NIST Hosts Second Botnet Workshop
Last week, the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) hosted its second workshop on enhancing resilience of the Internet and communications ecosystem. The workshop focused on substantive comments from stakeholders on the draft Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats. This is the last workshop before the final report is due to the President on May 11, 2018.
The workshop intended to refine the report’s recommendations to the President. Workshop topics included: proposals for Internet of Things (IoT) security; possible assessment, certification, and evaluation schemes; incentivizing security in the IoT marketplace; broadening international engagement; and appropriate roles for various stakeholders involved.
Wiley Rein previously highlighted important aspects of the report, its potential impact on the private sector, and the opportunity to file public comments.
Background on this Effort
The Departments of Commerce and Homeland Security developed the report in response to Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directed the Secretaries of Commerce and Homeland Security, to “lead an open and transparent process to identify and promote action by appropriate stakeholders” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
In July, we covered the first workshop, which helped inform topics included in the draft report.
Nearly 50 stakeholders have filed comments since its release. We highlighted that several major comments note the draft report does not fully address important issues concerning barriers to greater collaboration between private industry and government. For example, a number of commenters emphasized the need for the government to consider ways to limit liability for companies that quickly disclose cyber vulnerabilities or share threat indicators:
- CTIA argues that “[t]he Report does not address barriers to implementing many of the Actions it calls for. Information sharing, certification regimes, and labeling involve some risk related to public disclosure of sensitive information, responsibility, and liability. . . . The Report should explicitly consider barriers.”
- The U.S. Chamber of Commerce believes that “[i]ndustry and government should look for novel ways to limit liability for private entities that employ defensive measures in good faith.”
- The Aviation Information Sharing and Analysis Center (ISAC) “recommend[s] consideration to limit liability to companies who make swift public disclosures of vulnerabilities and expeditiously issue patches. This will incentivize two key pillars in reducing cyber risk: the independent researchers will be motivated to continue notifying companies of coding errors and companies will be incentivized to respond quickly.”
- ACT | The App Association claims that “the existing information sharing environment remains vulnerable,” and “[p]rivate sector entities may be reluctant to share this information amongst each other due to concerns about legal liability, antitrust violations, and potential misuse.”
While addressing barriers to greater collaboration was mentioned at the workshop, presenters noted that some issues remained, greater detail would be needed, and that the White House would need to direct certain actions or decisions.
Key Takeaways from the Workshop
NIST presenters noted that, based on stakeholder comments, several sections would expand from the draft report, including those on:
- Civil Society;
- Infrastructure; and
- Education and Awareness.
NIST stated that the agency generally “had a handle” on these issues, so the workshop would focus on other topics that required further discussion. The following highlights are from workshop panels and breakout sessions.
In a panel titled “Who Leads?” industry representatives and associations highlighted past, ongoing, and planned efforts to continue to enhance the ecosystem. The roles of industry and government were highlighted and discussed. Panelists noted industry collaboration, shared best practices, notification efforts, and ways to assess and harmonize current activities. One area that could be improved upon is to provide better cross-sector visibility into security plans, initiatives, and threats encountered.
Panelists remarked that the U.S. government is positioned to galvanize cybersecurity response without disrupting the technological successes of the past few decades. For example, agencies can work as conveners (as NIST, NTIA, and DHS have done with this botnet effort). Panelists mentioned that third-party trust groups can improve information sharing, although certain barriers still exist.
It was also noted that the U.S. government can and should lead by example—by improving its own cybersecurity posture. The IT modernization effort was pointed to as a good place to start. Beyond this, the U.S. government should work with industry to develop voluntary best practices for IoT, as it has done with the successful NIST Cybersecurity Framework (CSF). Such an effort could have impacts on a broad, international scale.
DDoS Cybersecurity Framework Profile and IoT Functional Profile
A NIST representative noted that a distributed denial of service (DDoS) CSF Profile may be included in the report and cited the Coalition for Cybersecurity Law’s comments, Appendix A “DDoS Threat Mitigation Profile,” as an example.
A presenter suggested that ISPs and network operators should take (or improve upon) four core steps to mitigate DDoS attacks: (1) improved filtering; (2) anti-spoofing (validating that traffic entering the network carries a legitimate source address); (3) enhanced coordination with government entities, other ISPs, and end-users; and (4) global validation.
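The anti-spoofing step is conventionally implemented at the network edge as source-address validation (the practice described in BCP 38 / RFC 2827): a packet arriving on a customer-facing interface is accepted only if its source address falls within a prefix assigned to that customer, and packets with reserved or private sources are dropped outright. The Python below is an added illustration of that logic written for this page; it is not code from the workshop, the report, or any commenter, and the interface names, prefixes and sample packets are constructed for the example.

```python
"""Source-address validation (BCP 38-style ingress filtering), illustrated.

Added example, not part of the workshop or the report. All interface
names, prefixes and packets are constructed for the illustration.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed: prefixes the operator has assigned to each customer-facing interface.
ASSIGNED_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Address ranges that should never appear as a source on an Internet-facing link
# (private, loopback, link-local, multicast, reserved).
BOGON_PREFIXES: List[str] = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
]

_BOGONS = [ipaddress.ip_network(p) for p in BOGON_PREFIXES]
_ASSIGNED = {
    iface: [ipaddress.ip_network(p) for p in prefixes]
    for iface, prefixes in ASSIGNED_PREFIXES.items()
}


def _contained(addr, networks) -> bool:
    """True if addr lies inside any network of the same IP version."""
    return any(addr.version == net.version and addr in net for net in networks)


def ingress_decision(interface: str, src: str) -> Tuple[str, str]:
    """Decide whether a packet with source `src` arriving on `interface` is accepted.

    Returns (verdict, reason) where verdict is "accept" or "drop".
    """
    addr = ipaddress.ip_address(src)
    if _contained(addr, _BOGONS):
        return ("drop", "bogon source")
    assigned = _ASSIGNED.get(interface)
    if assigned is None:
        # Fail closed: an interface with no assigned prefixes passes nothing.
        return ("drop", "unknown interface")
    if _contained(addr, assigned):
        return ("accept", "source within assigned prefix")
    return ("drop", "source outside assigned prefix (spoofed)")


def filter_packets(packets: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply ingress_decision to (interface, src, dst) tuples.

    Returns (interface, src, dst, verdict) for each packet.
    """
    return [(iface, src, dst, ingress_decision(iface, src)[0]) for iface, src, dst in packets]


def spoof_report(packets: Iterable[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count, per interface, packets dropped for a spoofed (out-of-prefix) source.

    This is the kind of per-customer summary an operator would hand to the
    coordination step: which access ports are emitting spoofed traffic.
    """
    counts: Counter = Counter()
    for iface, src, _dst in packets:
        verdict, reason = ingress_decision(iface, src)
        if verdict == "drop" and reason.startswith("source outside"):
            counts[iface] += 1
    return dict(counts)


# Constructed sample traffic: (ingress interface, source, destination).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),        # legitimate
    ("cust-a", "198.51.100.9", "192.0.2.10"),       # spoofed: cust-b's space
    ("cust-a", "8.8.8.8", "192.0.2.10"),            # spoofed: unrelated public address
    ("cust-b", "10.1.2.3", "192.0.2.10"),           # bogon (private) source
    ("cust-b", "2001:db8:1::5", "2001:db8:ffff::1"), # legitimate IPv6
    ("transit", "203.0.113.7", "192.0.2.10"),       # no prefixes assigned: dropped
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
    print(spoof_report(SAMPLE_PACKETS))
```

The check is per-interface on purpose: the operator knows which prefixes it handed to each access port, so anything else arriving there cannot be legitimate. The same idea applied to peering links (where the set of valid sources is large and changes) is what the "global validation" step refers to, and it needs routing data rather than a static table like the one above.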
Other presenters focused on the need to establish “expectations for baseline security functionality” with consumer IoT devices. A panelist also called for a more consumer-centric model, with greater transparency to be provided by both network operators and device manufacturers, suggesting potential labeling mechanisms and minimum security standards.
Assessment, Certification, and Evaluation
A NIST representative introduced the process of conformity assessment (i.e., demonstrating that a product meets specified requirements). The NIST presenter noted that possible standards in the IoT marketplace could be developed by following a conformity model that includes: (1) coalescing around requirements, or agreeing on a standard for how a device should perform; (2) determining whether a device meets that standard based on evidence from standardized testing; (3) reviewing or attesting to conformance, which may require an independent trusted third party; and (4) ongoing testing or surveillance, to adjust standards as the ecosystem evolves.
Another panelist suggested that motivations for industry to move toward standards adoption or development could include: company or product reputation; marketing advantages (for highly certified or “scored” devices); security as a benefit to shareholders; and enhancing the security of the ecosystem overall.
Some attendees questioned the applicability of a ratings system in an ecosystem composed of billions of devices, each with varying use cases, risk profiles, and applications across industries. Others questioned whether assurances of security in the form of a “rating” could lead users to falsely assume a device is immune from attack, or to treat the rating as a replacement for following security best practices at the end-user stage.
Panelists noted that while labeling for consumer devices could have some merit, the benefits could be greater by incentivizing the sharing of security information about an IoT device or its components at the enterprise level. Large enterprises can drive cybersecurity by leveraging their supply chains, establishing minimum standards or setting expectations for the type of information needed to participate in the supply chain.
Cyber insurance was highlighted in this conversation as well. It was noted that premiums can be used to incentivize security. A speaker suggested that change could be incentivized by the following: (1) the tax code; (2) insurance; (3) litigation; (4) regulation; and (5) international treaties. Each one of these, or some used in combination, could impact practices related to security.
It was also noted that a tension exists between accountability and transparency—if a sector or industry actor is punished or exposed to litigation, are they more or less likely to participate in information sharing environments? In terms of encouraging greater collaboration, it was suggested that limiting liability at certain levels, offering immunity on certain terms, and reducing exposure to class action lawsuits, could all advance greater information sharing and collaboration on cybersecurity efforts.
Emphasis was placed on the global—and inherently distributed—nature of the botnet threat. These challenges require an international strategy and approach. The shared responsibility of securing the network does not stop at national borders. Therefore, panelists noted that cooperation is key to botnet mitigation. Representatives from several international organizations highlighted collaborative efforts, IoT consortiums, global and trusted third-party information sharing programs, and law enforcement activities to help build a more resilient ecosystem.
At the conclusion of the workshop, representatives from NIST highlighted that reviewers from the Departments of Commerce and Homeland Security will still consider comments emailed to the designated address found on the initiative’s main page, but the window to help shape the report is quickly closing.
The final Report on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats is due to the President on May 11, 2018. Then, the decision to adopt or follow recommendations of the report will lie with the White House.