Trump Administration Botnet Report Will Impact IoT Device Makers

Manufacturers of wireless devices used for Internet of Things (IoT) applications should take heed of new Trump Administration proposals aimed at reducing the cybersecurity threats from botnets and other automated and distributed attacks.

Following a year of public and internal discussions and inquiry, the Department of Commerce and Department of Homeland Security (DHS) recently issued a Final Report on the topic, “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.” The Report arises from the cybersecurity Executive Order issued by President Trump in May 2017, which required Commerce and DHS to lead a process to determine appropriate action to “dramatically reduc[e] threats perpetrated by automated and distributed attacks (e.g., botnets).”

The Report sets out six themes related to cyber threats and the IoT ecosystem:

1. Automated, distributed attacks are a global problem;
2. Effective tools exist, but are not widely used;
3. Products should be secured during all stages of the lifecycle;
4. Awareness and education are needed;
5. Market incentives should be more effectively aligned; and
6. Automated, distributed attacks are an ecosystem-wide challenge.

The Report then identifies five principal goals aimed at dramatically reducing threats toward the IoT ecosystem:

1. Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace;
2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats;
3. Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks;
4. Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world.; and
5. Increase awareness and education across the ecosystem.

From these themes and goals, the Report recommended twenty-four actions to be taken by stakeholders – government, industry, and others – the most relevant of which for device manufacturers are outlined below.

Action 1.1. Using industry-led inclusive processes, establish internationally applicable capability baselines for IoT devices supporting lifecycle security for home and industrial applications founded on voluntary, industry-driven international standards.

Action 1.2. The federal government should leverage industry-developed capability baselines, where appropriate, in establishing capability baselines for IoT devices in U.S. government environments to meet federal security requirements, promote adoption of industry-led baselines, and accelerate international standardization

Action 1.3. Software development tools and processes to significantly reduce the incidence of security vulnerabilities in commercial-off-the-shelf software must be more widely adopted by industry. The federal government should collaborate with industry to encourage further enhancement and application of these practices and to improve marketplace adoption and accountability. 

Action 3.2. Home IT and IoT products should be easy to understand and simple to use securely

Action 4.3. Sector-specific regulatory agencies, where relevant, should work with industry to ensure non-deceptive marketing and foster appropriate sector-specific security considerations. .

Action 5.1. The private sector should establish and administer voluntary informational tools for home IoT devices, supported by a scalable and cost-effective assessment process, that consumers can trust and intuitively understand.

Action 5.2. The private sector should establish voluntary labeling schemes for industrial IoT applications, supported by a scalable and cost-effective assessment process, to offer sufficient assurance for critical infrastructure applications of IoT.

[Source https://www.privacyandsecuritymatters.com/2018/06/trump-administration-botnet-report-will-impact-iot-device-makers-things-you-should-know/ ]