On September 18, 2017, the National Telecommunications and Information Administration (“NTIA”), the executive branch agency that is principally responsible for advising the President on telecommunications and information policy issues, issued a report titled “Report on Responses to NTIA’s Request for Comments on Promoting Stakeholder Action Against Botnets and Other Automated Threats.”
The Report was in response to an Executive Order issued on May 11, 2017 titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The Executive Order required the Secretary of Commerce and the Secretary of Homeland Security to “jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
On June 13, 2017, NTIA issued a request for comments (“RFC”) on “Promoting Stakeholder Action Against Botnets and Other Automated Threats” in order to further the aims described in the Executive Order. The RFC requested feedback on approaches for dealing with botnets and other distributed, automated attacks. NTIA expressed a particular interest in mitigating ongoing attacks and securing vulnerable Internet of Things devices that can be used in attacks.
NTIA received 47 comments in response to the RFC. According to the Report, commenters ranged from “large trade associations to individual technical experts associated with a diverse range of industries and sectors, including Internet service providers, security firms, infrastructure providers, software manufacturers, civil society, and academia.”
The Report noted the following themes in the responses:
A general concern over securing devices across the Internet of Things and a desire for more tools and better, more widely adopted practices in the Internet of Things marketplace.
Emphasis on the importance of certifications and standards making it easier to build, deploy, and acquire more secure technology.
The importance of information sharing and collaboration between infrastructure providers, defensive security services that protect against DDoS attacks, and the victims of these attacks.
A call for an active government role in disrupting the networks that helped drive many of these distributed automated attacks, such as when law enforcement authorities use their powers to “take down” these networks through legal and other means.
The RFC comments will contribute to the development of the final report required under the Executive Order to be provided by the White House by May 11, 2018. A draft of the report is scheduled to be released for public comment on January 5, 2018, with a follow-up workshop to be conducted thereafter to discuss the plan of action prior to the drafting and submission of the final report.
The Report can be found here and the Executive Order can be found here.