[Federal Register Volume 82, Number 112 (Tuesday, June 13, 2017)]
[Notices]
[Pages 27042-27044]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-12192]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Telecommunications and Information Administration

[Docket No. 170602536-7536-01]
RIN 0660-XC035


Promoting Stakeholder Action Against Botnets and Other Automated 
Threats

AGENCY: National Telecommunications and Information Administration, 
U.S. Department of Commerce.

ACTION: Notice, request for public comment.

-----------------------------------------------------------------------

SUMMARY: The National Telecommunications and Information Administration 
(NTIA), on behalf of the Department of Commerce (Department), is 
requesting comment on actions that can be taken to address automated 
and distributed threats to the digital ecosystem as part of the 
activity directed by the President in Executive Order 13800, 
``Strengthening the Cybersecurity of Federal Networks and Critical 
Infrastructure.'' Through this Request for Comments (RFC), NTIA seeks 
broad input from all interested stakeholders--including private 
industry, academia, civil society, and other security experts--on ways 
to improve industry's ability to reduce threats perpetuated by 
automated distributed attacks, such as botnets, and what role, if any, 
the U.S. Government should play in this area.

DATES: Comments are due on or before 5 p.m. Eastern Time on July 13, 
2017.

ADDRESSES: Written comments may be submitted by email to 
[email protected]. Written comments also may be submitted 
by mail to the National Telecommunications and Information 
Administration, U.S. Department of Commerce, 1401 Constitution Avenue 
NW., Room 4725, Attn: Evelyn L. Remaley, Deputy Associate 
Administrator, Washington, DC 20230. For more detailed instructions 
about submitting comments, see the ``Instructions for Commenters'' 
section of SUPPLEMENTARY INFORMATION.

FOR FURTHER INFORMATION CONTACT: Megan Doscher, tel.: (202) 482-2503, 
email: [email protected], or Allan Friedman, tel.: (202) 482-4281, 
email: [email protected], National Telecommunications and 
Information Administration, U.S. Department of Commerce, 1401 
Constitution Avenue NW., Room 4725, Washington, DC 20230. Please direct 
media inquiries to NTIA's Office of Public Affairs, (202) 482-7002, or 
at [email protected].

SUPPLEMENTARY INFORMATION: 
    Background: The open and distributed nature of the digital 
ecosystem has led to unprecedented growth and innovation in the digital 
economy. However, it has been accompanied by risks that threaten to 
undermine that very ecosystem. These risks take many forms online, with 
different combinations of threats, vulnerabilities, and affected 
parties from those in the physical world. The President has directed 
the Departments of Commerce and Homeland Security to jointly lead an 
open and transparent process to identify and promote action by 
appropriate stakeholders to improve the resilience of the Internet and 
communications ecosystem and to encourage collaboration with the goal 
of dramatically reducing threats perpetrated by automated and 
distributed attacks.\1\ This RFC focuses on automated, distributed 
attacks that affect large sets of victims, and that put the broader 
network and its users at risk. These types of attacks have been a 
concern since the early days of the Internet,\2\ and were a regular 
occurrence by the early 2000s.\3\ Automated and distributed attacks, 
particularly botnets due to their ability to facilitate high-impact 
disruption, form a threat that is bigger than any one company or 
sector. Botnets are used for a variety of malicious activities, but 
distributed denial of service (DDoS) attacks, which can overwhelm other 
networked resources, are a critical threat and developing collaborative 
solutions to prevent and mitigate these attacks is a priority. As new 
scenarios emerge, including those exploiting a new generation of 
connected devices (so called ``Internet of Things'' (IoT) devices), 
there is an urgent need for coordination and collaboration across a 
diverse set of ecosystem stakeholders.
---------------------------------------------------------------------------

