Revisiting the Cybercrime Prevention Principles for Internet Service Providers

In the everyday operational world of making sure that network services are up and running correctly, that bits are flowing to and from customers, and that business is growing, it can be easy to lose sight of the fact that On the Internet, no network is an island. If one has an issue, it can easily propagate to others, whether that is a routing problem, or DDoS, or an IoT attack.

Functionally, the Internet is a network of networks, but, also, practically. It works better when network operators collaborate to identify and address problems, especially security issues.

In January 2020, the World Economic Forum (WEF) published the Cybercrime Prevention Principles for Internet Service Providers, put together through the efforts of several leading organizations in networking and cybersecurity, including BT and the Global Cyber Alliance (GCA).

Although some of the principles of that document focus on how to better serve Internet Service Providers (ISP) customers, it also includes specific recommendations to improve the overall level of security in networks, and the Internet as a whole, as well. The publication identifies four key principles for improving efforts to prevent cybercrime, discussed below.

Principle I
Protect consumers by default from widespread cyberattacks and act collectively with peers to identify and respond to known threats

Network operators have the best view of the traffic in their networks, and the best likelihood of detecting negative patterns— whether they correspond to excessive traffic (DDoS), spam, or even some level of phishing (by reviewing DNS resolution logs). If you care to take action, then there are resources available (MISPs and others) for determining what suspicious activities might be occurring in your network, and potentially put a stop to them.

Of course, you have to be careful— early efforts to block the prevalence of spam led to the widespread blocking of port 25 (SMTP), when there were actually legitimate use cases for it, and it actually did little to address the spam problem.

You can also share information about what you see in your network. At GCA, we have AIDE, a global IoT honeyfarm that has been tracking attacks on IoT devices for three years. Are you curious to see if some of those attacks are originating in your networks? How would you know? (Hopefully, no-one from any of the networks that house the five IP addresses that have attacked us every single day for the last three years is reading this 😉.)

Principle II
Take action to raise awareness and understanding of threats and support consumers in protecting themselves and their networks

People are less likely today to click on random links in e-mail, but it still helps to remind them why they need to be careful. And it is important to deploy updated infrastructure standards, especially for e-mail.

For example, using DMARC to validate inbound messages is important. If the World Health Organization (WHO) has identified which mail servers are authorized to send mail from the domain, and you get a message from that domain that is not from one of those mail servers— do you think it is likely to be legitimate? What do you think you should do with it? (Hint: DMARC policies will tell you what WHO wants done with it 😁.)

Principle III
Work more closely with manufacturers and vendors of hardware, software, and infrastructure to increase minimum levels of security

I have often heard network operators express the sentiment that they are at the mercy of what vendors will give them. This is another area where collaborating with other network operators can be helpful— in identifying key features for workable routing security, for example, and getting them into routers.

There are venues for having those conversations, such as at network operator groups, within the context of the Internet Society’s MANRS community, and so on.

And, if you are supplying Customer Premise Equipment (CPE), you have buying power to ensure that base security features are properly addressed.­ (No default passwords. Just don’t do it. Ever. 🤨)

Principle IV
Take action to shore up the security of routing and signalling to reinforce effective defence against attacks

I alluded to the MANRS effort above. The Mutually Agreed Norms for Routing Security initiative captures how operators believe they can best work to secure the routing system.

No single operator can have secure routing unless all operators are careful with their routing announcements. Clearly, sometimes routing incidents are self-inflicted (like the recent multihour outage at Facebook), but we live in an age where it is imperative that traffic gets to where it needs to go (without outages) and does not take a sightseeing trip (through malicious networks) to get there.


The whole WEF report is worthy of a read, to understand just how much ISPs can help foster a more secure and trustworthy Internet— for their customers, as well as other networks sharing the globe.


The author, Leslie Daigle, is the Chief Technical Officer and the Director of the Internet Integrity Program at the Global Cyber Alliance. You can follow her on Twitter or connect with her on LinkedIn.

This post is a summary of the presentation offered by Leslie Daigle on the Cybercrime Prevention Principles for Internet Service Providers at the LAC-ISP meeting last October 19, 2021.