Botnets are Best Addressed with Multi-stakeholder Approach

Today, SIIA filed comments in the Departments of Commerce and Homeland Security’s proceedings geared toward addressing the problems of botnets and other malware. The harm from malicious software is well known: it can turn computers into elements of a robot network (or botnet), which can be activated by outside entities to launch denial of service attacks, send spam, or harvest personal information. The extent of the problem is hard to quantify, but in the aggregate it undoubtedly imposes substantial economic costs on individuals and enterprises.

SIIA’s comments are in response to a process set in motion in September, when the Departments of Commerce and Homeland Security set out to craft a framework to address botnets and malware. The proceeding got a boost in October, when Howard Schmidt, Cybersecurity Coordinator for the Obama Administration, and Cameron Kerry, General Counsel for the U.S. Department of Commerce appeared at an event held by the Center for Strategic and International Studies focused on the need for public/private collaboration in fighting malware.

We endorse the fundamental idea of a voluntary approach, in which the government brings together relevant parties to confer on best practices. Our comments support multi-stakeholder discussions on how the private sector can develop and maintain timely and voluntary programs to detect and notify end-users that their machines have been infected with botnets or other malware, and to provide mitigation support that will eliminate these infections. SIIA wants to be part of these ongoing discussions.

Collaboration and cooperation between the public and private sector are key to addressing the problem in a holistic way. Some suggest a government role to subsidize the notification and mitigation efforts needed to clean up infected computers. In this model, researchers inform network companies (or the companies become aware through their own traffic monitoring activity) of the IP addresses of infected computers on their networks. The network companies communicate with the customer whose computer appears to be infected and offer them a government-sponsored clean-up scheme, which they are entitled to use if they wish. Australia, Japan and Germany provide collaborative frameworks that follow this rough model.

In the United States, search engines are already taking steps to warn users that their computers might be infected. In July 2011, Google discovered that some unusual traffic connecting to its search engine was caused by computers infected with a specific strain of malware. Google responded by displaying a prominent warning at the top of its search results page when it appeared that a user’s computer was infected with this malware.

Despite these efforts, SIIA believes that there would be great benefit from further discussion of collaborative efforts to address this problem. We have several points to further the discussion:

* A voluntary code of conduct approach is preferable to regulatory intervention.
* ISPs need to be involved because they have a privileged role in the infrastructure.
* Other participants should include security firms, search engines and computer services companies.

SIIA welcomes this facilitation role in the case of collaborative efforts to manage the botnet problem. We urge that the agencies act as the convener and facilitator, providing a platform for the airing and discussion of the views of industry, non-governmental organizations, technical experts and international participants. We also want to make sure that the codes that emerge from this process are voluntary self-regulatory standards, not de facto regulatory mandates.

For further discussion of the general problem of botnets, see Tyler Moore, Richard Clayton, and Ross Anderson, “Economics of Online Crime,” Journal of Economic Perspectives, Volume 23, Number 3, Summer 2009, Pages 3–20. See also Symantec and McAfee, “Botnets Demystified and Simplified.”

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

Busy week in Washington: Cybersecurity, Privacy, Patent Reform – and ICANN

Cybersecurity / Data Security

The top news on the data security front is the upcoming Commerce Subcommittee legislative hearing on Data Security/Data Breach scheduled for Wednesday morning. Earlier this week, Chairwoman Bono Mack (R-CA) released a discussion draft of the legislation, and a memo summarizing key differences from the legislation that passed the House in the 111th Congress.

On the Administration cyber front, the Dept. of Commerce last week released a report entitled “Cybersecurity, Innovation and the Internet Economy.” SIIA issued a statement supporting the effort to more clearly define the line between “covered critical infrastructure” and the other parts of the Internet economy, and expressing our commitment to work with the Department to refine this definition.

Also out of the Administration last week, NIST held a workshop in conjunction with a Notice of Inquiry (NOI) seeking feedback on a governance structure to advance the National Strategy for Trusted Identities in Cyberspace (NSTIC). More about that here.

Privacy

There are two noteworthy privacy bills in the works in the Senate. Sen. Franken (D-MN) is drafting a mobile privacy bill, and Sen. Pryor (D-AR) is expected to introduce a bill regarding children’s privacy online prior to the July 4th recess. While there may be a Senate Commerce Committee legislative hearing on the Kerry-McCain privacy legislation, the Commercial Privacy Bill of Rights Act (S. 799), as soon as next week, discussions are ongoing within the Committee regarding the official legislative vehicle for advancing Chairman Rockefeller’s (D-WV) priorities in this area, which also include a focus on “tracking” and children’s privacy.

Patent Reform

The House patent reform bill (H.R. 1249) is expected to be considered on the floor later this week. While support for the House bill is broad and bipartisan, budget issues and various amendments could cause the bill to be defeated or strip it of key elements, including the provision allowing the PTO to keep its user fees and the “first to file” provision.

ICANN

ICANN is expected to vote on the new gTLD Applicant Guidebook on June 20. If the Guidebook is approved, the process for introducing hundreds of new gTLDs to the Internet will likely begin sometime next year. Also, the NTIA issued a Further Notice of Inquiry seeking comments on a Draft Statement of Work regarding the IANA functions (the contract for which is currently assigned to ICANN but is up for review). More about that here.

For SIIA policy updates including upcoming events, news and analysis, subscribe to SIIA’s weekly policy email newsletter, Digital Policy Roundup.