There must be greater resilience against botnets and other distributed, automated threats in an effort to properly combat evolving cybersecurity threats, according to a recent report from federal agencies.
The Departments of Commerce and Homeland Security (the Departments) published a draft in response to the executive order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which was published in May 2017.
“The recommended actions and options include ongoing activities that should be continued or expanded, as well as new initiatives,” the report’s executive summary explained. “No single investment or activity can mitigate all harms, but organized discussions and stakeholder feedback will allow us to further evaluate and prioritize these activities based on their expected return on investment and ability to measurably impact ecosystem resilience.”
The Departments also determined that the following were six key themes characterizing the opportunities and challenges in reducing threats:
- Automated, distributed attacks are a global problem
- Effective tools exist, but are not widely used
- Products should be secured during all stages of the lifecycle
- Education and awareness is needed
- Market incentives are misaligned
- Automated, distributed attacks are an ecosystem-wide challenge.
The draft also discussed “complementary and mutually supportive goals” that would reduce the automated attack threats. First, stakeholders must “identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.”
It will also be important to promote infrastructure innovation, and to do so “at the edge of the network to prevent, detect, and mitigate bad behavior.”
Stakeholders should also work toward building coalitions between domestic and global security, infrastructure, and operational technology communities. Overall, there must be an increased “awareness and education across the ecosystem,” according to the Departments.
Botnets and automated attacks include distributed denial of service (DDoS) attacks, ransomware attacks, and computational propaganda campaigns, the report noted.
“Traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, are designed to protect against botnets of an anticipated size,” report authors wrote. “With new botnets that capitalize on the sheer number of ‘Internet of Things’ (IoT) devices, DDoS attacks have grown in size to more than one terabit per second, outstripping expectations. As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved.”
Stakeholders in all industries must be willing to coordinate and collaborate to combat these threats. Problems must be proactively addressed “to enhance the resilience of the future Internet and communications ecosystem.”
There must be effective policies that clearly outline standards and best practices, but those policies must also be flexible enough to account for evolving security risks.
“Better information sharing across the domains will improve the ability of ecosystem members to mitigate the botnet threat,” the Departments explained. “Meanwhile, some coordination models may require the creation of new standards, guidelines, and metrics.”
The Departments also noted in the draft report that stakeholders have underlined the need for clarifying potential legal risks with regard to information sharing. For example, DHS’s National Cybersecurity and Communications Integration Center (NCCIC) allows for private-sector and government organizations to work together in establishing strong cybersecurity measures.
The Cybersecurity Information Sharing Act of 2015 (CISA) also provides certain protections with respect to disclosure laws and to the sharing of cyber threat indicators.
“These NCCIC cybersecurity capabilities and CISA legal protections apply to IoT cybersecurity in much the same way that they apply to cybersecurity more broadly. Moreover, nothing in CISA precludes robust sharing by private entities with law enforcement as part of the normal course of a criminal investigation; indeed, CISA authorizes the sharing of cyber threat indicators and defensive measures with law enforcement—or any other federal entity—and, in addition, its liability protection applies when such information is shared with law enforcement under certain circumstances.”
Securing IoT devices is a critical issue and will only grow in importance as more devices are implemented into daily operations, report authors stated.
“Liability is a complex area of law, as is the emerging IoT market, and care must be taken to avoid static and ineffectual compliance requirements, especially in the midst of a dynamic cybersecurity landscape,” the Departments wrote. “Investment must be made to address risk through innovative practices, and with stakeholders engaged in cross-sector coordination.”
The draft is available for public comment until February 12, 2018.
When the Executive Order was first released, HITRUST said it was an important step forward and that risk management was the “key to cybersecurity success.”
“HITRUST stands ready to help identify and inform what risk management practices should be given priority,” HITRUST CEO Daniel Nutkis said in a statement. “In the face of the growing cyber threats to the healthcare industry, HITRUST believes the measures in the Executive Order are needed to encourage best practices, encourage investments in risk management and cyber resilience, and leverage information sharing.”