The Federal Communication Commission, working with communications companies including Verizon, Cox, and Comcast, passed a voluntary code on Thursday that spells out the steps participating ISPs must take to combat botnets. Those same companies, along with CenturyLink, AT&T, Sprint, and Time Warner Cable, have already committed to follow the code, comprising a customer base that accounts for at least half of all US-based Internet subscribers.

ISPs agreeing to abide by the code must "take meaningful action" in each of the following areas: education, detection, notification, remediation, and collaboration. Detection, for example, would require the provider to "identify botnet activity in the ISP’s network, obtain information on botnet activity in the ISP’s network, or enable end-users to self-determine potential bot infections on their end-user devices." Those who follow the code are added to a kind of "safe list" maintained by the FCC.

The measure was drafted by a working group of the FCC's third Communications Security, Reliability and Interoperability Council. A report (PDF) issued by the working group said benefits of following the code included fewer calls to help desks from customers with infected machines, reduced upstream bandwidth consumption from denial-of-service attacks and spam, increased customer goodwill, and a drop in spam-related complaints from other ISPs. Compliance requires participants to "share with other ISPs feedback and experience learned from the participating ISP’s Code activities."

"It's got a pretty good prospect of being widely adopted," Michael O'Reirdan, who is chair of the FCC’s CSRIC Working Group 7, told Ars. "It is in the interests of ISPs to do so. It benefits them to keep their networks free of malware. We are codifying to some extent what they've done already."

The code of conduct was forged by the FCC's Working Group 7 in collaboration with industry security specialists under the Messaging, Malware and Mobile Anti-Abuse Working Group, which O'Reirdan also chairs.

"The obstacle I foresee," he added, "is fear of additional costs." One element of the code is a notification requirement to let users know when they're infected by a bot. "Some ISPs are scared of additional calls to call centers after notification." This has not happened, however, to companies who have already instituted this aspect of the code, he said.