AGENCIES:

U.S. Department of Commerce, National Institute of Start Printed Page 58467Standards and Technology; U.S. Department of Commerce, National Telecommunications and Information Administration; and U.S. Department of Homeland Security, National Protection and Programs Directorate.

ACTION:

Request for Information.

SUMMARY:

The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets.^[1] Over the past several years, botnets have increasingly put computer owners at risk. A botnet infection can lead to the monitoring of a consumer's personal information and communication, and exploitation of that consumer's computing power and Internet access. Networks of these compromised computers are often used to disseminate spam, to store and transfer illegal content, and to attack the servers of government and private entities with massive, distributed denial of service attacks. The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets' illicit use of computer equipment.

DATES:

Comments are due on or before 5 p.m. EDT, November 4, 2011.

ADDRESSES:

Written comments may be submitted by mail to the National Institute of Standards and Technology at the U.S. Department of Commerce, 1401 Constitution Avenue, NW., Room 4822, Washington, DC 20230. Submissions may be in any of the following formats: HTML, ASCII, Word, rtf, or pdf. Online submissions in electronic form may be sent to Consumer_Notice_RFI@nist.gov. Paper submissions should include a compact disc (CD). CDs should be labeled with the name and organizational affiliation of the filer and the name of the word processing program used to create the document. Comments will be posted at http://www.nist.gov/​itl/​.

FOR FURTHER INFORMATION CONTACT:

Jon Boyens, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899, jon.boyens@nist.gov. Please direct media inquires to NIST's Office of Public Affairs at (301) 975-NIST.

SUPPLEMENTARY INFORMATION:

Background

The U.S. Department of Commerce (Commerce) recently issued a “Green Paper” ^[2] that suggests that voluntary codes of conduct ^[3] developed through a multi-stakeholder process can significantly advance efforts to protect the Internet from the growing security threats. One of the policy recommendations put forth was for Commerce to expand its role of working with multiple stakeholders to facilitate and promote the use of voluntary codes of conduct. Though the responses to the Green Paper are still being analyzed, it is clear that this facilitating role in the area of codes of conduct is seen as vital to advancing industry efforts in specific areas.

The U.S. Department of Homeland Security (DHS) has played an essential role in building cybersecurity educational programs for consumers. DHS's educational programs emphasize that every Internet consumer has a role to play in securing cyberspace and in ensuring the safety of ourselves, our families, and our communities online. DHS has a variety of outreach programs; most notable from a consumer perspective are the National Cybersecurity Awareness Month and Campaign. Each October DHS hosts events to encourage consumers to follow a few simple steps to keep themselves safe online. The Awareness Campaign “Stop. Think. Connect.” is a year-round program that helps consumers become more aware of growing threats and arms them with tools to protect themselves.

While security risks on the Internet exist in many areas, one current widely exploited threat comes from `botnets.' Through this Request for Information and any follow-on work, the two Departments aim to reduce the harm that botnets inflict on the nation's computing environment.

To build a botnet, intruders exploit security flaws in the hardware and/or software used by individual consumers, and they install malicious software that connects the consumer's computer into a remotely controlled network of many computers. Once compromised, the owners of these computers are put at risk. Criminals have the ability to access personal information stored on the computer and communications made with the computer. Criminals can exploit this information for identity theft, privacy violations, and other crimes, as well as utilize the impacted users' computing power and Internet access. Networks of these compromised computers are often used to disseminate spam, store and transfer illegal content, and attack the servers of government and private entities with distributed denial of service attacks. Researchers suggest an average of about 4 million new botnet infections occur every month.^[4]

The Departments are concerned about the potential economic impact of botnets and the problems they cause to computer systems, businesses, and consumers. To address these problems, it is necessary to stop botnets from propagating and to remove or mitigate the malicious software (malware) where installed. Companies and consumers may be able to voluntarily address some of these issues, but to fully address the problem, they will need to work together to clean and better protect computers. This will require voluntary efforts on many fronts, including better standards and procedures to secure systems.

