Botnet Report Comments Urge Additional Protections for Collaboration
With the proliferation of connected devices and services, policymakers are looking at creative ways to address threats, including through stronger collaboration and information disclosures. But stakeholders are pointing out barriers like legal liability and regulatory uncertainty, and calling for more creative solutions. As the federal government advises the President on next steps, liability protection is an issue to watch.
The Draft Botnet Report Encourages Communication About Vulnerabilities
On January 5, 2018, the U.S. Department of Commerce and the U.S. Department of Homeland Security released a draft of their Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats. The Report urges the President to pursue policies that enhance security in software and product development, improve enterprise security, account for activity on ISP networks, and encourage the private sector to collaborate more with agencies and regulators. But, as we have indicated, the Report offers little recognition of the serious challenges in getting representative stakeholders engaged on things like labels, standards, and other initiatives.
Many Comments Stress Limiting Liability
NTIA received 47 comments on the Draft Report, which were due February 12, 2018. A number of commenters emphasized the need for the government to consider ways to limit liability for companies that quickly disclose cyber vulnerabilities:
CTIA argues that “[t]he Report does not address barriers to implementing many of the Actions it calls for. Information sharing, certification regimes, and labeling involve some risk related to public disclosure of sensitive information, responsibility, and liability… The Report should explicitly consider barriers.”
The U.S. Chamber of Commerce believes that “[i]ndustry and government should look for novel ways to limit liability for private entities that employ defensive measures in good faith.”
The Aviation Information Sharing and Analysis Center (ISAC) “recommend[s] consideration to limit liability to companies who make swift public disclosures of vulnerabilities and expeditiously issue patches. This will incentivize two key pillars in reducing cyber risk: the independent researchers will be motivated to continue notifying companies of coding errors and companies will be incentivized to respond quickly.”
ACT | The App Association claims that “the existing information sharing environment remains vulnerable” and “[p]rivate sector entities may be reluctant to share this information amongst each other due to concerns about legal liability, antitrust violations, and potential misuse.”
The Administration has an opportunity to think big and creatively about how to address threats through collaboration. Stakeholders—including tech manufacturers, software developers, and government contractors—may want to urge the government to address barriers like liability and concerns about public disclosures.
NTIA will host a workshop from February 28 – March 1, 2018 to discuss comments on its draft botnet report. Questions surrounding disclosure—from consumer labeling to bug bounty and vulnerability disclosure program—are increasingly of interest. For example, the National Telecommunications and Information Administration (NTIA) has examined vulnerability disclosure, and the concept was added to the National Institute of Standards and Technology’s (NIST) revised draft Framework for Improving Critical Infrastructure Cybersecurity. But as Wiley Rein cyber attorneys have noted, the details of such programs are complex, and they may not be right for all companies.
The Final Report on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats is due to the President on May 11, 2018. Hopefully it will reflect the full spectrum of options and dynamics for the President to consider.