ISPs should disconnect spyware-infected machines, Parliamentary report recommends

Computers infected with spyware or that do not have firewall protection should be disconnected by internet service providers and an industry code of practice should be established in order to combat cybercrime, a Parliamentary committee on internet security has recommended.

However, some industry figures have spoken out against the recommendations, saying they will dictate what ISPs can or cannot do.

The Hackers, Fraudsters and Botnets report, tabled by the House of Representatives Standing Committee on Communications, recommends that a requirement be introduced for ISPs to ensure customers have adequate protection before heading online.

The report, which tackles a number of internet security issues including identity theft, says cybercrime has grown from an annoyance into an “organised transnational crime” committed for profit.

As a result, one of its recommendations states ISPs should adhere to “acceptable use policies”. These would include contractual obligations that require any customer to install anti-virus software and firewalls before an internet connection is activated, and promise to keep that software up to date.

Additionally, the report states that ISPs would, under the plan, take “reasonable steps to remediate their computers when notified of suspected malware compromise”.

Other recommendations include making ISPs provide basic security advice when an account is set up to help users avoid spyware infections, making ISPs inform users when their IP address has been listed as infected and creating clear policies on “disconnection until the infected machine is remediated”.

This may actually mean users would be unable to access the internet unless their computer is deemed safe by a third party.

But Colin Jacobs, head of lobby group Electronic Frontiers Australia, told SmartCompany the idea of maintaining up-to-date anti-spyware protection on millions of machines is impractical.

“Our thoughts are that it’s impractical; people have all sorts of devices connected to the internet, and finding out whether people have software installed could hurt the problem. It’s good that ISPs are doing something about spyware and botnets, but we think this raises more problems.”

“We’re in favour of proactive action combating malware infestations and botnets, but we have some serious questions as to the practicality of it.”

However, committee chairwoman Belinda Neal said in the report that the internet industry must accept that “commercial gains also carry social responsibilities”, given that cybercrime is so widespread.

“The private sector must also play its part. The Internet industry has to accept that commercial gains also carry social responsibilities. IT manufacturers also need to give a higher priority to security through better product testing, design and the provision of information to support informed consumer choices,” Neal said in the report.

“The private sector, especially IT manufacturers, Internet Service Providers and web hosting companies, and the Domain Name Registrars and Resellers, all bear some corporate social responsibility to promote the integrity of the Internet.”

The report recommends that “the Australian Communications and Media Authority further increase its access to network data for the purpose of detecting malware compromised computers”.

“This should include active consideration of how to increase access to network data held by global IT security companies and, in consultation with relevant departments, whether legal protections to address commercial, regulatory and privacy concerns are desirable.”

Nationals MP and committee member Kay Hull told Parliament today there must be more reason for ISPs to engage with customers regarding cybercrime attempts.

“It is very telling to note that there are few obligations on ISPs, few obligations on retailers and few obligations on consumers themselves,” she said. “ISPs need to be more vigilant with consumers when they are taking out their accounts.”

Others in the internet industry also say the report is too harsh.

The Internet Industry Association’s Peter Coroneos told the AFR the very notion of making ISPs disconnect users based on spyware attacks goes too far.

“Moving to a position of threats is unlikely to be seen as practicable,” he said. “We have to respect consumer sovereignty…we are reaching the limits of the government as a protector.”

However, Alastair MacGibbon, former director of the AFP Australian High Tech Crime Centre and eBay security head, has said ISPs should be able to monitor user machines and block them if software is not up to date.

Another major recommendation in the report was that an Office of Online Security be established, headed by a Cyber Security Coordinator with “expertise in cybercrime and security”.

This office would allow 24/7 reporting and assistance for users facing cybercrime threats, and would assist in an education campaign for users to become more aware of different types of cybercrime, and methods of fixing computers.

The report focused quite heavily on the use of botnets, networks of compromised computers that attackers control remotely. The Australian Communications and Media Authority told the committee that more than 10,000 Australian computers are affected by botnets each day.

Other recommendations include that:

• The Government should appoint an agency to conduct a “stock take” of current sources of data and research on cybercrime.

• Consumer law should be effectively asserted against cybercrime perpetrators outside Australia.

• The Productivity Commission should commence an in-depth investigation and analysis of the economic and social costs of the lack of security in IT hardware and software, and its effect on the economy.

• This inquiry should also address the merits of introducing regulation under existing consumer laws, which would include compulsory testing and evaluation of IT products.

• The Privacy Commissioner should make sure that overseas organisations use the personal information of Australians in a law-abiding manner.

• The Department of Broadband and Communications should implement a “health style” campaign that uses media to deliver messages on cyber security issues.

The report also proposes a number of new offences to be considered, including making it an offence to make, supply or use identification information with the intention of passing yourself off as another person to commit an indictable offence. This offence would carry a maximum of five years’ imprisonment.

Additionally, the committee proposes making it an offence to possess information with the intention that any other person would use that information to commit an indictable offence. This would carry a maximum of three years’ imprisonment.

Opposition communications spokesman Tony Smith said in written remarks he approved of many of the report’s recommendations.