• by Wendy Davis  @wendyndavis, November 17, 2017

A Democratic lawmaker wants federal agencies to install ad blockers on government computers, unless the online ad industry develops a plan in the next six months to defeat malvertising.

"Although the vast majority of internet advertisements are legitimate, the fact that hostile actors can remotely target and potentially infect the computers of U.S. government employees means that this cyber threat vector can no longer be ignored," Senator Ron Wyden (D-Oregon) says in a letter sent Thursday to Rob Joyce, cybersecurity coordinator at the White House. "Using targeted ads, it is simply far too easy for foreign governments to deliver malicious code directly to the computers of government employees."

He adds that malware "is increasingly delivered through code embedded in seemingly innocuous advertisements online," and that users can become infected without even clicking on ads.

Wyden specifically asks Joyce to begin talks with the "online ad industry" and direct the industry to develop a plan within six months to prevent foreign governments from delivering malvertising to federal computers.

"After 180 days, if you are not completely confident that the advertising industry will effectively address this cyber threat, direct the Department of Homeland Security to issue a Binding Operational Directive requiring federal agencies to block the delivery to employees' computers of all internet ads containing executable computer code," Wyden writes.

The senator doesn't specify which companies or organizations he wants contacted. The letter does not mention the Trustworthy Accountability Group -- an industry organization created by the American Association of Advertising Agencies, Association of National Advertisers and Interactive Advertising Bureau -- that currently works to prevent the spread of malware.

Last year, TAG moved forward with a program that certifies buyers, sellers, and intermediaries in the digital advertising supply chain that have taken steps to combat malware. TAG also recently launched a platform to share malware-related information with other companies and law enforcement agencies.

Mike Zaneis, CEO of TAG, calls Wyden's letter "a little bit out of left field."

"I wouldn't expect it to have legs," Zaneis says, referring to Wyden's proposal. "Having the federal government unilaterally block a $70 billion U.S. industry is a short-sighted approach to what has been a long term, very complex problem."

John Montgomery, executive vice president for brand safety at GroupM Global, adds that computers are more likely to become infected with malware through a link in an email, or interactions on sites carrying pirated content, than from ads on legitimate sites -- particularly when the ads aren't clicked on.

"He's making ads the enemy here," Montgomery says of Wyden. "There are many, many ways a government computer could be infected."

Montgomery also points out that ad-blocking technology is imperfect, especially on mobile devices and social networking sites. He suggests that other measures, including malware detection technology, or restricting access to sites with questionable content, would be more effective than installing ad blockers.

TAG's Zaneis adds that even though the industry can make efforts to combat malware, it's impossible to completely prevent infections. "Malware is not a new issue," he says. "The criminals are really dedicated, and they're proficient, and they have a profit motive."