Federal Communications Commission

PSHSB Seeks Comment on CSRIC III Cybersecurity Best Practices

Released: July 25, 2014

PUBLIC NOTICE

Federal Communications Commission

News Media Information 202 / 418-0500

445 12th St., S.W.

Internet: http://www.fcc.gov

Washington, D.C. 20554

TTY: 1-888-835-5322

DA 14-1066

Released: July 25, 2014

FCC’S PUBLIC SAFETY AND HOMELAND SECURITY BUREAU REQUESTS COMMENT

ON IMPLEMENTATION OF CSRIC III CYBERSECURITY BEST PRACTICES

In March 2012, the FCC’s third Communications Security, Reliability and Interoperability

Council (CSRIC III)1 unanimously adopted voluntary recommendations for Internet service providers

(ISPs) to combat three major cybersecurity threats: (1) botnet attacks; (2) domain name fraud; and (3)

Internet route hijacking.2

Among other stakeholders, leading ISPs participated in the development of

these recommendations and publicly committed to implementing them.3 The recommendations included

voluntary measures in three areas: an Anti-Bot Code of Conduct to mitigate the proliferation of

distributed denial of service (DDoS) attacks,4 steps to better secure the Domain Name System (DNS)

through incremental implementation of DNSSEC, and steps to strengthen the security of the Internet’s

inter-domain routing infrastructure.5

CSRIC III also recommended that the FCC encourage ISPs to implement source-address filtering

to prevent attackers from spoofing IP addresses to launch DDoS attacks. Specifically, CSRIC

recommended that the FCC encourage implementation of the following best current practices (BCPs) to

mitigate this risk:6

1) BCP 38/RFC 2827 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing;7 and

2) BCP 84/RFC 3704 – Ingress Filtering for Multi-homed Networks.8

All CSRIC best practices are available on the Commission’s website in a searchable database.9

Since CSRIC III adopted these important recommendations, stakeholders have not yet provided

the FCC’s Public Safety and Homeland Security Bureau (Bureau) information regarding their

implementation that is sufficient for a meaningful understanding of either their effectiveness or lessons

learned from implementation. Meanwhile, the vulnerabilities these recommendations were intended to

address continue to be exploited.10 For example, recent DDoS attacks of unprecedented scale11 add to the

urgency of ISPs’ implementation of CSRIC recommendations or of alternative approaches that ISPs

believe are superior to the CSRIC recommendations.

Request for Comment

By this Public Notice, the Bureau seeks comment from ISPs, the Internet community, consumer

organizations, and the broader public on the implementation and effectiveness of the CSRIC III

recommendations and/or alternatives that stakeholders have developed since the time of the CSRIC’s

original work to address these challenges.

The purpose of this Public Notice is to promote a robust, stakeholder-driven discourse drawing on

broad perspectives from throughout the cyber ecosystem to provide the communications sector and the

Commission new information, insights and situational awareness regarding innovative solutions to these

particular cyber risks. To the extent that companies or stakeholders may prefer that their submissions

remain confidential, we intend to protect the confidentiality of submissions according to the requests and

consistent with FCC rules, as described below. This inquiry is part of the Commission’s effort to develop

effective and proactive private sector-driven cyber risk management;12 in particular, it complements and

supports ongoing work in CSRIC IV to create measurable, accountable cyber assurances across a wide

variety of IP-based communications technologies and services.13

The Bureau seeks public comment on the implementation status and effectiveness of these

voluntary recommendations, or alternatives, by ISPs and other members of the Internet community. We

are particularly interested in comment on the following questions as they relate to the four broad areas of

CSRIC’s previous best practices and recommendations cited above:

1. What progress have stakeholders made in implementing the recommendations?

2. What barriers have stakeholders encountered in implementing the recommendations?

3. What significant success stories or breakthroughs have been achieved in implementing the recommendations?

4. What are stakeholders’ views and/or plans for full implementation of the recommendations?

5. How effective are the recommendations at mitigating cyber risk when they have been implemented? Given the experiences gained in the past two years, are there alternatives to full implementation that could be more effective than full implementation at mitigating cyber risks posed by botnets, DNS vulnerabilities, routing infrastructure vulnerabilities, and source address spoofing? On what basis do stakeholders believe that these alternatives are more effective than the CSRIC III recommendations? Do stakeholders undertake qualitative or quantitative evaluations of the effectiveness of these various approaches, or both?

