A report on combatting botnets released today by the departments of Commerce and Homeland Security, while largely the same as a draft version issued in January, proposes continued action by the federal government, including a road map for implementing the report’s recommendations and plans for a follow-up report in a year. “This effort will not end with the publication of this report,” it says. “There is much work to do.”
The report, titled “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats,” was developed in response to a May 2017 executive order on strengthening the cybersecurity of federal networks and critical infrastructure (TR Daily, May 11, 2017).
Its conclusions and recommendations are largely the same as a draft version that was issued in January to gather public comment (TR Daily, Jan. 5).
But the final report aims to spur continued action on its recommendations. “The departments of Commerce and Homeland Security, in coordination with industry, civil society, and in consultation with international partners, should be tasked with developing an initial road map with prioritized actions within 120 days after approval of this report,” it says.
“Government and the private sector will work together to ensure that the road map is updated and maintained as stakeholders accomplish the identified actions,” it says.
“Many of the road map actions should be led by an industry sector, academia, or civil society. Identification or establishment of private-sector governance structures for these activities will be a critical factor in sustainability and international acceptance of work products,” it says.
“Where existing bodies are already pursuing related actions, or already represent key communities, they should be encouraged to lead,” it adds. “As communities form to implement these actions, establishing a venue for regular coordination between these communities will be increasingly important.”
“Until a mutually agreed party or parties from the private sector are identified, the federal government will provide a coordination and communication mechanism for continued implementation, and will convene periodic meetings of the relevant parties,” the report says.
“To track progress, the departments of Commerce and Homeland Security will develop a 365-day status update for the president, due one year after the road map’s initial publication. This update will review (1) progress the community as a whole is making against the road map; (2) the impacts of those road map activities; (3) a reassessment of the threat of automated, distributed attacks, including whether the threat is increasing or decreasing, and any known reasons for such a change; and (4) whether any adjustments are required to the road map,” it says.
“Automated and distributed attacks form a threat that reaches beyond any single company or sector,” the report says. “These threats are used for a variety of malicious activities, including distributed denial of service (DDoS) attacks that overwhelm networked resources, sending massive quantities of spam, disseminating keylogger and other malware; ransomware attacks distributed by botnets that hold systems and data hostage; and computational propaganda campaigns that manipulate and intimidate communities through social media.”
The report concludes that automated cyber attacks are a global problem, with most “compromised devices” used in recent attacks located overseas. “To increase the resilience of the Internet and communications ecosystem against these threats, many of which originate outside the United States, we must continue to work closely with international partners,” it says.
It also notes that tools exist to block or mitigate botnet attacks but are not widely used. “The tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, and are routinely applied in selected market sectors,” it says.
“However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives,” it says.
“Market incentives do not currently appear to align with the goal of ‘dramatically reducing threats perpetrated by automated and distributed attacks,’” the report adds. “Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates.”
“Market incentives must be realigned to promote a better balance between security and convenience when developing products,” it says. Different market incentives will be needed for different markets and different types of users and devices, the report indicates. But the federal government, through its purchasing power, can encourage developers of products and services to take security seriously, it says.
“Careful enforcement actions” by the Federal Trade Commission can also create incentives, the report adds. “The FTC has taken action in numerous privacy and security-related cases,” it notes. “By halting and deterring deceptive marketing, the FTC can enhance consumer confidence in security claims by IoT and information technology vendors and support positive market incentives.”
The report generated positive feedback from several outside groups.
“The report’s authors understand the need for consensus and collaboration between industry, society, and government agencies to prevent and mitigate cyber attacks,” said Jonathan Spalter, president and chief executive officer of the U.S. Telecom Association.
“We are particularly pleased the report calls for follow-up coordination with industry and other stakeholders; a transparent and collaborative approach that will forge a smother path – making America safer by protecting our nation’s cyberspace,” Mr. Spalter said in a statement.
Cinnamon Rogers, senior vice president-government affairs at the Telecommunications Industry Association, said TIA was “encouraged by the emphasis the final report places on prioritizing recommended actions and [we] look forward to building on this work with our government partners in the months ahead.”
The Cybersecurity Coalition, a collection of tech companies seeking cybersecurity policy solutions, said it agreed with the findings and recommendations of the botnet report. “Specifically, the coalition was encouraged by the report’s findings that public-private partnerships are critical to addressing the ongoing and growing threat automated, distributed threats present to the global cybersecurity ecosystem,” it said.
“DHS and Commerce put a lot of hard work into this report and the end result is strong,” said Ari Schwartz, the coalition’s executive director. “The Cybersecurity Coalition wishes to thank them for this excellent report and looks forward to partnering with DHS, Commerce, and the White House on the needed public-private partnership for its implementation.”
Julie Kearney, vice president-regulatory affairs at the Consumer Technology Association, said, “For the Internet of Things ecosystem to thwart cyber threats, the Department of Commerce (DoC) and the Department of Homeland Security (DHS) have jointly released a roadmap that gives the industry and government the flexibility to strengthen our country’s cybersecurity. Public-private partnerships will be the vital ingredient needed to mitigate botnets and distributed forms of attack. Both network operators and manufacturers need to work together to address IoT standardization through voluntary standards and increase the awareness and importance of software upgrades to consumers. We thank DoC and DHS for their leadership role in convening private sector input on cybersecurity issues. And in the coming days, CTA looks forward to releasing further details about industry efforts to build on these and other efforts to secure our IoT ecosystem.”– Tom Leithauser, firstname.lastname@example.org