    \1\ Strengthening the Cybersecurity of Federal Networks and 
Critical Infrastructure, Exec. Order 13800, 82 FR 22391 (May 11, 
2017).
    \2\ See generally United States v. Morris, 928 F.2d 504 (2d Cir. 
1991) (discussing one of the first known computer worms to spread 
across the Internet).
    \3\ See Nicholas C. Weaver, Warhol Worms: The Potential for Very 
Fast Internet Plagues, Int'l Computer Science Inst. (Aug. 15, 2001), 
http://www1.icsi.berkeley.edu/~nweaver/papers/warhol/warhol.html.
---------------------------------------------------------------------------

    As part of this effort, the Department will also host a public 
workshop at the National Institute of Standards and Technology's 
National Cybersecurity Center of Excellence on July 11-12, 2017, 
entitled, ``Enhancing Resilience of the Communications Ecosystem.'' 
Outputs from this workshop will also help to guide implementation 
activities related to the President's Executive Order. More information 
about the workshop will be available on the NIST Web site at: 
www.nist.gov.
    The Federal government has worked with stakeholders in the past to 
address new threats as they arise. Previous efforts include the White 
House-led Industry Botnet Group \4\ (which led to an Anti-Botnet Code 
of Conduct \5\), the Communications Security, Reliability and 
Interoperability Council's (CSRIC) reports on ISP Network Protection 
Practices \6\ and Remediation of Server-Based DDoS Attacks,\7\ as well 
as the active and ongoing work by the Department of Justice and its 
many partners on attacking and ``sink-holing'' the infrastructure 
supporting these threats.\8\ These initiatives, and others like them, 
underscore the need for active collaboration between the public and 
private sectors.
---------------------------------------------------------------------------

    \4\ U.S. Dep't of Commerce, White House Announces Public-Private 
Partnership Initiatives to Combat Botnets (May 30, 2012), http://2010-2014.commerce.gov/news/press-releases/2012/05/30/white-house-announces-public-private-partnership-initiatives-combat-b.html.
    \5\ Working Group 7--Botnet Remediation, Communications 
Security, Reliability and Interoperability Council III, Final 
Report, U.S. Anti-Bot Code of Conduct (ABC) for Internet Services 
Providers (ISPs), Barrier and Metric Considerations (Mar. 2013), 
https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC_III_WG7_Report_March_%202013.pdf.
    \6\ Working Group 8, Communications Security, Reliability and 
Interoperability Council I, Final Report, Internet Service Provider 
(ISP) Network Protection Practices (Dec. 2010), http://transition.fcc.gov/pshs/docs/csric/CSRIC_WG8_FINAL_REPORT_ISP_NETWORK_PROTECTION_20101213.pdf.
    \7\ Working Group 5, Communications Security, Reliability and 
Interoperability Council IV Working Group 5, Final Report, 
Remediation of Server-Based DDoS Attacks (Sept. 2014), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG5_Remediation_of_Server-Based_DDoS_Attacks_Report_Final_(pdf)_V11.pdf.
    \8\ See, e.g., U.S. Dep't of Justice, Avalanche Network 
Dismantled in International Cyber Operation (Dec. 5, 2016), https://www.justice.gov/opa/pr/avalanche-network-dismantled-international-cyber-operation.
---------------------------------------------------------------------------

    The Department has played an important role in facilitating 
engagement around cybersecurity between public policy interests and the 
innovative force of the private sector. The Department was tasked to 
work with industry to develop a framework

[[Page 27043]]

for use by U.S. critical infrastructure to improve cybersecurity 
practices,\9\ leading to NIST's Cybersecurity Framework.\10\ Other 
initiatives include Green Papers developed by the Department built on 
industry input on cybersecurity \11\ and IoT.\12\ NTIA has also 
convened multistakeholder processes to identify consensus-based 
voluntary solutions on security vulnerability disclosure \13\ and IoT 
security patching and upgradability.\14\
---------------------------------------------------------------------------

