Botnet ‘Road Map’ Tees Up Actions for Government and Industry

December 2018

Privacy in Focus®

On November 29, 2018, the U.S. Departments of Commerce (DOC) and Homeland Security (DHS) released a Road Map Toward Resilience Against Botnets (“Road Map”). It builds upon and aims at implementing actions and recommendations from the report “Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats” (“Botnet Report”) published in May. The tasks identified in the Road Map tie together multiple streams of effort across government and industry. Many proposals are global in nature, will continue to evolve based on the threat environment, and – in order to be successful – require substantial participation from the private sector. In short, the Road Map envisions a long-term whole-of-ecosystem effort to mitigate the threat posed by botnets and distributed denial-of-service (DDoS) attacks.

Tasks range from identifying Internet of Things (IoT) security baselines and drafting procurement regulations to developing international IoT standards and raising security awareness across the board. While the Road Map underscores that the private sector, as a whole, must shore up the security of its networks and systems, looking ahead, companies developing secure technologies and implementing best practices could have market growth opportunities – and the ability to help shape domestic and international security standards and expectations.

Overview and Background

The Road Map “charts a path forward, setting out steps to stop the cyber threat to our internet infrastructure. It outlines a plan for coordination among government, civil society, technologists, academics, and industry sectors to develop a comprehensive strategy for fighting these threats.”[1] The actions laid out in the Road Map include numerous tasks for all stakeholders – including private sector players in the communications, Internet, and information technology industries – which “could dramatically reduce the threat of botnets and similar attacks consistent with Administration priorities as set forth in the National Cyber Strategy.”[2]

The Botnet Report was called for in the President’s May 2017 Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” and sets out 24 actions for public- and private-sector stakeholders to take on. A Wiley Rein LLP summary of the Report can be found here.

What’s in the Road Map?

The newly released Road Map is broken into five “Lines of Effort”:

  1. Internet of Things
  2. Enterprise
  3. Infrastructure
  4. Technology Development and Transition
  5. Awareness and Education

Each line of effort relates directly to actions called for in the Botnet Report and lays out subtasks and potential timelines for completion. “Some tasks will be the direct responsibility of the federal government, while others are specific to the private sector.”[3] Further, “where applicable, [the Road Map] identifies existing private-sector leaders or governance structures for the relevant tasks.”[4]

The Road Map states that while government has the power to convene stakeholders, “achieving the outcomes set forth in the Botnet Report will require industry and civil society engagement from across the ecosystem. The identified tasks and associated information should be seen as non-binding and flexible to accommodate changes in the digital ecosystem over time.”[5] The Road Map states “the U.S. government values innovation, and expects the market to determine the most expeditious solutions to the identified concerns.”[6]

Lines of Effort and Workstreams Involving Industry

As stated above, the Road Map is organized into five lines of effort. Within each line, the Departments identify primary “workstreams” which include multiple “tasks” for various actors. Below, we provide high-level summaries of the major lines of effort and the workstreams involving industry contributors.   

1. IoT: Raising the Bar for IoT Security

The first workstream in the IoT line is Developing Robust Markets for Trustworthy IoT Devices “that offer security capabilities for three sectors: consumers/home users, industrial users, and the federal government.”[7] 

In order to do this, the first goal sets out to Define a Core Security Capability Baseline “that could be supported by the full range of assessment schemes. At a minimum, the capability baseline would address device and data security. [The National Institute of Standards and Technology (NIST)] will publish the consensus baseline as a NIST white paper or Interagency Report (NISTIR) for reference and use in future tasks.”[8]

Under the three-sector approach, each of the following goals applies to a specific operational environment. The second goal is Establishing a Robust Market for Trustworthy Consumer/Home IoT Devices.[9] This includes such tasks as: Developing Consumer/Home IoT Security Baseline; Establishing or Supporting Assessment Programs for Consumer/Home IoT Devices; and Exploring Labeling for Consumer/Home IoT.

The third goal is Establishing a Robust Market for Trustworthy Industrial IoT Devices.[10] The tasks mirror those in the Consumer/Home environment, but also include Promoting Adoption of an Assessment Regime by Critical Infrastructure.

The last goal follows the same pattern for Federal IoT Devices,[11] but, notably, sets out that “[t]o encourage acquisition and deployment of conforming devices, federal procurement regulations [will be] established that reference the federal baseline.”[12] Tasks include: Identifying Federal IoT Security Requirements; Specifying a Federal IoT Security Capability Baseline; and Establishing Federal IoT Procurement Regulations. The Road Map notes that a series of meetings will be convened with stakeholders.

The second IoT workstream relates to Adoption and Sustainability for IoT Security, focusing “on the development of the global ecosystem for IoT devices[.]”[13] These tasks concentrate “on collaboration between cybersecurity and operational technology communities, and international policy advocacy, harmonization, and standards.”[14]

The first goal in this workstream is Enabling Risk Management Approach to IoT Security. The Road Map’s goal is to publish NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” to support risk management approaches to IoT security. Further tasks include Publishing Best Practices for IoT Device Manufacturers and Aligning Usability and Manageability with Customer Abilities, among others.

