Promoting Stakeholder Action Against Botnets and Other Automated Threats, 27042-27044 [2017-12192]
Download as PDF
<![CDATA[
27042
Federal Register / Vol. 82, No. 112 / Tuesday, June 13, 2017 / Notices
with sections 751(a) and 777(i)(1) of the
Tariff Act of 1930, as amended.
Dated: June 8, 2017.
Gary Taverman,
Deputy Assistant Secretary for Antidumping
and Countervailing Duty Operations.
[FR Doc. 2017–12186 Filed 6–12–17; 8:45 am]
BILLING CODE 3510–DS–P
email: mdoscher@ntia.doc.gov, or Allan
Friedman, tel.: (202) 482–4281, email:
afriedman@ntia.doc.gov, National
Telecommunications and Information
Administration, U.S. Department of
Commerce, 1401 Constitution Avenue
NW., Room 4725, Washington, DC
20230. Please direct media inquiries to
NTIA’s Office of Public Affairs, (202)
482–7002, or at press@ntia.doc.gov.
DEPARTMENT OF COMMERCE
SUPPLEMENTARY INFORMATION:
National Telecommunications and
Information Administration
Background: The open and
distributed nature of the digital
ecosystem has led to unprecedented
growth and innovation in the digital
economy. However, it has been
accompanied by risks that threaten to
undermine that very ecosystem. These
risks take many forms online, with
different combinations of threats,
vulnerabilities, and affected parties from
those in the physical world. The
President has directed the Departments
of Commerce and Homeland Security to
jointly lead an open and transparent
process to identify and promote action
by appropriate stakeholders to improve
the resilience of the Internet and
communications ecosystem and to
encourage collaboration with the goal of
dramatically reducing threats
perpetrated by automated and
distributed attacks.1 This RFC focuses
on automated, distributed attacks that
affect large sets of victims, and that put
the broader network and its users at
risk. These types of attacks have been a
concern since the early days of the
Internet,2 and were a regular occurrence
by the early 2000s.3 Automated and
distributed attacks, particularly botnets
due to their ability to facilitate highimpact disruption, form a threat that is
bigger than any one company or sector.
Botnets are used for a variety of
malicious activities, but distributed
denial of service (DDoS) attacks, which
can overwhelm other networked
resources, are a critical threat and
developing collaborative solutions to
prevent and mitigate these attacks is a
priority. As new scenarios emerge,
including those exploiting a new
generation of connected devices (so
called ‘‘Internet of Things’’ (IoT)
devices), there is an urgent need for
[Docket No. 170602536–7536–01]
RIN 0660–XC035
Promoting Stakeholder Action Against
Botnets and Other Automated Threats
National Telecommunications
and Information Administration, U.S.
Department of Commerce.
ACTION: Notice, request for public
comment.
AGENCY:
The National
Telecommunications and Information
Administration (NTIA), on behalf of the
Department of Commerce (Department),
is requesting comment on actions that
can be taken to address automated and
distributed threats to the digital
ecosystem as part of the activity
directed by the President in Executive
Order 13800, ‘‘Strengthening the
Cybersecurity of Federal Networks and
Critical Infrastructure.’’ Through this
Request for Comments (RFC), NTIA
seeks broad input from all interested
stakeholders—including private
industry, academia, civil society, and
other security experts—on ways to
improve industry’s ability to reduce
threats perpetuated by automated
distributed attacks, such as botnets, and
what role, if any, the U.S. Government
should play in this area.
DATES: Comments are due on or before
5 p.m. Eastern Time on July 13, 2017.
ADDRESSES: Written comments may be
submitted by email to counter_botnet_
RFC@ntia.doc.gov. Written comments
also may be submitted by mail to the
National Telecommunications and
Information Administration, U.S.
Department of Commerce, 1401
Constitution Avenue NW., Room 4725,
Attn: Evelyn L. Remaley, Deputy
Associate Administrator, Washington,
DC 20230. For more detailed
instructions about submitting
comments, see the ‘‘Instructions for
Commenters’’ section of SUPPLEMENTARY
INFORMATION.
FOR FURTHER INFORMATION CONTACT:
Megan Doscher, tel.: (202) 482–2503,
nlaroche on DSK30NT082PROD with NOTICES
SUMMARY:
VerDate Sep<11>2014
14:58 Jun 12, 2017
Jkt 241001
1 Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure, Exec. Order
13800, 82 FR 22391 (May 11, 2017).
2 See generally United States v. Morris, 928 F.2d
504 (2d Cir. 1991) (discussing one of the first
known computer worms to spread across the
Internet).
3 See Nicholas C. Weaver, Warhol Worms: The
Potential for Very Fast Internet Plagues, Int’l
Computer Science Inst. (Aug. 15, 2001), https://
www1.icsi.berkeley.edu/∼nweaver/papers/warhol/
warhol.html.
