FCC’S PUBLIC SAFETY AND HOMELAND SECURITY BUREAU REQUESTS COMMENT ON IMPLEMENTATION OF CSRIC III CYBERSECURITY BEST PRACTICES
FOR THE FULL TEXT OF THIS PUBLIC NOTICE PLEASE VISIT FCC COMMISSION DOCS
In March 2012, the FCC’s third Communications Security, Reliability and Interoperability Council (CSRIC III)[i] unanimously adopted voluntary recommendations for Internet service providers (ISPs) to combat three major cybersecurity threats: (1) botnet attacks; (2) domain name fraud; and (3) Internet route hijacking.[ii] Among other stakeholders, leading ISPs participated in the development of these recommendations and publicly committed to implementing them.[iii] The recommendations included voluntary measures in three areas: an Anti-Bot Code of Conduct to mitigate the proliferation of distributed denial of service (DDoS) attacks,[iv] steps to better secure the Domain Name System (DNS) through incremental implementation of DNSSEC, and steps to strengthen the security of the Internet’s inter-domain routing infrastructure.[v]
CSRIC III also recommended that the FCC encourage ISPs to implement source-address filtering to prevent attackers from spoofing IP addresses to launch DDoS attacks. Specifically, CSRIC recommended that the FCC encourage implementation of the following best current practices (BCPs) to mitigate this risk:[vi]
1) BCP 38/RFC 2827 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing;[vii] and
2) BCP 84/RFC 3704 – Ingress Filtering for Multi-homed Networks.[viii]
All CSRIC best practices are available on the Commission’s website in a searchable database.[ix]
[i] CSRIC is a federal advisory committee composed of leaders from the private sector, academia, engineering, consumer/community/non-profit organizations, and government partners from tribal, state, local and federal agencies. See FCC Encyclopedia, Communications Security, Reliability and Interoperability Council III, http://www.fcc.gov/encyclopedia/communications-security-reliability-and-interoperability-council-iii.
[ii] See CSRIC III Final Reports, Working Groups 5, 6, 7, available at http://www.fcc.gov/encyclopedia/communications-security-reliability-and-interoperability-council-iii.
[iii] See AT&T Public Policy Blog: Cybersecurity and the FCC’s CSRIC Recommendations (March 22, 2012), available at http://www.attpublicpolicy.com/cybersecurity/cybersecurity-and-the-fccs-csric-recommendations/; CenturyLink Public Policy Blog: CenturyLink Takes Cybersecurity Seriously (April 2, 2012), available at http://community.centurylink.com/regulatoryblog/2012/04/centurylink-takes-cybersecurity-seriously/; and Comcast Voices: Comcast Applauds Work of the FCC’s CSRIC on Online Security and Safety (March 22, 2012), available at http://corporate.comcast.com/comcast-voices/comcast-applauds-work-of-the-fccs-csric-on-online-security-and-safety.
[iv] In a distributed denial-of-service (DDoS) attack, an attacker uses multiple computers to prevent legitimate users from accessing information or services by sending large amounts of data to a website or spam to particular e-mail addresses. See Security Tip (ST04-015), Understanding Denial-of-Service Attacks, US-CERT, (Feb. 06, 2013), http://www.us-cert.gov/ncas/tips/ST04-015. Source-address spoofing may lead to “attacks where the unreachability of the source can be exploited” by attackers who transmit packets that appear to come from a victim’s IP address. See CSRIC III Working Group 4 Final Report at 18 (March 2013), available at http://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC_III_WG4_Report_March_%202013.pdf (CSRIC III WG4 Report).
[v] See News Release: FCC Advisory Committee Adopts Recommendations to Minimize Three Major Cyber Threats, Including an Anti-Bot Code of Conduct, IP Route Hijacking Industry Framework and Secure DNS Best Practices, (March 22, 2012), available at http://www.fcc.gov/document/csric-adopts-recs-minimize-three-major-cyber-threats.
[vi] CSRIC III WG4 Report at 20.
[vii] See P. Ferguson & D. Senie, Best Current Practice 38, Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing (2000), available at http://tools.ietf.org/html/bcp38.
[viii] See F. Baker and P. Savola, Best Current Practice 84, Ingress Filtering for Multihomed Networks, (2004), available at http://tools.ietf.org/html/bcp84.
[ix] See CSRIC Best Practices, FCC Public Safety and Homeland Security Bureau, https://www.fcc.gov/nors/outage/bestpractice/BestPractice.cfm.