This post is part of a continuing DBR on Data series on Executive Order 13800 and updates on its implementation a year after passage.

The U.S. Department of Commerce and the Department of Homeland Security, through the National Telecommunications and Information Administration (NTIA), has released the final report on enhancing the resilience of the Internet and communications ecosystem against botnets and automated distributed threats.

As previously discussed, the Secretaries of the Department of Commerce and the Department of Homeland Security, through the NTIA, issued a draft report in January and sought public comment. This report continues the work initiated under Presidential Executive Order 13800 titled “Strengthening the Cyber Security of Federal Networks and Critical Infrastructure.”

The  “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and other Automated, Distributed Threats” final report aims to build upon consensus on various governmental and private initiatives and new approaches for the government either to adopt or to encourage the development of a more resilient ecosystem that can more effectively defend against threats and attacks by botnets. These attacks are expected to gain in both scale and complexity over time as vectors for attack (both end user devices and Internet of Things endpoints) proliferate. The final report does not differentiate between threats from nation states, cybercriminals or other actors; it observes that developing better cooperation and countermeasures within the ecosystem will generally be effective against all threats regardless of the threat origin.

The Botnet final report reiterates the six principal themes of the draft report that emerged from the government’s analysis of comments on identifying and mitigating botnet and other cyber threats, namely that:

1. Automated distributed attacks are a global problem.
2. While effective tools exist, they are not widely used.
3. Products should be secured during all stages of their life cycle.
4. Education and awareness are key.
5. Market incentives to ameliorate threats and mitigate harms should be more effectively aligned.
6. Automated distributed attacks are an ecosystem-wide challenge.

The final report assesses current state and future visions for a range of elements within the overall Internet and communications ecosystem, including challenges with infrastructure, enterprise networks, edge devices and home and small business networks. It also contains an assessment of current and aspirational goals for governance and policy coordination in this area.

Goals and actions to improve the ecosystem   

Drawing from the six overarching themes, the final report identifies a range of mutually supportive goals and actions designed to reduce the threat of botnet attacks and improve the resilience of the ecosystem. They are:

Identify a clear pathway towards an adaptable, sustainable, and secure technology marketplace.  Proposed actions include using industry led processes to establish internationally applicable IoT performance-based security capability baselines that support lifecycle security for both home and industrial applications. These baselines would be based on voluntary, industry driven standards that might over time be adopted as de facto standards. The focus on performance rather than design is deliberate, as the report observes that innovation should not be stifled in the name of security.

The report recommends that the federal government accelerate this process by adopting security capability baselines for IoT devices deployed in U.S. government environments as one way to encourage broader participation and quicker progress. Another recommended action is the widespread use of software development tools and processes to reduce the incidence of security vulnerabilities in commercial off-the-shelf software. Bugs in software create exploitation opportunities and the report suggests that better development and testing can eliminate many software bugs, as well as the use of existing tools.

The report suggests that the federal government collaborate with industry to encourage innovation and further enhancement and application of better software tools to improve both marketplace adoption and industry accountability. It is suggested that the industry expedite the development and deployment of new technologies for prevention and mitigation of distributed threats. Where applicable, the report proposes that the government prioritize the application of R&D funds and technology transition efforts to support advancements in the Distributed Denial of Service (DDoS) prevention mitigation arena, as well as to foundational technologies to prevent botnet creation.

Finally, the report proposes that government and industry collaborate to ensure existing best practices frameworks and guidelines relevant to IoT are more widely adopted across the digital ecosystem. Achieving that goal should allow all actors in the IoT space with the capacity to openly and inclusively address emerging risks.

Promote innovation in the infrastructure for dynamic adaptation to evolving threats.  To have more effective defenses and countermeasures for maintaining the Internet and communications ecosystem, the report recommends that Internet Service Providers (ISPs), peering partners and enterprise networks should expand timely information sharing on actionable international and national threats. It is expected that this will improve coordinated responses to actionable information, and speed the standardization of information sharing protocols.

