Under the Federal Communications Commission’s (FCC’s) Open Internet rules, ISPs cannot prohibit the attachment of “non-harmful devices” to their networks. It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the “network” – whether the ISP’s own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area.
DDoS attacks can be powerful tools for censorship, criminal extortion, or nation-state aggression. Tools such as Mirai source code, amplified by an embedded base of insecure devices worldwide, accomplish more than isolated nuisance; these are capabilities – weapons even – that can debilitate entire ranges of economic activity. While the internet was not designed with security in mind, its resiliency – which serves as its animating principle – is now being undermined.
I respectfully request that you respond to the following questions:
1. What types of network management practices are available for internet service providers to respond to DDoS threats? In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing “traffic that constitutes a denial-of-service attack on specific network infrastructure elements.” Is it your agency’s opinion that the Mirai attack has targeted “specific network infrastructure elements” to warrant a response from ISPs?
2. Would it be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses? Would such practices require refactoring of router software, and if so, does this complicate the feasibility of such an approach?
3. What advisories to, or direct engagement with, retailers of IoT devices have you engaged in to alert them of the risks of certain devices they sell? Going forward, what attributes would help inform your determination that a particular device poses a risk warranting notice to retailers or consumers?
4. What strategies would you pursue to take devices deemed harmful to the network out of the stream of commerce? Are there remediation procedures vendors can take, such as patching? What strategy would you pursue to deactivate or recall the embedded base of consumer devices?
5. What consumer advisories have you issued to alert consumers to the risks of particular devices?
6. Numerous reports have indicated that users often fail to install relevant updates, despite their availability. To the extent that certain device security capabilities can be improved with software or firmware updates, how will you ensure that these updates are implemented?