US Commerce on Security and Market Incentives

In a report published by the U.S. Departments of Commerce and Homeland Security concluded what most security professionals have known for years: that botnets are a global threat, that technologies exist to mitigate the threats but aren’t widely used for multiple reasons, poor product security design and development, counter-productive market incentives, and low education and awareness across all market participants.

The draft report was requested as part of Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. That executive order sought "resilience against botnets and other automated, distributed threats," and directed both the Department of Commerce and Homeland Security to bring forward an " open and transparent process to identify and promote action by appropriate stakeholders" with the goal of "dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets)," The US Department of Commerce said in a statement announcing the report. 

Both departments did jointly produce the report, the Department of Commerce said, with the efforts including a workshop, a request for comment, and working with the President's National Security Telecommunications Advisory Committee (NSTAC).

What did they find? Their conclusions were organized into six categories:

1. Automated, distributed attacks are a global problem. The majority of the compromised devices in recent botnets have been geographically located outside the United States. Increasing the resilience of the Internet and communications ecosystem against these threats will require coordinated action with international partners.
2. Effective tools exist, but are not widely used. The tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available, if imperfect, and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertise, and lack of market incentives.
3. Products should be secured during all stages of the lifecycle. Devices that are vulnerable at time of deployment, lack facilities to patch vulnerabilities after discovery, or remain in service after vendor support ends make assembling automated, distributed threats far too easy.
4. Education and awareness is needed. Knowledge gaps in home and enterprise customers, product developers, manufacturers, and infrastructure operators impede the deployment of the tools, processes, and practices that would make the ecosystem more resilient.
5. Market incentives are misaligned. Perceived market incentives do not align with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks.” Market incentives motivate product developers, manufacturers, and vendors to minimize cost and time to market, rather than to build in security or offer efficient security updates. There has to be a better balance between security and convenience when developing products.
6. Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem in isolation.

The departments established five goals that they concluded would reduce the risks associated with automated, distributed attacks and build more resiliency:

•  Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace
•  Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats
•  Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate bad
•  Goal 4: Build coalitions between the security, infrastructure, and operational technology
•  Goal 5: Increase awareness and education across the ecosystem

Much of this is reasonable, such as increasing awareness across all market participants, but other goals are more exotic than what is really necessary at this point to improve security, while others still are the same findings many, many reports from the Government Accountability Office, presidential reports, findings from other agencies as well as calls from private industry – all going back nearly 20 years. And nothing has been really achieved from any of it. Since the Bush administration, these plans are developed, mostly shelved, and little is done.

Take Goal 1, for instance, there have been calls for the government to mandate more secure software be developed, as well as goals that the federal government require applications be developed that are more secure and defensible. Never really happened. Same for goal two, outside a few ISACs, there has been very little success when it comes to information security sharing.

Goal 5 is also something that has been called for more than 20 years and precious little has happened. 

As for Goal 2, the goal of more innovative defenses and more adaptable networks and applications is laudable — but security is always going to be a step behind the latest attack techniques. It’s not reasonable to expect network equipment makers, application developers, and security vendors to anticipate future attack techniques.

What can be done? Better design on the basics at the edge, including IoT devices, such as requiring password changes from default, no hardwired passwords, and simple and straightforward security patch updates.

What else can be done? As the report stated, “Market incentives are misaligned.” And that perceived market incentives do not align with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks.” The reason these market incentives don’t exist is because buyers of technology haven’t cared. There’s been very little shown that enterprises, government agencies, and consumers will pay more for products because they have been developed to be more secure. Enterprises, consumers, and such have consistently purchased based on the functionality the want and cost. 

The result is the mess were are on now. And I’m not hopeful regulations would find the right balance between demanding good security without throttling innovation. Industry regulations such as PCI DSS certainly didn’t stem the tide of credit card breaches, and HIPAA certainly hasn’t done much to protect patient information. The reason isn’t for lack of trying among all parties — the fact is this security is hard – from application and network design, to implementation, through day to day management.

This report is a draft, and the departments of commerce and homeland security are requesting comment on the report, the draft will be finalized later this spring and the final report issued to the President on May, 11, 2018. Please send them your thoughts and ideas, they could use them.