    \9\ Improving Critical Infrastructure Cybersecurity, Exec. Order 
13636, 78 FR 11737 (Feb. 12, 2013).
    \10\ National Institute of Standards and Technology, Framework 
for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), 
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.
    \11\ Internet Policy Task Force, U.S. Dep't of Commerce, 
Cybersecurity, Innovation and the Internet Economy (June 2011), 
https://www.nist.gov/sites/default/files/documents/itl/Cybersecurity_Green-Paper_FinalVersion.pdf.
    \12\ Internet Policy Task Force & Digital Economy Leadership 
Team, U.S. Dep't of Commerce, Fostering the Advancement of the 
Internet of Things (Jan. 2017), https://www.ntia.doc.gov/files/ntia/publications/iot_green_paper_01122017.pdf.
    \13\ NTIA, Multistakeholder Process: Cybersecurity 
Vulnerabilities, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-cybersecurity-vulnerabilities (last visited 
May 17, 2017).
    \14\ NTIA, Multistakeholder Process: Internet of Things (IoT) 
Security Upgradability and Patching, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security (last visited 
May 17, 2017).
---------------------------------------------------------------------------

    The private sector is also playing a key role in tackling botnets. 
Internet service providers in the United States and around the world 
have been experimenting with how to notify customers that their devices 
may be involved in an attack. Standards bodies have offered guidance on 
how to mitigate some styles of attacks.\15\ Technology providers are 
innovating around tools to protect resources from DDoS attacks. 
Application and software manufacturers are working to eliminate 
exploitable vulnerabilities. This community has worked hard to address 
the threats over the last decade.
---------------------------------------------------------------------------

    \15\ See, e.g., P. Ferguson & D. Senie, Network Ingress 
Filtering: Defeating Denial of Service Attacks Which Employ IP 
Source Address Spoofing, Internet Engineering Task Force (May 2010), 
https://www.ietf.org/rfc/rfc2827.txt.
---------------------------------------------------------------------------

    The cybersecurity challenge is particularly vexing because it 
involves adaptive adversaries. Existing tools, institutions, and 
initiatives are critical, but we must acknowledge that the threat 
continues to evolve, and more progress is needed, at an accelerated 
rate, to address the current landscape. The DDoS attacks launched from 
the Mirai botnet in the fall of 2016, for example, reached a level of 
sustained traffic that overwhelmed many common DDoS mitigation tools 
and services, and even targeted a Domain Name System (DNS) service that 
was a commonly used component in many DDoS mitigation strategies.\16\ 
This attack also highlighted the growing insecurities in--and threats 
from--consumer-grade IoT devices. As a new technology, IoT devices are 
often built and deployed without important security features and 
practices in place.\17\ The issue is not the particular botnet, or the 
particular target, but the risks posed by botnets of this size and 
scope, and the expected innovation and increased scale and 
sophistication of future attacks. Meanwhile, old threats continue to 
evolve. The WannaCry ransomware that threatened to destroy the data of 
thousands of individuals and organizations, including hospitals, did 
not initially involve a botnet. It was spread by a worm-like mechanism 
similar to attacks of 15 years ago. However, criminals were later 
observed using the Mirai botnet to attack a key defense against the 
WannaCry ransomware.\18\
---------------------------------------------------------------------------

    \16\ U.S. Computer Emergency Readiness Team, Alert (TA16-288A): 
Heightened DDoS Threat Posed by Mirai and Other Botnets, https://www.us-cert.gov/ncas/alerts/TA16-288A (last revised Nov. 30, 2016).
    \17\ National Security Telecommunications Advisory Committee, 
Report to the President on the Internet of Things (Nov. 19, 2014), 
https://www.dhs.gov/sites/default/files/publications/NSTAC%20Report%20to%20the%20President%20on%20the%20Internet%20of%20Things%20Nov%202014%20%28updat%20%20%20.pdf.
    \18\ See Andy Greenberg, Hackers are Trying to Reignite Wannacry 
with Nonstop Botnet Attacks, Wired (May 19, 2017), https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack/.
---------------------------------------------------------------------------

    It is difficult to predict what the next significant attack vector 
will be, but that should not preclude taking steps to mitigate the 
potential impact of those that are known. Left unchecked, without 
meaningful progress, these new classes of automated and distributed 
attacks could be a serious risk to the entire ecosystem. Since poorly 
considered action would likely create significant unnecessary costs and 
unintended consequences, substantial, carefully considered action must 
be considered, and it is most likely to be effective and efficient if 
built on engagement from all stakeholders across the ecosystem.

