The U.S. Department of Commerce recently released an interesting report on the increasingly sophisticated threat of botnets – groups of computers and/or computerized devices that can be used for malicious purposes, such as large-scale DDoS attacks or spamming messages.
The report makes six specific points worth chewing on:
1. Automated, distributed attacks are a global problem. The majority of the compromised devices in recent noteworthy botnets have been geographically located outside the United States. To increase the resilience of the Internet and communications ecosystem against these threats, many of which originate outside the United States, we must continue to work closely with international partners.
2. Effective tools exist, but are not widely used. While there remains room for improvement, the tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.
3. Products should be secured during all stages of the lifecycle. Devices that are vulnerable at time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated, distributed threats far too easy.
4. Awareness and education are needed. Home users and some enterprise customers are often unaware of the role their devices could play in a botnet attack and may not fully understand the merits of available technical controls. Product developers, manufacturers, and infrastructure operators often lack the knowledge and skills necessary to deploy tools, processes, and practices that would make the ecosystem more resilient.
5. Market incentives should be more effectively aligned. Market incentives do not currently appear to align with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks.” Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates. Market incentives must be realigned to promote a better balance between security and convenience when developing products.
6. Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.
Botnets are extremely versatile and capable – and the Internet of Things presents a wealth of innovative opportunities for crooks to take advantage of networked devices for malicious purposes. With great power comes great responsibility – as a superhero’s deceased uncle once said – and networked devices will require increased attention to security as the inevitable growth of the IoT continues.