President Trump recently issued Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which included a section on Resilience Against Botnets and Other Automated, Distributed Threats. The Executive Order requires the Departments of Commerce and Homeland Security to produce a report on botnets based on industry and other stakeholder input. As part of this effort, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comment (RFC), which included seven broad questions about potential solutions and approaches to the challenge of automated, distributed attacks. Comments are due by July 13, 2017.
NTIA has asked for input from all interested stakeholders – including private industry, academia, civil society, and other security experts – on ways to improve industry’s ability to reduce threats perpetuated by automated distributed attacks, such as botnets, and what role, if any, the U.S. Government should play in this area. NTIA is particularly interested in how these attacks can be mitigated, and how the endpoint sources of these attacks, especially IoT devices, can be better secured. NTIA asks:
- What works in dealing with these attacks and what are the gaps in existing approaches?
- Are there incentives or other public policies that can drive change?
- How can solutions explicitly address the international aspects of the issue?
The Department of Commerce’s National Institute of Standards and Technology (NIST) has also announced a related cross-sector, participatory workshop to accompany the RFC on July 11-12. The workshop, titled "Enhancing Resilience of the Internet and Communications Ecosystem," will allow stakeholders to explore a range of current and emerging solutions to improve the resiliency of the Internet against automated, distributed threats. NIST will produce a document summarizing the workshop, findings, and opportunities for next steps.
The comments submitted to NTIA, together with the NIST workshop and summary document, present an excellent opportunity for the private sector to weigh in on evolving Internet security policies, as this public record will be used to inform implementation activities related to the Cybersecurity Executive Order.