Comment Submission

Interested parties are invited to comment by September 26, 2014. Please submit comments or

meeting requests by email directly to the Associate Bureau Chief for Cybersecurity and Communications

Reliability, Jeffery Goldthorp, at jeffery.goldthorp@fcc.gov, with a copy to the Deputy Chief of the

Bureau’s Cybersecurity and Communications Reliability Division, Lauren Kravetz, at

lauren.kravetz@fcc.gov.

Requests for confidential treatment of information submitted should follow the procedures set

forth in section 0.459 of the Commission’s rules, under which all submissions with an appropriate request

for confidential treatment will be treated as presumptively confidential pending a ruling on the request.

Additionally, upon request and on a case-by-case basis, the Bureau may accommodate classified

comment submissions or discussions.

Alternatively, those who desire to submit comments in hard copy only should submit an original

and one copy of each set of comments. Hard copy comments can be sent by hand or messenger delivery,

by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. All such

submissions should be addressed to the Commission’s Secretary, Office of the Secretary, Federal

Communications Commission and reference DA 14-1066.

All hand-delivered or messenger-delivered paper submissions for the Commission’s

Secretary must be delivered to FCC Headquarters at 445 12th St., SW, Room TW-A325,

Washington, DC 20554. Delivery hours are 8:00 a.m. to 7:00 p.m. All hand deliveries must

be held together with rubber bands or fasteners. Any envelopes and boxes must be disposed

of before entering the building.

Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail)

must be sent to 9300 East Hampton Drive, Capitol Heights, MD 20743.

U.S. Postal Service first-class, Express, and Priority mail must be addressed to 445 12th

Street, SW, Washington DC 20554.

To request materials in accessible formats for people with disabilities (braille, large print,

electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental

Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (tty).

For further information, contact Jeffery Goldthorp, at jeffery.goldthorp@fcc.gov or (202) 418-1096 or Lauren Kravetz, at lauren.kravetz@fcc.gov or (202) 418-7944.

– FCC –

1 CSRIC is a federal advisory committee composed of leaders from the private sector, academia, engineering,

consumer/community/non-profit organizations, and government partners from tribal, state, local and federal

agencies. See FCC Encyclopedia, Communications Security, Reliability and Interoperability Council III,

http://www.fcc.gov/encyclopedia/communications-security-reliability-and-interoperability-council-iii.

2 See CSRIC III FINAL REPORTS, WORKING GROUPS 5, 6, 7, available at

http://www.fcc.gov/encyclopedia/communications-security-reliability-and-interoperability-council-iii.

3 See AT&T Public Policy Blog: Cybersecurity and the FCC’s CSRIC Recommendations (March 22, 2012),

available at http://www.attpublicpolicy.com/cybersecurity/cybersecurity-and-the-fccs-csric-recommendations/;

CenturyLink Public Policy Blog: CenturyLink Takes Cybersecurity Seriously (April 2, 2012), available at

http://community.centurylink.com/regulatoryblog/2012/04/centurylink-takes-cybersecurity-seriously/; and Comcast

Voices: Comcast Applauds Work of the FCC’s CSRIC on Online Security and Safety (March 22, 2012), available

at http://corporate.comcast.com/comcast-voices/comcast-applauds-work-of-the-fccs-csric-on-online-security-and-safety.

4 In a distributed denial-of-service (DDoS) attack, an attacker uses multiple computers to prevent legitimate users

from accessing information or services by sending large amounts of data to a website or spam to particular e-mail

addresses. See Security Tip (ST04-015), Understanding Denial-of-Service Attacks, US-CERT, (Feb. 06, 2013),

http://www.us-cert.gov/ncas/tips/ST04-015.

Source-address spoofing may lead to “attacks where the unreachability

of the source can be exploited” by attackers who transmit packets that appear to come from a victim’s IP address.

See CSRIC III WORKING GROUP 4 FINAL REPORT at 18 (March 2013), available at

http://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC_III_WG4_Report_March_%202013.pdf (CSRIC III

WG4 REPORT).

5 See News Release: FCC Advisory Committee Adopts Recommendations to Minimize Three Major Cyber Threats,

Including an Anti-Bot Code of Conduct, IP Route Hijacking Industry Framework and Secure DNS Best Practices,

(March 22, 2012), available at http://www.fcc.gov/document/csric-adopts-recs-minimize-three-major-cyber-threats.

