HOW TO BEAT FRIED WORMS

The only consistency found in estimates of the financial damage caused by Internet attacks is that they are big — Sobig. Collectively, worms and viruses such as Bagle, Netsky and MyDoom have cost the worldwide economy more than $100 billion in cleanup, equipment and software replacement, and lost productivity. MyDoom alone did $22.6 billion in damage last year, according to London-based security and digital risk management firm mi2g. In its first 24 hours of existence, the Blaster virus racked up approximately $525 million in inoculation costs.

The numbers are staggering, but they're not what motivated a group of ISPs to band together with Microsoft, as they did in February, to form the Global Infrastructure Alliance for Internet Safety. After all, spread out over the globe and divvied up by the enterprise and consumer communities at large, even pain this acute can be absorbed without much collective outcry.

This group of ISPs, including BT, Cox Communications, EarthLink, MSN, NTT Communications, Shaw Communications, Tiscali S.p.A., Wanadoo and Xtra (Telecom New Zealand), was motivated not by short-term economic impact alone, but also by the prospect of long-term erosion of its customer base because of frustration and a lack of confidence.

“The last thing anyone wants is for the Internet to become unusable,” said Jeff Hartley, GIAIS sponsor at Cox Communications.

GIAIS is an alliance built by Microsoft, using primarily Microsoft monetary, personal and technical resources to get it off the ground, but in practice will be a collaborative effort among ISPs to improve incident response to future attacks and eventually turn its attention to preventing them.

“We may host the program, but I shy away from saying we lead the program,” said Bill Stillwell, GIAIS program manager at Microsoft. “We found that ISPs were just looking for Microsoft to facilitate the conversation.”

Stillwell said the Blaster virus' shortened 25-day horizon indicated Microsoft had to do something more than just release patches and rely on its own messaging to communicate the proper action to the community at large. ISPs were asked to join the alliance to develop procedures that would provide consumers with a safer Internet experience. GIAIS members will share information on developing threats, provide feedback to Microsoft to improve support and reduce response time through better coordination, conference bridges, contact points and call trees within each company.

“The sooner we can get information to service providers about specific viruses we see in the wild, the quicker we can come up with strategies not just to solve the problem, but also to slow the propagation,” Stillwell said.

According to analyst firm Gartner, the MyDoom virus reached more than 160 countries, hitting one out of every 10 e-mails sent worldwide.

“Spam and viruses are not something you can fight yourself,” said Linda Beck, executive vice president of operations and information security at EarthLink. “They require us all to be more creative and work across boundaries and find news ways to thwart attacks by combining resources.”

In addition to sharing and improving the flow of timely information, each member will bring a little something to the table in terms of experience. For example: EarthLink is a leader in tracking down and prosecuting spammers across boundaries. “We can prevent them from spamming in any ISP's network, not just EarthLink's,” Beck said.

The company also has developed, using Symantec technology, its own Spam Blocker and Virus Blocker products and is helping to develop cryptographic schemes that prevent spoofing and ensure sender identity across the network.

Cox brings experience dealing with security issues across technologies such as telephony, Internet and video services. The company prides itself on its best practices.

“We have the most fully automated abuse processing system I have seen in the industry,” Hartley said. It's called the Cox Abuse Tracking System and is already being used by three other ISPs, one internationally.

Participants agree that another important component to the alliance is the inclusion of international and multinational providers. One such company is Tiscali, a broadband and narrowband access provider in Cagliari, Italy, that serves 7.8 million Internet (mostly narrowband) customers in 15 European countries plus South Africa.

Tiscali contributes to the group through its ability to gather information from several countries, which last year helped it identify a virus as it moved from Norway to the U.K., then on to France. It also brings its Tiscali International Global Emergency Response (TIGER) team experience to the alliance. It is the company's primary point of contact for disseminating threat or incident information to its engineers in the various geographies.

“I think creating an alliance throughout the Internet industry, and particularly service providers linked up with major software providers, could really be of value to our customers,” said Giorgio Lembo, networks planning manager for Tiscali Corporate.

For Lembo, the alliance couldn't have come too soon. “We were already considering internal countermeasures in terms of security,” Lembo said. “Providing Microsoft a main point of contact in our network operations centers — which are advised by TIGER about security threats in the network — is creating a natural point of communication to the external worlds.”

These ISPs agree that despite the source of the threat, or the cause, customers look to them to solve security problems. “They try to get help from the first people they know. And in all cases, that is the ISP,” Lembo said.

EarthLink's Beck agrees. “Customers can't always tell why their computer is acting the way it is,” she said. As a result, her support team spends a lot of time helping customers clean off their systems in the name of customer satisfaction. One of the goals of GIAIS is to get the right information from Microsoft out to the ISPs so they can educate their customers about a particular new virus or worm in a more timely fashion.

“Customers don't always understand where a virus or worm comes from or how it is caused, so they attribute it to their Internet service,” Beck said.

That's where Beck sees the value of the alliance: “In the early notice.” She said this alliance and others EarthLink is involved in around the world are also the answer to broader issues such as SPAM, identity management and tracking criminals across ISP boundaries. “You can't do that yourself. And the more collaboration you have to solve cross-ISP or cross-country issues, the better,” Beck said.

But it's not always practical, said Cox's Hartley. The prospect of competing ISPs sitting down to discuss sensitive security information with one another in a setting designed by Microsoft had Hartley scratching his chin with skepticism at first. “However, after the first few hours of the kick-off meeting, I found myself sitting shoulder-to-shoulder with people who are otherwise competitors, saying this is a good idea,” Hartley said.

What turned him around? “If there was one take-away from the meeting, it was that I hadn't realized how seriously Microsoft had been taking this whole security makeover,” Hartley said.

He also said the makeup of the alliance gives him confidence it will succeed. “It's a cross-discipline, cross-technology consortium of similarly minded people intelligently discussing and debating ideas in a non-competitive environment,” Hartley said. “The first meeting was extremely productive.”

As for Microsoft, the Alliance will strengthen what Stillwell called its burgeoning OEM relationship with ISPs and make it more like the OEM relationship it has with vendors where the communications are better.

Microsoft hopes to extend GIAIS or similar alliances to other regions of the world. It is hoping that can be accomplished by the regional providers themselves. “Once you get past the biggest ISPs, there are hundreds of them worldwide that would benefit from this type of relationship,” Stillwell said.

Microsoft will deem the effort a success if the number of infected PCs worldwide is ultimately reduced. Short-term success will come, or not, with the next attack. “If there is 100% member participation and every member is able to get the information and content they need to assist in the mitigation of the problem, that will be a measure of success,” Stillwell said.

Ultimately, the two-way information loop is necessary for getting Internet attacks under control. While the operating system most often under attack is Microsoft's, the providers agree that security is everyone's concern. “We are all responsible for our own infrastructure. We have to make sure our mail servers can't be compromised,” Beck said. “Microsoft needs to do the same for their desktop software. They are the ones profiting from it.”

Hartley said it is clear when there is a software problem or a network problem to be fixed. It is also clear when there is a customer action problem that requires education. “So a lot of people may be looking for a scapegoat, but it is an arms race,” he said. “We are all in this together.”