IIA plans amendments to iCode by late September

The Internet industry seeks to update its voluntary cybersecurity best practices, iCode, to better reflect technological trends and also improve education and messaging to Internet users, industry officials said at an Internet Industry Association (IIA) event in Sydney.

IIA aims to issue a plan for amendments to the iCode by the end of September, said IIA deputy chairman, Patrick Fair. Before that, IIA will write recommendations for changes and circulate it to IIA members for feedback. IIA also plans to put the draft recommendations out for review by the larger community, he said.

The Department of Broadband, Communications and the Digital Economy plans to follow IIA with a “broader” review of iCode “toward the end of the year,” said DBCDE assistant secretary for cybersecurity policy, Sabeena Oberoi. The IIA review will be one input into the government’s process, she said.

A strength of iCode is its "flexibility," Oberoi said. "Technology is moving so fast, you don't want to mandate anything."

IPv6 and mobile are among challenges the IIA hopes to tackle in its review of iCode, said Sophos director, Rob Forsyth. IPv6 means a “massive number” of new IP addresses to track, he said. Mobile devices present a challenge because they “wander in” and out of many networks, he said. Another challenge is the “Internet of Things,” which refers to TVs and other previously dumb appliances linking to the Internet, he said.

The Australian Communications and Media Authority also sees mobile as a challenge, said ACMA manager of e-security, Bruce Matthews. Recipients of data about infections “are struggling to correlate that IP address information with their mobile network data,” he said.

Several officials pointed to messaging to customers as another area for improvement in the iCode. “The biggest reaction is confusion,” said Studentnet business manager, Kevin Karp.

Telstra, Optus and Internode officials said their customers often mistake the carriers’ security warnings for scams.

“Our Telstra security branch quite often phones up customers and the customers are so well educated on scams, they say, ‘I don’t believe you’re from Telstra,’” said Telstra principal domain expert, Barrie Hall. Only about one in five Telstra security emails get opened by customers, he added.

Even with better data about security problems, actions are not always taken, said Matthews. ISPs don’t always forward data to customers, or if they do, customers are not taking the recommended action, he said. That’s “a challenge that needs to be looked at more broadly and potentially in the context of the iCode.”

Educating consumers early on may make notification later easier, as well as improve customer response, said Internet Society of Australia executive director, Holly Raiche. Consistent messaging across the industry is also important to improving the effectiveness of notification, she said.

Customers frequently receive conflicting messaging on how to protect their systems, said Optus senior regulatory analyst, Ana Tabacman. For example, Optus now tells customers to set their anti-virus software to automatically update, but in the past told customers not to allow automatic updates to prevent unwanted downloads, she said.

Reviewers of iCode are also rethinking the design of the iCode website, said Tabacman, who serves with Raiche on the IIA iCode Review Taskforce. The site currently greets users with a message saying they have been redirected to the site because his or her computer may be infected. But the taskforce has heard requests for a more general information page to better engage users who have not been redirected but seek information, she said.

Many countries, including the U.S. and Europe, are watching Australia’s iCode, Forsyth said. “We can actually do something in Australia which the rest of the world will follow and it will make a difference.”

Follow Adam Bender on Twitter: @WatchAdam

Follow Computerworld Australia on Twitter: @ComputerworldAU