ISPs can help thwart DDoS attacks, but authorities may be lacking

Distributed denial-of-service attacks like the one that recently hit internet infrastructure company Dyn are effective because internet service providers don't have a legal framework to block apparently legitimate traffic overloads, experts say.

Robert Mayer, vice president of industry and state affairs at the U.S. Telecom Association, said telecommunications carriers were ready to engage with the Department of Homeland Security about possibly blocking suspect traffic. However, such defensive measures could pose a legal problem because providers don't have liability protections and are obligated by law to continue service, he added during a panel discussion at the National Cybersecurity Institute on Nov. 8.

Ultimately, Mayer said DHS did not ask telecom carriers to help stem the attack on Dyn, which provides services that undergird other internet-based companies, such as PayPal, Twitter and Reddit.

If they had gotten involved, telecom carriers' lawyers would have had to ensure that they did not violate laws that require them to keep their communications lines open, Mayer added. And Mary Ellen Seale, founder and CEO of the National Cybersecurity Society, said taking defensive measures "would have blocked routers that [carriers] are required to keep open."

That is one of the complex details that must be addressed as the private sector and the government share more and more information, according to the panelists.

Their remarks echoed those of Commerce Secretary Penny Pritzker. In a speech in September, she called for a strengthened legal framework to protect companies when they share information about cyber risks.

"Yet even as companies and agencies begin speaking the same language of cyber risk, we are not yet having truly candid, actionable conversations because we lack the legal support structure necessary for doing so," Pritzker said in her speech.

Some liability protections were enshrined in law under the Cybersecurity Information Sharing Act, which passed as part of the 2016 omnibus spending bill, but she argued that when companies are under cyberattack, they do not immediately turn to the government for help.

Mayer and Seale agreed that sharing information between the government and private sector is critical to preventing or blunting cyberattacks.

Emerging Information Sharing and Analysis Organizations, which are non-critical infrastructure versions of the Information Sharing and Analysis Centers, can be key players in sharing threat information more widely in the private sector, Seale said.

Best practices, the National Institute of Standards and Technology's Cybersecurity Framework and other shared resources are also essential to cementing public/private partnerships that can protect against cyberattacks and intrusions, said Vern Mosley, senior cybersecurity engineer at the Federal Communications Commission.

"We don't hear when things go right," he said, and the telecom carriers that the FCC regulates don't advertise the thousands of attacks they stop every day. "That is valuable information," he added.

Companies don't wait for the government to respond to attacks, and Mosley said their collaboration, including during the attack on Dyn, is one of the most dynamic protections against cyberattacks that the country has. He added that the response to the Dyn attack gave him great confidence in the ability of the private sector to neutralize threats.