The White House today announced a pilot program to be led by the Financial Services Information Sharing and Analysis Center in which ISPs will share data about botnets with financial institutions. ISPs also announced a set of principles for fighting botnets.
This is a positive announcement. You shouldn’t be engaged in online banking if your computer belongs to a botnet and if your ISP knows you’ve been botted, it should tell your bank so you don’t become the victim of cyberthieves.
But why does it take a White House initiative to get this done?
That is the burning question. It’s completely a private exchange; the government is not authorized to join the information sharing loop due to an overbroad privacy provision in current law that punishes ISPs who share information about customers, even botted customers, with the government.
That ACLU gift to hackers is still on the books, and the Obama administration’s threat to veto information sharing bills like CISPA makes it more likely the provision will stay there. So despite this initiative, when a botted customer tries to file tax returns or other confidential information with the government, the IRS — unlike the banks — won’t be able to warn him that his machine is compromised.
Under current law, all the government could do was applaud the sharing, not participate in it. So that’s what it did.