US government takes on botnets and other automated attacks

New federal report makes recommendations on how organizations should defend against threats.

Automated, distributed cyber security attacks such as botnets are a global problem. And to increase the resilience of the internet and the communications ecosystem against these threats -- many of which originate outside the US -- the US must continue to work closely with international partners, according to a new report submitted to the White House by the US Departments of Commerce and Homeland Security.

The extensive report is a response to the May 2017 Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which called for resilience against botnets and other automated, distributed threats.

The order directed the secretaries of commerce and homeland security to "lead an open and transparent process to identify and promote action by appropriate stakeholders," with the goal of dramatically reducing threats perpetrated by automated and distributed attacks.

As part of their research, the departments gathered a range of input from experts and stakeholders from private industry, academia, and civil society. They worked in consultation with the Departments of Defense, Justice, and State, the Federal Bureau of Investigation, the sector-specific agencies, the Federal Communications Commission, Federal Trade Commission, and other interested agencies.

Effective tools against botnets exist, but they are not widely used, the report said. While there remains room for improvement, the tools, processes, and practices needed to significantly enhance the resilience of the internet and communications ecosystem are widely available. And they are routinely applied in selected market sectors.

Still, they're not part of common practices for product development and deployment in many other sectors for a variety of reasons, the study noted. These include a lack of awareness, cost avoidance, insufficient technical expertise, and a lack of market incentives.

One recommendation of the report is that products should be secured during all stages of the lifecycle. Devices that are vulnerable at the time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated, distributed threats far too easy, it said.

In addition, greater awareness and education about the threats are needed. Businesses are often not aware of the role their devices could play in a botnet attack, and might not fully understand the merits of available technical controls. Product developers, manufacturers, and infrastructure operators in many cases lack the knowledge and skills needed to deploy tools, processes, and practices that would make the ecosystem more resilient.

The report also noted that market incentives should be more effectively aligned. They do not currently appear to align with the executive order's goal of "dramatically reducing threats perpetrated by automated and distributed attacks."

Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, the study said, rather than to build in security or offer efficient security updates. Market incentives must be realigned so that they promote a better balance between security and convenience when developing products.
