Make zombie code mandatory: govt report

Make zombie code mandatory: govt report

Summary: A parliamentary report into cybercrime has recommended that internet service providers (ISPs) force customers to use antivirus and firewall software or risk being disconnected.

SHARE:

A parliamentary report into cybercrime has recommended that internet service providers (ISPs) force customers to use antivirus and firewall software or risk being disconnected.

security

(Security image by David Goehring, CC 2.0)

Committee chair Belinda Neal said in her introduction to the 262-page report titled "Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime" that due to the exponential growth of malware and other forms of cybercrime in recent years, "the expectation that end users should or can bear the sole responsibility for their own personal online security is no longer a tenable proposition".

"We need to apply the same energy and commitment given to national security and the protection of critical infrastructure to the cybercrime threats that impact on society more generally," she said.

A new mandatory "e-security code of practice" for ISPs is one of the key recommendations of the report, which suggested that the Australian Communications and Media Authority (ACMA) and Internet Industry Association (IIA) be tasked with establishing the code under the Telecommunications Act.

This code of practice would make ISPs force their customers to install antivirus and firewall software. They would also need to educate those customers on how to protect themselves from hackers and malware when they first sign up to the ISP. In the event that a customer's computer is infected, the code would see ISPs forced to restrict that user's access and ultimately disconnect the customer from the internet completely until that system has been cleared of the infection.

The code of practice looks to be based on a code drafted by the IIA in September 2009 and set to come into effect in December this year. However, signing up to that code is voluntary for ISPs. The IIA had not responded to requests for comment at the time of writing.

In a statement today, Neal defended the mandatory nature of the code of practice recommended in the report.

"The internet service providers should not shoulder a disproportionate amount of the cybercrime burden, but ISPs are in a unique position to inform consumers if their computer is infected," she said. "End users must also take responsibility for protecting themselves online to prevent the spread of computer viruses to the rest of the community."

In the report, Shadow Minister for Communications Tony Smith noted his concerns about this mandatory requirement for ISPs.

"[To] dramatically and quickly institute a requirement that ISPs contractually require the subscriber to install antivirus software and firewalls before connecting to the internet, whilst well meaning, opens up a plethora of new liability issues for subscribers," he said.

    Some of the other 34 recommendations in the report include that the:

  • Government should establish an "Office of Online Security" headed by a cybersecurity coordinator with expertise in cybercrime and e-security located within the Department of Prime Minster and Cabinet, with responsibility for whole-of-government coordination;
  • Development of a single national online cybercrime reporting portal and helpline;
  • Establishment of an agency to oversee all collection of data and establish agreements on how government agencies and industry will share and protect information for research;
  • Government should provide free access to antivirus software;
  • Australian domain name register industry be subject to an anti-phishing code of conduct; and
  • Department of Broadband, Communications and the Digital Economy send out "public health" style campaigns in the media informing the public of certain cybercrime activities.

"The government will examine the report to see how it can improve current cyber security arrangements," the office of Communications Minister Stephen Conroy said.

Topics: Government, Government AU

About

Armed with a degree in Computer Science and a Masters in Journalism, Josh keeps a close eye on the telecommunications industry, the National Broadband Network, and all the goings on in government IT.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

19 comments
Log in or register to join the discussion
  • I'd love to know how they propose to install anti-virus and firewalls on devices such as Nokia smartphones and TIVOs.

    Not to mention all the folks who run GNU/Linux, who don't need anti-virus as long as their systems are up-to-date.

    Is there anyone in the Government who actually understands how this stuff works? Or are they just making it up as they go along?
    hamrag.yattletrot
  • Ban windows machines. If only. Really this shows without a shadow of doubt how those making the decisions behind such ludicrous policy have not a clue in the world as to how these things should be delt with. You cant just kick those without certain types of applications running. It would be much more practical to use already available malware alerts to inform customers that there is likely something lurking on their pc and to install a free antivirus application. To somehow force a check on computers connecting to the internet for the presence of AV shows the fairlyland that this government is living. It just aint work that way fellas. Consult an expert or ten before you make any further blunders and burn another hundred mill or so.
    nissy-2f939
  • They don't need to actually detect if AV software is installed. The article has dumbed this fact down a bit, but most viruses are trivial to detect at the gateway in near-real-time. I'd support this if a suitable escalation schedule were implemented: i.e. notify the customer early, and progressively cut the service off progressively over a period of a few days.

    It's then up to users to implement whatever security practices are suitable for their platform: Your embedded devices obviously aren't going to trip any triggers; your Linux box will be fine if you keep your security patches up to date.

