NIST botnet security report recommendations open for comments
Federal agencies opened public comments on a draft botnet security report born from the 2017 White House cybersecurity executive order, and experts are generally favorable.
The Departments of Commerce and Homeland Security opened public comments on a draft of its botnet security report before the final product heads to the president.
The report was commissioned by the cybersecurity executive order published by the White House on May 11, 2017. DHS and the National Institute of Standards and Technology (NIST), a unit of the Department of Commerce, were given 240 days to complete a report on improving security against botnets and other distributed cyberattacks, and they took every minute possible, releasing the draft botnet security report on Jan. 5, 2018.
The public comment period ends Feb. 12, 2018, and industry experts are supportive of the contents of the report. According to a NIST blog post, the draft report was a collaborative effort.
"This draft reflects inputs received by the Departments from a broad range of experts and stakeholders, including private industry, academia, and civil society," NIST wrote. "The draft report lays out five complementary and mutually supportive goals intended to dramatically reduce the threat of automated, distributed attacks and improve the resilience of the ecosystem. For each goal, the report suggests supporting activities to be taken by both government and private sector actors."
The blog post listed the following goals for stakeholders laid out by the draft botnet security report:
Identify a clear pathway toward an adaptable, sustainable and secure technology marketplace.
Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
Promote innovation at the edge of the network to prevent, detect and mitigate bad behavior.
Build coalitions between the security, infrastructure and operational technology communities domestically and around the world.
Increase awareness and education across the ecosystem.
Rodney Joffe, senior vice president, technologist and fellow at Neustar Inc., an identity resolution company headquartered in Sterling, Va., said NIST and DHS took the right approach in putting together the report.
"The Departments of Commerce and Homeland Security worked jointly on this effort through three approaches: hosting a workshop, publishing a request for comment and initiating an inquiry through the president's National Security Telecommunications Advisory Committee," Joffe told SearchSecurity. "We commend the administration for working with and continuing to seek private-sector advice on the best path forward."
A good start, but...
Experts like Michael Patterson, CEO of Plixer, a network traffic analysis company based in Kennebunk, Maine, generally applauded the draft botnet security report as being an in-depth starting point that is missing some key features.
"The report offers a comprehensive framework for threat intelligence sharing and utilizing NIST to work with a variety of industry groups to establish tighter security protocols and best practices, while outlining government and industry transformations to protect the internet," Patterson told SearchSecurity. "However, it is missing the required teeth to propel industry action. Without a mechanism to define a specific compliance standard, service providers will not have enough incentive to take the steps required to mitigate these risks."
Stephen Horvath, vice president of strategy and vision for Telos Corp., a cybersecurity company located in Ashburn, Va., applauded the draft botnet security report for balancing "high-level explanations along with some technical details of merit."
"This report will, hopefully, drive improvements and awareness of the issues surrounding botnets. Given a few of the more important recommendations are taken and funded -- the establishment of an IoT [internet-of-things cybersecurity framework] profile, for example -- a general overall improvement across all domains should be felt in the next few years," Horvath told SearchSecurity. "I believe stronger improvements would be possible more quickly if the recommendations included greater focus on enforcing hard requirements, rather than incentives."
Gavin Reid, chief security architect at Recorded Future, a threat intelligence company headquartered in Somerville, Mass., said NIST's goals are "laudable, and the paper takes the approach of providing as comprehensive of a solution as is possible, given the transient nature of attacks."
"It does not address how the goals and technology approach keep up with and change to match changes to the attack vectors," Reid told SearchSecurity. "The paper also conflates all botnets with IoT botnets. Bots resulting in automated controlled attacks and toolkits are not limited to IoT, but have a much wider footprint covering all IT ecosystems."
The IoT question
Following the highly publicized botnet attacks like Mirai, which preyed on insecure IoT devices, the draft report focused on these issues and even noted "IoT product vendors have expressed desire to enhance the security of their products, but are concerned that market incentives are heavily weighted toward cost and time to market."
Luke Somerville, manager of special investigations at Forcepoint Security Labs, based in Austin, Texas, said the goals and actions within the draft botnet security report are "a good starting point, but the effectiveness of ideas such as baseline security standards for IoT devices will depend entirely on the standards themselves and how they are implemented."
"Any standards would need to be backed up robustly enough to overcome the strong market incentives against security which exist at present," Somerville told SearchSecurity.
"Increasing awareness and security education is also discussed -- something that has been a goal of the security industry for a long time. Ultimately, insecure systems don't fix themselves, and nor do they make themselves insecure in the first place," he continued. "By focusing on the human point of contact with data and systems -- be that point of contact the developers writing the code controlling the systems, the end users configuring the systems, or even prospective users in the process of making a purchasing decision -- we can attempt to build security in throughout the design and usage lifecycle of a product."
Botnet security report outcomes
While experts were generally favorable to the draft botnet security report, some were less optimistic about real-world changes that might come from such a report.
Jeff Tang, senior security researcher at Cylance, based in Irvine, Calif., said he was "not convinced this report will make any significant strides toward deterring the spread of botnets."
This is not the work of a moment; this is evolution over thousands of software design lifecycles.
Pam Dingleprincipal technical architect at Ping Identity
"Trying to develop an accepted security baseline through a consensus-based process when one of your stakeholder's primary goal is to sell you a new shiny IoT device every year is only going to result in watered-down standards that will be ineffective. As the recent spectacle of CPU bugs has shown, speed is the enemy of security. If you're rushing to release a new device every year, security is going to be nonexistent," Tang told SearchSecurity. "Additionally, secure development best practices haven't changed much in the last decade, but judging by the reports of various device vulnerabilities, manufacturers have not voluntarily adopted these best practices."
Pam Dingle, principal technical architect at Ping Identity, an identity security company headquartered in Denver, said "changing ecosystems is difficult," and it will take a concerted effort by vendors and CISOs alike to make the change real. Otherwise, "the effects will likely be limited."
"It is up to those who see the value in the recommended actions to put the manpower into participating in standards groups, collaborating with adjacent vendor spaces to make integration easier and more pattern-based, and demanding that a shared defense strategy stay high in priority lists," Dingle told SearchSecurity. "This is not the work of a moment; this is evolution over thousands of software design lifecycles. And even then, the mass of legacy devices out there with no update capabilities will be shackles on our collective legs for a long time to come. We have to start."
