Here’s how the private sector wants to fight botnets

Written by

In an effort protect the internet and its denizens from coordinated, automated cyberattacks, an industry group released an “International Anti-Botnet Guide” on Thursday.

The guide offers best practices to collectively secure the digital ecosystem from botnets, the large networks of computer systems that malicious cyber actors use to automate and scale destructive online activity spreading malware like distributed denial of service (DDoS) attacks.

The guide was put together by the Council to Secure the Digital Economy (CSDE), a group of trade associations that represent the technology industry, including USTelecom, Information Technology Industry Council (ITI) and Consumer Technology Association (CTA).

At an event announcing the new guide in Washington, D.C., on Thursday, industry representatives touted the effort as a stepping stone for market self-regulation that will curb the cyber risks that organizations often face when acting alone.

“The fact that our companies touch virtually every single country is proof-of-concept that we can look above the horizon, work across lines and get real work done as industry,” said Jonathan Spalter, president and CEO of USTelecom, talking about the various groups that worked on the Anti-Botnet Guide.

To that end, the guide offers “baseline” practices that can be applied by the various factions of the technology sector: infrastructure, software development, devices and device systems, home and small business systems installation, and enterprises. The idea is that if organizations in each sector, from the ISPs to the smartphone manufacturers, are on the same page about doing their part to keep their products, systems and users secure, the internet overall will be better protected from botnets.

“Like most of the problems in society, there’s no silver bullet answer. It’s a multi-factorial problem and it’s a multi-factorial solution. And the best solutions are those when the most effective players come together and look at all the potential solutions and come up with a result working side-by-side with government,” said Gary Shapiro, CTA’s president and CEO.

As the guide is a product of industry, it does take some anti-regulatory views. For example, while CSDE encourages government involvement in fighting botnets, it asserts that “the imposition of prescriptive, compliance-focused regulatory requirements will inhibit the security innovation that is key to staying ahead of today’s sophisticated threats.”

This is hardly the first effort to raise awareness or call to initiate a call to action when it comes to botnets. A White House-mandated report released in March similarly assessed that the industry needs market incentives to make technology secure by design.

“We keep having these conversations in different pockets of our country and in other countries, but if we don’t bring all that together, … we’re not going to be able to make significant changes across the globe,” said Jeanette Manfra, assistant director at the newly minted Cybersecurity and Infrastructure Security Agency at Thursday’s event. Manfra’s agency (formerly the National Protection and Programs Directorate) leads the federal government’s efforts to coordinate cybersecurity for critical infrastructure.

Botnets come in various sizes with varying capabilities, and while the cost to victims is great, it’s not exactly hard for determined hackers to weaponize botnets. The CSDE report notes that anyone can go online and buy botnet components or order a DDoS attack for pocket change. Meanwhile, the report says that botnet-enabled attacks have cost the digital economy tens of billions of dollars in recent years.

The problem is exacerbated by the rapid growth of the digital economy, representatives said.

“If you go back to the beginning, it was a clear mandate that we all understood as the implications to our incredibly scaling digital economy were becoming apparent in terms of the new threat that we’ve been facing, … we had to figure out new, innovative ways to think cross-sectorally about in our converging ecosystem to join in common cause,” Spalter said.

The CSDE said that it plans to update the Anti-Botnet Guide on an annual basis.