Looking for clear and concise—yet sophisticated—editing? Need to comply with plain language requirements?

Executive Summary

The Departments of Commerce and Homeland Security worked jointly on this effort through three approaches by hosting two workshops, publishing two requests for comment, and initiating initiating starting an inquiry through the President's National Security Telecommunications Advisory Committee (NSTAC) with the objective of gathering with the objective of gathering to gather a broad range of input from experts and stakeholders, including private industry, academia, and civil society. These activities all contributed to the information-gathering process for the agencies developing the recommendations in this report.

Automated, distributed attacks are a global problem. The majority of the The majority of the Most of the compromised devices in recent noteworthy botnets have been geographically located outside the United States. In order to In order to To increase the resilience of the Internet and communications ecosystem against these threats, many of which originate outside the United States, we must continue to work together together with international partners.

Effective tools exist but are not widely used. While there remains room for improvement, the tools, processes, and practices required to significantly enhance the resilience of the Internet and communications ecosystem are widely available and are routinely applied in selected market sectors. However, they are not part of common practices for product development and deployment in many other sectors for a variety of reasonsa variety of reasonsmany reasons, including (but not limited to) lack of awareness, cost avoidance, insufficient technical expertiseexpertiseknowledge, and lack of market incentives.

Products should be secured during all stages of the lifecycle. Devices that are that are vulnerable at time of deployment lack facilities to patch vulnerabilities after discovery or remain in service after vendor support ends, make assembling automated and making distributed threats far too easy.

Home users and some enterprise customers are often unaware of the role their devices could play in a botnet attack and may not fully understand the merits of available available technical controls. Product developers, manufacturers, and infrastructure operators often lack the knowledge and skills necessary to deploy tools, processes, and practices that would make the ecosystem more resilient.

Market incentives should be more effectively more effectively aligned. Market incentives do not currently appear to appear to seem to align with the goal of "dramatically reducing threats perpetrated by automated and distributed attacks." Product developers, manufacturers, and vendors are more highly motivated to minimize minimize reduce cost and time to market rather than to build in security or offer efficient security updates. Market incentives must be realigned to promote a better balance between security and convenience when developing products.

Automated, distributed attacks are an ecosystem-wide challenge. No single stakeholder community can address the problem alone.

The recommended actions include activities that should be continued or expanded, in addition to new initiatives. No single investment or activity can mitigate all threats, but organized discussions and stakeholder feedback will allow us to further evaluate allow us to further evaluate let us further evaluate and prioritize prioritize focus on these activities based on their expected return on investment and ability to measurably impact measurably impact measurably affect ecosystem resilience.

There is much work left to do. However, we do not expect all actions to occur simultaneously, due to considerations such as resource constraints in the relevant stakeholder communities. In addition, some actions are already in progress, while others are dependent on are dependent on depend on outside factors. While some actions directly related to the federal government are clearly clearly appropriate for the government to lead, this model provides a way for stakeholders to collaborate with government as they move forward on those actions that are best accomplished are best accomplished are best done through private-sector leadership.

On May 11, 2017, the President issued an executive order calling for "resilience against botnets and other automated, distributed threats." These types of types of attacks have been a concern since the early days of the Internet and were a regular occurrence by the early 2000s. Automated and distributed attacks form a threat that reaches beyond any single company or sector. These threats are used for a variety of malicious activitiesa variety of malicious activitiesmany malicious activities, including distributed denial of service (DDoS) attacks that overwhelm networked resources, sending massive quantities of spam, disseminating disseminating distributing keylogger and other malware; ransomware attacks distributed by botnets that hold systems and data hostage; and computational propaganda campaigns that manipulate and intimidate communities through social media. Traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, are designed to protect against botnets of an anticipated anticipated expected size. With new botnets that capitalize on the sheer number of "Internet of Things" (IoT) devices, DDoS attacks have grown in size to more than one terabit per second, far outstripping expected size and excess capacity. As a result, recovery As a result, recovery Recovery time from these types of types of attacks may be too slow, particularly when mission-critical services are involved.

The DDoS attacks launched from the Mirai botnet in the fall of 2016, for example, reached a level of sustained traffic that overwhelmed many common DDoS mitigation tools and services, and even disrupted a Domain Name System (DNS) service that was a commonly used component component part in many DDoS mitigation strategies.13 This attack also highlighted the growing insecurities in-and threats from- consumer-grade IoT devices. As a new technology, IoT devices are often built and deployed without important security features and practices in place. While the original Mirai variant was relatively simple in that it exploited in that it exploited because it exploited weak device passwords, more sophisticated botnets have followed. For example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices, and one of the largest DDoS attacks seen to date recently exploited a newly discovered vulnerability in the relatively obscure MemCacheD software. These examples clearly clearly demonstrate demonstrate show the risks posed by botnets of this size and scope, as well as the expected innovation and increased scale and complexity of future attacks.

Approach

The Departments of Commerce and Homeland Security worked together on this effort through three approaches that had the that had the with the objective of gathering a broad range of input from experts and stakeholders, including private industry, academia, and civil society.

In July 2017, Commerce's National Institute of Standards and Technology (NIST) hosted a workshop on "Enhancing Resilience of the Internet and Communications Ecosystem." The workshop encouraged stakeholders to explore current and emerging solutions addressing automated, distributed threats in an open and transparent mannerin an open and transparent manneropenly and transparently. It attracted 150 participants from diverse stakeholder communities, who identified a broad range of coordinated actions by all stakeholders to address these threats.

As directed in Executive Order 13800, a draft report was published in January 2018, followed by a second RFC and workshop, at which time stakeholders discussed substantive public comments and next steps. These activities contributed to the information-gathering process for agencies developing the recommendations in this final report. The comments and workshop discussions will also inform many of the of the actions that will take place after this report is published.