PO 00000
Frm 00007
Fmt 4703
Sfmt 4703
coordination and collaboration across a
diverse set of ecosystem stakeholders.
As part of this effort, the Department
will also host a public workshop at the
National Institute of Standards and
Technology’s National Cybersecurity
Center of Excellence on July 11–12,
2017, entitled, ‘‘Enhancing Resilience of
the Communications Ecosystem.’’
Outputs from this workshop will also
help to guide implementation activities
related to the President’s Executive
Order. More information about the
workshop will be available on the NIST
Web site at: www.nist.gov.
The Federal government has worked
with stakeholders in the past to address
new threats as they arise. Previous
efforts include the White House-led
Industry Botnet Group 4 (which led to
an Anti-Botnet Code of Conduct 5), the
Communications Security, Reliability
and Interoperability Council’s (CSRIC)
reports on ISP Network Protection
Practices 6 and Remediation of ServerBased DDoS Attacks,7 as well as the
active and ongoing work by the
Department of Justice and its many
partners on attacking and ‘‘sink-holing’’
the infrastructure supporting these
threats.8 These initiatives, and others
like them, underscore the need for
active collaboration between the public
and private sectors.
The Department has played an
important role in facilitating
engagement around cybersecurity
between public policy interests and the
innovative force of the private sector.
The Department was tasked to work
with industry to develop a framework
4 U.S. Dep’t of Commerce, White House
Announces Public-Private Partnership Initiatives to
Combat Botnets (May 30, 2012), https://20102014.commerce.gov/news/press-releases/2012/05/
30/white-house-announces-public-privatepartnership-initiatives-combat-b.html.
5 Working Group 7—Botnet Remediation,
Communications Security, Reliability and
Interoperability Council III, Final Report, U.S. AntiBot Code of Conduct (ABC) for Internet Services
Providers (ISPs), Barrier and Metric Considerations
(Mar. 2013), https://transition.fcc.gov/bureaus/
pshs/advisory/csric3/CSRIC_III_WG7_Report_
March_%202013.pdf.
6 Working Group 8, Communications Security,
Reliability and Interoperability Council I, Final
Report, Internet Service Provider (ISP) Network
Protection Practices (Dec. 2010), https://
transition.fcc.gov/pshs/docs/csric/CSRIC_WG8_
FINAL_REPORT_ISP_NETWORK_PROTECTION_
20101213.pdf.
7 Working Group 5, Communications Security,
Reliability and Interoperability Council IV Working
Group 5, Final Report, Remediation of Server-Based
DDoS Attacks (Sept. 2014), https://
transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_
WG5_Remediation_of_Server-Based_DDoS_
Attacks_Report_Final_(pdf)_V11.pdf.
8 See, e.g., U.S. Dep’t of Justice, Avalanche
Network Dismantled in International Cyber
Operation (Dec. 5, 2016), https://www.justice.gov/
opa/pr/avalanche-network-dismantledinternational-cyber-operation.
E:\FR\FM\13JNN1.SGM
13JNN1
Federal Register / Vol. 82, No. 112 / Tuesday, June 13, 2017 / Notices
nlaroche on DSK30NT082PROD with NOTICES
for use by U.S. critical infrastructure to
improve cybersecurity practices,9
leading to NIST’s Cybersecurity
Framework.10 Other initiatives include
Green Papers developed by the
Department built on industry input on
cybersecurity 11 and IoT.12 NTIA has
also convened multistakeholder
processes to identify consensus-based
voluntary solutions on security
vulnerability disclosure 13 and IoT
security patching and upgradability.14
The private sector is also playing a
key role in tackling botnets. Internet
service providers in the United States
and around the world have been
experimenting with how to notify
customers that their devices may be
involved in an attack. Standards bodies
have offered guidance on how to
mitigate some styles of attacks.15
Technology providers are innovating
around tools to protect resources from
DDoS attacks. Application and software
manufacturers are working to eliminate
exploitable vulnerabilities. This
community has worked hard to address
the threats over the last decade.
The cybersecurity challenge is
particularly vexing because it involves
adaptive adversaries. Existing tools,
institutions, and initiatives are critical,
but we must acknowledge that the threat
continues to evolve, and more progress
is needed, at an accelerated rate, to
address the current landscape. The
DDoS attacks launched from the Mirai
botnet in the fall of 2016, for example,
reached a level of sustained traffic that
overwhelmed many common DDoS
mitigation tools and services, and even
9 Improving Critical Infrastructure Cybersecurity,
Exec. Order 13636, 78 FR 11737 (Feb. 12, 2013).
10 National Institute of Standards and
Technology, Framework for Improving Critical
Infrastructure Cybersecurity (Feb. 12, 2014), https://
www.nist.gov/sites/default/files/documents/
cyberframework/cybersecurity-framework021214.pdf.