    One strange thing that jumps out at me here is the suggestion of putting out public security information via the DoBB. Wouldn't it make more sense to fund AusCERT appropriately and pass the job on to them? They are surely in a better position than a Gov Dept for this kind of stuff.
    chovain
  • How about getting Microsoft to make Windows more secure?
    How about access denial to unsecure sites like McAfee Advisor?
    ojvpuce
  • More proof that the government has lost it when it comes to the "big bad internet"
    What about other devices? What is the definition of a computer these days. Is it a box sitting on your desk, is it a mobile phone in your hand, is it your internet enabled TV?
    Which ones "require" a virus scanner and firewall?
    I have Linux and Macs. Most cases you don't need virus scanners on these systems. I am not even aware of a resident memory virus scanning package for Linux because at this stage its just not needed. Does this mean I can't use the internet?
    An as for firewalls. What about all the ADSL connections that use routers. Firewalls are redundant. You can't connect to a computer through a router if the route doesn't exist!
    duke149
  • It's amazing isn't it that some peple still think that the only devices attached to the Internet run either M$ Windows or an Apple operating system
    DrSnipe
  • Banning Windows machines won't help. All OSes have exploits.

    The difference is market share, if Apple or *nix had 50% market share then it would be worthwhile for cyber criminals to target these machines.
    Macka-844f2
  • There will be at least 1 ISP that won't use the code. It's a big bad joke. Labour know that they have lost now there pissing off as many people as they can before there out of office. Vote them out of the house of reps. Get a better party in. One that isn't turning left wing. They need to learn there is only so much that can be done and forcing people to install AV isn't the way to gon about things. I don't like how vauge this article is either... will i be able to choose what AV i can use or will i be told. I like the AV i have and everyone knows firewalls are useless. They talk about high speed broadband in australian homes but the Kiddie filter and this nullify the whole point of having world class internet. Conboy and KRudd need to pull their act together or get out.
    Planitia-49855
  • No, duke149, the government hasn't lost it about the Net.

    Conboy never had the intelligence OR the experience to understand what he was blustering about, so it seems clear that he doesn't get it now and never will.
    gnome-8be8a
  • This report is just another example of how we give away all of our personal responsibility to others. "Can't use the internet properly? Don't worry the Safety Police can do it for you."
    First it was the filter - don't worry about where to surf the government will let you know what you can and can't see.
    Second is ISP's keeping our browsing records - don't worry we'll keep an eye on you.
    Now this, when will governments stop trying to regulate everything, you can't regulate stupidity. If people don't want to have anti-virus, good luck to them. If they want to head to the seedy side of the internet, good luck but be careful what you pick up on the way out.
    bombinaround
  • You obviously have no idea either.
    The difference is that Linux/Unix/BSD/OSX are built on a secure base.
    To execute anything requires user intervention to firstly make the object executable and then to actually run it. That user also must have administrative privelidges, at which level the admin users don't normally run.

    Windows however was built insecure and will not be fixed because of the whole antivirus/malware industry's reliance on this insecurity to make money.
    RichardHead-36746
  • Another typical Govt. report!

    Fortunately, they didn't recommend the version of the Windoze to be installed in order to browse the internet.

    The eco system of the IT industry needs Windoze, malware, AV etc. That is how many 'so called' IT experts make their living! And, that is why I generally don't force anyone to switch to a more secure OS like Linux!! Why should we mess up the whole eco system of such an important industry?
    syampillai
  • "Get a better party in. One that isn't turning left wing."

    "LEFT" wing? We have no such thing. Labor is SUPPOSED to be "left wing", but since the Keating days it has drifted so far right as to be indistinguishable from the Liberal Party.

    As for AV software, I have little trouble with viruses--spyware is currently the bane of all evil, and ALL browsers should isolate third-party cookies, so that they can only be accessed on a first-party basis.
    Treknology
  • Democracy in action!!

    Well here we go again!! the government sort of re-minds me of a blind man running around a room banging into walls trying to find a door, the problem is, if he ever finds the door he will probably go the wrong way; fall in the pond have to get himself out because security is having a lunch meeting on the gold coast. he catches pneumonia gets stuck in queue in the hospital emergency room, falls on the floor through lack of attention starts coughing and wheezing, security finally return from lunch and throw him into the street because he is upsetting the nursing staff during there hour and a half coffee break and chat session. He staggers up the road and gets hit with an on the spot fine for being drunk and disorderly and is thrown unceremoniously into the nearest pub to get him of the street; where he promptly dies. But this is all well and good because we can have another million dollar inquiry as to how it could have all gone so wrong, so we can then table the results so they can be ignored so that in a couple of years we can have another inquiry as to why the first inquires recommendations were not implemented.......and on and on and on.

