On Jan. 5, 2018, the Department of Homeland Security (DHS) and the Department of Commerce (DOC) released their joint draft report on “Enhancing the Resilience of the Internet and Communications Ecosystem against Botnets and Other Automated, Distributed Threats” for public comment. The report provides a series of recommendations for addressing the threats presented by botnets as well as improving security for Internet-connected devices or the Internet of Things (IoT).
Chief among these was a call to “build coalitions between the security, infrastructure, and operational technology communities domestically and around the world.” The report called upon a wide array of stakeholders spanning different industries and both the public and private sectors. Key stakeholders mentioned in the report, along with corresponding recommendations, encompassed the following:
- IoT Product Industry. The report calls for private sector organizations, such as IoT product developers, to take significant steps towards improving security. These include establishing standards for assessing and labeling IoT device security, which would allow consumers to make informed choices and would offer assurance for the use of IoT products in critical infrastructure. The report also recommends providing better interfaces in IoT products for user administration.
- Network Industry. The report also recognizes that improving IoT security depends not just on secure product development but also on innovation at the edge of the network. The report calls on the network industry to develop and standardize efforts for effective and secure traffic management in home and enterprise environments. It also recommends that enterprises adopt network architectures better designed to deal with automated, distributed threats, and collaborate with the federal government to investigate facilitating the transition to IPv6. (IPv6 is an upgraded version of the protocol underpinning data transfer over the Internet that accommodates improved network management and security features.)
- Internet Service Providers (ISPs) and Large Enterprises. The report recommends that ISPs, their peering partners, and other large enterprises expand their cybersecurity information-sharing programs for more timely and effective sharing of actionable threat intelligence both domestically and globally. The report specifically recommends increasing information sharing with law enforcement regarding botnets and other distributed threats.
- National Institute of Standards and Technology (NIST). The report recommends that NIST lead the development of a framework for the prevention and mitigation of distributed denial of service (DDoS) attacks in the enterprise context. The current NIST Cybersecurity Framework provides guidance on establishing enterprise data security programs generally, but does not focus on specific threats such as DDoS. The report also recommends that agencies such as NIST collaborate with industry stakeholders and subject matter experts to improve information-sharing protocols.
- Consumer Protection Regulators. The report recommends that regulatory agencies such as the Federal Trade Commission work with industry to develop better non-deceptive marketing and sector-specific security requirements to help improve transparency in IoT product security.
- Federal Government, Generally. The report recommends that the federal government establish security guidelines for the federal procurement of IoT devices, creating market incentives to provide secure products. The report also recommends that the federal government participate in international engagement efforts to promote the adoption of best practices.
- Academia and Training Sectors. The report calls on the academic and training sectors to integrate secure coding practices into computer science programs and establish cybersecurity as a fundamental requirement across engineering disciplines.
The DHS and DOC report is a result of the executive order that President Trump issued in May 2017 on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The executive order also called on the Secretary of State, the Director of National Intelligence, and the Secretary of Defense to provide similar reports on cybersecurity workforce development and international cooperation.
As concerns about botnets and IoT security continue to increase, private organizations such as those mentioned above may face increased scrutiny from regulators. Such organizations should consider reviewing their data security and product development standards in light of these recommendations and providing input on the draft report.