Botnets are Best Addressed with Multi-stakeholder Approach

Today, SIIA filed comments in the Departments of Commerce and Homeland Security’s proceedings geared toward addressing the problems of botnets and other malware. The harm from malicious software is well known–it can turn computers into elements of a robot network (or botnet), and can be activated by outside entities to launch denial of service attacks, send spam, or harvest personal information. The extent of the problem is hard to quantify, but in the aggregate undoubtedly imposes substantial economic costs on individuals and enterprises.

SIIA’s comments are in response to a process set in motion in September, when the Departments of Commerce and Homeland Security set out to craft a framework to address botnets and malware. The proceeding got a boost in October, when Howard Schmidt, Cybersecurity Coordinator for the Obama Administration, and Cameron Kerry, General Counsel for the U.S. Department of Commerce appeared at an event held by the Center for Strategic and International Studies focused on the need for public/private collaboration in fighting malware.

We endorse the fundamental idea of a voluntary approach, in which the government brings together relevant parties to confer on best practices. Our comments support mult-stakeholder discussions on how the private sector can develop and maintain timely and voluntary programs to detect and notify end-users that their machines have been infected with botnets or other malware and provide mitigation support that will eliminate these infections.  SIIA wants to be part of these ongoing discussions.

Collaboration and cooperation between the public and private sector are key to addressing the problem in a holistic way. Some suggest a government role to subsidize the notification and mitigation efforts needed to clean up infected computers.  In this model, researchers inform network companies (or they become aware through their own traffic monitoring activity) of IP addresses of infected computers on their networks. The network companies communicate with the customer whose computer appears to be infected and offer them a government- sponsored clean-up scheme, which they are entitled to use if they wish. Australia, Japan and Germany provide a collaborative framework that follow this rough model.

In the United States, search engines are already taking steps to warn users that their computers might be infected. In July 2011, Google discovered that some unusual traffic connecting to its search engine was caused by computers infected with a specific strain of malware.  Google responded by displaying a prominent warning at the top of its search results page when it appeared that a user’s computer was infected with this malware.

Despite these efforts, SIIA believes that there would be great benefit from further discussion of collaborative efforts to address this problem. We have several points to further the discussion:

*  A voluntary code of conduct approach is preferable to regulatory intervention.
*  ISPs need to be involved because they have a privileged role in the infrastructure.
*  Other participants should include security firms, search engines and computer services companies.

SIIA welcomes this facilitation role in the case of collaborative efforts to manage the botnet problem.  We urge that the agencies act as the convener and facilitator providing a platform for the airing and discussion of the views of industry, non-governmental organizations, technical experts and international participants.  We also want to make sure that the codes that emerge from this process are voluntary self-regulatory standards, not de facto regulatory mandates.

For further discussion of the general problem of botnets, see Tyler Moore, Richard Clayton, and Ross Anderson Economics of Online Crime, Journal of Economic Perspectives, Volume 23, Number 3, Summer 2009, Pages 3–20. See also Symantec and McAfee, Botnets Demystified and Simplified.

Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.