NIST Hosts Botnet Workshop
On July 11-12, 2017, NIST’s National Cybersecurity Center of Excellence (“NCCoE”) held a workshop entitled Enhancing Resiliency of the Internet and Communications Ecosystem. The workshop was part of the effort to reduce the botnet threat, launched by President Trump’s Cybersecurity Executive Order.
The workshop focused on the security of IoT devices. NCCoE spent a good bit of time on what it sees as a market failure: the lack of incentives for devices to be made more secure. NCCoE said that workshop participants generally discussed one of two approaches: (1) finding a way to bring more secure devices to market (e.g., focusing on upgradability and patchability, educating developers and device manufacturers, putting in place new business models for manufacturing companies who have become software companies overnight, dealing with end-of-life issues, etc.), or (2) limiting the damage from unsecure devices (e.g., utilizing the Manufacturer Usage Description (MUD) standard, developing smarter gateways, etc.).
Key takeaways from the workshop included:
Good News/Bad News: Participants highlighted the work that industry has been doing over the past decade to combat botnets. There is a body of standards, practices, and norms, and the ecosystem is not starting from a blank slate. However, some participants noted that existing solutions are not enough.
Nature of the Threat: The botnet threat has evolved dramatically over the years, moving from a nuisance to an existential threat. Bad actors have also evolved, with many being nationalized and well-coordinated, and with more resources. This is a global problem that requires an international solution.
Nature of the Ecosystem: The multi-faceted nature of the internet ecosystem contributes to the complexities of the botnet challenge. Many actors need to respond: consumers, small-medium sized business, enterprises, government, law enforcement, device manufacturers, developers, ISPs, and cloud computing services, among others.
Education and Awareness: A major theme focused on what NCCoE identified as a systemic awareness problem. From end users to developers, they see a lack of understanding and/or awareness of the scope of the problem. While participants recognized that consumer education alone cannot solve the problem, there was a call for increased awareness to help all players make better decisions.
Information Sharing and Collaboration: Participants stressed the need for additional information sharing within industries, across industries, between industry and government, across government agencies, and internationally.
Role of the Government: Much of the discussion revolved around what government could do to help industry. Government participants highlighted the cyber work that government is engaged in, including regulation, enforcements, guidance, education, and collaboration. Many from industry warned against a regulatory approach.
NCCoE plans to release a workshop proceedings document that will summarize the workshop, with initial analysis. That document, with the workshop and comments in response to NTIA’s Request For Comments due July 28, will inform the draft botnet report from the Department of Commerce and the Department of Homeland Security that is due to the White House in January 2018.