While developing its report, the President's National Security Telecommunications Advisory Committee's (NSTAC) studied botnets, as well as forms of attacks that may be facilitated by botnets, such as DDoS attacks and vectors that could be used to create botnets (i.e., end user devices and IoT). Through its study, the NSTAC concluded that automated and distributed attacks performed using botnets threaten the security and resilience of the Internet and communications ecosystem, and in turn, in turn, the nation's critical infrastructure.

Technical Domains

Infrastructure: Current State

In the face of In the face of Faced with automated, distributed attacks, the current infrastructure underlying the digital ecosystem has demonstrated has demonstrated has shown remarkable resilience, but the increasing size and scope of attacks appear to be testing appear to be testing appear to test the limits of that resilience.

Filtering traffic as it enters and exits a network-the technique known as ingress and egress filtering-is one such tool. IP-spoofing is a common technique employed in employed in used in DDoS attacks, where the attacker fabricates the source IP address to prevent the victim from filtering bad traffic by the traffic's origin. Network providers can limit spoofing by restricting incoming traffic to that which is actually from its stated network, filtering out traffic that claims to come from outside its expected network space. Ingress filtering is acknowledged to be a longstanding best practice by the Internet Engineering Task Force (IETF) and other infrastructure-focused organizations. It can be complemented by egress filtering, in which an organization or network operator deploys filters at the edge of its network to prevent traffic that does not appear to appear to seem to originate from inside the network from exiting onto the global Internet.

Major domestic carriers implement the ingress filtering standards in at least some portion portion of their networks. However, these standards are not universally supported worldwide, or by smaller domestic infrastructure providers. Many technical and business experts have objected to proposals to apply ingress filtering higher at the level of international backbones because it would be more likely to block legitimate traffic. Egress filtering is advocated as a common security practice for enterprises but is still uncommon uncommon rare for small and medium-sized enterprises. Although not universally implemented, network ingress/egress filtering, where implemented, is effective at mitigating the class of DDoS attacks that leverage IP-source address spoofing.

Infrastructure providers and other companies offer commercial anti-DDoS services, which can play a key role in limiting the impacts of attacks against specific targets. However, not all enterprise customers purchase purchase buy the full slate of anti-DDoS services due to the expense and the complexity of integrating those services into the other components components parts of the enterprise's network. Meanwhile, attackers quickly learn to exploit holes in existing services. When confronted by attacks that rely on the sheer volume of traffic, off-premise DDoS mitigation solutions either proffer more proffer more offer more network capacity or use the shape of the network itself to limit the volume of traffic that reaches the target.

The current best practices involve employing a employing a using a hybrid approach that uses both local filtering and DDoS defense tools that increase off-premise capacity. However, implementing best practices can be expensive and difficult to manage; they also require skilled staff. These best practices are also typically built around past crises, making it difficult, for example, to argue for a large amount of a large amount of a lot of excess capacity until under attack.

Responding in a timely fashion in a timely fashion promptly requires preparation and knowledge. Given the large set of security controls needed in the modern Internet, not all staff at smaller infrastructure providers or key enterprises are aware of the benefits of filtering and other tools. Many infrastructure providers offer warnings about compromises and ongoing attacks, but if enterprises ignore those warnings, then the infrastructure provider is less likely to follow up with further warnings. Victims often struggle when encountering their first substantial attack without a response plan in place, because they depend on the very very network under attack to understand it and contact service providers for aid.

Vision for the Future of Infrastructure

Infrastructure providers of all types must develop a broad understanding of the benefits of shared defense approaches, and communities should work together to drive best-practice adoption. This work includes ubiquitous adoption of filtering at the interface with customer networks, including multi-tenant infrastructures such as cloud providers. Ideally, infrastructure providers should understand the current levels of attacks, maintain sufficient maintain sufficient maintain enough capacity to absorb realistically expected levels of malicious traffic, and communicate those capabilities to their customers. Infrastructure-provider services for DDoS mitigation should integrate with customers' existing network solutions irrespective of irrespective of despite the level of service a customer has chosen.

As new products and tools become available, players across the ecosystem should understand how their behavior can help (or hinder) their efficacy. An increasingly smart network can segment different types of traffic automatically in order in order to isolate or mitigate applications or devices that are sources and targets of attacks. Enterprises are increasingly able to are increasingly able to can increasingly address application-level attacks with appropriate appropriate tools, and the vendors of these tools should work with both customers and the relevant application vendors to make security decisions easier and more efficient.

Increased implementation of a number of a number of several existing technologies will help mitigate these attacks. At the core of the infrastructure, key players already share information about the evolving nature of threats. Many of these organizations employ experts employ experts use experts who coordinate with their peers around the globe; , in the future, , in the future, however, information sharing must expand to include smaller, less well-funded, or niche players through new automated tools and practices. Incentives could promote investment in better, more efficient detection of malicious traffic, as well as more public commitments to avoid carrying malicious traffic.

Promote global participation through enhanced stakeholder and U.S. government engagement on international policy and standards development.

The global nature of distributed threats was frequently frequently often highlighted during the process executed by Commerce and Homeland Security. Stakeholders highlighted the importance of international standards, policies, and best practices in promoting international participation and collaboration. By continuing to advocate for industry-led approaches and by actively actively participating in development of voluntary, consensus-based international standards, the federal government can contribute to pragmatic and effective outcome-based standards that meet the needs of all stakeholders. The federal government is also uniquely positioned to lead the international engagement required to establish broadly accepted policies and best practices and will enhance coordination with stakeholders on these efforts.