Expert: Battling botnets requires standards and automation

The Trump administration's cyber executive order has tasked the departments of Commerce and Homeland Security with a year-long study of how to reduce botnets, but one former official says the immediate focus should be on standards and automation.

Ari Schwartz, former senior director for cybersecurity at the National Security Council and now with Venable LLP, said at a July 11 resilience workshop hosted by the National Institute for Standards and Technology that the proliferation of internet-connected devices -- many of which are insecure or can't be updated -- and increasing bandwidth of internet systems are leading to more, and more powerful, distributed denial of service  attacks. Repeaters and other technology are making attacks increasingly complex.

Schwartz said that there were a variety of successes in the battle against bots over the last decade, including the FBI's Bot Roast and DNSChanger operations and the Federal Communications Commission Communications Security, Reliability and Interoperability Council's Anti Bot Code of Conduct for ISPs.

But he said the government failed to build on the momentum.

"The fact that you need a botnet report and we're not at the point of saying 'here is the whole of government approach to this issue' and that the Trump administration needed this report," demonstrates that more could have been done, he said.

Going forward, Schwartz told FCW the first priority is speeding up the development of standards, especially for device manufacturers.

"We're just starting to see the standards be put in place for what they are supposed to do, so I'm worried that it's a long process to get to that point," he said. Schwartz warned that standards need to be put in place before any regulation comes down to avoid ending up "with things locked into place in 2017."

He said NIST and National Telecommunications and Information Agency are playing important roles in developing standards and facilitating public-private partnership.

"There needs to be sustained follow up and sustained participation," he said. "Government is part of that. Industry is part of that, and it's different parts of industry too."

Schwartz stressed that the government needs to hold off on regulations for now.

"You've got to get the standards in place," he said. "You've got to get people doing it voluntarily and see how that goes for some period of time and then start mandating it as people are not doing it or in the areas they're not doing it."

One of the key standards is automated device updating, Schwartz said.

"Education works to some extent, notification works to some extent, but the scale we're talking about, it's not going to be the answer," he said. "So it needs to be more of automated patching in this space."

"How do we make sure that we can update things and the user doesn't have to be involved in that discussion, but yet we're not invading their privacy, we're not breaking stuff on their side, right?" he said. "That's the key."

Schwartz and other panelists at the workshop acknowledged there will be an ongoing challenge posed by expired devices that are still connected but are no longer supported or being updated.