Use STIX to Block Robocalls

Anthony Rutkowski

It is one of those oddities that occurs around Washington from time to time. During the same hour today, the Federal Communications Commission (FCC) was meeting at its downtown headquarters trying to stop robocalls, while a large gathering of government and industry cybersecurity experts was meeting a few miles away at Johns Hopkins Applied Physics Lab, advancing the principal means for threat information sharing, known as STIX. It turns out that STIX may be a perfect match for meeting FCC robocall mitigation objectives.

Structured Threat Information Sharing (STIX) emerged from industry collaboration with the DHS US-CERT as a best-of-breed platform for observing cyber threats, packaging the sighting information, and distributing the bundle in trusted ways to users to stop the threats. The platform was initially perfected by MITRE working closely with several industry groups — especially the financial industry. It captured such a significant cross-section of security communities in the U.S. and internationally that the entire platform was turned over to the standards body OASIS, where it resides today under the aegis of the Cyber Threat Intelligence (CTI) Technical Committee. STIX is now envisioned as the principal platform for implementing both the U.S. Cybersecurity Act and the EU Network Information Security Directive.

As many of the cyber security experts noted, unwanted calls — often with spoofed caller IDs or disguised origins — are a well-known threat faced constantly in dealing with network traffic. It makes effectively no difference whether the traffic is a voice call, text spam, malware, or a DDoS attack. They all represent threats to users and network operators.

Indeed, over the years of Federal agency proceedings and workshops, industry innovators (as opposed to legacy incumbents) have urged reliance on the capture and exchange of robocall threat patterns among providers and end users rather than heavy-handed, complicated governance models. Today, the dichotomy in approaches is posed as "deterministic" (i.e., governance schemes, registrations, certificates, and registry database lookups) versus "probabilistic" (i.e., capturing and exchanging threat signatures).

So the FCC Robocall NOI/NPRM released today will doubtless unleash many thousands of irate complaints about the robocall/spoofed call problem. However, the FCC would be best served by eschewing onerous, deterministic platforms like STIR and SHAKEN with their certificate governance schemes, and relying instead on the more lightweight probabilistic solutions, like STIX, already proven by the cyber security community and agencies. For STIX, robocalls and spoofed calls are simply another threat exchange profile. The latter approach is also more scalable, global, and pro-competitive, encourages greater innovation, and leverages the enormous work within the cyber security community. It also comports with the minimalist approaches favored by policy makers today.

By Anthony Rutkowski, Principal, Netmagic Associates LLC