dslreports logo

story category
Big ISPs Convince FCC to Scrap CyberSecurity Program
Couldn't Agree to List of Voluntary Security Guidelines
by Karl Bode 09:03AM Tuesday Mar 19 2013
Back in March of last year you might recall that the FCC announced they had cooked up a new voluntary "cybersecurity" program designed to shore up and unify ISP responses to botnets and other security threats. The plan essentially just urged ISPs to voluntary follow a code of practice for shoring up security measures versus botnets, attacks on the Domain Name System (DNS), and Internet route hijacking. The recommendations simply nudged lazy and/or cheap ISPs to do things more security proactive ISPs like Comcast (at least in terms of DNS security) were already doing.

Fast forward a year and the program has now been scrapped entirely. According to the Wall Street Journal, ISPs have managed to bicker their way out of any cybersecurity improvements whatsoever, voluntary or otherwise (the Journal repeatedly incorrectly describes them as regulations). Many don't want to to pay for security upgrades, may not want to be advertised as security incompetents, or in some cases just don't want to acknowledge any FCC authority over them given pending neutrality lawsuits:
"Any connection between the FCC and any statement of what needs to be done in cybersecurity appears to be poison to these companies that control the Internet," said Alan Paller, a co-chairman of the group and founder of the Sans Institute, a cybersecurity research and education institute (and member of the FCC cybersecurity panel)
Given the government's abuse of the term "cybersecurity" and frequent general incompetence when it comes to technology, fear of new regulations on this front is understandable. But in this case, again, all this was was a list of recommendations many ISPs were already following, and may have been a useful nudge for those ISPs with a particular acumen for security incompetence.

topics flat nest 

Brighton, MA

who needs security?

why on Earth would we want a unified cybersecurity program?! psh. that's just too much common sense.

Lavalette, WV

Re: who needs security?

Unified also means implementations are all the same, too.

So, that means good news for hackers, who will have an easier time than they already are at breaking into these 'cybersecure' places.

But, you know, letting people figure out what works for them and not having to do data collection for the government, that is just boulderdash, right?

We obviously need a *unified* program, because making up your own plan, and choosing not to share data with government - these people are obviously doing something wrong.

Brighton, MA

Re: who needs security?

having a unified plan doesn't mean that the plan is set in stone. all parties need to communicate with each other with what works and they need to combine their experiences.


Security = cost

Hardware/software to protect ISP requires costly licensing agreements.
Policing your users can have negative effects (blocking ports and modems because of too much traffic/packets where there is a legitimate reason...backups, server monitoring, etc).

Blocking subscribers means having more staff and support, along with training (we know how this stuff evolves) to deal with the repercussions and correction of the issues.

Customers are ignorant. Heck, I had to deal with a 70yr old that had no idea what her password was or how it was setup. Why the heck are some on the net, let alone allowed to own a computer!
Sorry. Rant.

united state

Re: Security = cost

And getting hacked can cost thousands, up to hundreds esp if sensitive information gets out, more then having security.

But it's big business, so no one expects common sense or intelligent planning, just ceos getting huge bonuses and only planning for the next quarterly earnings.