ISPs asked to cut off malware-infected PCs

The Internet Industry Association (IIA) has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases disconnect, customers that have malware-infected computers.

The drafted code, which will not be mandatory, suggested ISPs take a four-step approach to protecting customers.

• Identification of compromised computers
• Contact affected customer
• Provision of information and advice to fix the compromised system; and
• A reporting function for alerting about serious scale threats, such as those, that may threaten national security.

"Once an ISP has detected a compromised computer or malicious activity on its network, it should take action to address the problem. ISPs should therefore attempt to identify the end user whose computer has been compromised, and contact them to educate them about the problem," the new code states.

Chief regulatory officer of ISP iiNet, Steve Dalby, said he would adhere to the code if the process could be automated and development costs weren't prohibitive.

"Potentially it's something that we would do. If there were some costs we might consider whether government funding was available, but again it's very hypothetical," Dalby said.

IBRS analyst James Turner welcomed the move and said ISPs should be able to find a way to fund the initiative.

"They'll find a way of commercialising it and making it, at the very least, cost neutral if not cost positive," he said.

Turner said it was reasonable to expect a form of "quality control" for computers connected to the internet in a similar way cars need to be roadworthy.

"The Government make laws and regulations about what you can drive on the roads. If you're in New South Wales, after your car gets over five years old ... you've got to take it over to the pits every year. A form of quality control for computers that are on the internet seems perfectly reasonable to me," said Turner.

Communications Minister Senator Conroy has voiced his support for the new code. In May, he said the "code will provide a consistent approach for Australian ISPs to help inform, educate and protect their clients in relation to e-security issues."

"It will contribute to the range of efforts being made by Government and industry to raise awareness of online security and to foster digital confidence," said Conroy at the time.

However, an IIA spokesman said that if Stephen Conroy was serious about addressing eSecurity he would fund more education initiatives. Government initiatives, such as the once a year e-security campaign that told Australians to change their password, was not enough, he said.

"The government has spent an awful lot of money on a single website," the spokesman told iTnews. "I think there's about two or three websites doing exactly the same thing and they all assume you've got to log on to the website. It's kind of like a web 1.0 style approach," he said.

Initiatives such as the recently announced Queensland Government war driving mission were praised by the spokesman.

The code of conduct was initiated on 10 June when the IIA, in association with the Government, ISPs, security vendors and consumer representatives convened a meeting to explore the merits of a new voluntary eSecurity code.

"The meeting agreed that A Draft Code Principles with representative from all stakeholders with a final version of the voluntary code envisaged by 1 December 2009," the IIA said.

ISPs that adhere to the code would be able to display an IIA tortoise log on their website.

Members of the public are asked to respond to the draft code by posting their comments and suggestions to securitycode@iia.net.au no later than Friday 30 October 2009.

What do you think? Should service providers be expected to invest in the technology to know when a user's computer is infected? Do they have the legal right to cut an infected user off?