FW: Public Notice: FCC asks for comments on network security

["Livingood, Jason" <Jason_Livingood () cable comcast com>]

FYI. The U.S. Public Safety and Homeland Security Bureau released a Public Notice on Friday (copied below), seeking 
comment on the “implementation and effectiveness of the CSRIC III recommendations”.

Comments are due by September 26.  Some folks here may wish to send the FCC comments on this, especially areas 
pertaining to preventing IP address spoofing.

- Jason

DA 14-1066 Released: July 25, 2014

FCC’S PUBLIC SAFETY AND HOMELAND SECURITY BUREAU REQUESTS COMMENT ON IMPLEMENTATION OF CSRIC III CYBERSECURITY BEST 
PRACTICES

In March 2012, the FCC’s third Communications Security, Reliability and Interoperability Council (CSRIC III)1 
unanimously adopted voluntary recommendations for Internet service providers (ISPs) to combat three major cybersecurity 
threats: (1) botnet attacks; (2) domain name fraud; and (3) Internet route hijacking.2 Among other stakeholders, 
leading ISPs participated in the development of these recommendations and publicly committed to implementing them.3 The 
recommendations included voluntary measures in three areas: an Anti-Bot Code of Conduct to mitigate the proliferation 
of distributed denial of service (DDoS) attacks,4 steps to better secure the Domain Name System (DNS) through 
incremental implementation of DNSSEC, and steps to strengthen the security of the Internet’s inter-domain routing 
infrastructure.5

CSRIC III also recommended that the FCC encourage ISPs to implement source-address filtering 
topreventattackersfromspoofingIPaddressestolaunchDDoSattacks. Specifically,CSRIC recommended that the FCC encourage 
implementation of the following best current practices (BCPs) to mitigate this risk:6

  1.  1)  BCP 38/RFC 2827 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source 
Address Spoofing;7 and

  2.  2)  BCP 84/RFC 3704 – Ingress Filtering for Multi-homed Networks.8

All CSRIC best practices are available on the Commission’s website in a searchable database.9

Since CSRIC III adopted these important recommendations, stakeholders have not yet provided the FCC’s Public Safety and 
Homeland Security Bureau (Bureau) information regarding their implementation that is sufficient for a meaningful 
understanding of either their effectiveness or lessons learned from implementation. Meanwhile, the vulnerabilities 
these recommendations were intended to address continue to be exploited.10 For example, recent DDoS attacks of 
unprecedented scale11 add to the urgency of ISPs’ implementation of CSRIC recommendations or of alternative approaches 
that ISPs believe are superior to the CSRIC recommendations.

Request for Comment

By this Public Notice, the Bureau seeks comment from ISPs, the Internet community, consumer organizations, and the 
broader public on the implementation and effectiveness of the CSRIC III recommendations and/or alternatives that 
stakeholders have developed since the time of the CSRIC’s original work to address these challenges.

The purpose of this Public Notice is to promote a robust, stakeholder-driven discourse drawing on broad perspectives 
from throughout the cyber ecosystem to provide the communications sector and the Commission new information, insights 
and situational awareness regarding innovative solutions to these

[page1image21240] [page1image21408]

Federal Communications Commission 445 12th St., S.W.
Washington, D.C. 20554

[page1image22856]

News Media Information 202 / 418-0500 Internet: http://www.fcc.gov TTY: 1-888-835-5322



particular cyber risks. To the extent that companies or stakeholders may prefer that their submissions remain 
confidential, we intend to protect the confidentiality of submissions according to the requests and consistent with FCC 
rules, as described below. This inquiry is part of the Commission’s effort to develop effective and proactive private 
sector-driven cyber risk management;12 in particular, it complements and supports ongoing work in CSRIC IV to create 
measurable, accountable cyber assurances across a wide variety of IP-based communications technologies and services.13

The Bureau seeks public comment on the implementation status and effectiveness of these voluntary recommendations, or 
alternatives, by ISPs and other members of the Internet community. We are particularly interested in comment on the 
following questions as they relate to the four broad areas of CSRIC’s previous best practices and recommendations cited 
above:

  1.  What progress have stakeholders made in implementing the recommendations?

  2.  What barriers have stakeholders encountered in implementing the recommendations?

  3.  What significant success stories or breakthroughs have been achieved in implementing the recommendations?

  4.  What are stakeholders’ views and/or plans for full implementation of the recommendations?

  5.  How effective are the recommendations at mitigating cyber risk when they have been

implemented? Given the experiences gained in the past two years, are there alternatives to full implementation that 
could be more effective than full implementation at mitigating cyber risk risks posed by botnets, DNS vulnerabilities, 
routing infrastructure vulnerabilities, and source address spoofing? On what basis do stakeholders believe that these 
alternatives are more effective than the CSRIC III recommendations? Do stakeholders undertake qualitative or 
quantitative evaluations of the effectiveness of these various approaches, or both?