Request for Comments

    The goal of this RFC is to solicit informed suggestions and 
feedback on current, emerging, and potential approaches for dealing 
with botnets and other automated, distributed threats and their impact. 
The Department is interested in comments that address all aspects of 
this issue, but particularly those that address two broad approaches 
where substantial progress can be made:
     Attack Mitigation: Minimizing the impact of botnet 
behavior by rapidly identifying and disrupting malicious behaviors, 
including the potential of filtering or coordinated network management, 
empowering market actors to better protect potential targets, and 
reducing known and emerging risks.
      Endpoint Prevention: Securing endpoints, especially IoT 
devices, and reducing vulnerabilities, including fostering prompt 
adoption of secure development practices, developing practical plans to 
rapidly deal with newly discovered vulnerabilities, and supporting 
adoption of new technology to better control and safeguard devices at 
the local network level.
    Respondents are invited to respond to some or all of the questions 
below:
    1. What works: What approaches (e.g., laws, policies, standards, 
practices, technologies) work well for dealing with automated and 
distributed threats today? What mechanisms for cooperation with other 
organizations, either before or during an event, are already occurring?
    2. Gaps: What are the gaps in the existing approaches to dealing 
with automated and distributed threats? What no longer works? What are 
the impediments to closing those gaps? What are the obstacles to 
collaboration across the ecosystems?
    3. Addressing the problem: What laws, policies, standards, 
practices, technologies, and other investments will have a tangible 
impact on reducing risks and harms of botnets? What tangible steps to 
reduce risks and harms of botnets can be taken in the near term? What 
emerging or long term approaches may be promising with more attention, 
research, and investment? What are the public policy implications of 
the various approaches? How might these be managed, balanced, or 
minimized?
    4. Governance and collaboration: What stakeholders should be 
involved in developing and executing policies, standards, practices, 
and technologies? What roles should they play? How can stakeholders 
collaborate across roles and sectors, and what should this 
collaboration look like, in practical terms?
    5. Policy and the role of government: What specific roles should 
the Federal government play? What incentives or other public policies 
can drive change?
    6. International: How does the inherently global nature of the 
Internet and the digital supply chain affect how we should approach 
this problem? How can solutions explicitly address the international 
aspects of this issue?
    7. Users: What can be done to educate and empower users and 
decision-

[[Page 27044]]

makers, including enterprises and end consumers?
    Instructions for Commenters: NTIA invites comment on the full range 
of issues that may be presented by this inquiry, including issues that 
are not specifically raised in the above questions. Commenters are 
encouraged to address any or all of the above questions. Comments that 
contain references to studies, research, and other empirical data that 
are not widely published should include copies of the referenced 
materials with the submitted comments.
    Comments submitted by email should be machine-readable and should 
not be copy-protected. Comments submitted by mail may be in hard copy 
(paper) or electronic (on CD-ROM or disk). Responders should include 
the name of the person or organization filing the comment, as well as a 
page number on each page of their submissions. All comments received 
are a part of the public record and will generally be posted on the 
NTIA Web site, https://www.ntia.doc.gov, without change. All personal 
identifying information (for example, name, address) voluntarily 
submitted by the commenter may be publicly accessible. Do not submit 
confidential business information or otherwise sensitive or protected 
information. NTIA will accept anonymous comments.

    Dated: June 8, 2017.
Leonard Bechtel,
Chief Financial Officer and Director of Administration, Performing the 
Non-Exclusive Duties of the Assistant Secretary for Communications and 
Information, National Telecommunications and Information 
Administration.
[FR Doc. 2017-12192 Filed 6-12-17; 8:45 am]
 BILLING CODE 3510-60-P