Last Friday, the U.S. Departments of Homeland Security and Commerce released a draft White Paper on enhancing the resilience of the Internet against Botnets and Distributed Attacks. They are inviting comments from all stakeholders regarding the issues raised and goals set until February 12, 2018.
The report is in response to an Executive Order from under the Obama administration on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. That order directed the Secretaries of Homeland Security and Commerce to “lead an open and transparent process to identify and promote action by appropriate stakeholders” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
In the last year, botnets have been a major driver of a massive spike in distributed denial-of-service (DDoS) attacks worldwide. Botnets are a network of infected devices remotely controlled by cybercriminals, often without the user’s knowledge. Their collective computing power is then used in DDoS attacks to send massive numbers of requests to the target’s servers until they are forced offline, disrupting business. Botnets and the growing availability of DDoS-for-hire services led to a 91% increase in DDoS attacks on businesses between Q1 and Q3 of 2017 alone, according to a report from Corero Network Security.
A lack of rigorous security software and out-dated devices, accompanied by the increasing number of connected devices available is helping foster conditions for this startling growth in DDoS capability. IoT devices are particularly susceptible to being incorporated into botnets, helping dramatically release the size of DDoS attacks lately, “thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs), and Internet routers,” according to Brian Krebs, cybersecurity journalist (himself the victim of a massive DDoS attack in 2016).
The government draft lays out the “urgent need for coordination and collaboration across a diverse set of stakeholders” and has received input from private industry, academia and civil society. It lays out “five complementary and mutually supportive goals intended to dramatically reduce the threat of automated, distributed attacks and improve the resilience of the ecosystem”. Each goal is accompanied by a set of suggested activities to be taken both by the government and private sector to implement change.
The five goals are:
Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace
Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats
Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior
Goal 4: Build coalitions between the security, infrastructure, and operational technology communities domestically and around the world
Goal 5: Increase awareness and education across the ecosystem
The report also identifies six principal themes in recognizing the challenges faced and opportunities to dramatically reduce threats from automated, distributed attacks. These themes are:
- Automated, distributed attacks are a global problem. Coordination with international partners is essential as most of the compromised devices used in recent botnets have been located outside the U.S.
- Effective tools exist, but are not widely used, for a variety of reasons, including lack of technical knowledge, wanting to keep prices low and insufficient market incentives.
- Products should be secured during all stages of the lifecycle. Many devices are vulnerable even at the initial stage of deployment, let alone that they lack facilities to patch vulnerabilities after discovery.
- Education and awareness is needed among home and business customers to make the ecosystem more resilient by making more secure choices when buying products.
- Market incentives are misaligned (encouraging developers, manufacturers, and vendors to minimize cost and time to market, instead of building in rigorous security or offering effective security updates).
- Automated, distributed attacks are an ecosystem-wide challenge, requiring a collaborative response to their mitigation.
The Consumer Technology Association (CTA) responded to the draft paper with a statement on their website from Gary Shapiro, president and CEO:
“We agree with the report’s findings that botnets and related automated attacks are an ongoing problem, often launched from outside the U.S. Fighting them requires cooperation between the public and private sectors.
The Internet is a critical platform for innovation, job creation, economic growth and technologies that benefit the world. We have welcomed the opportunity to work participate with NTIA, the Department of Commerce and the Department of Homeland Security, other government agencies, and the rest of the technology industry to help ensure make the internet and communications ecosystem a more resilient, collaborative, and secure for people and businesses worldwide—and we look forward to providing additional input on the draft report released today.”
Following the comments period, the National Institute of Standards and Technology (NIST) will hold a workshop to discuss unresolved comments and next steps for the Report. The final White Paper will be submitted to the President on or before May 11, 2018.