IIA cautions against ISP e-security burdens

A closed-door meeting today of government, law enforcement and privacy officials, together with security experts and a half-dozen ISPs, discussed creation of the code as part of national e-security awareness week.

Development of an ISP code was recommended by the 2008 national e-security review.

Some 62 ISPs covering 90 per cent of internet users already participate in the Australian internet security initiative, which is led by the Australian Communications and Media Authority (ACMA).

It is understood the code would build on this initiative and be developed in conjunction with ACMA and the Department of Broadband, Communications and the Digital Economy (DBCDE).

Under the code, participating ISPs would need to provide plain language information to customers on e-security risks and simple steps they can take to help protect themselves online.

But Senator Conroy has also proposed other requirements be added.

"The code aims to provide a consistent approach for ISPs to help inform, educate and protect their customers in relation to e-security issues. But critically [it] will go further," Conroy said.

"It will include mechanisms and information-sharing arrangements between ISPs to help prevent compromises on one ISP network from affecting customers on other networks."

How this would occur is unknown, but Internet Industry Association (IIA) chief Peter Coroneos, who convened the meeting today, said it is an idea rather than a guaranteed inclusion and would need further consultation before being potentially added to the code.

"I'd like to de-emphasise the sharing idea at this point. It's just not realistic to talk about specific measures," Coroneos told iTnews.

"There are many things on the table for discussion and this is one."

Coroneos' caution in endorsing the Senator's proposal in full appears to be over concerns that these extra elements could place unrealistic regulatory and financial burdens on the IIA's members, particularly small ISPs.

"The sharing arrangements are something that's been proposed by the Government. We need to look at what can reasonably be done and what would be most useful," Coroneos said.

"We have a very strong regard for smaller ISPs who clearly are going to be limited in the resources they have available internally.

"The code is really intended as a better way to protect their own networks, without imposing a regulatory burden on them."

The same caution is also likely to apply to the role of ISPs in remediating e-security breaches on user machines.

"It's likely the code will have provisions to direct users to resources where they can have their computers fixed," Coroneos said.

"The remediation itself will not involve ISPs because I don't think it is right for them to take on that responsibility. They can certainly be the conduit for that type of information."

Coroneos said the NBN was a driver in fast-tracking development of the ISP code, because it will increase the potential for the spread of zombies, malware and other malicious code.

The IIA said it will now convene a drafting committee of ISPs to examine further development of the code and take inputs from industry stakeholders.

The association is targeting completion of the code before the end of the year.