the beginning of the actions we can take” to reduce the toll that botnets take on business, which is increasing “the price of doing business online” and putting U.S. companies “at a competitive disadvantage,” said Patrick Gallagher, director of the National Institute of Standards and Technology.
FCC Chairman Julius Genachowski gave his agency a pat on the back at the event, noting its Communications Security, Reliability and Interoperability Council’s botnet working group came up with its own code of conduct that ISPs representing 90 percent of U.S. Internet subscribers have committed to implementing (CD March 23 p1). Cyberthreats require unique cooperation among the “commercial communications ecosystem,” interagency collaboration and solutions that “preserve Internet freedom and the open architecture of the Internet,” Genachowski said in prepared remarks: The IBG is taking the same “multi-stakeholder model” approach championed by the FCC.
Industry participants have already accomplished a lot in the past four months working on the IBG principles, much faster than government processes typically take, administration officials told reporters. Efforts are focused on communicating with Internet users in ways they can understand and making them appreciate their role in cybersafety, they said. Botnet infections as measured by McAfee were growing by around 4 million a month when the agencies put out their request last fall, and that’s now risen to 5 million new monthly infections, officials said. The industry efforts are separate from other measures to make hardware more secure, such as for the BIOS system that boots up PCs, Franz told reporters. The challenge is how to notify users when they’re infected and tell them how to “remediate” the problem, she said.