Australia and neighbouring countries such as Singapore need to lead the push for global cybersecurity compliance between governments, large enterprises and telcos, the former deputy director and chief information officer of the US National Security Agency (NSA), Dr Prescott Winter, has warned.
Winter, who spent more than 27 years with the government agency, commended the Internet Industry Association (IIA) and Australian ISP sector for their collaboration in formulating the Internet Industry Code of Practice - dubbed the “iCode” - and called upon equivalent agencies around the world to adopt similar mechanisms.
The iCode, first released by the IIA in June, is a voluntary and non-binding set of guidelines that calls upon willing service providers to undertake greater customer education, increase network detection for potential security threats, frequently report malicious activity and address compromised PCs on their networks by speed throttling or quarantining the connections of affected users.
The code of practice, according to IIA chief executive, Peter Coroneos, is built on four years of best practice established by the 79 Australian service providers who cooperate in the Australian Communications and Media Authority’s (ACMA) Australian Internet Security Initiative, but in its own right has already garnered support from industry providers and experts ahead of its full implementation on 1 December this year.
While the code is yet to yield any measurable effects by itself, Winter promoted its adoption both in Australia and globally.
“I think it’s a wonderful initiative and I think not only because of its functional benefit, the things I think it could help fix if it were working, but also because it’s something that appears to have originated on the industry side of the ledger, not just mandated by the government,” he said. “That’s one of the biggest problems that we have in the US - everything that has been mandated by the government has almost already run into terrible flak.”
Coroneos welcomed the commendation from Winter, pointing to accelerating international recognition of the iCode from the likes of the OECD, APEC and the US communications watchdog as a sign of Australia’s leadership in the area. Coroneos also briefed White House Cyber Security Chief, Howard Schmidt, on the proposal in May; the IIA chief said Schmidt would like to see it implemented more broadly.
“Peculiar” cultural problems in the United States, according to Winter, prevented the country’s government and industry from providing traditional leadership over such global collaboration, but the lack of regulatory mechanisms in the cybersecurity arena was worrying to the NSA chief. In comparing the internet and cybersecurity to the regulation of the flight industry, Winter pointed to the global bodies and standards that made for safe airspace.
“The European Union actually bans 278 airlines mainly from Africa and the Middle East in the US because the crews and the aircraft are not deemed to be airworthy,” he said.
“We have nothing like that in the internet environment. While it’s easy to understand why you don’t want 250 tonnes of aluminium crashing down on your building, nobody has quite figured out that it’s not too smart to have buckets of contaminated internet traffic flowing through your business. We just don’t see it as much of a threat yet.”
However, according to Winter, greater regulation of rogue internet traffic and higher cybersafety standards would have to come from the private sector, rather than a top-down regulation mechanism from the government. Law enforcement agencies would continue to play a role in helping to mandate take-down notices on identified botnets and compromised networks, but Winter said an industry-led mechanism was the only way forward.
“These problems can only be dealt with in larger frameworks so no individual company or service provider has to be singled out, I think it can only work in the mass sense,” he said.
The code, according to IIA’s Coroneos, was a good example of that.
“I think people are recognising that ISPs are in a position to assist in the broader security landscape and I think the key point is that because the ISPs themselves don’t like to see compromises occurring on their own networks, there is a higher degree of self-interest in ISPs supporting this work and I think that largely explains why to date, there’s been such enthusiasm from the ISP sector in the kind of measures that we’ve codified,” he added.
In addition to the code’s implementation in December, the industry association will also oversee the formation of a website that will provide “comprehensive” information for users whose PCs or devices may have become corrupted for use in a botnet. The web resource will likely form part of the user education programs the IIA is promoting, but may also alleviate the pressures associated with warning compromised internet subscribers or quarantining them, perhaps without warning.
More mature methods of dealing with corrupted PCs - such as automatically directing all web traffic on an infected PC to an education resource - have been implemented in some cases, but are yet to catch on across the industry.
“It needs to happen really fast - we don’t have a century to make it happen,” Winter, now CTO of public sector operations at security firm ArcSight, said.
“If you can hook the Australian enterprise and Australian code of practice to similar kinds of codes of practice in the United States and the other major nations, you can actually start to put some teeth in this thing.”