Internet Industry Association

The Internet Industry Association (IIA) has released a draft eSecurity code to guide ISPs in improving net security for its users throughout Australia 

The extent of the growing zombie botnet problem in Australia is not well understood. Nor are its implications clear for the integrity of our networks, and confidence of businesses and users who traverse them.

To that end, the IIA has kicked off a process to provide standardised messaging to users whose computers exhibit the attributes of major malware infection. There is also scope to expand the scheme to include remediation of affected machines once the user is notified and the problem established.

Launched on 10 June 2009 by the Minister Senator Stephen Conroy, the gathering of regulators, ISPs, security vendors and consumer representatives ended the session with enthusiastic agreement to support the development of IIA’s new eSecurity Code which will be a first in systematically addressing the problem on a national scale.

The growing malware problem in Australia has implications for both end user privacy and identity protection, spam, online fraud and other forms of cybercrime and national security. That’s a big list of ills to be addressing, all the more reason why work done in this area will produce multiple benefits. The underlying driver for this work is the win-win outcome we can facilitate for both network providers and their users. The short point is it’s in noone’s interests to have compromised machines running amok in Australia.

Our indicative timetable envisages Code finalisation by December 2009.

The underlying principles that will guide the development of the new Code include:

1. The Code will be voluntary.
2. The Code will be flexible and allow for a range of responses according to ISPs’ circumstances.
3. The development of a Code is predicated on a recognition that compromised computers represent a threat to the integrity of networks.
4. The privacy of end users is paramount; it must be made clear that the program would not require the surveillance of individual online activity.
5. The Code should contain a statement of the potential benefits of the program including the protection of privacy and identity of individuals who would otherwise be at risk if their computers became/remained compromised.
6. The Code should define the problem – what is a compromised computer and how do you know if you have one.
7. The Code should link back to the IIA Spam Code of Practice, but would not duplicate provisions therein.
8. The Code should draw upon existing best practices ISPs were currently undertaking.
9. The Code should provide a list of resources that ISPs could access to provide intelligence on sources of attack.
10. The Code may make provision for the use of a trust-mark to signify to users that the ISP was Code compliant. [The image of a tortoise was mooted.]
11. The Code should recognise that some attacks are worse than others and ISPs should make provision for prioritisation or deprioritisation, as the case may be, of action depending on the nature of the threat.
12. Education will be a key element of the strategy.
13. The Code will be reviewed within 12 months of its implementation.

The proceedings from the June 10 workshop are available as part of series of 100 “tweets” found at www.twitter.com/IIAComms 10 June 2009.

The Code will be called the IIA eSecurity ISP Code of Practice: A Voluntary Code Outlining Best Practice Industry Standards for eSecurity in Australia.

A drafting committee has been formed and Code writing will shortly commence. IIA members will be consulted during the development process to ensure that all views are taken on board.

The code will also build on the wok of ACMA's Australian Internet Security Initiative (AISI).

ISPs interested in contributing to this important initiative are encouraged to join the AISI initiative.