As large-scale, automated “botnet” attacks become a matter of increasing concern for the internet of things, the U.S. Department of Commerce and the Department of Homeland Security are looking for insights on how to prevent and address such attacks.
The department recently released a draft report to President Donald Trump that outlined the threat posed by automated “botnet” attacks and laid out a series of conclusions and goals to reduce them.
Trump signed a cybersecurity-related executive order last May aimed at strengthening federal and critical infrastructure against cyber attacks, and the Commerce Department’s report is a piece of the response to that order, which directed the Commerce and Homeland Security secretaries to “lead an open and transparent process to identify and promote action by appropriate stakeholders” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks.” The report made note of a number of other government initiatives to encourage better network resilience and anti-botnet measures in recent years, but “impacts have been incremental and significant challenges remain.” The report said that attacks fueled by massive numbers of co-opted internet of things devices have overwhelmed the usual tools for fighting distributed denial of service attacks.
“Traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, are designed to protect against botnets of an anticipated size. With new botnets that capitalize on the sheer number of ‘Internet of Things’ (IoT) devices, DDoS attacks have grown in size to more than one terabit per second, outstripping expectations,” the report said, specifically citing 2016’s Mirai botnet attack as a watershed moment for IoT-device-based attacks.
The draft report drew half a dozen primary conclusions, including:
– Botnet attacks are a global problem and the “majority of the compromised devices in recent botnets have been geographically located outside the United States,” according to the report. “Increasing the resilience of the Internet and communications ecosystem against these threats will require coordinated action with international partners.” The department also concluded that automated botnet attacks are “an ecosystem-wide challenge” that “no single stakeholder community can address … in isolation.”
– Effective tools exist, but are not evenly applied across various sectors. The Department of Commerce said that best practices and cybersecurity tools “are widely available, if imperfect, and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.”
– Security needs to be applied at all points in the product lifecycle, and devices that are vulnerable at the time of deployment and lack the ability to integrate patches are easy targets.
– More education and awareness of security tools and practices is needed, the report said, across customers, product developers, manufacturers and infrastructure operators.
– Finally, “market incentives are misaligned,” the report concluded. “Perceived market incentives do not align with the goal of ‘dramatically reducing threats perpetrated by automated and distributed attacks.’ Market incentives motivate product developers, manufacturers, and vendors to minimize cost and time to market, rather than to build in security or offer efficient security updates. There has to be a better balance between security and convenience when developing products.”
The draft report also includes five goals for promoting innovation to fight automated botnet attacks, increasing knowledge and building coalitions among various players around the world in order to make progress toward better ecosystem resilience.
The publication of the report opens a 30-day comment period; comments must be submitted by February 12. Then the Commerce Department and Homeland Security will hold a two-day workshop to “discuss a way forward” at the end of February at the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence in Rockville, Md. The final report on botnet threats is due to the president on May 11.