Comment Submission

Interested parties are invited to comment by September 26, 2014. Please submit comments or meeting requests by email 
directly to the Associate Bureau Chief for Cybersecurity and Communications Reliability, Jeffery Goldthorp, at 
jeffery.goldthorp () fcc gov, with a copy to the Deputy Chief of the Bureau’s Cybersecurity and Communications 
Reliability Division, Lauren Kravetz, at lauren.kravetz () fcc gov.

Requests for confidential treatment of information submitted should follow the procedures set forth in section 0.459 of 
the Commission’s rules, under which all submissions with an appropriate request for confidential treatment will be 
treated as presumptively confidential pending a ruling on the request. Additionally, upon request and on a case-by-case 
basis, the Bureau may accommodate classified comment submissions or discussions.

Alternatively, those who desire to submit comments in hard copy only should submit an original and one copy of each set 
of comments. Hard copy comments can be sent by hand or messenger delivery, by commercial overnight courier, or by 
first-class or overnight U.S. Postal Service mail. All such submissions should be addressed to the Commission’s 
Secretary, Office of the Secretary, Federal Communications Commission and reference DA 14-1066.

  *     All hand-delivered or messenger-delivered paper submissions for the Commission’s Secretary must be delivered 
to FCC Headquarters at 445 12th St., SW, Room TW-A325, Washington, DC 20554. Delivery hours are 8:00 a.m. to 7:00 p.m. 
All hand deliveries must be held together with rubber bands or fasteners. Any envelopes and boxes must be disposed of 
before entering the building.

  *     Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9300 
East Hampton Drive, Capitol Heights, MD 20743.



2

 U.S. Postal Service first-class, Express, and Priority mail must be addressed to 445 12th Street, SW, Washington DC 
20554.

To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio 
format), send an e-mail to fcc504 () fcc gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 
(voice), 202-418-0432 (tty).

For further information, contact Jeffery Goldthorp, at jeffery.goldthorp () fcc gov or (202) 418- 1096 or Lauren 
Kravetz, at lauren.kravetz () fcc gov or (202) 418-7944.

– FCC –

1 CSRIC is a federal advisory committee composed of leaders from the private sector, academia, engineering, 
consumer/community/non-profit organizations, and government partners from tribal, state, local and federal agencies. 
See FCC Encyclopedia, Communications Security, Reliability and Interoperability Council III, 
http://www.fcc.gov/encyclopedia/communications-security-reliability-and-interoperability-council-iii.

2 See CSRIC III FINAL REPORTS, WORKING GROUPS 5, 6, 7, available at 
http://www.fcc.gov/encyclopedia/communications-security-reliability-and-interoperability-council-iii.

3 See AT&T Public Policy Blog: Cybersecurity and the FCC’s CSRIC Recommendations (March 22, 2012), available at 
http://www.attpublicpolicy.com/cybersecurity/cybersecurity-and-the-fccs-csric-recommendations/; CenturyLink Public 
Policy Blog: CenturyLink Takes Cybersecurity Seriously (April 2, 2012), available at 
http://community.centurylink.com/regulatoryblog/2012/04/centurylink-takes-cybersecurity-seriously/; and Comcast Voices: 
Comcast Applauds Work of the FCC’s CSRIC on Online Security and Safety (March 22, 2012), available at 
http://corporate.comcast.com/comcast-voices/comcast-applauds-work-of-the-fccs-csric-on-online-security-and- safety.

4 In a distributed denial-of-service (DDoS) attack, an attacker uses multiple computers to prevent legitimate users 
from accessing information or services by sending large amounts of data to a website or spam to particular e-mail 
addresses. See Security Tip (ST04-015), Understanding Denial-of-Service Attacks, US-CERT, (Feb. 06, 2013), 
http://www.us-cert.gov/ncas/tips/ST04-015. Source-address spoofing may lead to “attacks where the unreachability of the 
source can be exploited” by attackers who transmit packets that appear to come from a victim’s IP address. See CSRIC 
III WORKING GROUP 4 FINAL REPORT at 18 (March 2013), available at 
http://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC_III_WG4_Report_March_%202013.pdf (CSRIC III WG4 REPORT).

5 See News Release: FCC Advisory Committee Adopts Recommendations to Minimize Three Major Cyber Threats, Including an 
Anti-Bot Code of Conduct, IP Route Hijacking Industry Framework and Secure DNS Best Practices, (March 22, 2012), 
available at http://www.fcc.gov/document/csric-adopts-recs-minimize-three-major-cyber-threats.

