Botnets are being fought the wrong way, according to the Council to Secure the Digital Economy. That's particularly bad news because the threat is growing. The organization, in a guide released late last month, says that the results may be devastating if strategies and tactics don't change quickly.
The "International Anti-Botnet Guide 2018," which was also the work of the Consumer Technology Association and other groups, describes a dire landscape. "Today, the destructive potential of botnets has increased exponentially as they attack and leverage the billions of Internet of Things (IoT) devices, estimated to reach 20 billion connected devices by 2020," the guide says. "With this substantial and growing attack surface, it is no coincidence that the global cost of cyber-crimes is expected to reach trillions of dollars. Botnets are the industrial-scale driver of these losses."
That's half of the bad news. The other half is that the industry's current response is hidebound. The report says that "the imposition of prescriptive, compliance-focused regulatory requirements will inhibit the security innovation that is key to staying ahead of today’s sophisticated threats" and that "earlier policy efforts were based on utopian solutions to these threats, premised on the notions that internet service providers (ISPs) can simply shut down all botnets, or that manufacturers can make all devices universally secure."
Translation: Checking the box of deploying static silver-bullet antibotnet security software may enable stakeholders to say that they are confronting the problem, but they are not. Indeed, it's making the problem worse by creating a false sense of security and preventing more effective steps from being undertaken.
The real remedy is diametrically opposite: The good guys have to use emerging tools that, in many cases, have already been weaponized by the bad guys. And they must do it in a highly disciplined manner. Wenger told FierceTelecom that there must be "shared and interdependent" cooperation between government, service providers, enterprises and consumer IT companies. "We have to work together to use that same power of automation, artificial intelligence, and machine learning to drive security into the network and limit the ability of the attackers to do bad," he said.
The guide structures the fight to control botnets in a number of different ways. A key step is to segment the ecosystem that is doing battle. The centers of focus are infrastructure, software development, devices and device systems, home and small business systems installation and enterprises.
The guide defines each of these and provides "baseline practices and advanced capabilities." For instance, key steps for infrastructure are developing the ability to detect malicious traffic and vulnerabilities, to mitigate against distributed threats, to coordinate with customers and peers and to address domain seizure and takedown. The devices and device systems group must use secure-by-design development practices, employ roots of trust, and institute product life cycle management including end-of-life and security-focused toolchains.
The overarching theme is that security must be proactive, dynamic, flexible and shared across a broad ecosystem that works as a team. The approach must be highly reactive, agile and fought at multiple levels.
The theme of the guide is that the road to botnet hell is paved with antiquated approaches. "It is the openness of the internet that has allowed it to serve as an engine of unprecedented economic development," Wenger wrote. "The bad actors are using that openness, the connectivity, the bandwidth that we’ve built to enable all these bad things and turn it around on us. We have to work across sectors to leverage the power of the network that is being used against us right now."
USTelecom, the Information Technology Industry Council and the Consumer Technology Association contributed to the guide, which will be updated next year, Wenger wrote.