11 Internet Policy Task Force, U.S. Dep’t of
Commerce, Cybersecurity, Innovation and the
Internet Economy (June 2011), https://
www.nist.gov/sites/default/files/documents/itl/
Cybersecurity_Green-Paper_FinalVersion.pdf.
12 Internet Policy Task Force & Digital Economy
Leadership Team, U.S. Dep’t of Commerce,
Fostering the Advancement of the Internet of Things
(Jan. 2017), https://www.ntia.doc.gov/files/ntia/
publications/iot_green_paper_01122017.pdf.
13 NTIA, Multistakeholder Process: Cybersecurity
Vulnerabilities, https://www.ntia.doc.gov/otherpublication/2016/multistakeholder-processcybersecurity-vulnerabilities (last visited May 17,
2017).
14 NTIA, Multistakeholder Process: Internet of
Things (IoT) Security Upgradability and Patching,
https://www.ntia.doc.gov/other-publication/2016/
multistakeholder-process-iot-security (last visited
May 17, 2017).
15 See, e.g., P. Ferguson & D. Senie, Network
Ingress Filtering: Defeating Denial of Service
Attacks Which Employ IP Source Address Spoofing,
Internet Engineering Task Force (May 2010),
https://www.ietf.org/rfc/rfc2827.txt.
VerDate Sep<11>2014
14:58 Jun 12, 2017
Jkt 241001
targeted a Domain Name System (DNS)
service that was a commonly used
component in many DDoS mitigation
strategies.16 This attack also highlighted
the growing insecurities in—and threats
from—consumer-grade IoT devices. As a
new technology, IoT devices are often
built and deployed without important
security features and practices in
place.17 The issue is not the particular
botnet, or the particular target, but the
risks posed by botnets of this size and
scope, and the expected innovation and
increased scale and sophistication of
future attacks. Meanwhile, old threats
continue to evolve. The WannaCry
ransomware that threatened to destroy
the data of thousands of individuals and
organizations, including hospitals, did
not initially involve a botnet. It was
spread by a worm-like mechanism
similar to attacks of 15 years ago.
However, criminals were later observed
using the Mirai botnet to attack a key
defense against the WannaCry
ransomware.18
It is difficult to predict what the next
significant attack vector will be, but that
should not preclude taking steps to
mitigate the potential impact of those
that are known. Left unchecked, without
meaningful progress, these new classes
of automated and distributed attacks
could be a serious risk to the entire
ecosystem. Since poorly considered
action would likely create significant
unnecessary costs and unintended
consequences, substantial, carefully
considered action must be considered,
and it is most likely to be effective and
efficient if built on engagement from all
stakeholders across the ecosystem.
Request for Comments
The goal of this RFC is to solicit
informed suggestions and feedback on
current, emerging, and potential
approaches for dealing with botnets and
other automated, distributed threats and
their impact. The Department is
interested in comments that address all
aspects of this issue, but particularly
those that address two broad approaches
where substantial progress can be made:
16 U.S. Computer Emergency Readiness Team,
Alert (TA16–288A): Heightened DDoS Threat Posed
by Mirai and Other Botnets, https://www.uscert.gov/ncas/alerts/TA16-288A (last revised Nov.
30, 2016).
17 National Security Telecommunications
Advisory Committee, Report to the President on the
Internet of Things (Nov. 19, 2014), https://
www.dhs.gov/sites/default/files/publications/
NSTAC%20Report%20to%20the%20President
%20on%20the%20Internet%20of%20Things
%20Nov%202014%20%28updat%20%20%20.pdf.
18 See Andy Greenberg, Hackers are Trying to
Reignite Wannacry with Nonstop Botnet Attacks,
Wired (May 19, 2017), https://www.wired.com/
2017/05/wannacry-ransomware-ddos-attack/.
PO 00000
Frm 00008
Fmt 4703
Sfmt 4703
27043
• Attack Mitigation: Minimizing the
impact of botnet behavior by rapidly
identifying and disrupting malicious
behaviors, including the potential of
filtering or coordinated network
management, empowering market actors
to better protect potential targets, and
reducing known and emerging risks.
• Endpoint Prevention: Securing
endpoints, especially IoT devices, and
reducing vulnerabilities, including
fostering prompt adoption of secure
development practices, developing
practical plans to rapidly deal with
newly discovered vulnerabilities, and
supporting adoption of new technology
to better control and safeguard devices
at the local network level.
Respondents are invited to respond to
some or all of the questions below:
1. What works: What approaches (e.g.,
laws, policies, standards, practices,
technologies) work well for dealing with
automated and distributed threats
today? What mechanisms for
cooperation with other organizations,
either before or during an event, are
already occurring?
