Make zombie code mandatory: govt report

A parliamentary report into cybercrime has recommended that internet service providers (ISPs) force customers to use antivirus and firewall software or risk being disconnected.


Committee chair Belinda Neal said in her introduction to the 262-page report titled "Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime" that due to the exponential growth of malware and other forms of cybercrime in recent years, "the expectation that end users should or can bear the sole responsibility for their own personal online security is no longer a tenable proposition".

"We need to apply the same energy and commitment given to national security and the protection of critical infrastructure to the cybercrime threats that impact on society more generally," she said.

A new mandatory "e-security code of practice" for ISPs is one of the key recommendations of the report, which suggested that the Australian Communications and Media Authority (ACMA) and Internet Industry Association (IIA) be tasked with establishing the code under the Telecommunications Act.

This code of practice would make ISPs force their customers to install antivirus and firewall software. They would also need to educate those customers on how to protect themselves from hackers and malware when they first sign up to the ISP. In the event that a customer's computer is infected, the code would see ISPs forced to restrict that user's access and ultimately disconnect the customer from the internet completely until that system has been cleared of the infection.

The code of practice looks to be based on a code drafted by the IIA in September 2009 and set to come into effect in December this year. However, signing up to that code is voluntary for ISPs. The IIA had not responded to requests for comment at the time of writing.

In a statement today, Neal defended the mandatory nature of the code of practice recommended in the report.

"The internet service providers should not shoulder a disproportionate amount of the cybercrime burden, but ISPs are in a unique position to inform consumers if their computer is infected," she said. "End users must also take responsibility for protecting themselves online to prevent the spread of computer viruses to the rest of the community."

In the report, Shadow Minister for Communications Tony Smith noted his concerns about this mandatory requirement for ISPs.

"[To] dramatically and quickly institute a requirement that ISPs contractually require the subscriber to install antivirus software and firewalls before connecting to the internet, whilst well meaning, opens up a plethora of new liability issues for subscribers," he said.

Some of the other 34 recommendations in the report include that:
  • the government should establish an "Office of Online Security" headed by a cybersecurity coordinator with expertise in cybercrime and e-security, located within the Department of Prime Minister and Cabinet, with responsibility for whole-of-government coordination;
  • a single national online cybercrime reporting portal and helpline be developed;
  • an agency be established to oversee all collection of data and establish agreements on how government agencies and industry will share and protect information for research;
  • the government should provide free access to antivirus software;
  • the Australian domain name register industry be subject to an anti-phishing code of conduct; and
  • the Department of Broadband, Communications and the Digital Economy send out "public health" style campaigns in the media informing the public of certain cybercrime activities.

"The government will examine the report to see how it can improve current cyber security arrangements," the office of Communications Minister Stephen Conroy said.