Cybercrime prevention principles for internet service providers
Four key principles are proposed for implementation by ISPs to address malicious online activities that affect a large number of consumers. Each principle is considered from the perspective of the challenges it seeks to address, together with demonstrable evidence from service providers on the benefits of implementation. More technical detail on how each principle could be implemented is provided in the recommendations linked to it. An annex details known information-sharing forums which ISPs should consider joining.
Areas for further work are also proposed, in particular the consideration of how governments and the public sector might do more to establish appropriate policy frameworks that would provide the best incentives to ISPs to act securely. Key areas of focus for a second phase of work will include defining roles and responsibilities for securing online ecosystems while ensuring that lines of accountability are clear; ensuring that actions taken are transparent and uphold principles relating to maintaining an open internet; and work to define frameworks which incentivize adoption of best practice in a harmonized manner.
The best-practice principles are intentionally set at a high level to allow them to be easily understood by a senior, non-technical audience. Further details on implementation are provided in recommendations under each principle.
It is recommended that ISPs adopt the following key principles:
- Protect consumers by default from widespread cyberattacks and act collectively with peers to identify and respond to known threats
- Take action to raise awareness and understanding of threats and support consumers in protecting themselves and their networks
- Work more closely with manufacturers and vendors of hardware, software and infrastructure to increase minimum levels of security
- Take action to shore up the security of routing and signalling to reinforce effective defence against attacks
The intention here is not to provide technical guidance on protecting networks or critical infrastructure from external risks – these are dealt with in numerous other fora and guidance. This set of principles focuses on the more strategic actions that the ISPs that have collaborated on this work believe an ISP should be able to take for the purpose of protecting consumers from common online crimes, thereby helping to “clean up” the internet on the whole.