Cybersecurity road map aims to support more secure and resilient IoT development for consumer, enterprise and government users
If there is a path to a digital world that is more secure and resistant to botnet attacks, what would that path look like?
A newly published U.S. federal “road map” aimed at increasing resilience in the face of internet of things-based botnet attacks lays out five areas of focus, with tasks and timelines that would support robust markets for IoT while also addressing security concerns. Those tasks range from the general — such as the promotion of industry best practices — to specific work that federal agencies are doing in this area.
The departments of Commerce and Homeland Security collaborated on the initial BotNet Report, which was published in May. The road map is a follow-up effort that lays out priorities for action, for both the federal government and private industry, in order to move toward a more resilient internet. It includes five areas of focus and 85 tasks that “could dramatically reduce the threat of botnets and similar attacks,” the road map says.
“Some actions are already in progress, others are dependent on outside factors, and a final set awaits leadership and/or funding,” the road map report concluded. “We do not expect all actions to occur simultaneously, due to considerations such as resource constraints or varying levels of sophistication in the relevant stakeholder communities.”
“While the road map focuses on addressing botnet threats, this effort will make the Internet ecosystem more secure and have an impact far beyond the boundaries of the report,” the National Telecommunications and Information Administration said in a blog entry on the work. “This is just a starting point and the road map will evolve to address the rapid changes in digital technologies and the threat environment.”
The road map lays out a series of fairly broad goals — such as establishing robust markets for IoT devices for consumer, enterprise and government users — and the work that it will take to ensure that such markets, and the IoT solutions that they provide, are both more fundamentally secure and better able to bounce back from any attacks which do occur. Acknowledging that such a shift can only be accomplished by the combined efforts of private industry, government and end users, the road map gives five areas of focus for actions that will ultimately lead to better botnet resilience:
1. Internet of Things. Within the IoT ecosystem itself, the road map says, “security capabilities must be developed that address the needs of three sectors: consumers/home users, industrial users, and the federal government.” The road map seeks the development of baseline, core security capabilities that “should be provided or facilitated by common development platforms to limit impact on time to market and enable innovation” — ideally, the basics would apply across all three sectors. The road map also calls for engagement with developers of international standards to establish such specifications on a global basis. Consumer labeling will need to be developed that helps end users select products which meet the baseline requirements, whether for consumer, government or industrial use.
2. Enterprise. Within the enterprise space, the road map calls for working toward industry consensus on profiles to mitigate distributed denial of service attacks through the NIST Cybersecurity Framework, as well as migration toward advanced enterprise network architectures that help businesses to better address threats. Enterprises “should also consider how their own networks put others at risk,” the road map notes, as well as identifying best practices for IoT device management — best practices that the federal government should also adopt.
3. Internet Infrastructure. In this area, the road map calls for improvements to routing security, since the internet “was designed to facilitate resilient communications between end points, and provided less regard to basic security services.” It also recommends more work in anti-spoofing technologies and increasing information sharing about threats on a regional and global basis and across both large and small ISPs, between government and industry, and between industry and law enforcement.
4. Technology Development and Transition. In this area, the road map recommends the establishment of “widely accepted guidelines for secure software development” as well as guidelines on transparency in software components and promoting secure practices. In addition, it calls for improving U.S. government coordination in the development of international standards and promoting best practices on a global scale, while also accelerating federal funding of mitigation research and encouraging the private sector to speed up its own research to address distributed threats.
5. Awareness and Education. “Consumers’ lack of confidence in the security of IoT devices may be hindering IoT adoption,” the road map notes. In order to address this, the road map calls for consumer education initiatives across the IoT ecosystem to help consumers identify and deploy products that use appropriate security. The road map also notes that programmers and engineers need to be sufficiently educated about security tools and cybersecurity principles, and recommends that academic programs aid in establishing cybersecurity as a fundamental element within all engineering disciplines.
“The problem of automated, distributed attacks cannot be solved by a single entity, and will require action, coordination and the harnessing of innovation across government and the private sector,” the road map concluded.

 
                                    
