Exactly one year after a heralded cybersecurity commission unveiled recommendations for President-elect Trump, the Obama-appointed body's work is helping to inform a key White House initiative on “botnets,” the seemingly ubiquitous cyber weapons behind many high-profile attacks.
The report of the Commission on Enhancing National Cybersecurity, released Dec. 1, 2016, set a series of goals for the new administration. At the top of the list: Addressing so-called denial-of-service attacks, particularly those launched by botnets.
But it was unclear whether Team Trump would have much interest in a work product developed at the direction of former President Barack Obama, even if the commission comprised cybersecurity leaders from industry, the military and academia.
In fact, the report did find a welcome audience within the new president's cyber team, which made addressing botnets — networks of hijacked computers, potentially millions of them, that can be used to launch highly dangerous automated cyber attacks — a central feature of President Trump's May 11 cybersecurity executive order.
“The commission helped define a signature aspect of the executive order on botnets,” said Kiersten Todt, who served as executive director. She added that the Trump administration's emerging botnet initiative “could be a very strong work stream that helps define how to look at cybersecurity” across a vast enterprise like the federal government.
Todt noted “how open the new administration was to the commission's ideas and integrating them into the EO.”
Industry sources made similar observations about how the Trump White House is approaching the botnet issue and cyber in general.
“This is an entirely new administration — and new in different ways,” said Larry Clinton, president and CEO of the industry-based Internet Security Alliance. “But there has been a pretty consistent, nonpartisan approach [to cybersecurity]. The philosophy remains the same. You see that in the executive order … botnets is an example.”
The departments of Commerce and Homeland Security are on track to send Trump a draft package of recommendations by Jan. 5 on combating botnets, as directed in the executive order. The president has committed to releasing the recommendations for a 30-day public comment period. The package will be issued in final form next May.
That package is expected to include and expand upon another presidential advisory panel's recent call for a “moonshot” effort, with industry developing standards in collaboration with the federal government to secure the Internet against botnet attacks.
Todt's panel also identified the need for such a joint industry-government response, saying, “The Department of Commerce, in consultation with all other appropriate departments and agencies, should undertake a multi-stakeholder process that focuses on mitigating the impact of botnets, including denial-of-service attacks.”
The Commerce Department — in particular, the National Institute of Standards and Technology — will figure prominently in the report to Trump.
The small agency out in Gaithersburg, Md., has frequently served as the key point of interaction between government and industry on cyber issues over the past five years, and has already scheduled a March workshop on the botnet report.
“Commerce would be best to lead it, with NIST as the lead agency,” one industry source said of a multi-stakeholder process on botnets.
This source said the botnet challenge is screaming out for a coherent strategy and suggested that key industry groups will rally behind a presidential call for a focused, collaborative effort to secure the so-called Internet of Things, which is the basis of the emerging digital economy. It's also where botnets thrive.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America's Struggle to Secure Cyberspace,” published by Rowman and Littlefield.