2. Gaps: What are the gaps in the
existing approaches to dealing with
automated and distributed threats?
What no longer works? What are the
impediments to closing those gaps?
What are the obstacles to collaboration
across the ecosystems?
3. Addressing the problem: What
laws, policies, standards, practices,
technologies, and other investments will
have a tangible impact on reducing risks
and harms of botnets? What tangible
steps to reduce risks and harms of
botnets can be taken in the near term?
What emerging or long term approaches
may be promising with more attention,
research, and investment? What are the
public policy implications of the
various approaches? How might these
be managed, balanced, or minimized?
4. Governance and collaboration:
What stakeholders should be involved
in developing and executing policies,
standards, practices, and technologies?
What roles should they play? How can
stakeholders collaborate across roles
and sectors, and what should this
collaboration look like, in practical
terms?
5. Policy and the role of government:
What specific roles should the Federal
government play? What incentives or
other public policies can drive change?
6. International: How does the
inherently global nature of the Internet
and the digital supply chain affect how
we should approach this problem? How
can solutions explicitly address the
international aspects of this issue?
7. Users: What can be done to educate
and empower users and decision-
E:\FR\FM\13JNN1.SGM
13JNN1
27044
Federal Register / Vol. 82, No. 112 / Tuesday, June 13, 2017 / Notices
makers, including enterprises and end
consumers?
Instructions for Commenters: NTIA
invites comment on the full range of
issues that may be presented by this
inquiry, including issues that are not
specifically raised in the above
questions. Commenters are encouraged
to address any or all of the above
questions. Comments that contain
references to studies, research, and
other empirical data that are not widely
published should include copies of the
referenced materials with the submitted
comments.
Comments submitted by email should
be machine-readable and should not be
copy-protected. Comments submitted by
mail may be in hard copy (paper) or
electronic (on CD–ROM or disk).
Responders should include the name of
the person or organization filing the
comment, as well as a page number on
each page of their submissions. All
comments received are a part of the
public record and will generally be
posted on the NTIA Web site, https://
www.ntia.doc.gov, without change. All
personal identifying information (for
example, name, address) voluntarily
submitted by the commenter may be
publicly accessible. Do not submit
confidential business information or
otherwise sensitive or protected
information. NTIA will accept
anonymous comments.
Dated: June 8, 2017.
Leonard Bechtel,
Chief Financial Officer and Director of
Administration, Performing the NonExclusive Duties of the Assistant Secretary
for Communications and Information,
National Telecommunications and
Information Administration.
[FR Doc. 2017–12192 Filed 6–12–17; 8:45 am]
BILLING CODE 3510–60–P
COMMODITY FUTURES TRADING
COMMISSION
Commission Statement Concerning a
Request for an Interpretation as to
Whether a Particular Agreement Is a
Swap, Security-Based Swap, or Mixed
Swap
Commodity Futures Trading
Commission.
ACTION: Commission statement.
nlaroche on DSK30NT082PROD with NOTICES
AGENCY:
The Commodity Futures
Trading Commission (the
‘‘Commission’’) is publishing this
statement concerning a request for an
interpretation as to whether a particular
agreement is a swap, security-based
swap, or mixed swap.
SUMMARY:
VerDate Sep<11>2014
14:58 Jun 12, 2017
Jkt 241001
FOR FURTHER INFORMATION CONTACT:
Eileen T. Flaherty, Director, (202) 418–
5326, eflaherty@cftc.gov; Frank
Fisanich, Chief Counsel, (202) 418–
5949, ffisanich@cftc.gov; or Jacob
Chachkin, Special Counsel, (202) 418–
5496, jchachkin@cftc.gov, Division of
Swap Dealer and Intermediary
Oversight, Commodity Futures Trading
Commission, 1155 21st Street NW.,
Washington, DC 20581.
SUPPLEMENTARY INFORMATION:
Statement
On February 7, 2017, Commission
staff received a letter from Breakaway
Courier Corporation (‘‘Breakaway’’),
through its counsel, requesting a joint
interpretation from the Commission and
the Securities and Exchange
Commission (‘‘SEC’’, and, together with
the Commission, the ‘‘Commissions’’)
pursuant to Commission regulation 1.8
as to whether a particular agreement is
a swap, security-based swap, or mixed
swap.1 Breakaway’s request relates to a
contract labeled as a Reinsurance
Participation Agreement (‘‘RPA’’),
which it has previously executed with
Applied Underwriters Captive Risk
Assurance Company, Inc. (‘‘AUCRA’’).2
According to Breakaway’s submission, it
entered into two RPAs with AUCRA,
one of which has a stated effective date
of July 1, 2009, and the other of July 1,
2012.
