The Trump administration’s new report on botnets, which are networks of hijacked computers and devices that can unleash increasingly destructive cyber attacks, is a prelude to a cybersecurity strategy that will test the will and resourcefulness of federal agencies and private industry alike.
“If this doesn’t work, we’re screwed,” said one industry source who has worked extensively with the federal government on cybersecurity issues.
The May 30 report was mandated by President Trump’s 2017 cybersecurity executive order and drafted by the departments of Commerce and Homeland Security. The executive order identified botnets as one of the most dangerous threats facing the nation’s critical infrastructure, including telecommunications systems, the financial sector and other targets that are being constantly bombarded by these automated cyber attacks.
“These threats are used for a variety of malicious activities, including distributed denial of service (DDoS) attacks that overwhelm networked resources, sending massive quantities of spam, disseminating keylogger and other malware; ransomware attacks distributed by botnets that hold systems and data hostage; and computational propaganda campaigns that manipulate and intimidate communities through social media,” the report said.
In the coming days, federal officials will detail how they plan to draft a “roadmap” for prioritizing and implementing the report’s 24 action items in support of five overarching goals: promoting “a clear pathway toward an adaptable, sustainable, and secure technology marketplace”; encouraging innovation in response to “evolving threats” to the underpinnings of the Internet; promoting security innovation by so-called edge providers such as social media companies; promoting coalitions; and raising awareness of the threat.
The roadmap is due in 120 days and a progress report must be delivered to the president in one year.
The key for industry stakeholders, who helped DHS and Commerce develop the report, is that the strategic approach leans toward private-sector leadership and away from regulation. “The federal government will not lead the implementation of actions specific to industry,” the report states.
That wording came as a relief to industry.
But the cybersecurity challenge is growing amid increasingly sophisticated botnet and distributed denial of service attacks, one industry source noted, “and there’s more pressure on federal agencies to make things happen.”
With that in mind, the source said, “This is an important opportunity to show that industry can take the initiative, work with government and show results.”
“There are things the U.S. government can do, but there are limitations,” said Kent Landfield of McAfee. “They need to pull in the industry stakeholder community,” he said, adding that the government heard and has responded to that message.
The report was originally expected to be released on May 11, the anniversary of the Trump executive order, but “it was worth waiting for,” said Robert Mayer, United States Telecom Association senior vice president for cybersecurity.
Mayer said the requirement for a status update to the president in 365 days shows “a serious effort to track progress.” The report also signals a recognition that “regulation is too static,” Mayer said.
The Cybersecurity Coalition, led by Obama White House cyber official Ari Schwartz, said in a statement that it “supports and agrees with the findings and recommendations of the Botnet Report. Specifically, the Coalition was encouraged by the report’s findings that public-private partnerships are critical to addressing the ongoing and growing threat automated, distributed threats present to the global cybersecurity ecosystem.”
The initiatives that will unfold under the DHS-Commerce report start off with strong backing from industry groups and across the cyber policy ecosystem, but the next steps will be the hard part, as noted by former Federal Communications Commission homeland security chief David Simpson.
“By and large this report does a good job of cataloging previously well-known best practices for botnet risk mitigation,” according to Simpson, a retired rear admiral well-versed in the cyber threat environment. But “it ‘kicks the can down the road’ in many areas and falls well short of an implementation plan commensurate with the risk to critical infrastructure from botnets and other automated and distributed threats.”
Writing and executing such a plan is now in the hands of both federal officials and the private-sector entities that operate most of the nation’s critical infrastructure.