1. Working Group 7: Botnet Remediation Status Update September 12, 2012 Michael O’Reirdan (MAAWG) - Chair Peter Fonash (DHS) – Vice-Chair

2. 2 WG 7 Objectives Working Group 7 – Botnet Remediation Description: This Working Group will review the efforts undertaken within the international community, such as the Australian Internet Industry Code of Practice, and among domestic stakeholder groups, such as IETF and the Messaging Anti-Abuse Working Group, for applicability to U.S. ISPs. Building on the work of CSRIC II Working Group 8 ISP Network Protection Practices, the Botnet Remediation Working Group shall propose a set of agreed-upon voluntary practices that would constitute the framework for an opt-in implementation model for ISPs. The Working Group will propose a method for ISPs to express their intent to op-into the framework proposed by the Working Group. The Working Group will also identify potential ISP implementation obstacles to the newly drafted Botnet Remediation business practices and identify steps the FCC can take that may help overcome these obstacles. Finally, the Working Group shall identify performance metrics to evaluate the effectiveness of the ISP Botnet Remediation Business Practices at curbing the spread of botnet infections.

3. 3 WG 7 Members NameOrganization Michael O'Reirdan (Chair)MAAWG Peter Fonash (Vice Chair)DHS Robert Thornberry (Editor)Alcatel-Lucent Uma ChandrashekharAlcatel-Lucent Michael Little Applied Communication Sciences Alex BobotekAT&T John DenningBank of Amer. Neil Schwartzman (Secretary)CAUCE Chris LewisCAUCE Michael GlennCenturyLink Paul Diamond (Editor)CenturyLink Jay OppermanComcast Matt CarothersCox NameOrganization Gunter OllmannDamballa Brian DoneDHS Daniel BrightEMC Inc Mats Nilsson Ericsson Kurian JacobFCC Vern MosleyFCC Bill McInnisIID Chris SillsIID Tim RohrbaughIntersections Barry GreeneISC Merike KaeoISC Ed WhiteMcAfee Kevin SullivanMicrosoft Jon BoyensNIST Craig SpiezleOTA Bill SmithPayPal Gabe IovinoREN-ISAC NameOrganization Johannes UllrichSANS Institute Adam O'DonnellSourcefire Alfred HugerSourcefire Greg HolzapfelSprint James HolgersonSprint Michael FiumanoSprint Kevin FrankSprint Maxim WeinsteinStopBadware Patrick GardnerSymantec Tice MorganT-Mobile John GriffinTCS Chris RoosenraadTWC Joe St Sauver (Glossary) Univ of Oregon/Internet 2 Robert MayerUSTelecom Assoc. Eric OsterweilVerisign John St. ClairVerizon Timothy VogelVerizon

4. 4 Work Plan Phase 1: Produce initial Code of Conduct Phase 2: Identify Barriers to Code Participation Phase 3: Develop Bot Metrics

5. 5 Status Phase 1: U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs) completed – ISPs representing 86% of the U.S. residential subscriber market are either currently participating, or have agreed to participate, in the Code – Efforts underway to outreach to the smaller ISPs to increase awareness and participation

6. 6 Phase 2: Barriers to Code Participation – Identified five dimensions that can represent obstacles, in various degrees, depending upon individual guidelines: Technology Consumer/Markets Operations Legal/Regulatory Financial – Working Group members are providing substantive input as part of a worksheet matrix that will evolve over time as additional implementation guidance is identified and proven effective Status (Cont.)

7. 7 Phase 2: Barriers to Code Participation (Cont.) – Lower threshold initiatives will be identified in the December Final Report which should provide mid- and small- size ISPs greater latitude to adopt selected guidelines – December Final Report will include Barriers Worksheet Matrix along with a snap-shot of current information – On-going analysis of the barriers may be the basis for an IETF RFC Status (Cont.)

8. 8 Phase 3: Bot Metrics – In the process of querying ISPs to identify performance metrics to evaluate the effectiveness of following the voluntary U.S. Anti-Bot Code of Conduct for ISPs at curbing the spread of botnet infections – Encountering extreme challenges: Most ISPs are reluctant to share, are collecting information in different ways, and the information is not comparable from one company to the next Australian iCode is only now starting work on developing metrics after two years of operation Likely outcome is a work plan for developing metrics Status (Cont.)

9. WG7 Effort is Part of Multi-Stakeholder Approach to Cybersecurity ISPs End Users App Dev. AV Vendors Platform Vendors e-Commerce Orgs. Critical Infra. OS Vendors Enterprises Int’l Partners Research Inst. Gov’t D/As Regulators Web Hosts Content Providers Privacy Advocates ISPs are in a position to detect botnets operating within their networks and notify end-users of suspected bot infections Other members of the Internet ecosystem have equally important roles to fulfill A multi-stakeholder approach is necessary in order to fully combat the botnet threat 9

10. 10 Next Steps Continue Phase 2 - Identification of Barriers to Code Participation Continue Phase 3 – Identification of Bot Metrics Deliver Final Report on Anti-Bot Code of Conduct - Barriers and Metrics – in December 2012