NIST, Gaithersburg, MD
May 30, 2012
Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director
It has been an interesting day and a botnet day, and I know I am joined by a number of folks who were with me this morning as we kicked off this very special day with an industry-led announcement about some broad goals that have been set. It was actually a great event. It was in the beautiful Indian Treaty Room in the Eisenhower Executive Office Building, and we were joined by Howard Schmidt and FCC Chairman Julius Genachowski and Secretary of Homeland Security Janet Napolitano. A lot of industry representation, which was fitting, because it was really an industry-led effort.
So I have just a very brief role today. One is, I get to stand in front of a slide that will mislead you to thinking I'm going to say something technical, but as a physicist this always is kind of fun. My other job is to speak shortly enough that the brief sugar buzz you got from lunch doesn't dissipate before you get to the next two panels because that's actually the heart and soul of this. And finally, to give you a belated welcome and to thank you for joining us today for this workshop.
The topic is clearly important. The topic is clearly timely. It was pointed out several times this morning at the White House event, though, we're not talking about an emerging or new threat. Botnets, in fact, have been with us for a while. In some sense this is a maturing and growing threat. It's timely that we are gathered together to explore this from a technical side.
Why is that the case? Because they pose a special technical challenge—one, simply by their scale, another by their nature. Why are botnets being elevated to this level of discussion today, why is it a botnet day? And it really has to do with the nature of the consequences from this type of malware. Over the past several years, botnets have increasingly put consumers at risk. Infections on computers in a botnet can lead to the monitoring of private information by consumers, critical business information by companies, critical communications, and exploitation of the individual's computing power and Internet infrastructure.
But the threats of a botnet go beyond those that are directly affected, or infected. A network of bots can be used to disseminate spam, store and transfer illegal content, undermine business conditions, attack our information infrastructure with massive distributed denial-of-service attacks.
This reminds me a little bit of the situation in public health. What we're really dealing with is a situation where your hygiene may be great, and you may, in fact, even be vaccinated, but if the entire community around you gets sick, you're going to see tremendous impacts to your own life, your own businesses, your own well being. And that's very much the case here. We can be impacted by botnets even if we're not directly part of them.
These are not a new phenomenon. Their existence continues to increase in scale and complexity, and it continues to increase the price of doing business online. It places our companies at a competitive disadvantage, it threatens individual privacy, and it undermines the confidence of consumers in their online experience. It's for all of these reasons that analysts at Gartner call botnets the "heavy artillery" of cybercrime.
It's also a highly leveraged threat. Cybercriminals are basically using our own computing power and our own infrastructure against us in a collective, coordinated fashion. And it's the fact that this is a coordinated response that leads me to believe that the answer lies in a coordinated response.
We have to work together as a community to address the threat posed by botnets. And recognizing that this issue is larger than any one company, this is larger than any one country, in fact, stresses the importance of coming together like we are today to talk about a common understanding of the problem, to share our experiences and our expertise in this area, and to work together to a common purpose to combat the botnet threat.
Last September, NIST was joined by the National Telecommunications and Information Agency within the Commerce Department and by the Department of Homeland Security, and a Request for Information was issued. These are a technique for seeking public input to a problem—they're called an RFI. And the RFI was issued to focus on the growing concern around botnet security risks. It sought input on a wide variety of issues, including practices to help identify, prevent, notify, and mitigate botnet infections.
And from that RFI, we received many comments—well over two dozen—very thoughtful comments from a very wide range of stakeholders. Interestingly, there was a surprising consensus on how to combat this problem. We brought those stakeholders together, and in that engagement that followed, we have learned that many of the leading companies—companies like Comcast and CenturyLink and Google—have already begun efforts, in fact, not even very recent efforts in some cases, to detect and notify their customers that they are infected and give them the tools to support cleaning up their devices, and doing it in a way that protects the individual privacy of the affected customers.
Microsoft and others have begun to take action, civil action, against botnets in the courts. And around the world, other countries have begun creating codes to alert customers and to encourage appropriate response.
In spite of all these activities that we learned about, however, there was one other striking conclusion, and that was that there was no unified U.S. effort. We felt strongly that we needed to help define and create a U.S. vision if we're going to be successful in addressing the threat from botnets because of the very nature of needing to work across so many different types of organizations and participants. We made it clear that we felt that the effort should be voluntary, that it should be stakeholder-driven, and that it should take advantage of the deep expertise and experience of industry and civil society. If botnets can be made to cause less damage, we're not going to be solving every cybersecurity problem we have, but we can make it much more difficult for criminals to attack our key infrastructure.
And indeed, industry has taken us up on this call to action, with vigor, I might point out. In February, 11 leading trade, security, and safety groups formed the Industry Botnet Group, or IBG. And today, only four months after forming, the IBG is already reaping the fruits of their labors. The principles that they announced today represent the first-ever effort to create an overarching set of principles for companies from all different sectors to align to. It touches on botnet notification, education, remediation, and cyberhygiene. The codes of conduct for different sectors can be customized, based on these principles. And industry groups have also begun a campaign of education aimed at botnets around a tested slogan of "Keep a Clean Machine" that I think we will all be seeing and hearing about more over the next year. And you are going to hear more about the IBG's work in the next panel.
So, I think it's fantastic that this effort was launched today. This is one of the great examples of government and industry working closely and very effectively together. I have to say, though, this is the beginning of a process, not the end. And part of your work today is, of course, to map out some of the technical framework for action that we would need, whether it's in notification or in detection or metrics or measures, terms that are near and dear to the heart of anyone from NIST.
But I also want to tell you that the federal government also is working together and will continue to do so. That's true in the very broad context of all of the federal programs and how they touch the issue of botnet security, whether that's law enforcement, research, early adoption of technologies, or as we're doing today, looking at coordination of a technical agenda.
We will continue to be committed to doing our part and to working with you on addressing botnet security. We see this workshop today as a key part of this discussion, and what I hope we learn today will set the stage for collective action going forward. NIST is committed to working collaboratively with you to develop a common understanding of this difficult problem and to identify best practices on how we manage and mitigate this threat.
This event today will also help us to share information on how to safeguard our information systems today and how to build on the important relationships that serve as the foundation for our collective cybersecurity efforts. And again, I want to thank you for taking the time to join us today and to share your views and your expertise and your knowledge with us.
We are looking forward to the outcome of this report. I am delighted I was able to join you briefly today, and I wish you the best for the remainder of this workshop.
Thank you very much.