6 CSRIC III WG4 REPORT at 20.

7 See P. FERGUSON & D. SENIE, BEST CURRENT PRACTICE 38, NETWORK INGRESS FILTERING: DEFEATING DENIAL

OF SERVICE ATTACKS WHICH EMPLOY IP SOURCE ADDRESS SPOOFING (2000), available at

http://tools.ietf.org/html/bcp38.

8 See F. BAKER AND P. SAVOLA, BEST CURRENT PRACTICE 84, INGRESS FILTERING FOR MULTIHOMED NETWORKS,

(2004), available at http://tools.ietf.org/html/bcp84.

9 See CSRIC Best Practices, FCC Public Safety and Homeland Security Bureau,

https://www.fcc.gov/nors/outage/bestpractice/BestPractice.cfm.

10 See Jim Cowie, The New Threat: Targeted Internet Traffic Misdirection, RENESYS BLOG, Nov. 19, 2013,

available at http://www.renesys.com/2013/11/mitm-internet-hijacking/.

According to an Internet security firm that

investigated the attack, victims included financial institutions, governments, and network service providers in the

United States, South Korea, Germany, and several other countries. Id.

See also Nicole Perlroth, In Cyberattacks on

Banks, Evidence of a New Weapon, THE NEW YORK TIMES, Oct. 5, 2012, available at

http://bits.blogs.nytimes.com/2012/10/05/in-cyberattacks-on-banks-evidence-of-a-new-weapon/. See also Mathew

J. Schwartz, Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions, INFORMATION WEEK, March 27,

2013, available at http://www.informationweek.com/attacks/bank-ddos-attacks-resume-wells-fargo-confirms-disruptions/d/d-id/1109271?.

11 In a Reflective DNS Amplification DDoS attack, an attacker sends multiple requests to multiple open DNS

resolvers pretending that they are coming from a victim’s IP address. The open DNS resolvers then reply to the

victim’s IP address with larger packets thus amplifying the attack size. See David Piscitello, Anatomy of a DNS

DDoS Amplification Attack, WATCHGUARD TECHNOLOGIES, INC.,

http://www.watchguard.com/infocenter/editorial/41649.asp. See also John Leyden, Biggest DDoS Attack in History

Hammers Spamhaus, THE REGISTER (March 27, 2013),

http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/; John Markoff and Nicole Perlroth, Firm Is

Accused of Sending Spam, and Fight Jams Internet, N.Y. TIMES, (March 26, 2013). See also Mathew J. Schwartz,

DDoS Attack Hits 400 Gbit/s, Breaks Record, INFORMATION WEEK (Feb. 11, 2014), available at

http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787.

12 See remarks of FCC Chairman Tom Wheeler to the American Enterprise Institute, June 12, 2014 available at

http://www.fcc.gov/document/chairman-wheeler-american-enterprise-institute-washington-dc. Chairman Wheeler

stated that “the pace of innovation on the Internet is much, much faster than the pace of a notice-and-comment

rulemaking” and challenged communications providers to create a “new paradigm” of proactive, measurable,

accountable, business-driven cyber risk management. He cited the “important foundational work” in cybersecurity

from CSRIC III that is the subject of this Public Notice and announced that “in the coming weeks, we will be

seeking information to measure the implementation and impact of these industry-defined best practices.”

13 See Remarks of Public Safety and Homeland Security Bureau Chief, Rear Admiral (Ret.) David Simpson to

CSRIC IV Public Meeting, June 18, 2014, available at http://www.fcc.gov/events/communications-security-reliability-and-interoperability-council-iv-meeting-1. Admiral Simpson’s remarks reiterated Chairman Wheeler’s

call for a “‘new paradigm’ of proactive, measurable, accountable, business-driven risk management for

communications security and reliability” and further described the “new paradigm” as “a substitute for traditional

regulation that is more dynamic than complying with rules and more effective than blindly trusting the market.

Under this new approach, businesses would step up and take responsibility for determining how to manage their risk

in a more transparent and measurable way that promotes market accountability for cyber risk reduction. The

traditional regulatory approach was that the FCC would propose a rule, and, after taking in your comments, tell you

what you have to do – and, then, we would measure whether or not you are doing what we told you to do. The ‘new

paradigm’ approach is different, and it is more challenging, because if it is going to succeed, it will rely primarily on

your action. This is the case both in developing best practices and risk management processes in the first place, and

then in following through with meaningful, measurable, demonstrable implementation.”