6 CSRIC III WG4 REPORT at 20.

7 See P. FERGUSON & D. SENIE, BEST CURRENT PRACTICE 38, NETWORK INGRESS FILTERING: DEFEATING DENIAL OF SERVICE ATTACKS 
WHICH EMPLOY IP SOURCE ADDRESS SPOOFING (2000), available at http://tools.ietf.org/html/bcp38.

8 See F. BAKER AND P. SAVOLA, BEST CURRENT PRACTICE 84, INGRESS FILTERING FOR MULTIHOMED NETWORKS, (2004), available at 
http://tools.ietf.org/html/bcp84.

9 See CSRIC Best Practices, FCC Public Safety and Homeland Security Bureau, 
https://www.fcc.gov/nors/outage/bestpractice/BestPractice.cfm.

10 See Jim Cowie, The New Threat: Targeted Internet Traffic Misdirection, RENESYS BLOG, Nov. 19, 2013, available at 
http://www.renesys.com/2013/11/mitm-internet-hijacking/. According to an Internet security firm that investigated the 
attack, victims included financial institutions, governments, and network service providers in the United States, South 
Korea, Germany, and several other countries. Id. See also Nicole Perlroth, In Cyberattacks on Banks, Evidence of a New 
Weapon, THE NEW YORK TIMES, Oct. 5, 2012, available at 
http://bits.blogs.nytimes.com/2012/10/05/in-cyberattacks-on-banks-evidence-of-a-new-weapon/. See also Mathew



3


J. Schwartz, Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions, INFORMATION WEEK, March 27, 2013, available at 
http://www.informationweek.com/attacks/bank-ddos-attacks-resume-wells-fargo-confirms- disruptions/d/d-id/1109271?.

11 In a Reflective DNS Amplification DDoS attack, an attacker sends multiple requests to multiple open DNS resolvers 
pretending that they are coming from a victim’s IP address. The open DNS resolvers then reply to the victim’s IP 
address with larger packets thus amplifying the attack size. See David Piscitello, Anatomy of a DNS DDoS Amplification 
Attack, WATCHGUARD TECHNOLOGIES, INC., http://www.watchguard.com/infocenter/editorial/41649.asp. See also John Leyden, 
Biggest DDoS Attack in History Hammers Spamhaus, THE REGISTER (March 27, 2013), 
http://www.theregister.co.uk/2013/03/27/spamhaus_ddos_megaflood/; John Markoff and Nicole Perlroth, Firm Is Accused of 
Sending Spam, and Fight Jams Internet, N.Y. TIMES, (March 26, 2013), See also Mathew J. Schwartz, DDoS Attack Hits 400 
Gbit/s, Breaks Record, INFORMATION WEEK (Feb. 11, 2014), available at 
http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d- id/1113787.

12 See remarks of FCC Chairman Tom Wheeler to the American Enterprise Institute, June 12, 2014 available at 
http://www.fcc.gov/document/chairman-wheeler-american-enterprise-institute-washington-dc. Chairman Wheeler stated that 
“the pace of innovation on the Internet is much, much faster than the pace of a notice-and-comment rulemaking” and 
challenged communications providers to create a “new paradigm” of proactive, measurable, accountable, business-driven 
cyber risk management. He cited the “important foundational work” in cybersecurity from CSRIC III that is the subject 
of this Public Notice and announced that “in the coming weeks, we will be seeking information to measure the 
implementation and impact of these industry-defined best practices.”

13 See Remarks of Public Safety and Homeland Security Bureau Chief, Rear Admiral (Ret.) David Simpson to CSRIC IV 
Public Meeting, June 18, 2014, available at http://www.fcc.gov/events/communications-security- 
reliability-and-interoperability-council-iv-meeting-1. Admiral Simpson’s remarks reiterated Chairman Wheeler’s call for 
a “‘new paradigm’ of proactive, measurable, accountable, business-driven risk management for communications security 
and reliability” and further described the “new paradigm” as “a substitute for traditional regulation that is more 
dynamic than complying with rules and more effective than blindly trusting the market. Under this new approach, 
businesses would step up and take responsibility for determining how to manage their risk in a more transparent and 
measurable way that promotes market accountability for cyber risk reduction. The traditional regulatory approach was 
that the FCC would propose a rule, and, after taking in your comments, tell you what you have to do – and, then, we 
would measure whether or not you are doing what we told you to do. The ‘new paradigm’ approach is different, and it is 
more challenging, because if it is going to succeed, it will rely primarily on your action. This is the case both in 
developing best practices and risk management processes in the first place, and then in following through with 
meaningful, measurable, demonstrable implementation.”