A scant week after researchers identified a massive botnet made up of hundreds of thousands of Internet-connected devices around the world comes a report from the United States government calling on the industry to change how it develops and secures Internet-connected devices.
The fight against botnets—a network of compromised devices which online adversaries use to carry out powerful attacks—is both an industry-wide challenge and a global issue, said the report, which was jointly released by the Departments of Commerce and Homeland Security. The report is the result of last May’s Executive Order “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” asking for recommendations “to improve the resilience of the internet and communications ecosystem” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
While acknowledging that botnets can also be used to spread malware and carry out other types of fraud, the report focused exclusively on botnets used to launch distributed denial-of-service attacks.
The Department of Commerce chose not to immediately wield the regulatory stick, as regulation can stifle innovation. Instead, the report emphasized marketplace-based solutions to secure computers and Internet-connected devices so that they can’t be hijacked into a botnet, as well as better botnet-fighting technologies. The federal government should “lead by example” to ensure its own devices are protected. By not calling for regulations, Commerce is giving the private sector time to develop solutions for keeping devices secure over the course of their lifetimes and to develop anti-botnet technologies.
“Since they don’t have the ‘how’, they are holding off on regulation, for now,” said Andy Ellis, the CSO of Akamai. The report recognizes that “these are really hard problems we are trying to solve here,” he said.
The 51-page report laid out five overarching goals with 24 action items: working with international and private sector partners to reduce DDoS attacks, utilizing anti-DDoS mitigation tools that are available but not being used effectively, securing devices at all stages of their product lifecycle, boosting education and awareness, and changing market incentives so that developers prioritize building in security over speed-to-market.
The government will work with industry to make these changes, including close collaboration with international partners. As many botnets use devices outside the United States, international cooperation is critical to disrupting their operations. The United States needs to be present, and lead, at relevant international forums to develop international security standards.
The report called on the industry to adopt security baselines for Internet-connected devices such as sensors and cameras, and to encourage secure software development. Many Internet-connected devices have weak security controls or none at all. Many of them cannot be updated when vulnerabilities are found, and others have overly complicated update mechanisms. Too many products are supported for only a short period of time. The industry needs to create market incentives so that manufacturers and developers prioritize these security concerns.
“Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates,” the report said. “Market incentives must be realigned to promote a better balance between security and convenience when developing products.”
The government can help by adopting these baselines and mandating them in federal contracts.
“While federal procurement no longer dominates the market, its buying power and influence is still strong, and the U.S. government can lead by example,” the report said, noting that there can be market incentives for early adopters.
Private sector research and development should expand its work on botnet-fighting technologies, and the government can help by prioritizing R&D funding for that kind of work. R&D in data analytics, machine learning and artificial intelligence is “urgently needed” to fight botnets, the report said.
Considering the White House has eliminated the role of the cybersecurity coordinator, it is not clear who would coordinate within the agencies or manage these public-private partnerships.
The report recommended using commercial off-the-shelf software and enterprise business software for IoT. Since many IoT devices are already based on common operating systems like Linux and are written in the same high-level languages as enterprise software, security features such as changeable passwords and software update mechanisms can be implemented in IoT.
“The fundamentals of secure software can be used to make IoT devices more hardened from attackers,” said Chris Wysopal, CTO and co-founder of CA Veracode.
The market is not helping consumers right now, as they cannot differentiate between secure and insecure products. Market incentives would improve the situation for consumers. The report suggested labelling devices with security information that users can understand, as well as establishing common standards. Wysopal suggested adopting UL’s Secure by Design approach.
While the report balanced broad recommendations and tactical steps for enterprises, there wasn't much guidance for home users and small businesses. Noting that they often don’t even know their devices are part of a botnet, the report suggested improving education and awareness.
“Our ability to give them meaningful and actionable guidance [to small businesses and home users] is still limited,” Ellis said.
The Commerce Department suggested an industry-led effort, in consultation with NIST, academia, and other experts, to develop a CSF [Cyber Security Framework] Profile for Enterprise DDoS Prevention and Mitigation as a follow-on to this report. The profile would provide enterprises a framework to plan how to defend themselves from DDoS attacks and how to develop their strategy. “The CSF Profile would provide guidance to enterprises and establish a common language for discussions regarding DDoS protection mechanisms with product vendors, ISPs, and other infrastructure providers,” the report said.
Developing such a profile “would be a positive outcome of this report,” Ellis said.