The report also recommends use of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF), which represents a flexible approach to managing cybersecurity risk. The CSF can be supplemented by Framework Profiles, that apply the Framework to specific situations. The development of a CSF Profile for Enterprise DDoS prevention and mitigation, with government stakeholders participating, is recommended. As in other areas, the report recognizes that the federal government should lead by example and demonstrate the practicality of technologies and uses of CSF profiles. Information sharing should be robust and include small businesses as well as larger enterprises and government. A broad coalition of industry experts should examine the extent to which inter-autonomous system, internetwork peering and transit agreements might improve traffic management accountability in assisting with anti-spoofing and filtering. Finally, existing tools and frameworks should be updated and new solutions explored.

Promote innovation at the edge of the network to prevent detect and mitigate automated distributed attacks. The goal identified in the report is that the networking industry expand current product development and standardization efforts for more effective and secure traffic management and home and enterprise environments, so that detection and mitigation of threats can be improved. This is a goal for both home and enterprise environments. User interfaces in both the home IT and IoT products should be designed to maximize security, while also reducing or eliminating security knowledge requirements for administration. Enterprises that have valued simplicity over security are encouraged to migrate to network or architectures that facilitate detection disruption and mitigation of automated distributed threats. Finally, the report directs the federal government to investigate how wider IPV six deployment might be used to alter the economics of both attack and defense.

Promote and support coalitions between the security, infrastructure and operational technology communities domestically and around the world.  The specific action suggested is that ISPs and large enterprises increase information sharing with one another and with the government so as to provide timely and actionable information regarding threats. The unique role of law enforcement to take down command and control systems would be more effective in the presence of better and more timely threat information from large and small actors. Timely access to the WHOIS database of registered domain names can facilitate attribution of bad actors. The federal government should promote international adoption of best practices and relevant tools through bilateral and multilateral and international engagement efforts.

Regulatory agencies are encouraged to work with industry to ensure non-deceptive marketing and foster appropriate sector specific security requirements. Because of the diffuse nature of the ecosystem, even relatively light coordination can thwart DDoS attacks. It is recommended that all communities take steps to limit fast flux hosting, which allows the rapid modification of IP addresses and is thus popular for illicit or illegal purposes and to ensure that stolen credentials are quickly identified as such. Finally, the cybersecurity community should continue to engage with the operational technology community to promote awareness and accelerate cybersecurity technology transfer.

Increase awareness and education across the ecosystem.  In order to increase awareness of risks and solutions, the report suggests that the private sector establish and administer voluntary informational tools for home IoT devices that would be supported by a scalable and cost-effective assessment process that consumers can intuitively understand and trust. It is also suggested that the private sector establish voluntary labeling schemes for industrial IoT applications supported by a scalable and cost-effective assessment process to offer sufficient assurance for critical infrastructure applications of IoT.

The report suggests that the government encourage academic and training sectors to fully integrate secure coding practices into computer science and related programs so that common security vulnerabilities can be avoided or remedied. The academic sector, in collaboration with the National Initiative for Cybersecurity Education, are singled out as the best groups to establish cybersecurity as a fundamental requirement across all engineering disciplines.

Finally, to realize this goal, the report exhorts the federal government to establish a public awareness campaign to support recognition and adoption of home IoT device security baseline and branding activities so that consumers are aware that more secure IoT products are available.

Steps for stakeholder action

The report identifies 24 actions designed to assist in achieving the report’s enumerated goals. These are prioritized and the Departments of Commerce and Homeland Security are tasked to work with industry to develop a more detailed road map to operationalize the priorities within 120 days of the report. Commenting stakeholders urged that the federal government to “lead by example” by its procurement activities that mandate the acquisition of more secure products or services than are available today. In areas where the private sector is a natural leader, the report urges the establishment of regular sharing and communications mechanisms so that implementation of activities tied to priorities can be achieved.

Once an initial road map is published, the agencies will provide a one-year status update to the president. This will measure progress towards the goals and activities on the road map, what impact the activities are having and reassessment of the threats of automated, distributed attacks.  This update will assess whether changes to the road map are needed. Finally, reflecting what stakeholders noted about the importance of international standards, policies and best practices, the report ends by observing that while the U.S. government can take a lead role in international engagement, global participation and engagement will be key to industry led standards and voluntary consensus based international standards that will ultimately promote the goals of the report.

While the final report was delayed from its originally scheduled May 11 deadline, it was released in late May 2018, along with a number of other reports relating to cybersecurity and linked to the Presidential Executive Order.  A full list and links to the released reports is available in this previous DBR on Data post.