Today, an important step was taken in the fight against badware on consumer devices in the U.S. An advisory group to the Federal Communications Commission known as CSRIC III voted unanimously to release the U.S. Anti-Bot Code of Conduct for Internet Service Providers. Known as the ABCs for ISPs, or simply "the Code," this voluntary set of guidelines encourages ISPs to engage in bot education, detection, notification, remediation, and collaboration. Several major ISPs—AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, and Verizon—committed to adopting the Code and two other security-related sets of recommendations released by CSRIC. The documents will be available soon on the CSRIC III web page.
I served on the group that developed the Code, the elegantly named CSRIC III Working Group 7. (Last week, I explained why fighting botnets is critical to StopBadware's mission to make the Web safer.) The finished product is a testament to the collaborative spirit of the group's members and the fearless leadership of the group's chairman, Mike O'Reirdan.
There is, of course, room for criticism of the Code. I was, for example, disappointed that telling customers "go to this website to check if we've found bot traffic from your IP address" is considered a valid form of customer notification. The lack of any formal system to track which ISPs have agreed to adopt the Code (let alone verify that they're actually following it) is also frustrating. If it had been up to me, I also would have more closely mimicked Australia's model, which supplements the code of conduct with a national data clearinghouse of bot detection data.
Still, with all these complaints, we should consider the Code a step forward. With broad support (and substantial early adoption) from the ISP industry, it's clear that millions of U.S. consumers will soon have more information to help them prevent badware, to learn if their devices are infected, and to assist them in cleaning their devices up. And the Code's requirement that ISPs share information should help drive improved measurement and better anti-bot strategies.
Several groups, including MAAWG, the Industry Botnet Group, OTA, and even CSRIC III Working Group 7, continue to build upon the work done to date. There's still plenty to be done, but it's great to see so much movement in the right direction.