Every day, it seems like there is yet another news story about some form of cyberattack. Whether it be a consumer data breach or an attempt by a nation state to compromise U.S. critical infrastructure and systems, it can feel like we are under siege. Well, we kind of are. And, as we become more technologically interconnected, such as with the Internet of Things (IoT), the cyber threats are only going to increase. So, what should we do? Since cybersecurity is an issue the entire internet ecosystem is grappling with, all stakeholders need to play their part – from industry to the halls of Congress. By working together, we can successfully tackle and, ideally, help prevent these threats.
In May, the White House issued an Executive Order (EO) on cybersecurity that builds upon many prior government and industry initiatives. It broadly covers the cybersecurity of federal networks, critical infrastructure and the nation. Federal agencies are hard at work implementing the EO, which encourages government collaboration with industry, strengthening the deterrence posture of the U.S. and international coalitions, and building a stronger cyber workforce in the U.S. A major focus of the EO is reducing the risk and impact of automated or distributed forms of attack (i.e., botnets) and improving the overall resiliency of the internet and communications infrastructure.
In addition to the EO, the Administration tasked the National Security Telecommunications Advisory Council (NSTAC), a Federal advisory body to the President on issues related to national security and emergency preparedness, with developing a report on internet and communications resilience focused on mitigating botnets and distributed forms of attack. I recently had the privilege to lead the subcommittee tasked with developing this report on behalf of the NSTAC.
The report is expected to be finalized later this month, but I would like to highlight a few of the key lessons learned in drafting the report. These lessons relate to botnets specifically as well as the broader cybersecurity challenge:
- A greater sense of urgency is required. The threat is only going to grow as devices increase and become more autonomous, capable and ubiquitous. Every part of the ecosystem must make a greater effort to get in front of these threats.
- Public-private partnerships are vital to mitigating the threats. The majority of critical infrastructure in the U.S. is owned by the private sector, thus managing this problem depends upon public-private partnerships between government and private industry.
- Solutions depend upon every part of the internet ecosystem. No single segment can solve this issue alone.
- Unclear international norms complicate the problem.
The NSTAC report offers several recommendations. A critical recommendation is that industry must accelerate the adoption of industry standards across the ecosystem within networks, IoT devices, enterprises, and software and applications. A wide variety of standards have been developed, but implementation and adoption are inconsistent. Increasing adoption of commonsense security practices, while not solving the problem, will at a minimum make it more difficult for attackers. Both industry and the government must also focus on commonly accepted international standards. For example, in the recent Mirai botnet, a large volume of the attack traffic originated outside the U.S. There needs to be a common approach internationally to these issues given that cyberattacks are, by definition, not confined to geographic boundaries.
Further, industry cannot be entirely reliant upon entities adopting standards and best practices, or upon end users, to secure the IoT environment. More solutions at both the network and application layers, abstracted from the device or end user, are required to manage security. Fortunately, there is growing innovation in that space, which needs to continue. Enterprises also need to adapt their environment to be more inherently resilient, leveraging technologies such as virtualization and the cloud.
The report also offers recommendations for government. One observation is that botnet takedown efforts have proven to be at least somewhat successful in mitigating the impact of botnets and should be expanded. The government can also set an example by improving the security of federal networks. There is also a need to harmonize security requirements at the federal and state level. Internationally, the U.S. should develop a comprehensive standards engagement strategy to explore policies that can at least raise the cost for cyber attackers.
While NSTAC has been working on its report, the U.S. Commerce Department’s National Telecommunications & Information Administration (NTIA) published a Request for Comment (RFC) on promoting stakeholder action against botnets and other automated attacks with a preliminary report due in December and a final report expected in the first half of 2018. And Commerce’s National Institute of Standards and Technology (NIST) conducted a botnet workshop in July.
Members of Congress are also actively considering these issues, and we have seen legislation introduced around IoT security, vulnerability disclosure, DHS’ role in cybersecurity and other emerging issues.
Earlier this month, AT&T hosted a cybersecurity event to explore these issues in more detail. The program featured remarks from AT&T Senior Vice President and Chief Security Officer Bill O’Hern, as well as Jeanette Manfra, Assistant Secretary, Office of Cybersecurity and Communications for the U.S. Department of Homeland Security. A panel discussion with several cybersecurity policy experts followed. You can watch the event here.