The Council to Secure the Digital Economy, which USTelecom coordinates with the Information Technology Industry Council (ITI), partnered with the Consumer Technology Association (CTA) to develop the 2018 International Anti-Botnet Guide.
The Guide comes at an opportune time, since the botnet threat has never been more serious. In 2016, the Mirai botnet was able to wreak havoc on a global scale—disrupting online services for companies such as Airbnb, Amazon.com, BBC, CNN, Netflix, and others—by taking over more than 400,000 Internet of Things (IoT) devices. In 2017, the most costly cyber-attack in history, NotPetya, spread across Europe, Asia, and the Americas, causing more than $10 billion in damage.
This year, the number of IoT devices exceeds 27 billion worldwide according to research by IHS Markit, and the rogues’ gallery of bad actors, which includes nation states, criminal organizations, hacktivists, and opportunists who rent or buy botnets, continually threatens both the resilience and transactional integrity of the internet commons. In response, industry has taken collective and decisive action—the International Anti-Botnet Guide highlights impactful voluntary practices for combating botnets and other distributed threats to the ecosystem.
Perhaps the Guide’s most significant contribution to the global conversation on botnets is the identification of expertly vetted baseline practices that responsible stakeholders should adopt. The Guide also features advanced capabilities that industry leaders are presently using to secure the ecosystem, but which may be under-utilized by industry as a whole.
By encouraging collective and responsible action throughout diverse segments of the internet and communications ecosystem, the Guide tackles the problem of botnets from many angles. Specifically, the Guide addresses five ecosystem segments: (1) Infrastructure, (2) Software Development, (3) Devices and Device Systems, (4) Home and Small Business Systems Installation, and (5) Enterprises.
The Guide calls on different types of infrastructure providers, including ISPs, backbone providers, DNS providers, CDNs, and providers of cloud and hosting services, to detect and mitigate against distributed threats. Infrastructure providers acting on the Guide’s recommendations will coordinate with a broad set of stakeholders, from customers and peers to law enforcement and like-minded governments.
For software developers, the Guide identifies practices for secure-by-design development and transparency in secure development process. Developers will also find guidance on conducting risk assessments and managing security vulnerabilities in a strategic manner.
Because modern devices are often connected, the Guide features practices applicable to devices and “device systems”, a category that recognizes the additional layers of connectivity that change the nature of how a device operates. The recommended practices relate to secure-by-design development, roots of trust, product lifecycle management, and security-focused toolchains use. Likewise, installers of device systems will find specific recommendations to increase resilience against botnets.
Finally, the Guide addresses the security responsibilities of enterprises—governments, private companies, academic institutions, nonprofit groups, and others that own and use networked devices and systems. Acknowledging that enterprises are often the victims of attacks, the recommendations for enterprises empower organizations to increase their networks’ resilience and help secure the ecosystem at large.
Following the publication of the International Anti-Botnet Guide, USTelecom will work with CSDE and CTA to engage numerous stakeholders, including governments of like-minded countries, to encourage broad adoption of the Guide’s practices.
USTelecom and other parties that contributed to the Guide plan to update the contents on an annual basis with new highly effective and timely practices for combating the ever-evolving botnet threat. Through ecosystem-wide engagement, USTelecom and its members will continue to lead the way in making the internet more resilient against botnets.