One strategy that security experts suggest has been successful in stemming the tide of botnets has been for private sector entities to voluntarily and timely detect and notify end-users that their machines have been infected. This voluntary notification has mostly, though not always, come from the user's Internet Service Provider (ISP), which has contact information for the end-user and a pre-existing relationship. Once a service provider has detected a likely end-user security problem, it can inform the Internet user of the steps the user can take to address the problem. For example, last year in Australia, the Internet Industry Association in conjunction with the Minister for Broadband, Communications and the Digital Economy launched a voluntary code of practice for Australian ISPs to ensure consistent notification and remediation of consumer computer problems created by botnets. Once notified of a botnet infection, the consumer is sent to a website with information to help clean up his or her Start Printed Page 58468computer.^[5] Germany ^[6] and Japan ^[7] have begun similar efforts. Several U.S. companies seem to be engaged in similar types of practices, though without a code of conduct in place, and standards organizations ^[8] have been discussing standards for botnet detection. Last December the Federal Communication Commission's (FCC's) Communications Security, Reliability and Interoperability Council (CSRIC) Working Group (WG) 8 recommended 24 Best Practices to address botnet protection for end-users as well as for the network.^[9] The Best Practices cover several areas including prevention, detection, notification and mitigation, and identified means to address externalities such as privacy concerns. The Best Practices identified are primarily for use by ISPs that provide direct service to end-users on residential broadband networks. However, they may apply to other end-users and networks as well. The Internet Engineering Task Force also has developed a draft “Recommendation for the Remediation of Bots in ISP Networks.” ^[10]

Incentives and Voluntary Approaches

To promote voluntary best practices in botnet detection, notification and mitigation, one suggestion has been to provide companies that take action with certain types of liability protection in order to foster greater marketplace certainty. Another suggestion is to encourage ISPs to send consumer support queries to a centralized consumer resource center that could be supported by a wide number of players.^[11] Such a resource center could reduce the burden on corporate customer support centers by pooling resources. The center could aid consumers by, for example, providing certain no-cost means of support, as well as information on other means for expedited support. This center could also be used to facilitate information sharing and research that could lead to better botnet detection. Moreover, as a “condition of sponsorship” private sector entities could be required to adopt an agreed upon set of practices.

There are many different ways that such a resource center could be created, including some that help encourage innovation in preventative security models and/or directly aid consumers in cleaning their machines. Below are three very broad scenarios proposed to help focus comment on possible voluntary approaches:

A. Private-Sector Run and Supported—Under this scenario, the private sector would create, run, and fund a resource center to inform and educate consumers who have been notified that their equipment may be infected by a botnet. This service could be run by a new or existing non-profit or for-profit entity depending on the needs and the model created.

B. Public/Private Partnership—Under this scenario, the government and private sector would work together to create a resource to inform and educate consumers who have been notified that their equipment may be infected by a botnet. These services could be provided through a non-profit or quasi-governmental entity depending on the needs and the model created.

C. Government Run and Supported—Under this scenario, the government would create a centralized resource to inform and educate consumers who have been notified that their equipment may be infected by a botnet. These centralized services would be provided by a government agency with some substantive input from the private sector, perhaps through a Federal Advisory Committee.

Request for Information. Recognizing the seriousness of the threat from, and potential harm caused by, botnets, Commerce and DHS are issuing this Request for Information to solicit information on: the need for a voluntary code of conduct for consumer notifications on botnets; how private entities might help prevent and identify botnets and certain types of malware on systems and networks; how to mitigate and notify users about botnets—on systems and networks; how to help promote incentives for companies to participate in voluntary notification efforts; and how to help build related resources in the United States for ISPs or other entities to notify consumers.

The questions below are to assist in framing the issues and should not be construed as a limitation on comments. The Departments invite comment on the full range of issues that may be presented by this Request for Information. Comments that contain references, studies, research and other empirical data that are not widely published should include copies of the referenced materials with the submitted comments.

A. General Questions on Practices To Help Prevent and Mitigate Botnet Infections

(1) What existing practices are most effective in helping to identify and mitigate botnet infections? Where have these practices been effective? Please provide specific details as to why or why not.

(2) What preventative measures are most effective in stopping botnet infections before they happen? Where have these practices been effective? Please provide specific details as to why or why not.

(3) Are there benefits to developing and standardizing these practices for companies and consumers through some kind of code of conduct or otherwise? If so, why and how? If not, why not?

(4) Please identify existing practices that could be implemented more broadly to help prevent and mitigate botnet infections.

(5) What existing mechanisms could be effective in sharing information about botnets that would help prevent, detect, and mitigate botnet infections?

