Trade Law Daily is a service of Warren Communications News.
Encryption, VEP Also Cited

Flexible Security Standards Needed to Help Fight Botnets, Say Tech Comments Filed With NTIA

Collaboration between government and industry in developing industry-led security standards, plus more public-private information sharing, were some of the top suggestions that technology trade groups and others filed with NTIA, which sought comments on how to address botnets and other automated threats. The deadline for comments to the agency was Friday, and several groups shared their public suggestions with us.

The government and industry should jointly develop "voluntary consensus-based, industry-led" cybersecurity standards for IoT devices, which is the most appropriate approach, "given the diversity of platforms, functionalities, and industries involved in the IoT market," wrote Tommy Ross, senior director-policy for BSA|The Software Alliance, whose members include Adobe, IBM, Microsoft, Oracle, Siemens and Symantec. Ross cited the National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity" as an approach to follow in developing IoT standards. The standards should focus on identity management and authentication, baking in security as software is developed, authentic updates, patches and consumer notification when problems are detected, and application of updates, he said. In the seven-page document, Ross wrote it's equally important to continue to secure other IT platforms and networks as well as IoT devices.

Past NTIA- and NIST-led multistakeholder processes through which cybersecurity standards and practices were developed "set the stage for moving forward with this initiative to reduce malicious botnets and other automated and distributed threats," and the government should make them "central to cybersecurity policymaking," said CTA in its 18-page filing. It also said information and awareness gaps among stakeholders are a "significant challenge" in addressing threats, requiring effective industry and government collaboration to "promote clarity" and solutions to threats.

The U.S. Chamber of Commerce said cybersecurity standards are most effective when developed and recognized globally, which helps IoT adopters avoid "requirements of multiple, and often conflicting, jurisdictions." The Chamber said "international policymakers should align IoT security programs with industry-backed approaches to risk management," citing the NIST framework as a model. The Chamber also said IoT-specific security and privacy mandates or guidance are "unnecessary" since they would hamper innovation and become obsolete. The Chamber said it will "push back" on such governmental actions.

The Coalition for Cybersecurity Policy and Law, which represents AT&T, Cisco, Intel, Microsoft, Rapid7 and others, said the frequency and scale of distributed attacks will threaten critical systems and availability of information "unless more work is done to increase the baseline security of such devices and the intelligence of the network." A closer relationship between the Department of Commerce and industry such as ISPs, electronics makers, operating systems and e-commerce companies is needed to develop "voluntary, consensus-based, industry-led standards" to respond to attacks, it said.

Enterprise encryption of sensitive data at rest and in motion could help "mitigate more focused attacks," while products like Cloudflare Orbit can help IoT vendors and users push software patches and updates at the network level, suggested Ryan Hagemann, Niskanen Center director-technology policy. He said Cloudflare Orbit, which connects to devices, filters out malicious activity before those devices connect to the internet. "Emerging technologies like this can act as additional layers of security for IoT devices, and could help remedy concerns associated with relying on updates on the user-level," he wrote. Cybersecurity insurance also can help incentivize adoption of better security practices and response plans, he said.

Hagemann said more public-private information sharing about "zero-day" exploits and funding bug bounty programs can improve collaboration and trust with the government. This includes legislation that codifies the government process for stockpiling and disclosing software and hardware weaknesses, called the vulnerabilities equities process (see 1705170025), he said. He also said multistakeholder processes and "soft law governance mechanisms" provide regulatory flexibility for IoT and other emerging technologies, giving diverse participants a seat at the table.