The Commission and the SEC jointly
adopted Commission regulation 1.8 and
Securities Exchange Act of 1934
(‘‘Exchange Act’’) 3 Rule 3a68–2 in
2012 4 pursuant to Section 712(d)(4) of
the Dodd-Frank Wall Street Reform and
Consumer Protection Act (‘‘Dodd-Frank
Act’’).5 The rules established a process
for parties to request a joint
interpretation as to whether a particular
agreement, contract, or transaction (or
class thereof) is a swap, security-based
swap, or mixed swap. Among other
things, the rules set forth the
information required to be included in
a request and a process for withdrawing
a request. Commission regulation 1.8
1 See
17 CFR 1.8.
copy of Breakaway’s submission may be
found at: https://www.cftc.gov/LawRegulation/
DoddFrankAct/Dodd-FrankFinalRules/index.htm.
3 15 U.S.C. 78 et seq.
4 See Further Definition of ‘‘Swap,’’ ‘‘SecurityBased Swap,’’ and ‘‘Security-Based Swap
Agreement’’; Mixed Swaps; Security-Based Swap
Agreement Recordkeeping, 77 FR 48207 (Aug. 13,
2012) (‘‘Product Definitions Adopting Release’’).
5 See Dodd-Frank Act, Public Law 111–203, 124
Stat. 1376 (2010). All references to ‘‘Title VII’’ in
this statement shall refer to Title VII of the DoddFrank Act, which established a comprehensive new
regulatory framework for swaps and security-based
swaps.
2A
PO 00000
Frm 00009
Fmt 4703
Sfmt 4703
also includes requirements governing
the manner and timing by which the
two agencies must act after the receipt
of a complete submission under the
rule, if they determine to issue such
joint interpretation. In addition,
paragraph (e)(5) of Commission
regulation 1.8 provides that ‘‘[i]f the
Commission and the [SEC] do not issue
a joint interpretation within the time
period described in paragraph (e)(1) or
(e)(3) [of the rule], each of the
Commission and the [SEC] shall
publicly provide the reasons for not
issuing such a joint interpretation
within the applicable timeframes.’’ 6
Pursuant to paragraph (e)(5) of
Commission regulation 1.8, the
Commission is declining to issue a joint
interpretation with the SEC in
connection with Breakaway’s request.7
The Commission understands that the
status of the RPAs is already subject to
ongoing private litigation and that the
petitioners’ request may bear directly on
that litigation. We believe that the
Commission regulation 1.8 process is
not an appropriate vehicle for litigants
such as Breakaway to obtain the views
of the Commission in connection with
issues in ongoing litigation, and we
therefore decline Breakaway’s request
that we state an interpretive position as
to the proper characterization of the
RPAs.8
Issued in Washington, DC, on June 7, 2017,
by the Commission.
Christopher J. Kirkpatrick,
Secretary of the Commission.
Note: The following appendix will not
appear in the Code of Federal Regulations.
6 Paragraph (e)(5) of SEC Rule 3a68–2 contains
identical language (other than reversing the
references to the two commissions). See 17 CFR
240.3a68–2.
7 Commission staff has consulted and coordinated
with SEC staff and understands that the SEC will
be issuing a separate statement on this matter.
8 As we and the SEC explained when we jointly
adopted Commission regulation 1.8 in 2012 (as well
as the corresponding rule under the Exchange Act),
the purpose of Commission regulation 1.8 is to
‘‘afford market participants with the opportunity to
obtain greater certainty from the Commissions
regarding the regulatory status of particular Title VII
instruments under the Dodd-Frank Act. This
provision should decrease the possibility that
market participants inadvertently might fail to meet
the regulatory requirements applicable to a
particular Title VII instrument.’’ See Product
Definitions Adopting Release, 77 FR at 48295. We
and the SEC also noted our belief that ‘‘it is
essential that the characterization of an instrument
be established prior to any party engaging in the
transactions so that the appropriate regulatory
schemes apply.’’ See Product Definitions Adopting
Release, 77 FR at 48297.
E:\FR\FM\13JNN1.SGM
13JNN1
]]>Agencies
[Federal Register Volume 82, Number 112 (Tuesday, June 13, 2017)]
[Notices]
[Pages 27042-27044]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-12192]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
[Docket No. 170602536-7536-01]
RIN 0660-XC035
Promoting Stakeholder Action Against Botnets and Other Automated
Threats
AGENCY: National Telecommunications and Information Administration,
U.S. Department of Commerce.
ACTION: Notice, request for public comment.
-----------------------------------------------------------------------
SUMMARY: The National Telecommunications and Information Administration
(NTIA), on behalf of the Department of Commerce (Department), is
requesting comment on actions that can be taken to address automated
and distributed threats to the digital ecosystem as part of the
activity directed by the President in Executive Order 13800,
``Strengthening the Cybersecurity of Federal Networks and Critical
Infrastructure.'' Through this Request for Comments (RFC), NTIA seeks
broad input from all interested stakeholders--including private
industry, academia, civil society, and other security experts--on ways
to improve industry's ability to reduce threats perpetuated by
automated distributed attacks, such as botnets, and what role, if any,
the U.S. Government should play in this area.
