ISPs expected to adopt new security code of practice

The local ISP industry is expected to take up the Australian Internet Industry's (AII) new voluntary code of practice on cyber security, but some doubts over the plan have been expressed.

iiNet’s head of regulatory affairs Steve Dalby said the ISP intended to support the new code.

“iiNet is intending to adopt the code, which comes into effect in December,” he said. “We will consider any process changes required before that date but don’t expect adoption will pose any difficulties or significant changes. “

Dalby added that the ISP did not view the new code as a means for addressing issues that the Federal Government’s mandatory ISP-level filter was officially supposed to address.

“There is no commonality of purpose, of this code, with a filter designed to block websites,” he said.

An Optus spokesperson confirmed that the telco had participated in the development of the Code, and supported a self-regulatory approach to promoting cyber-safety.

“Part of the iCode is based on the ACMA Australian Internet Security Initiative, which Optus has participated in since its inception,” the spokesperson said.

“We are supportive of the Code as it is aimed at educating consumers to protect themselves online, as well as detailing mechanisms for ISPs to protect their networks from the impacts of compromised computers.”

The code has also been endoresed by the IT security industry. In a blog post, Sophos Head of Technology APAC Paul Ducklin, said he was supportive of the initiative, but had some reservations.

“Some of these interventions are, by design, annoying and disruptive to the infected user,” the post reads. “But since zombified users are, in turn, disruptive to the rest of us, I urge you to support the concept of the IIA's iCode.”

“Let's be quite clear: this is not a code for snooping, or for surveillance, or for censorship. It is not a code which plays into the hands of the movie or the music industry's quest for ISP-based copyright enforcement. It is not any sort of mandatory internet filter. The code explicitly states that the privacy of customers is paramount – and zombification is, after all, a major risk to privacy, since it gives cybercriminals unregulated remote access to your PC and its data.”

As the iCode’s goal was to reduce the number of zombie PCs, ISPs should be encouraged to adopt it, Ducklin wrote.

“And be prepared to explain to any of your friends and family who may have their internet access restricted due to zombie activity on their PCs that their minor inconvenience really is for the greater good of all,” the post reads.

Imperva has also backed the IIA's initiative, but similarly acknowledged that consumers may have reservations about being quarantined in if their PCs become infected.

"This move is to be applauded and while it’s certain to generate an outcry from some quarters, will only temporarily block an infected users' ability to generate spam," Imperva CTO Amichai Shulman said in a statement. "It won't affect their ability to surf the Internet or access a Webmail account.”

"The IIA says the code of conduct will give customers greater levels of confidence in the security of their Internet connections, as well as helping to reduce the levels of zombie infections actively connected to the Internet."

However Computerworld Australia understands that some ISPs may have reservations about the effectiveness of the code as an agent of positive change as many ISPs are already carrying out many of the measures it recommends.

Further, the code also fails to address the role vendors play in creating software which leaves users’ PCs vulnerable to becoming part of a botnet.

It also takes a view of ISPs as being responsible for traffic originated and requested by end users, rather than one which sees ISPs simply being conduits of data originated and requested by third parties.