The next goal is Establishing Globally Relevant IoT Standards. “The Botnet Report noted that ‘U.S. government and industry should jointly engage with developers of industry-led, voluntary international standards and specifications to establish globally relevant standards.’ This series of tasks encourages U.S. government and industry to jointly pursue international standards consistent with the capability baselines developed in the previous workstream.”[15] Tasks include identifying incentives for IoT adoption of security standards.

2. Enterprise

The Enterprise line of effort has four complementary workstreams: Cybersecurity Framework (CSF) profiles for mitigation and protection, migration to advanced enterprise network architectures, federal adoption of enterprise best practices, and operational technology.

The first workstream is Implementing CSFs For Mitigating Distributed Denial of Service (DDoS) Threats and Combatting Botnets. Industry efforts have been led by the Cybersecurity Coalition, which published a framework core.[16] Efforts will revolve around working to develop industry consensus for CSF Profiles for DDoS and Botnet Threat Mitigation. After completion of the industry-led profiles, the federal government will tailor these profiles for the federal environment.

The second workstream is Advancing Enterprise Network Architectures. “Enterprises should migrate to network architectures that facilitate detection, disruption, and mitigation of automated, distributed threats. They should also consider how their own networks put others at risk.”[17] Tasks directly involve network operators and service providers and will include: Enhancing and Evolving Best Practices on Enterprise Network Traffic Management; Promoting Enterprise Network Architectures that Mitigate Risks of Automated, Distributed Threats; Accelerating Domestic Availability of and Transition to IPv6 Internet Services and Networks; Establishing Requirements for Zero Trust Networking (ZTN); Identifying Best Practices for IoT Network Management; and others.[18]

The next workstream under the Enterprise line of effort is Federal Adoption of Enterprise Best Practices. This includes activities the government can take to reduce automated, distributed threats, such as implementing egress filtering to prevent network address spoofing. “In this series of tasks, the federal government performs activities to ensure that these best practices are properly reflected in federal agency policies, standards, guidelines, and oversight.”[19]

Under the Operational Technology workstream, tasks will focus on “clos[ing] gaps in understanding between the cybersecurity and operational technology (OT) communities.”[20] Tasks include: Expanding Collaboration between Cyber and OT communities; Expanding OT-Cybersecurity Information Sharing; and Expanding Federal Government Involvement.

3. Infrastructure

The Infrastructure effort “focuses on actions that will require coordination across the vast diversity of digital ecosystem players, or that impact the core functional capabilities of the global digital infrastructure.”[21] It has four workstreams: improvements to routing security, information sharing in practice, information sharing protocols, and research and development.

The first workstream, Improving Routing Security, notes that “the state of routing security on the Internet falls far below what can be achieved with both common and newer tools and practices. This series of tasks advances deployment of longstanding anti-spoofing technologies and newer technologies to protect against route hijacks and leaks.”[22] One task is to Develop Security Requirements for Internet Services, which requires publishing NIST Special Publication 800-189, “Secure Inter-Domain Traffic Exchange: BGP Robustness and DDoS Mitigation.” Additional tasks include: Removing Legal and Policy Barriers to Resource Public Key Infrastructure (RPKI) Adoption; Federal Adoption of RPKI; Extending Adoption and Awareness of Anti-Spoofing Mechanisms; and others.

The second workstream relates to improved Information Sharing in Practice. The Road Map’s tasks are geared towards “extending information sharing to smaller ISPs and foreign network providers, and ensuring that law enforcement is alerted at the earliest possible stage, while respecting privacy guidelines and regulations.”[23] Tasks revolve around: Increasing Smaller ISPs’ Access to Industry-Shared Threat Information; Expanding Information Sharing Agreements; Sharing Timely and Actionable Information with Law Enforcement; Improving U.S. Government Information Sharing with Industry; and Enhancing the Accuracy of Security-Critical Data Resources.

Another workstream focuses on standardization of Information-Sharing Protocols to increase speed and permit automated response.[24] Tasks include: Supporting Information Sharing Automation; Supporting Collaborative Incident Response; and Establishing International Standards to Facilitate Information Sharing; among others.

The final workstream in the Infrastructure line of effort is bolstering Research and Development. Tasks include: Incorporating Infrastructure Best Practices into the NIST Cybersecurity Framework and Disrupting the Attacker Ecosystem Through Transparency and Traceability.[25]

4. Technology Development and Transition

The line of effort for Technology Development and Transition has three workstreams: establishing a secure software marketplace, international coordination, and research and development.

