Public-private partnerships are one critical tool in combatting botnet attacks, say government experts at RSA 2019.
SAN FRANCISCO – As the specter of botnet attacks continues to take on new dimensions, experts say organizations need to enlist partnerships to meet attackers on their playing field rather than be vanquished on their own.
Nelly Ghaoui, senior policy coordinator at the Ministry of Economic Affairs and the Climate of the Netherlands, said botnets challenge organizations to review their entire cybersecurity stance.
“The Dutch national cybersecurity center characterized botnets as the Swiss Army Knife of malicious actors,” Ghaoui explained ruefully during a panel discussion at RSA Conference 2019 on how various countries are tackling botnet proliferation.
She noted that governments need to use the botnet threat as an opportunity to get their security house in order. “They are such a diverse problem, so it’s about solving cybersecurity problems first.”
Botnet attacks can take several forms. Compromised devices are remotely controlled and sometimes paralyzed by malicious actors. The malicious code running on them can send spam emails, generate malicious traffic for distributed denial-of-service attacks, or engage in click-fraud campaigns, among other nefarious acts. Users may not detect that their systems are under an attacker’s control. In some cases, the attackers’ objective is to extract financial ransom from victims; in others, the goal is simply to undermine the trust or reputation of compromised systems.
Botnet attacks are costly in productivity and dollars. The Mirai botnet attack disabled hundreds of thousands of computers. And according to some estimates, responding to a DDoS attack now costs enterprises more than $2 million on average.
Internet of Things (IoT)-connected devices have made botnet attack damage exponentially worse.
“Botnets aren’t a new issue,” Ghaoui said. “But with the growth of IoT, we have to deal with an entirely new set of issues.”
Today, IoT-connected webcams, baby monitors, thermostats and myriad other systems may not be properly secured with passwords and updated patches. They are easy targets for malicious attackers, with possible widespread impact given their Internet connectivity.
As Internet of Things devices continue to proliferate—with as many as 31 billion IoT devices expected by 2020 and 75 billion by 2025, according to Statista—the incidence and impact of botnet attacks may proliferate as well.
Countries that are actively combatting botnet attacks believe that keeping pace with malicious attackers takes a global approach. Given the nature of the botnet threat, countries need to create coordinated responses by fostering collaboration with traditionally siloed entities.
Ghaoui outlined two practices that helped the government in the Netherlands tackle botnet attacks. First, the Abuse Information Exchange, a nonprofit consortium of Internet service providers (ISPs) and other stakeholders, banded together to combat botnet attacks. ISPs worked to clean up infections, partitioning IP addresses and contacting customers that might unknowingly spread infections. Hosting providers also worked to clean up their ecosystem and developed a code of conduct to encourage the hosting community to keep networks clean.
Second, the Netherlands recognized that public and private institutions needed to work together to combat botnet attacks. These coalitions provided a brain trust and the resources needed to fight the attacks on an equal footing. But, Ghaoui emphasized, this requires an environment that embraces partnerships and crowdsourcing of information.
“Most Dutch people will agree with the approach [of public-private partnerships]; it is engrained in our culture,” Ghaoui said.
The U.S. has embraced that culture as well. A keynote session affirmed that public-private partnerships are crucial to cybersecurity strategy. “We couldn’t do what we do without the private sector,” said Christopher Wray, director of the U.S. Federal Bureau of Investigation, during a keynote session at RSA. “At the end of the day, we need each other.”
Wray noted that the terrorist group ISIS obtained a “kill list” made up of the email addresses, phone numbers and other information of 1,400 members of the military. The FBI became aware of the list because of information provided by the private sector.
Reiko Kondo, director at Japan’s Office of the Director-General for Cybersecurity at the Ministry of Internal Affairs and Communication, likened a botnet attack to a human outbreak of the common cold. Both require vigilance, and those affected need to take responsibility for thwarting its spread.
Just as Japan’s residents often use facemasks during the winter to avoid spreading illness, Kondo said IoT-connected devices need more rigorous password protection. So, too, IoT device security can be better addressed with security-by-design concepts, where security is built into the device itself. Many devices already on the market can be vulnerable because security isn’t part of their design, though new devices being built are now factoring in security-by-design principles.
National governments also need to recognize that just as the public and private sectors can’t work in isolation, countries need to join forces to effectively neutralize cybercriminals.
“This is a global problem,” said Evelyn Remaley, deputy associate administrator for policy at the National Telecommunications and Information Administration in the U.S. Department of Commerce. Remaley said that U.S. cybersecurity stakeholders came together to address the problem of botnet attacks and soon recognized that “no matter what we do in U.S., there would be global threats” remaining.
As a result, the working group in the U.S. developed several strategies to combat botnet attacks. Among them were efforts to align incentives in the IoT marketplace to ensure that vendors not only design secure devices but that the larger ecosystem helps secure these environments.
“The ISPs and DNS [Domain Name System] providers ... can create ‘muscle movements’ but also at the gateway level, where IoT devices are in homes,” Remaley said. “If we don’t build in resiliency at those layers, we will just never be able to stay ahead of the threats.”
While panelists noted that thus far the effort to combat botnet attacks has only helped governments keep pace with malicious actors, vigilance and collective responsibility for thwarting attacks are key.
“If only vendors care about security, it isn’t enough,” Kondo said. “Everyone has to have awareness. Everyone is responsible.”
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget; a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel’s Emergency Powers.”