An interesting development occurred in the USA yesterday when, for the first time, the Federal Communications Commission (FCC) announced a new Voluntary Code of Conduct for consumer broadband ISPs and network operators called the Anti-Bot Code of Conduct (ABC). The code is designed to help internet providers tackle Botnets (i.e. Trojan / Virus / Malware infected computers).
Botnets are a huge problem. Infected computers tend to spew out the vast majority of all junk email (SPAM) messages, while others can be harnessed and used by hackers to cripple online services. Creation of a Botnet in the UK would be a breach of the Computer Misuse Act but such laws have so far had little impact.
In fairness all UK ISPs have rules against such abuse (Acceptable Use Policy [AUP]) and some even take direct action against it. For example, Virgin Media’s recent Malware Defence Campaign worked with online security groups to identify and issue warning letters to internet access customers whom it believed could have had their computers infected by malicious software.
A Virgin Media Spokesperson said:
“Malware is a growing problem and an issue that can have incredibly damaging effects on those that are unfortunate to suffer from an infection. Despite many ISPs such as Virgin Media providing free security packages to protect users from such infections, if these are not updated correctly, computers can remain at risk of new infections. As a result, Virgin Media takes a proactive approach to tackling malware, sending letters to customers that have been identified as being affected by some of the more serious malware infections on the internet. We believe this approach, coupled with customer vigilance, will help to increase awareness to help combat this issue, however we would also welcome any collective industry approaches to help tackle malware more comprehensively.”
The problem is that such schemes are not widely adopted and, as this 2010 report from the OECD shows, they usually only catch a small proportion of infected customer computers. So perhaps it’s time for the UK to stop sidelining this problem and more proactively follow the USA’s example, where participating ISPs are required to “take meaningful action” in each of the following areas.
USA/FCC’s Anti-Bot Code of Conduct
* Education – an activity intended to help increase end-user education and awareness of botnet issues and how to help prevent bot infections
* Detection – an activity intended to identify botnet activity in the ISP’s network, obtain information on botnet activity in the ISP’s network, or enable end-users to self-determine potential bot infections on their end-user devices
* Notification – an activity intended to notify customers of suspected bot infections or enable customers to determine if they may be infected by a bot
* Remediation – an activity intended to provide information to end-users about how they can remediate bot infections, or to assist end-users in remediating bot infections
* Collaboration – an activity to share with other ISPs feedback and experience learned from the participating ISP’s Code activities
Nobody is suggesting that such a code would completely eradicate the problem of Botnets but a more coordinated response would surely help to reduce the level of end-user bots and make the internet a more secure place. Most of the ABC’s rules are already being employed by ISPs anyway so surely now is the time to tackle the problem head-on, while also helping consumers to identify which providers take the problem seriously.
UPDATE 24th March 2012
Added a comment from Virgin Media.