Under the workstream of Establishing a Secure Software Marketplace, “[t]asks establish widely accepted guidelines for secure software development, increase the efficiency and effectiveness of tools for secure software development to increase return on investment, and showcase these advances in government sponsored technology forums.”[26] Specific efforts include: Establishing Secure Software Development Lifecycle Guidelines; Developing Guidelines for Software Component Transparency; Filling Gaps in Software Development Tools; Showcasing Advances in Secure Coding Practices and Sharing Information about Security Risks; Requiring Secure Development for Government Off-the-Shelf (GOTS) Software; Developing Best Practices for End-of-Life Software; and others.

The next workstream is International Coordination, which includes: Improving Existing U.S. Government Coordination on International Standards; Optimizing Industry-USG Standards Coordination; Promoting International Adoption of Best Practices Through Bilateral and Multilateral International Engagement; Promoting Awareness and Adoption of Specific Established Tools, Protocols, and Best Practices at a Global Scale; and Promoting Best Practices for DNS Internationally. While some of these efforts will be led by the government, industry is also expected to engage. 

The third workstream relates to Research and Development. The Road Map highlights that, “Industry-led research activities are needed to develop and deploy innovative technologies. As a key source of funding for basic research in cybersecurity, the federal government should support this action through targeted funding and collaborative technology transition activities.”[27] Tasks include: Accelerating Federally Funded R&D for Mitigating Distributed Threats; Expediting Development and Deployment of Innovative Technologies for Prevention and Mitigation of Distributed Threats; Increasing Accountability in Traffic Management; Accelerating Industry R&D for Mitigating Distributed Threats; Prioritizing Technology Transfer; and Promoting Best Practices.

5. Awareness and Education

The final line of effort is aimed at promoting consumer confidence and educating the workforce.

The first workstream is to Promote Consumer Confidence. The Road Map states that, “[c]onsumers’ lack of confidence in the security of IoT devices may be hindering IoT adoption. This series of tasks focuses on building consumer confidence to allow consumers to identify products that meet their needs, adhere to vendors’ security claims, and that offer real protection by applying commercially available cybersecurity technologies.”[28] Tasks include: Promoting Appropriate Product Deployment; Deterring Illegal Market Practices; and Mitigating IoT-based DDoS.

The second workstream is Educating the Workforce. The Road Map outlines that “Product designers are deeply steeped in traditional risks associated with their products, but are often unaware of the new risks that can be introduced when the products are connected to the network. This series of tasks focuses on educating the existing and emerging workforce, regardless of engineering discipline, on basic cybersecurity.”[29] Tasks are: Preparing the Programming Workforce; Preparing the Engineering Workforce; Promoting the National Initiative for Cybersecurity Education (NICE) Framework; and Establishing Cybersecurity Educational Program for Engineers.

Tracking Stakeholder Progress and Next Steps

In an accompanying announcement, DOC’s National Telecommunications and Information Administration outlines that “[t]his is just a starting point and the road map will evolve to address the rapid changes in digital technologies and the threat environment. The departments will track progress through regular stakeholder meetings as well as a workshop. In addition, the departments will provide a status update to the President that reviews progress, tracks the impact of the road map, reassesses the botnet threat, and sets further priorities.”[30] 

The DOC and DHS “will develop a 365-day status update for the President, due [November 29, 2019].” This update will cover:

  1. Progress the community as a whole is making against the road map;
  2. The impacts of those road map activities;
  3. A reassessment of the threat of automated, distributed attacks, including whether the threat is increasing or decreasing, and any known reasons for such a change; and
  4. What activities should be prioritized in the coming year.[31]

The Departments seek feedback on all elements of Road Map tasks, particularly the identification of contributing partners for specific actions and proposed timelines. Comments on the Road Map may be submitted to Counter_Botnet@list.commerce.gov.

[1] See https://www.ntia.doc.gov/blog/2018/road-map-building-more-resilient-internet.

[2] Departments of Commerce and Homeland Security, A Road Map Toward Resilience Against Botnets, 3 (Nov. 29, 2018) (Road Map).

[3] Road Map at 3.

[4] Road Map at 4.

[5] Road Map at 3.

[6] Road Map at 4.

[7] Road Map at 5.

[8] Road Map at 5.

[9] Road Map at 6-7.

[10] Road Map at 7-8.

[11] Road Map at 8-9.

[12] Road Map at 8.

[13] Road Map at 9.

[14] Road Map at 9.

[15] Road Map at 10.

[16] See https://docs.wixstatic.com/ugd/86b770_df02de6fc3ae422ea492200018c34217.pdf.

[17] Road Map at 12.

[18] Road Map at 12-14.

[19] Road Map at 14.

[20] Road Map at 15.

[21] Road Map at 16.

[22] Road Map at 16.

[23] Road Map at 18.

[24] Road Map at 19.

[25] Road Map at 20.

[26] Road Map at 21.

[27] Road Map at 24.

[28] Road Map at 25.

[29] Road Map at 26.

[30] See https://www.ntia.doc.gov/blog/2018/road-map-building-more-resilient-internet.

[31] Road Map at 4.

© 2019 Wiley Rein LLP