The Departments of Commerce and Homeland Security on Jan. 5 released a draft of a report directed by President Donald Trump that outlines the challenges and opportunities in securing the Internet from cyber attacks.
The report, which is due to be finalized by May 11, highlights six themes related to the threats and security of the internet. These include automated threats are global in nature and that most of the successful attacks by recent botnets have occurred outside the U.S.
The report, which was called for by Trump's cyber security executive order 13800 last May, says that that tools and processes exist to "enhance the resilience of the Internet and communications ecosystem" but are only "routinely applied in selected market sectors."
The report also calls for baseline security for Internet of Things (IoT) devices, both for home and industrial uses, pointing out that the federal government and industry have responsibilities.
"The federal government should augment the existing suite of standards and practices for traditional computing with baseline security profiles for IoT devices in U.S. government environments," says the 38-page report, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats. And in one action item, the report says "Software development tools and processes to significantly reduce the incidence of security vulnerabilities in commercial off-the-shelf software must be more widely adopted by industry."
The report included inputs from the Departments of Defense, Justice and State, the FBI, and the Federal Trade Commission. Comments from the public were also received. The draft report invites additional comments.
Shortcomings in some existing systems and devices include security either not built-in up front, an inability to patch vulnerabilities once they've been discovered, and obsolescence leading to vulnerabilities once vendor support ends, the report says.
The report provides five goals for stakeholders and a number of suggested action items. The goals include promoting innovation to adapt to evolving threats, in part by the expansion of information sharing about threats, and updating the federal government's Cybersecurity Framework to create a profile for preventing and mitigating enterprise distributed denial of service attacks.
It also calls for market incentives for early adopters of innovative cyber security technologies and suggest the government "lead by example" by creating guideline for federal agencies to use in acquiring these technologies.