    Sorry about the punctuation; we could have an inquiry about that??

    Ashman II
    ashmann
  • You are the one with no idea Richard. As the other chap said, all OSs have exploits and additionally all applications have exploits. Sendmail, BIND, MySQL and Firefox are amongst the most insecure applications available, each can be overcome with a number of exploits and vulnerabilities. It may come as a surprise to you but a lot of people do run Unix/Linux accounts with root privileges largely because they don't know the ramifications for doing so, as many Windows users run as Administrators. This doesn't make the software at fault, it makes the user at fault.

    If Unix/Linux was as popular as Windows I am quite sure that hackers would pay more attention to it. It can hardly amount to a destructive threat since it only caters for 5% of the computer market, now can it...
    Mel Sommersberg
  • ""LEFT" wing? We have no such thing. Labor is SUPPOSED to be "left wing", but since the Keating days it has drifted so far right as to be indistinguishable from the Liberal Party."

    Try telling Gillard that. She's Far Left and once considered herself part of the young communist uprising which thankfully is still limited to uni students. And what about KRudd? He's Right Wing but he was backed by left wing unions when challenged by Gillard last week. He also lead a political party with a boatload of Left Wing policies based on opening the floodgates to let in boat people and massive social welfare payouts.
    Mel Sommersberg
  • No, you do not understand.
    The whole "other OS's don't have the market share and thus are not tempting targets" is absolute idiocy only promulgated by M$ resellers.
    Windows PC market share is grossly inflated and besides, don't you think hackers would be interested in breaking into the systems of the London Stock Exchange ? Or Google ? Or Amazon ? or any major bank ? The all run Unix/Linux or some other variant.
    Hundreds of thousands of viruses and nasties simply do not exist for OSX and Linux/Unix because those OS's are built properly, and that is the ONLY reason. There are currently hundreds of millions of Macs out there, as an example. Any hacker that could write decent exploit code for the Mac would have that entire segment for themselves, and wouldn't have to "share" with all the other virus writers...yet there are NONE. Not, 10,000, not 100...NONE ! Understand yet ? Same for Linux and Unix.
    Microsoft Windows is a complete mess. MS Windows, Outlook and IE are the most efficient virus propagation systems ever devised.
    MAc. Unix and Linux viruses do not exist "in the wild" because those systems are simply superior. Please provide ONE example where an up to date MACOS box can be "rooted" simply by previewing an incoming email or clicking on a link ? I can show you TENS OF THOUSANDS of examples that infect MS Windows boxes every single day. I also have a CSE degree and a Masters in Information Security, if you want to know. I do this for a living and much more in depth than just clicking "next"..."next" on my favourite AV product. No serious security practitioner has anything except contempt for MS Windows, we all use Linux/Mac for a reason.
    Catch-e0dd2
  • If you ban all Windows' computers, then Apple targets become far more attractive. But we all know there's no way banning Windows SW will get any traction.
    TacoRag
  • Nah mate, you don't understand. You are also short-sighted.

    "The whole "other OS's don't have the market share and thus are not tempting targets" is absolute idiocy only promulgated by M$ resellers."

    I don't resell Microsoft and I am a frequent user of Windows 2008, Windows 7, Windows XP and FreeBSD. I can hardly be regarded as a blind follower of Uncle Bill as you seem to believe.

    "Windows PC market share is grossly inflated and besides, don't you think hackers would be interested in breaking into the systems of the London Stock Exchange ? Or Google ? Or Amazon ? or any major bank ? The all run Unix/Linux or some other variant."

    There lies the problem. All those organisations have been hacked in the past and many more. I host my own web services and have never been owned.

    "Hundreds of thousands of viruses and nasties simply do not exist for OSX and Linux/Unix because those OS's are built properly, and that is the ONLY reason. "

    Yeah, that's why a teeniebopper called Ashley Towns was able to launch a virus that took over gaolbroken iPhones without raising a sweat.

    "Unix and Linux viruses do not exist "in the wild" because those systems are simply superior."

    In your one-eyed opinion maybe... The fact is that if you want to do as much damage as possible you will use the most efficient method and that is to compromise as many machines as possible. It comes down to the lowest common denominatior, although you dispute this of course so it must be wrong.

    "I also have a CSE degree and a Masters in Information Security, if you want to know."

    Oh wow! You are my hero.
    Mel Sommersberg