On January 5, 2018, the US Secretary of Commerce and Secretary of Homeland Security submitted “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem against Botnets and Other Automated, Distributed Threats.”
This draft report responds to the Trump administration’s May 11, 2017, Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
If you care at all about the US federal government’s approach to DDoS protection, it’s worth reading this document. It’s impossible to sum up a 37-page report in a few paragraphs, but here are some of the most salient points:
- Past collaboration between industry and the federal government has yielded incremental progress, and improved resiliency will require improved coordination on policy and governance issues.
- “Effective tools exist, but are not widely used. The tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, if imperfect, and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.”
- The vision for the future includes “shared best practices” across infrastructure (which would include not only hardware and software, but hosting and Internet service providers).
- “An increasingly smart network can segment different types of traffic automatically, to isolate or mitigate applications or devices that are sources of attacks.”
- “Enterprises that understand the risks and implement these mechanisms are the exception. Many at-risk enterprises are unaware of the potential impacts of DDoS attacks on their operations. Such enterprises may not understand fully their ability to protect their networks and respond to an attack. For example, they may not understand the limitations of their contracts with Internet service providers, or the availability of products and services to mitigate DDoS attacks. They also may not understand fully the cost to recover from such an attack.”
- The vision for the future is one in which enterprises deploy secure devices, and enterprises deploy or procure on- and off-premise DDoS mitigation services.
The draft report contains some lofty goals and visions, and often includes the words “could” and “should,” as in the following excerpt:
“NIST [the National Institute of Standards and Technology] should lead and coordinate federal agencies’ engagement on related standards activities, including engagement with the private sector, exploring a federal government strategy for international standards to address the challenges of botnets and other automated, distributed threats. Complementary actions by the U.S. government and private sector could significantly enhance the impacts of these profiles. The federal government can use acquisition rules and procurement guidelines to amplify the market signal by requiring certain security features or properties (see Action 2.3).”
Here’s another “should” in the report, which basically says that the government needs to walk the talk when it comes to DDoS protection:
“Upon publication of an appropriate CSF profile (Action 2.2), the federal government should implement basic DDoS prevention and mitigation measures for all networks operated by or on behalf of departments and agencies to enhance the resilience of the ecosystem and demonstrate practicality and efficacy of the profile. In the past, federal networks have been implicated in DDoS attacks, where hackers have leveraged open resolvers and other agency resources to amplify their attacks. The federal Government should lead by example, ensuring that federal resources are not unwitting participants and that federal networks are prepared to detect, mitigate, and respond as necessary.”
The draft report is chock-full of further recommendations and technical observations pertaining to home and small business networks, the need for international coordination and collaboration, and the lack of IoT security standards. It is posted for a 30-day public comment period, and will be finalized based on adjudication of received comments before submission to the President. (The final report is due to the President on May 11, 2018.)
The federal government realizes that it alone cannot manifest the reality of its vision; policies, standards, best practices, regulations and laws can go only so far. For better and worse, the consumer and business market demands often carry equal, if not greater, influence. Nonetheless, it is good to see the DHS and DOC address these issues and offer guidance, because the problem of automated cyberattacks, whether DDoS or other attacks, should not be underestimated. Cyber threats have become a matter of national security and economic stability.
Corero’s DDoS defense technology aligns very well with the DHS and DOC recommendations. We have been a leader in DDoS protection solutions for over a decade. To learn how we can help protect your part of the Internet ecosystem, contact us.