DATES: Comments are due on or before 5 p.m. Eastern Time on July 13,
2017.
ADDRESSES: Written comments may be submitted by email to
counter_botnet_RFC@ntia.doc.gov. Written comments also may be submitted
by mail to the National Telecommunications and Information
Administration, U.S. Department of Commerce, 1401 Constitution Avenue
NW., Room 4725, Attn: Evelyn L. Remaley, Deputy Associate
Administrator, Washington, DC 20230. For more detailed instructions
about submitting comments, see the ``Instructions for Commenters''
section of SUPPLEMENTARY INFORMATION.
FOR FURTHER INFORMATION CONTACT: Megan Doscher, tel.: (202) 482-2503,
email: mdoscher@ntia.doc.gov, or Allan Friedman, tel.: (202) 482-4281,
email: afriedman@ntia.doc.gov, National Telecommunications and
Information Administration, U.S. Department of Commerce, 1401
Constitution Avenue NW., Room 4725, Washington, DC 20230. Please direct
media inquiries to NTIA's Office of Public Affairs, (202) 482-7002, or
at press@ntia.doc.gov.
SUPPLEMENTARY INFORMATION:
Background: The open and distributed nature of the digital
ecosystem has led to unprecedented growth and innovation in the digital
economy. However, it has been accompanied by risks that threaten to
undermine that very ecosystem. These risks take many forms online, with
different combinations of threats, vulnerabilities, and affected
parties from those in the physical world. The President has directed
the Departments of Commerce and Homeland Security to jointly lead an
open and transparent process to identify and promote action by
appropriate stakeholders to improve the resilience of the Internet and
communications ecosystem and to encourage collaboration with the goal
of dramatically reducing threats perpetrated by automated and
distributed attacks.\1\ This RFC focuses on automated, distributed
attacks that affect large sets of victims, and that put the broader
network and its users at risk. These types of attacks have been a
concern since the early days of the Internet,\2\ and were a regular
occurrence by the early 2000s.\3\ Automated and distributed attacks,
particularly botnets due to their ability to facilitate high-impact
disruption, form a threat that is bigger than any one company or
sector. Botnets are used for a variety of malicious activities, but
distributed denial of service (DDoS) attacks, which can overwhelm other
networked resources, are a critical threat and developing collaborative
solutions to prevent and mitigate these attacks is a priority. As new
scenarios emerge, including those exploiting a new generation of
connected devices (so called ``Internet of Things'' (IoT) devices),
there is an urgent need for coordination and collaboration across a
diverse set of ecosystem stakeholders.
---------------------------------------------------------------------------
\1\ Strengthening the Cybersecurity of Federal Networks and
Critical Infrastructure, Exec. Order 13800, 82 FR 22391 (May 11,
2017).
\2\ See generally United States v. Morris, 928 F.2d 504 (2d Cir.
1991) (discussing one of the first known computer worms to spread
across the Internet).
\3\ See Nicholas C. Weaver, Warhol Worms: The Potential for Very
Fast Internet Plagues, Int'l Computer Science Inst. (Aug. 15, 2001),
https://www1.icsi.berkeley.edu/~nweaver/papers/warhol/warhol.html.
---------------------------------------------------------------------------
As part of this effort, the Department will also host a public
workshop at the National Institute of Standards and Technology's
National Cybersecurity Center of Excellence on July 11-12, 2017,
entitled, ``Enhancing Resilience of the Communications Ecosystem.''
Outputs from this workshop will also help to guide implementation
activities related to the President's Executive Order. More information
about the workshop will be available on the NIST Web site at:
www.nist.gov.
The Federal government has worked with stakeholders in the past to
address new threats as they arise. Previous efforts include the White
House-led Industry Botnet Group \4\ (which led to an Anti-Botnet Code
of Conduct \5\), the Communications Security, Reliability and
Interoperability Council's (CSRIC) reports on ISP Network Protection
Practices \6\ and Remediation of Server-Based DDoS Attacks,\7\ as well
as the active and ongoing work by the Department of Justice and its
many partners on attacking and ``sink-holing'' the infrastructure
supporting these threats.\8\ These initiatives, and others like them,
underscore the need for active collaboration between the public and
private sectors.
---------------------------------------------------------------------------
\4\ U.S. Dep't of Commerce, White House Announces Public-Private
Partnership Initiatives to Combat Botnets (May 30, 2012), https://2010-2014.commerce.gov/news/press-releases/2012/05/30/white-house-announces-public-private-partnership-initiatives-combat-b.html.
