Hardware vendors could weigh in on iCode

The iCode may have industry and international support, but there are still a number of areas that need tweaking, including the possibility of getting manufacturers like Apple involved.

The Internet Industry Association (IIA) held an industry forum yesterday, looking at the voluntary code of conduct for internet service providers (ISPs), discussing problems the code currently has and new directions it could take.

The iCode is meant to help inform Australian internet users whose computers are infected with malware, but don't know about it. It outlines what ISPs should do to inform, educate and assist infected customers.

The IIA is currently conducting a review of how the code has worked since it was introduced two years ago. The forum was intended as a way for involved parties to express any issues that they had with the code.

There were a number of changes to the code proposed by speakers at the forum, as well as the audience, some of which are members of the board responsible for overseeing any changes — the IIA's iCode Review Taskforce.

Sophos Asia-Pacific director and former IIA director, Rob Forsyth, said that the continued roll out of IPv6 would change how the industry tracked botnets because of the larger pool of IP addresses it would bring. He also highlighted a point raised by ZDNet Australia in the past, that the iCode struggles with mobile devices as they often use the IP addresses of free Wi-Fi hotspots.

Forsyth said that these problems would continue to grow and new ones would also appear, leading to the necessary continual review of the iCode. A possible new problem would be the push for household goods to be connected to the internet and then be targeted by criminals.

"What happens when your smart TV starts becoming a spamming TV? How is our world evolving with our devices?" Forsyth asked.

One of the taskforce members, Holly Raiche, who also heads up the policy committee for the Internet Society of Australia (ISOC-AU), said that some of the wording needed to change. In particular, the code states that "each new customer be provided with information, or links to information, which provides them with simple steps they can take to better protect themselves online".

"That, in itself, has got some problems," Raiche said. "Why only new customers? I would be hoping you'd be having a conversation with all of your customers. I would be hoping you'd be educating them over time. Take out the word 'new'."

She also said that, more than just explaining what simple steps can be taken to free a PC of an infection, the internet service providers also have to explain the basics: what the danger is, what a compromised computer is and what harm it does to the user and other people. Only then would the user be ready to carry out any action to remedy their infection.

Although the discussion around customer education has, at this point, been limited to ISPs, Raiche suggested also involving equipment manufacturers, such as Apple, as they have a responsibility to ensure that actions such as applying security settings, is easy and intuitive.

ISOC-AU president Narelle Clark also called for further participation from manufacturers, saying that fundamental security configuration settings in equipment, such as Wi-Fi hotspots and routers, are hard to understand. She said that users should be able to secure themselves simply, not in the complex fashion that is necessary today.

In addition, she advocated for industry forums that promote best practice so ISPs, manufacturers and consumers could understand what best practice truly is and how to achieve it.

Optus senior regulatory analyst for corporate and regulatory affairs Ana Tabacman, who is also on the iCode taskforce, also voted for the inclusion of manufacturers, but realistically, said that the first step was to get ISPs, manufacturers and consumers on the same page.

"What we need to figure out is the best way to move forward, so that we've got everyone working and taking a coordinated approach — government, industry, manufacturers, etc — so we can figure out the best way to get customers to understand these messages."

Government jumps in

While these topics will undoubtedly be raised in the IIA's own review of the code, the IIA isn't the only party to look at it; the government is conducting its own separate review of the code.

Sabeena Oberoi, who acts as the assistant secretary for cyber security policy and Asia-Pacific engagement within the Department of Broadband, Communications and the Digital Economy, said that the government's review would look at broader issues around the iCode, such as who else should be involved in the process.

"The iCode review is focusing on actually strengthening the code itself ... while the government's review is a broader review; looking at whether the current approach of the voluntary scheme is the most effective way, what are the other mechanisms that could be adopted or what are the other industry participants that could be involved."

Oberoi said that the two reviews are designed to complement each other. The IIA's draft report, expected in the next few months, will be used to feed input into the government's report, which is due at the end of the year.

The government's own roundtable discussions with ISPs, including those that have not signed the code or organisations that aren't members of the IIA, continued to find overwhelming support for keeping the iCode voluntary, despite a government inquiry recommending it be made mandatory, she said.

"The majority said that, in fact, the flexibility of the code is its strength and the voluntary nature of the code is its strength. Because technology is moving so fast, you don't want to mandate anything. You want to leave it flexible."