This morning, I’m speaking on a panel at USTelecom’s Cybersecurity Policy Forum about the recently released joint U.S. Commerce Department and U.S. Department of Homeland Security Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.
The report, which stemmed from the President’s May 2017 Executive Order on Cybersecurity (EO 13800), built off the comprehensive private sector input reflected in the National Security Telecommunications Advisory Committee’s (NSTAC) Report to the President on Internet and Communications Resilience, which AT&T played a key role in drafting. The consistency between the two reports is important because it signifies the ongoing collaboration and public-private partnership on addressing cybersecurity issues, the unity between government and industry on the nature of the botnet threat, and the steps that need to be taken to defend against it.
Mitigating the threat from botnets and other automated, distributed threats requires a greater sense of urgency and action from all corners of the ecosystem, particularly with the recent explosive growth of the Internet of Things (IoT). While botnets are not new, the dramatically increasing number of connected devices, people and networks compounds the risk for potential malicious actors to use botnets to facilitate large scale distributed denial of service (DDoS) attacks.
A malicious actor controlling an infected device creates multiple risks. First, the device could be used to generate a DoS event on the device itself or to attack another device. Second, bot software could be used to steal information from, or track, the device. Third, the bot could manipulate data or cause incorrect device behavior, thereby endangering the safety of users or corrupting device data. The threat will only increase as the number and types of IoT devices grow and devices become more autonomous, capable and ubiquitous.
The Commerce/DHS report is significant because it emphasizes that security must be borne by the entire internet ecosystem, not just internet service providers (ISPs) or device manufacturers. The internet ecosystem is diverse and diffuse, and each part must play a role in security. And this ecosystem continues to grow with a proliferation of devices that link everyday items such as cars and thermostats to the internet; that support industrial control systems; and that monitor critical infrastructure.
The report also recognizes the widespread global nature of automated, distributed attacks and the necessity to coordinate international activities and solutions. A significant amount of botnet traffic originates overseas and is designed to look legitimate, and most open domain name system (DNS) resolvers used in attacks are outside the United States. The report also acknowledges that effective tools exist in many sectors but that they are underutilized, and more widespread adoption is needed. To that end, last week, the Council to Secure the Digital Economy (CSDE), an alliance of leading global companies across the technology and communications industry, announced an initiative with the Consumer Technology Association (CTA), which represents many IoT device manufacturers, to develop an international guide to anti-botnet security practices. I will have the pleasure of co-chairing this effort.
We commend the Departments for their work with the industry in preparing this report and we encourage a continued sense of urgency in implementing commonsense security solutions across the entire ecosystem We appreciate the Departments’ focus on industry-driven solutions and on public-private partnerships, and we look forward to continuing to work with them as they create a prioritized road map for undertaking many of the action items outlined in the report.