(6) What new and existing data can ISPs and other network defense players share to improve botnet mitigation and situational awareness? What are the roadblocks to sharing this data?

(7) Upon discovering that a consumer's computer or device is likely infected by a botnet, should an ISP or other private entity be encouraged to contact the consumer to offer online support services for the prevention and mitigation of botnets? If so, how could support services be made available? If not, why not?

(8) What should customer support in this context look like (e.g., web information, web chat, telephone support, remote access assistance, sending a technician, etc.) and why?

(9) Describe scalable measures parties have taken against botnets. Which scalable measures have the most impact in combating botnets? What evidence is available or necessary to measure the impact against botnets? What are the Start Printed Page 58469challenges of undertaking such measures?

B. Effective Practices for Identifying Botnets

(10) When identifying botnets, how can those engaged in voluntary efforts use methods, processes and tools that maintain the privacy of consumers' personally identifiable information?

(11) How can organizations best avoid “false positives” in the detection of botnets (i.e., detection of behavior that seems to be a botnet or malware-related, but is not)?

(12) To date, many efforts have focused on the role of ISPs in detecting and notifying consumers about botnets. It has been suggested that other entities beyond ISPs (such as operating system vendors, search engines, security software vendors, etc.) can participate in anti-botnet related efforts. Should voluntary efforts focus only on ISPs? If not, why not? If so, why and who else should participate in this role?

C. Reviewing Effectiveness of Consumer Notification

(13) What baselines are available to understand the spread and negative impact of botnets and related malware? How can it be determined if practices to curb botnet infections are making a difference?

(14) What means of notification would be most effective from an end-user perspective?

(15) Should notices, and/or the process by which they are delivered, be standardized? If so, by whom? Will this assist in ensuring end-user trust of the notification? Will it prevent fraudulent notifications?

(16) For those companies that currently offer mitigation services, how do different pricing strategies affect consumer response? Are free services generally effective in both cleaning computers and preventing re-infection? Are fee-based services more attractive to certain customer segments?

(17) What impact would a consumer resource center, such as one of those described above, have on value-added security services? Could offers for value-added services be included in a notification? If not, why not? If so, why and how? Also, how can fraudulent offers be prevented in this context?

(18) Once a botnet infection has been identified and the end-user does not respond to notification or follow up on mitigating measures, what other steps should the private sector consider? What type of consent should the provider obtain from the end-user? Who should be responsible for considering and determining further steps?

(19) Are private entities declining to act to prevent or mitigate botnets because of concerns that, for example, they may be liable to customers who are not notified? If so, how can those concerns be addressed?

Best Practices for Consumer Notification

(20) Countries such as Japan, Germany, and Australia have developed various best practices, codes of conduct, and mitigation techniques to help consumers. Have these efforts been effective? What lessons can be learned from these and related efforts?

(21) Are there best practices in place, or proposed practices, to measure the effectiveness of notice and educational messages to consumers on botnet infection and remediation?

D. Incentives To Promote Voluntary Action To Notify Consumers

(22) Should companies have liability protections for notifying consumers that their devices have been infected by botnets? If so, why and what protections would be most effective in incentivizing notification? If not, why not? Are there other liability issues that should be examined?

(23) What is the state-of-practice with respect to helping end-users clean up their devices after a botnet infection? Are the approaches effective, or do end-users quickly get re-infected?

(24) What agreements with end-users may need modification to support a voluntary code of conduct?

(25) Of the consumer resource scenarios described above, which would be most effective at providing incentives for entities to participate? Are there other reasons to consider one of these approaches over the others?

(26) If a private sector approach were taken, would a new entity be necessary to run this project? Who should take leadership roles? Are the positive incentives involved (cost savings, revenue opportunity, etc.) great enough to persuade organizations to opt into this model?

(27) If a public/private partnership approach were taken, what would be an appropriate governance model? What stakeholders should be active participants in such a voluntary program? What government agencies should participate? How could government agencies best contribute resources in such a partnership?

(28) If a government-run approach were taken, what government agencies should play leading roles?

(29) Are there other approaches aside from the three scenarios suggested above that could be used to create a consumer resource and to incentivize detection, notification, and mitigation of botnets?

(30) Are there other positive incentives that do not involve creation of an organized consumer resource that could encourage voluntary market-based action in detection, notification, and mitigation of botnets?

Footnotes