\5\ Working Group 7--Botnet Remediation, Communications
Security, Reliability and Interoperability Council III, Final
Report, U.S. Anti-Bot Code of Conduct (ABC) for Internet Services
Providers (ISPs), Barrier and Metric Considerations (Mar. 2013),
https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC_III_WG7_Report_March_%202013.pdf.
\6\ Working Group 8, Communications Security, Reliability and
Interoperability Council I, Final Report, Internet Service Provider
(ISP) Network Protection Practices (Dec. 2010), https://transition.fcc.gov/pshs/docs/csric/CSRIC_WG8_FINAL_REPORT_ISP_NETWORK_PROTECTION_20101213.pdf.
\7\ Working Group 5, Communications Security, Reliability and
Interoperability Council IV Working Group 5, Final Report,
Remediation of Server-Based DDoS Attacks (Sept. 2014), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG5_Remediation_of_Server-Based_DDoS_Attacks_Report_Final_(pdf)_V11.pdf.
\8\ See, e.g., U.S. Dep't of Justice, Avalanche Network
Dismantled in International Cyber Operation (Dec. 5, 2016), https://www.justice.gov/opa/pr/avalanche-network-dismantled-international-cyber-operation.
---------------------------------------------------------------------------
The Department has played an important role in facilitating
engagement around cybersecurity between public policy interests and the
innovative force of the private sector. The Department was tasked to
work with industry to develop a framework
[[Page 27043]]
for use by U.S. critical infrastructure to improve cybersecurity
practices,\9\ leading to NIST's Cybersecurity Framework.\10\ Other
initiatives include Green Papers developed by the Department built on
industry input on cybersecurity \11\ and IoT.\12\ NTIA has also
convened multistakeholder processes to identify consensus-based
voluntary solutions on security vulnerability disclosure \13\ and IoT
security patching and upgradability.\14\
---------------------------------------------------------------------------
\9\ Improving Critical Infrastructure Cybersecurity, Exec. Order
13636, 78 FR 11737 (Feb. 12, 2013).
\10\ National Institute of Standards and Technology, Framework
for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014),
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.
\11\ Internet Policy Task Force, U.S. Dep't of Commerce,
Cybersecurity, Innovation and the Internet Economy (June 2011),
https://www.nist.gov/sites/default/files/documents/itl/Cybersecurity_Green-Paper_FinalVersion.pdf.
\12\ Internet Policy Task Force & Digital Economy Leadership
Team, U.S. Dep't of Commerce, Fostering the Advancement of the
Internet of Things (Jan. 2017), https://www.ntia.doc.gov/files/ntia/publications/iot_green_paper_01122017.pdf.
\13\ NTIA, Multistakeholder Process: Cybersecurity
Vulnerabilities, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities (last visited
May 17, 2017).
\14\ NTIA, Multistakeholder Process: Internet of Things (IoT)
Security Upgradability and Patching, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security (last visited
May 17, 2017).
---------------------------------------------------------------------------
The private sector is also playing a key role in tackling botnets.
Internet service providers in the United States and around the world
have been experimenting with how to notify customers that their devices
may be involved in an attack. Standards bodies have offered guidance on
how to mitigate some styles of attacks.\15\ Technology providers are
innovating around tools to protect resources from DDoS attacks.
Application and software manufacturers are working to eliminate
exploitable vulnerabilities. This community has worked hard to address
the threats over the last decade.
---------------------------------------------------------------------------
\15\ See, e.g., P. Ferguson & D. Senie, Network Ingress
Filtering: Defeating Denial of Service Attacks Which Employ IP
Source Address Spoofing, Internet Engineering Task Force (May 2010),
https://www.ietf.org/rfc/rfc2827.txt.
---------------------------------------------------------------------------
The cybersecurity challenge is particularly vexing because it
involves adaptive adversaries. Existing tools, institutions, and
initiatives are critical, but we must acknowledge that the threat
continues to evolve, and more progress is needed, at an accelerated
rate, to address the current landscape. The DDoS attacks launched from
the Mirai botnet in the fall of 2016, for example, reached a level of
sustained traffic that overwhelmed many common DDoS mitigation tools
and services, and even targeted a Domain Name System (DNS) service that
was a commonly used component in many DDoS mitigation strategies.\16\
This attack also highlighted the growing insecurities in--and threats
from--consumer-grade IoT devices. As a new technology, IoT devices are
often built and deployed without important security features and
practices in place.\17\ The issue is not the particular botnet, or the
particular target, but the risks posed by botnets of this size and
scope, and the expected innovation and increased scale and
sophistication of future attacks. Meanwhile, old threats continue to
evolve. The WannaCry ransomware that threatened to destroy the data of
thousands of individuals and organizations, including hospitals, did
not initially involve a botnet. It was spread by a worm-like mechanism
similar to attacks of 15 years ago. However, criminals were later
observed using the Mirai botnet to attack a key defense against the
WannaCry ransomware.\18\
---------------------------------------------------------------------------
\16\ U.S. Computer Emergency Readiness Team, Alert (TA16-288A):
Heightened DDoS Threat Posed by Mirai and Other Botnets, https://www.us-cert.gov/ncas/alerts/TA16-288A (last revised Nov. 30, 2016).
