DHS, Commerce Department Identify How to Respond to Botnets

The federal government should lead by example in helping the private sector respond to the cybersecurity threat posed by botnets, according to a recent report produced by the Homeland Security Department and Commerce Department.

Botnets, SearchSecurity notes, are “a collection of internet-connected devices, which may include PCs, servers, mobile devices and Internet of Things devices that are infected and controlled by a common type of malware.” Botnets have the potential to wreak havoc. For example, in 2016, the Mirai botnet was used to take control of Internet of Things devices and launch a massive distributed denial of service (DDoS) attack that hit domain name system provider Dyn, temporarily taking down many key internet services with it.

The draft report, released earlier this month, was requested in President Donald Trump’s May 2017 cybersecurity executive order. The report identifies six key themes related to botnets, including:

1. Automated, distributed attacks are a global problem.

2. Effective tools exist but are not widely used.

3. Products should be secured during all stages of the lifecycle.

4. Education and awareness are needed.

5. Market incentives are misaligned.

6. Automated, distributed attacks are an ecosystemwide challenge.

The Threat Botnets Pose

“Botnets represent a systemwide threat that no single stakeholder, not even the federal government, can address alone,” Walter Copan, director of the National Institute of Standards and Technology, an arm of the Commerce Department, says in a statement. “The report recommends a comprehensive way for the public and private sectors, as well as our international partners, to work together and strengthen our defenses.”

The two departments also identify five goals for the public and private sector to achieve that would “dramatically reduce the threat of automated, distributed attacks and improve the resilience of the ecosystem.” The goals are:

1. Identify a clear pathway toward an adaptable, sustainable and secure technology marketplace

2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats

3. Promote innovation at the edge of the network to prevent, detect and mitigate bad behavior

4. Build coalitions between the security, infrastructure and operational technology communities domestically and around the world

5. Increase awareness and education across the ecosystem.

For the federal government, the report recommends establishing security guidelines for government IoT devices, putting in place basic DDoS prevention and mitigation measures, and securing software tools.

How Agencies Can Defend Against Botnets

Private sector technology companies should be incentivized to enhance the security of their products, the report says. The report recommends that efforts be made to “establish broadly accepted baseline security profiles for IoT devices in home and industrial applications, and promote international adoption through bilateral arrangements and the use of international standards.”

The government should “accelerate this process by adopting baseline security profiles for IoT devices in U.S. government environments,” the report notes. Once that is done, the government “should establish procurement guidelines to provide market incentives for early adopters.”

Many IoT product vendors have expressed desire to enhance the security of their products, according to the report, “but are concerned that market incentives are heavily weighted toward cost and time to market” and that “without evidence that customers will absorb the additional cost to develop more secure products, the industry continues a race to the bottom.”

The government’s buying power is still strong and agencies can be led by example via the development of compliance guidelines for federal procurement actions based on the baseline security profiles for IoT devices. The Office of Management and Budget, General Services Administration and Defense Department can “facilitate these procurement requirements through policy and modifications to the GSA schedule and federal acquisition regulations,” the report recommends.

It also suggests that interested stakeholders in industry and academia should work with NIST to create a “Cybersecurity Framework Profile for Enterprise DDoS Prevention and Mitigation.” Such a profile would “focus on the desired state of organizational cybersecurity to mitigate DDoS attacks.”

After that is published, the government should “implement basic DDoS prevention and mitigation measures for all networks operated by or on behalf of departments and agencies to enhance the resilience of the ecosystem and demonstrate practicality and efficacy of the profile,” the report says.

Federal networks have been used in the past to launch DDoS attacks, the report notes, adding that “hackers have leveraged open resolvers and other agency resources to amplify their attacks.”

Therefore, the government should work to ensure that “federal resources are not unwitting participants and that federal networks are prepared to detect, mitigate and respond as necessary.”

DHS and the Commerce Dept. recommend that the administration “mandate implementation of the ‘Federal CSF Profile for DDoS Prevention and Mitigation’ by all government agencies within a fixed period after completion and publication of the profile.”

Finally, the report says the government should enhance the security of the software it uses. Agencies “should evaluate and implement effective ways to mandate the use of software development tools and processes that significantly reduce the incidence of security vulnerabilities in all federal software procurements, such as through certification requirements.”

To establish market incentives for secure software development, the government should “establish procurement regulations that favor or require commercial off-the-shelf software developed using such processes, when available.” Additionally, the report says the government “should also ensure that internal software development projects use the best available tools to obtain insight into the impact of these regulations.”

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.