Draft EO Language on Communications Sector-Centric Botnets Effort Draws Mixed Reviews
Communications sector-specific language in draft versions of President Donald Trump's upcoming cybersecurity executive order (EO) drew mixed reviews from industry lawyers and lobbyists. The White House has continued to revise the anticipated executive order in the weeks since officials first delayed Trump's planned late January signing of the order, several lobbyists said. Then, the order would have directed the Office of Management and Budget to assess all federal agencies' cybersecurity risks and required agencies to manage their risk using the National Institute of Standards and Technology's Cybersecurity Framework (see 1701310066).
Drafts of the EO that circulated in the weeks since the original scrubbed signing date included a section on ways to help private-sector critical infrastructure firms, directing the Department of Commerce to explore ways to encourage “core communications infrastructure” companies “to improve the resilience of such infrastructure and to encourage collaboration with the goal of dramatically reducing threats perpetrated by” botnets. The subsection would direct Commerce to work with the Department of Homeland Security, plus the FCC, FTC, DOD, DOJ, FBI, other agencies and the private sector. Commerce and DHS would be required to issue a preliminary report on their findings within 240 days of the order's signing and a final report within one year.
The EO's intent to explore ways the private sector can better defend against botnets drew a positive response from several communications sector lawyers and lobbyists. They told us the language is particularly important given the problems posed by the Mirai botnet, which caused the October distributed denial-of-service attacks against Dyn (see 1610210056 and 1610250021). “Any move to try and address botnets is a positive one,” said Venable's Jamie Barnett. “I suspect the ISPs would like some incentives and they could be a real important frontline defense against botnets if we provided liability protections or tax incentives for them to do so.” Addressing the issue of botnets “is a critical portion of what the Trump administration should look at” either via the EO or other means, said Norma Krayem of Holland & Knight.
Krayem and others raised concerns about the EO's decision to focus on only the communications sector's defenses against botnets. “The challenge and the problem with botnets is a shared problem across a host of critical infrastructure sectors,” Krayem said. “The communications sector certainly doesn't hold sole responsibility for the problem.” It's “interesting” that the draft EO language singles out the communications sector's handling of botnets, which is “not the best way to address cybersecurity holistically,” said Wiley Rein's Megan Brown.
The draft language appears to have its roots in the Commission on Enhancing National Cybersecurity's December recommendations report, which included a recommendation that Commerce create a multistakeholder effort to further examine botnets, said Wilkinson Barker's Clete Johnson, a Commerce senior policy adviser on cybersecurity at the time of the CENC report's release (see 1612060049). Any Commerce effort on botnets needs to include feedback from those across the internet ecosystem rather than just targeting ISPs, because though ISPs “have a big role to play, they can't address these challenges on their own without solutions from elsewhere in the ecosystem,” Johnson said.
Brown noted other concerns with the draft language, particularly since communications sector stakeholders already are working via multistakeholder efforts and with DHS to address botnet issues. “The communications sector is not asleep at the switch” on botnets, she said. DHS has “a variety of very effective efforts underway” that target botnets so “I'd hate to fragment” that work by instituting the program proposed in the EO draft, Brown said.
The proposed Commerce-led botnets work could partly be an update to past government-private sector efforts like the voluntary 2012 Anti-Botnet Code of Conduct created by the FCC Communications Security, Reliability and Interoperability Council, said Barnett and Johnson. Barnett is a former FCC Public Safety Bureau chief and Johnson was the bureau's cybersecurity counsel before moving to Commerce. The CSRIC code was aimed at ISPs and other broadband providers but could be adapted by others (see reports in the Feb. 23, 2012, and March 23, 2012, issues). The Industry Botnet Group separately released its own set of principles for mitigating the effects of botnet infections soon after the CSRIC code debuted (see report in the May 31, 2012, issue).
ISPs covering about 90 percent of U.S. customers agreed in 2012 to abide by the CSRIC code, but “the perception is that botnets are no longer affecting individual users' computers as they are using big servers and are constantly shifting,” Barnett said: “It's always good to go back and update things” given the changes in botnet patterns since 2012. He said Commerce might be able to provide guidance on voluntary metrics “so we can tell” if efforts like the CSRIC code “are making a difference or not.” The communications sector has “moved past” the CSRIC code, so it's not clear that Commerce's work should focus on updating that code, Brown said.