FCC, NIST leading fight against ‘zombie armies’

Botnets are plaguing the Internet. Experts estimate one in 10 computers is infected by malware or a virus that lets bad actors take control of the system and use it to steal information or attack other networks.

Botnets, or zombie armies, are not new, but the increased sophistication of the technology and the widespread use of online services are causing the Federal Communications Commission and the National Institute of Standards and Technology to become more aggressive in stopping them.

The FCC and NIST are teaming with commercial Internet Service Providers (ISPs) on a new Industry Botnet Group (IBG) to help stem the flow of attacks. With more than 80 percent of all federal networks depending on commercial ISPs, the attention to preventing or remediating botnet attacks crosses private and public sectors.

“A botnet infection can lead to monitoring of the consumer’s personal information and communications, and also to exploitation of that consumer’s computing power and Internet access,” said Miriam Perlberg, a senior director for cybersecurity policies on the White House’s National Security Staff, Thursday during a meeting of the FCC’s Communications, Security, Reliability and Interoperability Council in Washington. “Researchers suggest an average of about 4 million new botnet infections occur each new month. The vast majority of botnet attacks occur by using our own computers and our own computing resources to compromise our own infrastructure.”


Perlberg added that botnets damage the economy by increasing the price of doing business and threatening individual privacy.

She said the IBG would focus on four areas:

  • Develop high-level principles for addressing botnets.
  • Develop a strategy to increase public awareness on botnets and related malware, including a focus on prevention and remediation.
  • Use consumer-focused information tools and resources to prevent and remediate botnet infections.
  • Identify inventory measurement standards by collecting progress reports on the botnet environment, the effects of education and the health of the ecosystem.

“These goals draw on the expertise from the widest range of players, led by the private sector, only bringing in government to partner as needed on items like education, consumer privacy and key safeguard,” Perlberg said.

The IBG grew from a request for information NIST issued in September asking for possible requirements and approaches to creating a voluntary code of conduct to address the detection, notification and mitigation of botnets.

NIST will conduct a botnet workshop May 30 in Gaithersburg, Md., to further the discussion about identifying available and needed technologies and tools to recognize, prevent and remediate botnets. The workshop also will explore current and future efforts to develop botnet metrics and methodologies for measuring and reporting botnet metrics over time. Additionally, it will help NIST understand where ecosystem stakeholders are in terms of roles and responsibilities.

New recommendations for ISPs

Along with the new Industry Botnet Group, the FCC’s Communications, Security, Reliability and Interoperability Council approved plans for a voluntary set of standards for ISPs to deal with botnets.

Mike O’Reirdan of the Messaging Anti-Abuse Working Group is the chairman of the working group that developed the report and recommendations. He said the recommendations have five major objectives, including encouraging ISPs to work with customers to help them understand how to make their systems more secure.

The working group also wants service providers, such as AT&T, Verizon, CenturyLink and Comcast, to get involved in detecting botnets on their networks and to notify end users of infections. Most of all, the report recommends ISPs work together more closely.

“An awful lot of the good work that has been done on things like spam has been done because of collaboration and sharing,” O’Reirdan said. “That is the most effective way. The Internet is a collaborative environment, and for us to actually deal with this problem, we need to deal with it in a collaborative manner.”

He emphasized the code of conduct is voluntary, technology neutral and doesn’t prescribe any particular approach.

Julius Genachowski, chairman of the FCC, said many of the major ISPs already have implemented many of the standards called for in the report.

“The work of [the council] that you are all here today for is the FCC’s most significant effort yet to enhance cybersecurity,” he said. “We called on you to develop cybersecurity solutions, real steps that materially will enhance our security and to do it in a way that preserves the ingredients that have and will fuel the Internet’s growth and success.”

Genachowski said the multi-stakeholder approach works best to figure out the best ways to solve problems.

Security begins at the Domain Name System

Along with botnets, the council addressed two other security issues. Working groups released reports on domain name service security (DNSSec) and the development of more secure routing protocols.

DNSSec would ensure the website users go to is the real website and not a spoof where bad actors are trying to steal passwords. DNSSec basically creates a handshake between the user and the website they want to visit.

The working group recommends ISPs use DNSSec at the second-highest level.

“There are degrees of implementation. The highest level would be to actually do the validation,” said Steve Crocker, CEO of Shinkuro and chairman of the working group on DNSSec. “The next level below that would be to implement DNSSec aware resolvers so that if validation is requested by the end system, the capability is provided by the ISP to support that.”

Crocker said that by at least getting to that second level, ISPs could easily turn on full-scale validation. The challenge, however, is getting industries such as banking and healthcare to request the validation, because ISPs don’t want to spend the money to put in the capability if no one will use it.

The secure routing protocols report addresses how to ensure Internet traffic between and among ISPs is secure. Over the years there have been problems, both accidental and malicious, in which messages have been hijacked or spoofed to another address.

The working group recommended a framework for securing these protocols.

Without metrics, none of this matters

The key to all of these efforts is metrics, said Alan Paller, a member of the council and research director for the SANS Institute.

“If we say we will do something and it matters to the country, we need to be able to measure how effective we are,” Paller said. “If we don’t have the measurement system in place, that’s the first task, not the voluntary code, because a voluntary code without a measurement system is the same as no code. A measurement system is a prerequisite for having any confidence that we are actually attacking the problem rather than just a marketing program for ISPs.”

All three working groups said they would be working on metrics over the next six months. The NIST workshop also will address metrics to analyze how effective the tools and technologies are in stopping botnets.

“We are not just issuing reports today, although these reports are important. We are talking about companies that serve more than 80 percent of the country’s Internet users already committing to these meaningful solutions to specific cybersecurity challenges,” Genachowski said. “We expect that other companies will join in committing to implement these recommendations as well, and [the council’s] voluntary cybersecurity measures will soon become standard operating procedures.”