A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats

Citation

Department of Homeland Security & Department of Commerce, A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (the Bot Report) (May 22, 2018) (full-text).

Overview

This report responds to the May 11, 2017, Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. That order called for "resilience against botnets and other automated, distributed threats," directing the Secretary of Commerce, together with the Secretary of Homeland Security, to "lead an open and transparent process to identify and promote action by appropriate stakeholders" with the goal of "dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets)."

The Departments of Commerce and Homeland Security worked jointly on this effort through three approaches — hosting two workshops, publishing two requests for comment, and initiating an inquiry through the President's National Security Telecommunications Advisory Committee (NSTAC) — aimed at gathering a broad range of input from experts and stakeholders, including private industry, academia, and civil society. These activities all contributed to the information-gathering process for the agencies developing the recommendations in this report.

The Departments worked in consultation with the Departments of Defense, Justice, and State, the Federal Bureau of Investigation, the sector-specific agencies, the Federal Communications Commission and Federal Trade Commission, and other interested agencies.

The Departments determined that the opportunities and challenges in working toward dramatically reducing threats from automated, distributed attacks can be summarized in six principal themes.

1. Automated, distributed attacks are a global problem. The majority of the compromised devices in recent noteworthy botnets have been geographically located outside the United States. To increase the resilience of the Internet and communications ecosystem against these threats, many of which originate outside the United States, we must continue to work closely with international partners.

2. Effective tools exist, but are not widely used. While there remains room for improvement, the tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.

3. Products should be secured during all stages of the lifecycle. Devices that are vulnerable at time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated, distributed threats far too easy.

4. Awareness and education are needed. Home users and some enterprise customers are often unaware of the role their devices could play in a botnet attack and may not fully understand the merits of available technical controls. Product developers, manufacturers, and infrastructure operators often lack the knowledge and skills necessary to deploy tools, processes, and practices that would make the ecosystem more resilient.

5. Market incentives should be more effectively aligned. Market incentives do not currently appear to align with the goal of "dramatically reducing threats perpetrated by automated and distributed attacks." Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates. Market incentives must be realigned to promote a better balance between security and convenience when developing products.

6. Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.

The Departments identified five complementary and mutually supportive goals that, if realized, would dramatically reduce the threat of automated, distributed attacks and improve the resilience and redundancy of the ecosystem. A list of suggested actions for key stakeholders reinforces each goal. The goals are:

• Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.

• Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats.

• Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.

• Goal 4: Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world.

• Goal 5: Increase awareness and education across the ecosystem.

The recommended actions and options include ongoing activities that should be continued or expanded, as well as new initiatives. This report calls for a status update that will evaluate the level of progress made by stakeholders in countering automated, distributed threats.