The US Department of Commerce (DoC) and Department of Homeland Security have put out a draft cybersecurity report that recommends, among other things, that the American government fund a public awareness campaign on IoT security, and make cybersecurity a compulsory part of future engineering degrees.
The 38-page report [PDF] titled "Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats" is the first of many heading to the president's desk under an executive order signed in May, after a number of abortive attempts.
The report is pretty good: it identifies the current issues facing government, industry and consumers when it comes to cybersecurity – focused specifically on botnets, as the title suggests – and is largely written in plain English. It doesn't gloss over problems, nor does it hype up some threats or diminish others. In short, it is the kind of professionally produced policy paper that the government still, fortunately, produces despite the noise and nonsense above civil servants.
The only issue that is notable by its absence is the inter-agency battle going on within the US government to take the lead on internet security and the internet-of-things (IoT).
As is typical in such documents, however, many of the actual recommendations are a little wishy-washy. Such as the key "goal" to "identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace." Or "promote innovation." Or "build coalitions."
Due to its traditional hands-off approach to industry and the fact that the internet mostly resides in private hands, there is little that the DoC or DHS can do in real, solid terms. But it does identify where the problems lie and the best way to fix them.
Perhaps the most useful part of the report is the recognition that you cannot and should not expect consumers to be responsible for the internal security of devices that they buy in a store and then connect to their home wireless.
This is especially true when it comes to the "internet of things" – a market that the report correctly notes is "much like that of desktop computing in the 1990s" i.e. massively insecure.
"IoT devices are often sorely lacking in such security-focused features," the report stated. "These systems now offer the most attractive target to malicious actors, and are an increasingly large percentage of the devices in the ecosystem."
It went on: "The reality is that consumers are not directly affected by compromises of their devices; in fact, the consumer may never know that the device is part of a botnet. From the consumer's perspective, the webcam is still streaming, or the refrigerator is still chilling.
"For this reason, it is impractical to hold the owners responsible if their devices are used in a botnet. This lack of clear consequences of infection creates a challenge in motivating consumers to take steps to improve security, for example, to update even those devices that are updateable."
Which is hardly news to IT professionals but it is good to see the problem stated clearly and succinctly in a US government report.
The dossier also noted that software and firmware security updates and similar best practices are a pretty effective solution to IoT insecurity, but the problem is that too few companies or individuals actually apply them. And so, it argued, as many have for years, that security needs to be baked in to devices, including secure automated updates.
"Ideally, devices marketed toward consumers should be designed with security built in," the document read. "Consumer products should be designed as securely as possible, should include secure automated update mechanisms, and should have few to no requirements for managing the products."
The US government is not going to impose rules on industry so instead it argues the case for working with businesses to develop "broadly accepted baseline security profiles for IoT devices in home and industrial applications." And it suggests using the US government's role as a big procurement organization to "accelerate this process by adopting baseline security profiles for IoT devices in US government environments" – which sounds like a smart approach and has worked to some degree with things like DNSSEC and IPv6.
Perhaps the most public-facing recommendation, however, is for the government to fund a consumer awareness campaign over IoT security. "The federal government should establish a public awareness campaign to support recognition and adoption of the home IoT device security profile and branding," it argues.
Later on, it also advocates for more federal dollars to be spent on research and development "to support advancement in DDoS prevention and mitigation, as well as foundational technologies to prevent botnet creation."
Speaking of IPv6, the report is a little concerned about the potential impact of widespread adoption of the new protocol on cybersecurity.
IPv6 will give every device its own IP address and so, potentially, make many millions of new devices susceptible to being attacked and hacked. In this respect, the use of IPv4 and NATs may produce a more secure environment by putting a range of devices behind a single IP address.
It's not backing away from IPv6 adoption – in fact it argues for incentives to ensure faster take-up by ISPs – but it does recommend investigating "how wider IPv6 deployment can alter the economics of both attack and defense."
One plus to IPv6 is that people will be able to more easily discover which specific device has been compromised. But at the same time it references the Mirai botnet as being especially effective because it attacked devices (typically webcams) that had their own IP address. By contrast: "NAT tools act as an incidental firewall, preventing devices in the home from being directly reached by the sort of mass-scanning tools that spread malware and lead to widespread infection."
It even digs into the issue of a greatly expanded namespace: "In theory, the IPv6 address space is so large that it would not be scannable using existing tools, but experts have observed that patterns would allow new scanning techniques to still discover vulnerable devices."
So what's the solution? Studies with a focus on "further innovation at the edge of the network."
There are lots of other ideas, suggestions and recommendations – most of them containing the word "should", which somewhat undercuts the sense of urgency – but one that stands out is ensuring that the next generation of engineers is trained in what will undoubtedly be a critical skill from this point on.
"The academic sector, in collaboration with the National Initiative for Cybersecurity Education, should establish cybersecurity as a fundamental requirement across all engineering disciplines."
That's just one of many good ideas contained in this report, which was published late last week. It is open for public comment from now until February 12 – so a little over a month (email: Counter_Botnet@list.commerce.gov). If you have strong feelings about any of this, now would be a good time to let the US government know. ®