Coordinating Voluntary Efforts to Fight Botnets
Over the past several years, a new threat has emerged on the Internet, increasingly putting consumers at risk. Some industry experts suggest that as many as 1 in 10 computers in the U.S. are part of what is called a botnet.
Botnets are groups of computers that have been secretly taken over by software that allows someone other than their authorized users to access and control them. The linked computers can be used as a platform to infect other computers, and more.
A botnet infection can let someone monitor your personal information and communications, and exploit your computing power and Internet access. However, these threats go beyond the infected computers. Botnets can also be used to store and transfer illegal content, and to attack our information infrastructure with massive, distributed denial-of-service attacks. Symantec has estimated that 80 percent of all spam comes from botnets.
Botnets are not a new phenomenon, and their existence continues to increase the price of doing business online and place our companies at a competitive disadvantage, all while threatening our individual privacy. It’s for these reasons that analysts at Gartner call botnets “the heavy artillery of cybercrime.”
To address the problem, last September NIST and our colleagues within the Department of Commerce, in cooperation with the Department of Homeland Security, released a Request for Information, or RFI, to focus on the growing concern around this security risk. The RFI sought input on a wide range of areas, including practices to help identify, prevent, and mitigate botnet infections and to notify computer owners when they’ve been infected. We received more than two dozen comments from a wide range of stakeholders with surprisingly similar views on combating this problem.
Through this process and the engagement that followed, we learned that many leading companies, including Comcast, CenturyLink and Google, had begun efforts to detect and notify their customers that they are infected without invading the individual’s privacy. Microsoft and others had begun to take action against botnets in the courts. Around the world, other countries had begun creating codes to help alert consumers to encourage these efforts. Yet despite this progress, there was no unified U.S. effort.
It was clear we needed to define and create a comprehensive U.S. vision if we were going to succeed in reducing the threat from botnets. It was also clear to all those involved that the effort should be voluntary and stakeholder-driven, taking advantage of the expertise and experience of industry and civil society. Reducing the damage botnets cause will not solve all of our cybersecurity problems, but it will make it more difficult for criminals to attack key systems.
And indeed, the industry has taken up this call to action. In February, eleven leading trade, security and safety groups introduced the Industry Botnet Group (IBG). Today, four months later, we are already seeing the fruits of these and related efforts.
Based on the voluntary efforts of these groups and companies, there are several new efforts that we, having seen industry really take up the reins on this, are particularly enthusiastic about, including:
- Principles: This week the IBG released a set of principles for Internet companies to follow in fighting botnets. This is the first set of principles that covers the entire Internet ecosystem as opposed to only Internet Service Providers. We are already starting to see more companies notifying consumers that they have been infected as a result.
- Education Campaign: Industry groups are organizing new education resources and a "keep a clean machine" campaign. The Department of Homeland Security and the Federal Trade Commission plan to incorporate these messages into their efforts in the coming months.
- Information Sharing: The Financial Services Information Sharing and Analysis Center announced a new pilot to share information on botnets with other companies by year's end. This effort is expected to lead to standards other industries can use to share information about botnets.
- Metrics, Standards and Technologies: This week the National Institute of Standards and Technology (NIST) held a day-long workshop to discuss and coordinate new metrics and new technologies in fighting bots. This work could lead to a better ability to monitor and prevent botnets.
These voluntary efforts obviously will not solve all problems related to botnets. However, tied to government law enforcement efforts, government information sharing efforts and international efforts, we have now built a great partnership for moving forward.