The long-awaited botnet report from the Commerce and Homeland Security departments paint government as a facilitator, not a leader in the fight.
The federal government should “lead by example” when it comes to ensuring its computers and internet-linked devices aren’t hijacked by botnets, but industry should take the lead in determining just how those devices should be secured, according to a report released Wednesday.
The report from the Homeland Security and Commerce departments stops short of recommending specific new regulations to counter botnets or tasking the government with developing major counter-botnet strategies.
Instead, government should play an instigating role, the report states.
For example, government should urge industry to adopt security baselines for internet-connected devices, such as sensors and cameras, and then incentivize device builders to adopt those baselines by mandating them for federal agencies and in federal contracts.
The government should similarly use federal contract requirements to incentivize more secure and resilient methods of software building, the report states.
“Without evidence that customers will absorb the additional cost to develop more secure products, the industry may be incentivized toward a race to the bottom,” the report states.
“While federal procurement no longer dominates the market, its buying power and influence is still strong, and the U.S. government can lead by example … [and] establish market incentives for early adopters,” the report continues.
The report does urge federal agencies to use existing regulatory tools to make internet-connected devices more resilient against botnets, such as by targeting deceptive advertising about products’ security.
The authors warn, however, that “due to the complexity and diversity across the [internet of things] landscape, it is difficult to envision a set of one-size-fits-all rules that could ensure security while keeping pace with the rate of change.”
The long-awaited report was mandated by President Donald Trump’s May 2017 cybersecurity executive order, which came out about six months after the massive Mirai botnet left numerous major websites inaccessible, including Netflix and The New York Times. Mirai was powered largely by internet-of-things devices.
Botnets are essentially armies of thousands of zombie computers and devices that have been compromised by malware. Those devices are then used to overwhelm websites’ ability to function in a process known as a distributed denial-of-service attack.
Because the botnet only steals a portion of each device’s digital power, the rightful owner is often unaware that her device has been compromised.
Commerce and Homeland Security issued a draft version of the report in January.
The report is divided into five overarching goals with 24 action items. Many of those action items are described as industry’s responsibility with government helping to facilitate, incentivize and convene.
Homeland Security and Commerce should draw up a roadmap outlining specific plans for the government’s role within three months, the report suggests. Those agencies should then brief the president on how the road map is faring one year later.
“As the world becomes more interconnected, it also becomes more difficult to secure, and our work … will help the department confront this challenge,” Homeland Security Secretary Kirstjen Nielsen said in a statement.
Among the actions items, the government should:
- Champion industry efforts to create nutrition-style security labels for commercial and industrial internet-of-things devices.
- Help improve cyber information sharing within the private sector and between industry and government.
- Devote more research and development money to counter-botnet research.
- Urge industry to make the security of commercial internet-of-things devices easier to understand and implement.