DHS, Commerce Department Identify How to Respond to Botnets

Presented by FedTech

The report calls on agencies to boost Internet of Things security and find ways to guard against federal networks being used in distributed denial of service attacks.

The federal government should lead by example in helping the private sector respond to the cybersecurity threat posed by botnets, according to a recent report produced by the Homeland Security Department and Commerce Department.

Botnets, SearchSecurity notes, are “a collection of internet-connected devices, which may include PCs, servers, mobile devices and Internet of Things devices that are infected and controlled by a common type of malware.” Botnets have the potential to wreak havoc. For example, in 2016, the Mirai botnet took control of large numbers of Internet of Things devices and used them to launch a massive distributed denial of service (DDoS) attack against domain name system provider Dyn, temporarily taking down many key internet services with it.

The draft report, released earlier this month, was requested in President Donald Trump’s May 2017 cybersecurity executive order. The report identifies six key themes related to botnets, including:

  1. Automated, distributed attacks are a global problem.

  2. Effective tools exist but are not widely used.

  3. Products should be secured during all stages of the lifecycle.

  4. Education and awareness are needed.

  5. Market incentives are misaligned.

  6. Automated, distributed attacks are an ecosystemwide challenge.

The Threat Botnets Pose

“Botnets represent a systemwide threat that no single stakeholder, not even the federal government, can address alone,” Walter Copan, director of the National Institute of Standards and Technology, an arm of the Commerce Department, says in a statement. “The report recommends a comprehensive way for the public and private sectors, as well as our international partners, to work together and strengthen our defenses.”

The two departments also identify five goals for the public and private sector to achieve that would “dramatically reduce the threat of automated, distributed attacks and improve the resilience of the ecosystem.” The goals are:

  1. Identify a clear pathway toward an adaptable, sustainable and secure technology marketplace

  2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats

  3. Promote innovation at the edge of the network to prevent, detect and mitigate bad behavior

  4. Build coalitions between the security, infrastructure and operational technology communities domestically and around the world

  5. Increase awareness and education across the ecosystem.

For the federal government, the report recommends establishing security guidelines for government IoT devices, putting in place basic DDoS prevention and mitigation measures, and securing software tools.

How Agencies Can Defend Against Botnets

Private sector technology companies should be incentivized to enhance the security of their products, the report says. The report recommends that efforts be made to “establish broadly accepted baseline security profiles for IoT devices in home and industrial applications, and promote international adoption through bilateral arrangements and the use of international standards.”

The government should “accelerate this process by adopting baseline security profiles for IoT devices in U.S. government environments,” the report notes. Once that is done, the government “should establish procurement guidelines to provide market incentives for early adopters.”

Many IoT product vendors have expressed desire to enhance the security of their products, according to the report, “but are concerned that market incentives are heavily weighted toward cost and time to market” and that “without evidence that customers will absorb the additional cost to develop more secure products, the industry continues a race to the bottom.”

The government’s buying power remains strong, and it can lead by example by developing compliance guidelines for federal procurement actions based on the baseline security profiles for IoT devices. The Office of Management and Budget, General Services Administration and Defense Department can “facilitate these procurement requirements through policy and modifications to the GSA schedule and federal acquisition regulations,” the report recommends.

It also suggests that interested stakeholders in industry and academia should work with NIST to create a “Cybersecurity Framework Profile for Enterprise DDoS Prevention and Mitigation.” Such a profile would “focus on the desired state of organizational cybersecurity to mitigate DDoS attacks.”

After that is published, the government should “implement basic DDoS prevention and mitigation measures for all networks operated by or on behalf of departments and agencies to enhance the resilience of the ecosystem and demonstrate practicality and efficacy of the profile,” the report says.

Federal networks have been abused as reflectors in past DDoS attacks, the report notes, adding that “hackers have leveraged open resolvers and other agency resources to amplify their attacks.” An open resolver is a DNS server that answers recursive queries from any source; an attacker sends it small queries with the victim’s address forged as the source, and the much larger responses are delivered to the victim from the agency’s own address space.

Therefore, the government should work to ensure that “federal resources are not unwitting participants and that federal networks are prepared to detect, mitigate and respond as necessary.”
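One concrete way an agency can check whether its resolvers are already “unwitting participants” is to look for the reflection pattern in the resolver’s own query logs: recursive queries arriving from outside the agency’s address space, repeated requests for response types that amplify well (ANY, TXT, DNSKEY), and a source port of 53, which is what a spoofed victim address typically shows up as. The script below is an added example and is not code from the report, from FedTech or from any resolver vendor. The log lines are constructed to mimic BIND 9’s `queries` log category, and the internal prefix (192.0.2.0/24) and the threshold of three amplifying queries are assumptions for the demonstration; adjust the regular expression for other resolvers.

```python
"""Detect DNS reflection/amplification abuse of a recursive resolver from its query log.

Added example; not code from the DHS/Commerce report or from FedTech.
The log lines below are constructed to mimic BIND 9's "queries" category
format; the internal prefixes and thresholds are assumptions for this demo.
"""
import ipaddress
import re
from collections import defaultdict

# Query types that produce large responses and are the usual amplification lever.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# BIND 9 query-log line, e.g.
#   client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E(0) (198.51.100.53)
# The first flag character is '+' when recursion was requested (RD bit set).
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[0-9a-fA-F.:]+)\)"
)

# Constructed sample: one internal client, one external client probing for
# open recursion, and one external "client" that is really a spoofed victim
# address hammering ANY queries with source port 53.
SAMPLE_LOG = """\
12-Jun-2018 10:00:01.101 queries: info: client 192.0.2.10#4455 (www.example.gov): query: www.example.gov IN A + (198.51.100.53)
12-Jun-2018 10:00:01.105 queries: info: client 192.0.2.10#4456 (example.gov): query: example.gov IN TXT + (198.51.100.53)
12-Jun-2018 10:00:01.110 queries: info: client 198.51.100.200#61001 (www.example.com): query: www.example.com IN A + (198.51.100.53)
12-Jun-2018 10:00:01.120 queries: info: client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E(0) (198.51.100.53)
12-Jun-2018 10:00:01.121 queries: info: client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E(0) (198.51.100.53)
12-Jun-2018 10:00:01.122 queries: info: client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E(0) (198.51.100.53)
12-Jun-2018 10:00:01.123 queries: info: client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E(0) (198.51.100.53)
12-Jun-2018 10:00:01.130 queries: info: client 192.0.2.11#5000 (example.gov): query: example.gov IN DNSKEY - (198.51.100.53)
this line is not a query-log entry and is skipped
"""

INTERNAL_NETS = ["192.0.2.0/24"]  # assumed: the agency's own address space


def parse_line(line):
    """Return a dict for a BIND query-log line, or None if it doesn't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["rd"] = rec["flags"].startswith("+")  # recursion desired
    return rec


def analyze(log_text, internal_nets=INTERNAL_NETS, amp_threshold=3):
    """Summarise who uses the resolver from outside and who looks like a
    reflection victim (repeated amplifying queries from an external address).

    Returns a dict with:
      external_recursion:     {client_ip: count} of RD queries from outside
      amplification_suspects: external clients at or above amp_threshold
      amplifying_port53:      suspects whose source port is 53 (classic spoof)
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    external_recursion = defaultdict(int)
    amp_queries = defaultdict(int)
    port53 = set()

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in n for n in nets):
            continue  # the resolver is meant to serve these clients
        if rec["rd"]:
            external_recursion[rec["ip"]] += 1
        if rec["qtype"] in AMPLIFYING_QTYPES:
            amp_queries[rec["ip"]] += 1
            if rec["port"] == 53:
                port53.add(rec["ip"])

    suspects = sorted(c for c, n in amp_queries.items() if n >= amp_threshold)
    return {
        "external_recursion": dict(external_recursion),
        "amplification_suspects": suspects,
        "amplifying_port53": sorted(c for c in suspects if c in port53),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    if result["external_recursion"]:
        print("resolver answers recursive queries from outside:", result["external_recursion"])
    for victim in result["amplification_suspects"]:
        print(f"likely reflection target (spoofed source): {victim}")
```

Any non-empty `external_recursion` result means the resolver is open, whether or not an attack is under way; the fix belongs on the resolver, not in the log parser. In BIND that is restricting `allow-recursion` to the internal prefixes and turning on the `rate-limit` (response rate limiting) block, with the same change applied to any other UDP service the report’s “other agency resources” phrase covers, such as NTP `monlist` or open SNMP.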

DHS and the Commerce Dept. recommend that the administration “mandate implementation of the ‘Federal CSF Profile for DDoS Prevention and Mitigation’ by all government agencies within a fixed period after completion and publication of the profile.”

Finally, the report says the government should enhance the security of the software it uses. Agencies “should evaluate and implement effective ways to mandate the use of software development tools and processes that significantly reduce the incidence of security vulnerabilities in all federal software procurements, such as through certification requirements.”

To establish market incentives for secure software development, the government should “establish procurement regulations that favor or require commercial off-the-shelf software developed using such processes, when available.” Additionally, the report says the government “should also ensure that internal software development projects use the best available tools to obtain insight into the impact of these regulations.”

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.
