Federal agencies face a thorny path as they try to step up the government’s fight against armies of infected computers and connected devices known as botnets, responses to a government information request reveal.
Industry, academic and think tank commenters all agreed more should be done to combat the zombie computer armies that digital ne’er-do-wells frequently hire to force adversaries offline.
Just what that effort should comprise is a more complicated question.
The government shouldn’t impose any new regulations, industry responders warn, for fear of hindering commerce or damaging government’s ability to respond nimbly to new security challenges.
On the other hand, the government also should be extremely wary of pumping up the investigatory or botnet takedown powers of law enforcement, the Center for Democracy and Technology think tank warns, out of concern for invading computer and device owners’ privacy.
“Botnet bills introduced over the last several years would have made the Computer Fraud and Abuse Act broader and vaguer and would only discourage the types of independent research that could fight botnets in its own right,” the CDT comments note.
The Computer Fraud and Abuse Act is a 1986 law that, despite its vintage, governs many hacking crimes. Critics say the outdated law is interpreted too broadly and unfairly criminalizes the work of ethical hackers who try to find computer vulnerabilities and expose them before nefarious hackers find and exploit them.
Given that narrow path, many responses to the National Telecommunications and Information Administration’s request for comments on what government can do to combat botnets focused on work the government has already done, such as convening stakeholders in industry and promoting security best practices.
A handful of big ideas emerged in the comments published Sunday, though. Here are three of them:
After numerous failed attempts to pass major cybersecurity legislation, Congress succeeded in passing a narrow bill in 2015 that offers liability protection to companies that share cyber threat information with each other and with the government.
If the government wants to enlist companies to combat botnet operations, it may have to go a step further and offer similar protections for certain cyber defense operations, some commenters said.
“While enactment of the Cybersecurity Information Sharing Act (CISA) has helped to clear away some of the legal underbrush that inhibited cyber threat information sharing, the statute only authorizes—but does not offer liability protection for—operation of defensive measures, which leaves companies employing such measures open to potential liability on various legal grounds,” NCTA, the Internet and Television Association, wrote.
Such defensive measures might include probing the botnet for weak points so an internet service provider can shut down its command and control operations.
The wireless industry association CTIA warned that “any uncertainty about defensive steps operators can take may have a chilling effect on rapid action to address attacks.”
Numerous commenters warned that U.S. efforts to combat botnets will do little good if other nations aren’t similarly working to keep their computers and connected devices from being co-opted by botnets.
The software industry group BSA: The Software Alliance recommended surging the government’s global cyber capacity building efforts so there are less fertile grounds for botnet builders.
Much of the U.S. government’s cyber capacity building effort was operated out of the State Department Cyber Coordinator’s Office, which Secretary of State Rex Tillerson is considering shuttering.
The cybersecurity firm Crowdstrike urged surging counter botnet cooperation between technical agencies in different national governments and making it a proving ground for other cyber cooperation.
Numerous commenters urged the government to press counter botnet initiatives at international organizations such as the International Telecommunications Union, which helps manage global internet policy.
Be the Change You Wish to See
The government should also be a good counter botnet role model, numerous commenters said.
It would be a “game changer,” for example, if U.S. law enforcement committed to taking down one botnet every week, Crowdstrike suggested.
The government could also lead by example by only purchasing connected devices that meet strict security guidelines, the New America think tank’s Open Technology Institute suggested.
Unlike laptops and phones, many connected devices, such as cameras and baby monitors, can’t be patched in response to newfound security vulnerabilities and are secured with default passwords set by the company. As a result, they’re more likely to be conscripted by botnets such as the Mirai botnet that forced popular sites such as Netflix and The New York Times offline earlier this year.
Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., introduced legislation that would mandate better security protections for government-purchased connected devices earlier this week.
…to the Secure Systems Lab at New York University, for prefacing its comment with a description of a hypothetical cyberattack that includes mass hallucinations, a masterminding rogue nation and a Washington, D.C. Independence Day party gone horribly wrong. The hypothetical didn’t really have anything to do with botnets, but it was nice break from dry industry prose.