Governments should use buying, regulatory power to fight botnets: Expert
Draft U.S. government recommendations on ways to reduce the threat of automated botnets launching denial of service attacks and spreading malware are too weak, says a cyber security expert.
The report from the departments of Homeland Security and Commerce issued last week, “definitely did not go far enough,” John Pescatore, director of emerging security trends at the SANS Institute, said in an interview.
While praising the report’s urging that manufacturers and end users follow best practices in cyber hygiene, much of it came down to “let’s do the same thing we’ve been doing, but more – more information sharing, government standards,” Pescatore complained.
Instead, he said the U.S. – and all governments around the world – should use their existing buying and regulatory power to force organizations to better use current technology and force makers of Internet of Things devices to tighten their security.
For example, Pescatore said, the report suggests Washington develop profiles for denial of service protection, then go to the private sector and say it should be providing denial of protection services. “We (already) have denial of service protection services out there,” Pescatore said. “If the government were simply to say every government Web site that touches data or provides information to the public must use denial of service protection services, that would help drive the entire market to ensure they use those types of services.
“And if it said everyone who does business with the (U.S.) government over the Internet must also be using denial of service protection services that also would help. Instead what this report did is say, ‘OK, once we can write documents that would have a government definition of denial of service protection services, then we can talk about doing something.’”
As for IoT manufacturers, Pescatore said there’s no reason for more study. Most governments already have regulatory agencies covering a wide range of products from food to medical devices to transportation that have safety mandates. They should issue cyber security regulations as well, tailored for those industries.
Instead, he said, the report suggests an ecosystem-wide solution is needed. But “making a self-driving car as secure as a medical implant is impossible.”
Pescatore isn’t the first to say regulators have to do more to control IoT devices. U.S. digital security expert Bruce Schneier said much the same thing at last November’s SecTor conference in Toronto. It was also hotly debated at the RSA Conference.