Team Trump takes on cyber-enemy No. 1

The Trump administration’s new roadmap for the cyber fight against “botnets” is an incremental but significant step toward defeating those armies of hijacked computers and devices — a threat identified by the White House as one of the most pernicious in cyberspace.

Botnets allow bad actors to launch denial-of-service attacks like the infamous 2016 assault on Internet service provider Dyn that temporarily knocked offline Twitter, Amazon, HBO and numerous other platforms and services across North America and Europe.

The “Mirai” botnet used in the Dyn attack was created by three college-age “gamers” — since incarcerated — and subsequently repurposed by actors with far worse intentions.

The digital havoc caused by botnets ranges from the merely annoying, such as a hacker hijacking 100,000 home routers to push spam past email filters, to Kaspersky Labs’ discovery that existing botnets are being “reprofiled” to spread malware for cryptocurrency “mining,” the process by which new bitcoins are created.

Botnets can also be used to paralyze entire industries and government functions, which is why they were featured prominently in President Trump’s 2017 executive order on cybersecurity.

And it’s a problem that will only grow with the expansion of the “Internet of Things,” the interconnected devices and services that increasingly make up our digital economy.

“The botnet/DDOS market has been and continues to be a prolific product on the dark net and underground markets,” said Kurtis Minder of the cybersecurity firm GroupSense. “We have observed an increase in sophistication of the product. For example, you can order DDOS and botnet capability with full support and maintenance for your operation. This indicates a commoditization and competitive market dynamic.”

That’s a troubling sign for cyber defenders, and the growing vulnerability has grabbed attention on Capitol Hill, where Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., are already pledging to reintroduce in the new Congress their bill demanding a minimum baseline of security in Internet-connected products so they can’t be captured and used as botnets.

Warner and Gardner were mindful and supportive of the emerging Commerce Department-Department of Homeland Security botnet initiative when they first introduced their bill last year, and see the actions as complementary.

Commerce and DHS crafted a series of recommendations on fighting botnets under the Trump executive order and on Nov. 29 released their roadmap to implementing those ideas, addressing security of the “Internet of Things” as well as the underpinnings of the Internet itself, emerging technologies, public education and other issues.

The 27-page roadmap foresees a major role for industry and will be followed by an update to the president in one year.

A major alliance of telecom and tech industry groups on the same day released its report on how the private sector is organizing to combat botnets that threaten their systems and very operations.

“The accelerating deployment of Internet-connected consumer and industrial devices in homes and businesses creates a vast attack surface that bad actors now exploit on a daily basis,” USTelecom vice president for cybersecurity Robert Mayer said in an interview. “With 20 billion connected devices expected by 2020, the risk of disruptive activity to our global digital ecosystem has never been greater.”

Mayer said that “any hope for changing this deteriorating trajectory rests with collective and coordinated actions across the information, communications and technology sectors. This realization is the foundational underpinning that brought 14 global infrastructure providers together in the Council to Secure the Digital Economy, which just released the 2018 International Anti-Botnet Guide urging organizations around the world to adopt a set of baseline security practices.”

USTelecom, the Information Technology Industry Association and other groups crafted a private-sector strategy on botnets while contributing to the DHS-Commerce work on the roadmap; federal and industry sources see the whole process as an integrated collaboration.

“The government and private sector spent a year developing the [roadmap] report in an open and transparent process. The report maps out an ecosystem-wide view of the botnet threat, and lays out actions that could dramatically reduce the threat of botnets and similar attacks,” according to a blog post by Commerce’s Diane Rinaldo and Kevin Stine of the National Institute of Standards and Technology.

“This is just a starting point and the road map will evolve to address the rapid changes in digital technologies and the threat environment,” they wrote. “The departments will track progress through regular stakeholder meetings as well as a workshop. In addition, the departments will provide a status update to the President that reviews progress, tracks the impact of the road map, reassesses the botnet threat, and sets further priorities.”

Outside reviews of the roadmap were positive, if somewhat guarded.

“This policy formulation is in the same state as many other pieces of cybersecurity policies and proposals — it enumerates many good ideas but will not be effective without strong regulation with incentives. While awareness is important, regulation is necessary for success,” said Andrew Howard, global chief technology officer of Kudelski Security.

But Howard stressed that “cooperation between the government and the private sector is not only essential, it is required.”

“There is no single stakeholder that can address this problem alone. This challenge, like many security challenges, requires broad commitment across the board to have any impact. If one part of the ecosystem, such as product manufacturing, does not improve, improvements by other parts of the ecosystem will be dampened,” Howard said.

“I appreciate the spirit of the roadmap,” said GroupSense’s Minder. “It is detailed in the objective and stakeholder organizations which would contribute. It is so preliminary/academic, though, I cannot comment on its effectiveness. Many of the objectives do not have defined timelines and while I’m sure each organization has assigned an owner to implement and collaborate, it isn’t outlined here. Of most interest to me is the threat sharing components. Intelligence is a fundamental part of building a security program, happy to see this included in the roadmap.”

He said, “My overall thoughts are that while this document primarily focuses on infrastructure and vulnerable [Internet of things] and networked systems, that some focus on the marketplace that drives the economy behind these [botnet] attacks would be fruitful. A ‘follow the money’ approach, if you will.”
