DHS and NIST proposal suggests American ISPs should assist in stopping botnets

When I do public speaking, I often rant about how distracted we are by high profile attacks like Stuxnet even though few of us are responsible for protecting nuclear centrifuges.

The vast majority of attacks use our own compromised computers against our own infrastructure. Our identities are being stolen, and we're spamming and DDoS'ing ourselves into oblivion.

So it’s great news that the Department of Homeland Security and National Institute of Standards and Technology have published a request for comment from the community on a proposal for voluntary notification of consumers whose computers are infected by malware.

Considering the large number of unprotected or poorly protected PCs in the United States, I welcome any effort to raise awareness among consumers that their computers are infected.

I think it’s great that the United States is taking this problem seriously and learning from initiatives in Germany, Japan and Australia.

The iCode project in Australia has been operating for some time. Hopefully the US will consult with their teams as well.

I expect that we can also learn a bit from the experience of Comcast, who implemented their own infection notification system last October.

If effective, this initiative could also raise the cost to cybercriminals of renting botnets. As was noted in research on the economics of the pay-per-install malware distribution method, bots are already the most expensive to acquire in the US, Canada and the United Kingdom.

But having ISPs inspect your traffic for potential botnet activity also raises privacy concerns. If we agree to having our packets inspected as they traverse the internet, will the temptation to use this information to track your activities, or sell your surfing habits to marketers, be too great for ISPs to resist?
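To make the trade-off concrete, here is an added example (not code from the original post, and not any ISP's real system) of the kind of ISP-side check being discussed: subscriber flow records are matched against a list of known command-and-control addresses, and only the fields a notification actually needs are kept. The indicator addresses and flow records are constructed for the example (TEST-NET ranges, not real botnet servers); the data-minimisation design, where non-matching traffic is discarded rather than logged, is the point.

```python
"""Flow-based infection spotting with data minimisation.

Added example, not from the original post or any ISP's real system.
The ISP compares each subscriber's flow records against a list of known
command-and-control (C2) addresses. A flow that matches nothing is dropped
on the spot, so the system never accumulates a subscriber's browsing history;
only (subscriber, botnet name, hit count) survives, which is all a
notification needs.
"""
from collections import defaultdict

# Constructed indicator list: hypothetical C2 addresses in TEST-NET ranges.
KNOWN_C2 = {
    "203.0.113.45": "botnet-alpha",
    "198.51.100.7": "botnet-beta",
}

# Constructed flow records: (subscriber_id, destination_ip, destination_port).
FLOWS = [
    ("sub-001", "192.0.2.10", 443),      # ordinary web traffic
    ("sub-001", "203.0.113.45", 8080),   # contacts a known C2 address
    ("sub-001", "203.0.113.45", 8080),   # repeated contact
    ("sub-002", "192.0.2.10", 443),      # clean subscriber
    ("sub-003", "198.51.100.7", 6667),   # one contact with botnet-beta
    ("sub-003", "203.0.113.45", 8080),   # one contact with botnet-alpha
]


def find_infected(flows, indicators, min_hits=1):
    """Return {subscriber_id: [botnet names]} for subscribers whose flows
    reached an indicator at least `min_hits` times.

    `min_hits` is a crude false-positive control: a single stray connection
    (a scanner, a misdirected packet) should not trigger a notification.
    Flows that match no indicator are never retained.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for subscriber, dst_ip, _dst_port in flows:
        name = indicators.get(dst_ip)
        if name is None:
            continue  # ordinary traffic: dropped, not stored anywhere
        hits[subscriber][name] += 1

    infected = {}
    for subscriber, counts in hits.items():
        flagged = sorted(n for n, c in counts.items() if c >= min_hits)
        if flagged:
            infected[subscriber] = flagged
    return infected


def notification_records(infected):
    """Build the minimal records handed to the notification process.

    Deliberately contains no destination addresses, ports or timestamps of
    non-matching traffic: only who to contact and what they were seen talking to.
    """
    return [
        {"subscriber_id": sub, "botnets": names}
        for sub, names in sorted(infected.items())
    ]


if __name__ == "__main__":
    for record in notification_records(find_infected(FLOWS, KNOWN_C2, min_hits=2)):
        print(record)
```

Raising `min_hits` trades sensitivity for fewer false alarms: with a threshold of two, only sub-001 is flagged, while sub-003's single contacts with each botnet are ignored. Whatever threshold is chosen, the privacy property comes from the `continue` on non-matching flows: the inspection sees every packet's destination, but stores nothing about the ones that are not on the indicator list.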

This proposal is in very early stages of development and leaves many questions unanswered. Should enforcement be done by ISPs? Can other private security companies contribute? Who should help the users clean up?

It is clear to me that there are many questions to be answered and challenges overcome to implement this as a policy, but if DHS, NIST, privacy watchdogs and the private sector work together, we can make the net a safer place.

Do you think users should be blocked from the internet if their computers are infected? Who should pay to man the call centers required to support consumers in cleaning up their act? Share your thoughts in the comments below.