Home / Blogs

Use STIX to Block Robocalls

It is one of those oddities that occurs around Washington from time to time. During the same hour today, the Federal Communications Commission (FCC) was meeting at its downtown headquarters trying to stop robocalls, while a large gathering of government and industry cybersecurity experts were meeting a few miles away at Johns Hopkins Applied Physics Lab advancing the principal means for threat information sharing known as STIX. It turns out that STIX may be a perfect match for meeting FCC robocall mitigation objectives.

Structured Threat Information Sharing (STIX) emerged from industry collaboration with the DHS US-CERT as a best-of-breed platform for observing cyber threats, packaging the sighting information, and distributing the bundle in trusted ways to users to stop the threats. The platform was initially perfected by MITRE working closely with the several industry groups—especially the financial industry. It captured such a significant cross-section of security communities in the U.S. and internationally that the entire platform was turned over to the standards body OASIS where it resides today under the aegis of the Cyber Threat Intelligence (CTI) Technical Committee. STIX is now envisioned as the principle platform for implementing both the U.S. Cybersecurity Act as well as the EU Network Information Security Directive.

As many of the cyber security experts noted, unwanted calls—often with spoofed caller IDs or disguised origins—are a well-known threat faced constantly in dealing with network traffic. It makes effectively no difference if the traffic is a voice call, text SPAM, malware, or a DDoS attack. They all represent threats to users and network operators.

Indeed, during the course of the years of Federal agency proceedings and workshops, industry innovators (as opposed to legacy incumbents) have urged reliance on the capture and exchange of robocall threat patterns among providers and end users rather than heavy-handed, complicated governance models. Indeed today, the dichotomy in approaches is posed as “deterministic” (i.e., governance schemes, registrations, certificates, and registry database lookups) versus “probabilistic” (i.e., capturing and exchanging threat signatures).

So the FCC Robocall NOI/NPRM released today will doubtlessly unleash many thousands of irate complaints about the robocall/spoofed call problem. However, the FCC would be best served by eschewing onerous, deterministic platforms like STIR and SHAKEN with their certificate governance schemes, and relying instead on the more lightweight and already proven probabilistic solutions of the cyber security community and agencies like STIX. Robo/spoofed calls for STIX are simply another threat exchange profile. The latter approach is also more scalable, global, pro-competitive, encourages greater innovation, and leverages the enormous work within the cyber security community. It also comports with the minimalist approaches favored by policy makers today.

By Anthony Rutkowski, Principal, Netmagic Associates LLC

The author is a leader in many international cybersecurity bodies developing global standards and legal norms over many years.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API