SoS Musings #15 - Bolstering Resilience to Defeat Automated and Distributed Cyber Threats

SoS Musings #15

Bolstering Resilience to Defeat Automated and Distributed Cyber Threats

The U.S. Department of Homeland Security (DHS) and the Department of Commerce released a joint report, titled “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” in response to the May 11, 2017, Executive Order (EO) 13800, “Strengthening the Cyber Security of Federal Networks and Critical Infrastructure”. The order required that the Secretaries of Commerce and Homeland Security departments develop a clear process for appropriate stakeholders in the identification and mitigation of threats posed by botnets and other similar cyberattacks. As requested, the Departments of Commerce and Homeland Security collaborated to establish an open and transparent process, which involved hosting workshops, publishing requests for comments, and initiating an inquiry through the President’s National Security Telecommunications Advisory Committee (NSTAC). The Departments of Defense, Justice, and State, along with the Federal Bureau of Investigation, Federal Communications Commission, Federal Trade Commission, sector-specific agencies, and other agencies interested in the effort to combat the threat of adversarial botnets were also consulted during the process. As a result, themes, goals, and actions in relation to the reduction of threats from automated, distributed attacks such as botnets have been determined and identified. 

Principal Themes

Six themes have been established based on information gathered from the input of experts and stakeholders, as well as consultations. The following themes describe opportunities and challenges in regards to pursuing the reduction of threats posed by automated, distributed attacks:

• Botnets and other automated, distributed threats are not limited to one geographical location. These threats are a global problem as most devices targeted in recent notable botnet attacks have been discovered in locations outside of the U.S. International partnerships must be maintained to strengthen the resilience of the entire Internet and communications ecosystem against such threats. 
• Although there are existing tools, processes, and practices available to strengthen the resiliency of the Internet communications ecosystem against automated, distributed threats, they are still not widely applied in the development and deployment of products. 
• Security should be ensured at all phases of the product lifecycle. 
• The awareness and skills of home users, enterprise customers, product developers, manufacturers, and infrastructure operators, surrounding the identification of securely-designed products, as well as the use of tools and practices that bolster the resiliency of the ecosystem must be enhanced. 
• Market incentives need to be aligned in a way that encourages the development of secure products. 
• Stakeholders must work together to address the challenge of automated, distributed attacks. 

Goals and Actions

The following goals and actions are in support of strengthening the resilience of the Internet and communications ecosystem against threats posed by automated, distributed cyberattacks such as botnets.

Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.

The continuous research, development, and adoption of novel security technologies and secure processes must be encouraged and rewarded by the technology marketplace. As the exponential growth and development of insecure IoT devices has contributed to the launch of massive botnets such as the infamous Mirai IoT botnet, it is important that performance-based security capability baselines are developed to establish standards for the secure design, development, and lifecycle of IoT devices and systems in different threat environments. The development of these baselines should be collaborative in that there is participation from customers and the governments, as well as industry leadership. Industry-developed capability baselines should also be used to establish federal IoT security capability baselines in order to ensure that the IoT devices and systems used in the federal environment, fulfill federal security requirements, which could then be used to encourage international standardization. The federal government in collaboration with industry and civil society should support the advancement and adoption of software development tools, approaches, and processes by manufacturers to reduce the vulnerabilities contained by commercial-off-the-shelf software. Research development, and deployment of innovative technologies aimed at preventing and mitigating distributed attacks should also be facilitated and prioritized through collaborative technology transition activities, federal funding, and support from civil society. The government, industry, and civil society must work together in support of the widespread adoption of IoT security best practices, frameworks, guidelines, and procedures for transparency.

Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats.

Standards and practices developed for the prevention and mitigation of botnets and other automated, distributed threats should continue to be applied, followed, and improved upon in all areas of the digital ecosystem to manage evolving threats. The arrangements in which information pertaining to threats, network management techniques, and defensive strategies are shared domestically and globally among ISPs and their peering partners, should be enhanced in a way that is comprehensive, up-to-date, and effective. A Framework for Improving Critical Infrastructure Cybersecurity (CSF) Profile in support of guiding enterprises in the prevention and mitigation of DDoS attacks should be developed. There must be collaboration between stakeholders and subject matter experts with consultation from the National Institute of Standards and Technology (NIST) behind the development of the CSF Profile. In order to create market incentives for early adopters of secure IoT technologies and practices, the federal government should demonstrate the effectiveness of such technologies and processes, as well as create procurement guidelines based on IoT security baselines and procurement regulations that encourage the use of securely-developed commercial-off-the-shelf software. Information-sharing protocols must continue to be standardized and improved upon through the collaboration of stakeholders in industry, government, and civil society to combat automated, distributed threats. Best practices and tools for the management of network traffic across the ecosystem should also be enhanced or developed with support from the federal government, industry, academia, and civil society in collaboration with infrastructure providers.

Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.

Infrastructure services with the purpose of providing security against attacks should be strengthened through the improvement of detecting and mitigating the compromise of devices in home and enterprise networks. The advancement of network security products and standards aimed at ensuring the security of network traffic should continue to be encouraged by the networking industry. The secure use and configuration of IT and IoT products used in home and small business networks should be simplified for owners. It is important that enterprises redesign their networks to consider security in a way that isolates insecure devices, controls flows of communication, and more. Enterprises should examine the ways in which their networks pose a risk to others in order to improve upon network security practices. The potential impact of Internet Protocol Version 6 (IPv6) and its widespread adoption on the launch of automated, distributed attacks and the defense against such attacks should also be investigated by the federal government. 

Goal 4: Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world.

Critical stakeholder communities must establish alliances and collaborations in support of countering automated, distributed threats. The way in which actionable information in relation to such threats, should be improved upon through increased cooperation from ISPs, cybersecurity and incident response teams, cyber threat intelligence companies, and more, with government agencies, including law enforcement. The increase in shared cyber threat information would greatly facilitate the performance of law enforcement in preventing and mitigating cybercrimes. Engagements in support of cybersecurity between the U.S. and international partners should continue to encourage the use of best practices, tools, and services aimed at strengthening the security of IoT products and prevention of automated, distributed attacks. There should be collaboration between sector-specific regulatory agencies and industry to ensure that the IoT products deployed within a specific sector is appropriately secured and deceptive marketing by IoT and information technology vendors in relation to security claims is prevented. Reputation data and information-sharing measures must be leveraged and implemented in order to identify and examine attackers and the tools they use to launch attacks. Cybersecurity challenges posed by the growing connectivity of operational technology such as SCADA systems should also be addressed through continuous engagement between the cybersecurity community and the operational technology community with facilitation from the federal government. 

Goal 5: Increase awareness and education across the ecosystem.

The prevention and mitigation of distributed threats calls for the rise in cybersecurity awareness and enhancement of skills among all stakeholders. The private sector should establish a labeling approach for home IoT devices through the support of an assessment process to help security-conscious consumers identify securely-designed IoT products and create market incentives for the secure design and development of such products. In addition to home IoT devices, the private sector should also establish voluntary labeling schemes for IoT devices deployed in industrial and critical infrastructure environments with the objective of assisting security-conscious enterprises in identifying securely-designed IoT products as well as create market incentives for the secure development of these products. As the use of security development tools and practices during the design and development of IoT products can significantly reduce the number of vulnerabilities contained by such products, it is important that the government encourage the application of secure-by-design software methodologies and security-aware software development tools within the academia and the training industry. The National Initiative for Cybersecurity Education (NICE) should work with the academic sector to integrate cybersecurity principles into the curriculum of the engineering discipline and other related disciplines in order to further increase awareness surrounding the security of home IoT devices. A public awareness campaign should also be developed by the federal government to encourage users and small organizations to recognize and adopt IoT device security baselines.

Initial Next Steps for Stakeholder Action 

As the five goals and 24 supporting actions identified in the report are mutually supportive by design, failing to execute an action could delay the achievement of multiple goals towards increasing the resilience of the Internet and communications ecosystem. Therefore, stakeholders should take initial steps to drive the execution of actions. The Departments of Commerce and Homeland Security should continue to work with industry, civil society, and international partners to develop an initial road map that prioritizes the identified actions. The federal government should demonstrate the efficacy of best practices in support of reducing automated, distributed threats in order to encourage other parties to take action. The leadership and coordination of industry, academia and civil society should be encouraged to track the implementation of the prioritized road map. A 365-day status report will also be provided by the Departments of Commerce and Homeland Security to the President following the initial publication of the road map. International participation should also be encouraged through greater engagement from stakeholders and the federal government in the development of international policies, standards, and best practices.