DHS’ Manfra, Citing Botnet Guide, Urges New Thinking

jeanette manfra dhs nppd oc&c assistant secretary

When it comes to eliminating botnets, Jeanette Manfra, assistant director for cybersecurity for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, stressed the importance of thinking differently and considering new solutions at the unveiling the 2018 International Anti-Botnet Guide today.

Manfra urged everyone to consider, “What are those biggest challenges that we are facing in the internet ecosystem,” and asked, what is the $1 investment companies and governments can incur now that makes it $100 more expensive for the “bad guys” to take advantage of the internet.

The guide, which was put together by the Council to Secure the Digital Economy (CSDE), was released today. CSDE is an industry group led by USTelecom, the Information Technology Industry Council (ITI), and the Consumer Technology Association (CTA). The guide, according to CSDE, “draws on the diverse global perspectives, practices, and experiences of these stakeholders to address a persistent and increasing challenge to the global digital economy: botnets and other automated, distributed threats.”

In the guide, CSDE acknowledged that government has an important role to play in the internet ecosystem; however, it also cautioned that “the imposition of prescriptive, compliance-focused regulatory requirements will inhibit the security innovation that is key to staying ahead of today’s sophisticated threats.” It also stressed that “earlier policy efforts were based on utopian solutions to these threats, premised on the notions that internet service providers (ISPs) can simply shut down all botnets, or that manufacturers can make all devices universally secure.”

In response to its concerns about too much regulation, CSDE suggested that “dynamic, flexible solutions that are informed by voluntary consensus standards, driven by market demands, and implemented by stakeholders throughout the global digital economy, are the better answer to these evolving systemic challenges.”

In her keynote address at today’s event, Manfra agreed that there must be collaboration between private and public sector to solve security problems.

“How can we think differently,” she asked, not only about securing the systems we have today, but also planning for the future.

In order to both secure today and plan for tomorrow, the guide shared a set of baseline practices that should be implemented now, as well as advanced capabilities that are currently available but underutilized. The guide grouped its security recommendations into five main categories:

Infrastructure: CSDE explained that by “infrastructure,” it means “all systems that enable connectivity and operability–not just to the physical facilities of providers of internet service, backbone, cloud, web hosting, content delivery, Domain Name System, and other services, but also software-defined networks and other systems that reflect the internet’s evolution from tangible things to a digital concept.” CSDE says that baseline practices and advanced capabilities that should be implemented include:

  • “detect malicious traffic and vulnerabilities;
  • mitigate against distributed threats;
  • coordinate with customers and peers; and
  • address domain seizure and takedown.”

Software Development: The guide explained that “there are a wide variety of complex development processes and interdependencies that drive software innovation and improvement.” With that in mind, the guide provided three baseline practices and advanced capabilities:

  • secure-by-design development practices;
  • security vulnerability management; and
  • transparency of secure development processes.

Devices and Device Systems: CSDE explained that an individual connected device may actually consist of multiple devices that need to secured. “Beyond the individual device itself are multiple additional layers of connectivity that constitute a highly dynamic new market–including for security innovation,” the guide said. With that in mind, CSDE highlighted a handful of recommendations:

  • secure-by-design development practices;
  • roots of trust;
  • product lifecycle management including end-of-life; and
  • security-focused toolchain use.

Home and Small Business Systems Installation: The guide addressed the growing popularity of connected devices for homes and small businesses. CSDE offered four recommendations for home and small business owners to implement:

  • authentication and credential management;
  • network configuration;
  • network hardware management; and
  • security maintenance.

Enterprises: “As major owners and users of networked devices and systems, including an exponentially increasing number of IoT device systems, enterprises of all kinds–government, private sector, academic, non-profit–have a critical role to play in securing the digital ecosystem,” the group said. CSDE recommendations included:

  • secure updates;
  • real-time information sharing;
  • network architectures that securely manage traffic flows;
  • enhanced DDoS Resilience;
  • identity and access management; and
  • mitigating issues with legacy and pirated products.

“Widespread implementation of the security practices featured in this Guide will dramatically reduce botnets and help secure the global digital economy,” the guide said. “The Guide provides real-world, presently available solutions to a global challenge that cannot be met by one stakeholder set or one country alone or by any governmental mandate.”

Recent