\17\ National Security Telecommunications Advisory Committee,
Report to the President on the Internet of Things (Nov. 19, 2014),
https://www.dhs.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20President%20on%20the%20Internet%20of%20Things%20Nov%202014%20%28updat%20%20%20.pdf.
\18\ See Andy Greenberg, Hackers are Trying to Reignite Wannacry
with Nonstop Botnet Attacks, Wired (May 19, 2017), https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack/.
---------------------------------------------------------------------------
It is difficult to predict what the next significant attack vector
will be, but that should not preclude taking steps to mitigate the
potential impact of those that are known. Left unchecked, without
meaningful progress, these new classes of automated and distributed
attacks could be a serious risk to the entire ecosystem. Since poorly
considered action would likely create significant unnecessary costs and
unintended consequences, substantial, carefully considered action must
be considered, and it is most likely to be effective and efficient if
built on engagement from all stakeholders across the ecosystem.
Request for Comments
The goal of this RFC is to solicit informed suggestions and
feedback on current, emerging, and potential approaches for dealing
with botnets and other automated, distributed threats and their impact.
The Department is interested in comments that address all aspects of
this issue, but particularly those that address two broad approaches
where substantial progress can be made:
Attack Mitigation: Minimizing the impact of botnet
behavior by rapidly identifying and disrupting malicious behaviors,
including the potential of filtering or coordinated network management,
empowering market actors to better protect potential targets, and
reducing known and emerging risks.
Endpoint Prevention: Securing endpoints, especially IoT
devices, and reducing vulnerabilities, including fostering prompt
adoption of secure development practices, developing practical plans to
rapidly deal with newly discovered vulnerabilities, and supporting
adoption of new technology to better control and safeguard devices at
the local network level.
Respondents are invited to respond to some or all of the questions
below:
1. What works: What approaches (e.g., laws, policies, standards,
practices, technologies) work well for dealing with automated and
distributed threats today? What mechanisms for cooperation with other
organizations, either before or during an event, are already occurring?
2. Gaps: What are the gaps in the existing approaches to dealing
with automated and distributed threats? What no longer works? What are
the impediments to closing those gaps? What are the obstacles to
collaboration across the ecosystems?
3. Addressing the problem: What laws, policies, standards,
practices, technologies, and other investments will have a tangible
impact on reducing risks and harms of botnets? What tangible steps to
reduce risks and harms of botnets can be taken in the near term? What
emerging or long term approaches may be promising with more attention,
research, and investment? What are the public policy implications of
the various approaches? How might these be managed, balanced, or
minimized?
4. Governance and collaboration: What stakeholders should be
involved in developing and executing policies, standards, practices,
and technologies? What roles should they play? How can stakeholders
collaborate across roles and sectors, and what should this
collaboration look like, in practical terms?
5. Policy and the role of government: What specific roles should
the Federal government play? What incentives or other public policies
can drive change?
6. International: How does the inherently global nature of the
Internet and the digital supply chain affect how we should approach
this problem? How can solutions explicitly address the international
aspects of this issue?
7. Users: What can be done to educate and empower users and
decision-
[[Page 27044]]
makers, including enterprises and end consumers?
Instructions for Commenters: NTIA invites comment on the full range
of issues that may be presented by this inquiry, including issues that
are not specifically raised in the above questions. Commenters are
encouraged to address any or all of the above questions. Comments that
contain references to studies, research, and other empirical data that
are not widely published should include copies of the referenced
materials with the submitted comments.
Comments submitted by email should be machine-readable and should
not be copy-protected. Comments submitted by mail may be in hard copy
(paper) or electronic (on CD-ROM or disk). Responders should include
the name of the person or organization filing the comment, as well as a
page number on each page of their submissions. All comments received
are a part of the public record and will generally be posted on the
NTIA Web site, https://www.ntia.doc.gov, without change. All personal
identifying information (for example, name, address) voluntarily
submitted by the commenter may be publicly accessible. Do not submit
confidential business information or otherwise sensitive or protected
information. NTIA will accept anonymous comments.
Dated: June 8, 2017.
Leonard Bechtel,
Chief Financial Officer and Director of Administration, Performing the
Non-Exclusive Duties of the Assistant Secretary for Communications and
Information, National Telecommunications and Information
Administration.
[FR Doc. 2017-12192 Filed 6-12-17; 8:45 am]
BILLING CODE 3510-60-P
