New guidance required under the cybersecurity EO suggests that government purchasing power could induce tech manufacturers, especially in the emerging IoT space, to market more secure devices.
The federal government might have to save itself from botnets and other automated cyber threats. And to do so, it's going to need to revamp its procurement guidelines and acquisition rules, according to a new draft report to the president from the Commerce and Homeland Security Departments.
"Botnets represent a system-wide threat that no single stakeholder, not even the federal government, can address alone," National Institute of Standards and Technology Director Walter Copan said in announcing the report. "The report recommends a comprehensive way for the public and private sectors, as well as our international partners, to work together and strengthen our defenses."
The report, which was requested in President Donald Trump's May 2017 cybersecurity executive order, outlined five major goals the federal government needs to achieve to enhance network security from emerging cyber threats that included boosting education and awareness, creating a more agile and secure technology marketplace, promoting innovation in infrastructure and for edge network protections, and building global coalitions across tech communities to include security, operations and infrastructure.
But the departments also called on the federal government to change its acquisition rules and procurement guidelines to encourage manufacturers to create security compliant products.
"The federal government should lead by example and demonstrate practicality of technologies, creating market incentives for early adopters" after creating a series of baseline security profiles for home and industrial internet-dependent or IoT devices, the report stated. "Many IoT product vendors have expressed desire to enhance the security of their products, but are concerned that market incentives are heavily weighted toward cost and time to market," creating a "race to the bottom."
The report, which outlined an action plan for each goal, also stated that "While federal procurement no longer dominates the market, its buying power and influence is still strong, and the U.S. government can lead by example," adding that the Office of Management and Budget, General Services Administration and Department of Defense, "through policy and modifications to the GSA schedule and federal acquisition regulations," could facilitate the needed changes.
The report also recommends a presidential mandate for the enterprise adoption of NIST's cybersecurity framework to help the federal government develop basic mitigation and prevention tactics to protect networks from distributed denial of service attacks.
The onus isn't solely on the federal government to protect federal systems from impending cyber threats, however. The report also has major recommendations for industry.
"The private sector could establish an assessment and labeling mechanism for products that comply with the home profile," the report stated. "The private sector could also work with existing programs or establish new programs to evaluate products that comply with the industrial profile."
The report also emphasized that products must be secured throughout their entire lifecycle and that the tools to protect networks and devices exist but aren't widely used – which partly stems from a dearth of security education and awareness.
The public is invited to comment on the report, with submissions due Feb. 12. The final report is due to the president May 11.