Today, the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) issued their recommendations to the FCC on several issues related to cybersecurity including: DNSSEC implementation practices for ISPs; secure Border Gateway Protocol (BGP) deployment; and botnet remediation. As we noted a few weeks ago, keeping the Internet safe for consumers to browse, transact business and communicate is an important objective not only for AT&T but any other business that operates online.
As the Chairman noted in his statement, finding solutions is going to take participation from more than just ISPs and needs to include entities from across the entire Internet ecosystem. For example, DNSSEC is predicated upon a chain of trust across the Internet. While the DNSSEC report recommends that ISPs make their DNS recursive nameservers DNSSEC-aware, it also recommends that key industry segments such as banking, healthcare and others sign their respective domains and that software developers, such as web-browser developers, study how and when to incorporate DNSSEC validation functions into their software. Also, the botnet report anticipates a significant role for other Internet ecosystem participants, including but not limited to security software vendors, operating system developers, end user-focused organizations and providers of Internet content, applications and services.
AT&T has a long history of working to address both physical and cyber threats and has actively participated in the CSRIC process, including having representation on all three working groups. We view cybersecurity to be a cornerstone of the network management functions that we perform in the United States and worldwide. To that end, AT&T is already fulfilling the recommendations in the reports. However, in our opinion, cybersecurity doesn’t lend itself to a “check the box” approach. For every new solution we put in place, the attackers are already looking for a means to exploit or circumvent those solutions. That is why the Chairman’s statements about the need for continued innovation in cybersecurity are probably the most important part of his message today.
Effectively addressing cybersecurity is going to require the various stakeholders experimenting and innovating with different solutions and learning from one another. We need to avoid an outcome where we publish our playbook for our adversaries and potentially prematurely standardize solutions that may ultimately prove inadequate in addressing the changing cyber threat.
While we are continuing to track industry developments in this space, we need to keep these issues in mind and not lull ourselves into a false sense of security.