The Obama Administration today announced new initiatives to combat botnets -- a collection of computers whose security is compromised by attackers -- which are believed to pose one of the biggest risks to Internet security. The initiatives are the result of a voluntary public-private partnership between the White House Cybersecurity Office and the U.S. Departments of Commerce and Homeland Security (DHS), who coordinate with private industry to lead the Industry Botnet Group (IBG), a group of nine trade associations and nonprofit organizations representing thousands of companies across information, communications, and financial services industries.
"The issue of botnets is larger than any one industry or country. This is why partnership is so important," said White House Cybersecurity Coordinator Howard Schmidt. "The principles the IBG are announcing today draw on expertise from the widest range of players, with leadership coming from the across the private sector, and partnering with the government on items like education, consumer privacy and key safeguards in law enforcement."
Commerce and DHS, along with policy support from the White House, have led coordination of government efforts aimed to prevent and identify botnet infection and remediate its effects on personal computers. The IBG was formed in response to a September 2011 request for information issued from Commerce and DHS to learn more about existing efforts and new areas to explore combating botnets.
"Cybersecurity is a shared responsibility -- the responsibility of government, our private sector partners, and every computer user," said Secretary of Homeland Security Janet Napolitano. "DHS has set out on a path to build a cyber system that supports secure and resilient infrastructure, encourages innovation, and protects openness, privacy and civil liberties."
"Botnets continue to increase the price of doing business online and place our companies at a competitive disadvantage, while threatening our individual privacy," said Under Secretary of Commerce for Standards and Technology Patrick Gallagher. "Today's efforts are only the beginning of the actions we can take, but working together through this public-private partnership we can start to combat these challenges."
"No one entity can combat these security challenges alone," said Liesyl Franz, vice president for cybersecurity policy at TechAmerica, speaking on behalf of the IBG. "Individually we can take measures to defend ourselves, and together we can do even more to protect the ecosystem."
The Industry Botnet Group and government partners announced the following new or expanded initiatives to combat botnets:
The IBG launched today a list of principles for voluntary efforts to reduce the impact of botnets in cyberspace, including coordination across sectors, respect for privacy, and sharing lessons learned. IBG has also developed a framework for shared responsibility across the botnet mitigation lifecycle from prevention to recovery that reflects the need for ongoing education efforts, innovative technologies, and a feedback loop throughout all phases. Both are available at http://industrybotnetgroup.org.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), which cooperates closely with DHS and the Treasury Department, will announce today its work on a pilot to share information about botnet attacks this year. The effort will lead to standards that can be more widely used for information sharing on botnets outside of the financial services sector.
Several IBG members are launching "Keep a Clean Machine" campaign today -- an education campaign for consumers supported by DHS, the Federal Trade Commission (FTC), the National Cybersecurity Alliance and several companies.
The FBI and Secret Service have recently stepped up private sector information sharing, and their coordinated efforts have shut down massive criminal botnets such as Coreflood, which compromised millions of private computers and lead to the theft of millions of dollars.
White House Cybersecurity Coordinator Howard Schmidt hosted an event at the White House today to announce the initiatives, along with Federal Communications Commission Chairman Julius Genachowski, Department of Homeland Security Secretary Janet Napolitano, Under Secretary of Commerce for Standards and Technology Patrick Gallagher, and select industry CEOs.
Also today, Commerce's National Institute of Standards and Technology (NIST) is holding a workshop to highlight technical work in this area, including standards and metrics. The Internet Engineering Task Force and Messaging Anti-Abuse Working Group, independent standards organizations, have a growing number of standards related to fighting botnets. NIST has promoted related international standards and metrics in the Organization of Economic Cooperation and Development, and the Asia-Pacific Economic Cooperation. NIST will also highlight new research projects and technologies to combat botnets and speed remediation at today's workshop.
The initiatives announced today are intended to support voluntary, private sector-led efforts, allowing industry to respond nimbly to dynamic cyber threats. They do not prescribe any particular means or method and allow for flexibility in application by a wide range of participants and business models. The IBG is using a proven model that the Financial Services Information Sharing and Analysis Center (FS- ISAC) and Banking Infrastructure and Technology Services (BITS) are using. Additionally, the IBG's efforts are complementary to the Federal Communication Commission's "Code of Conduct' on collaborative recommendations for the ISPs.
Industry estimates suggest that one in 10 computers in the U.S. is currently infected by a botnet. Botnets are formed from groups of computers that have been compromised by malicious software and then used as bases to execute criminal or espionage action on behalf of remote operators. Such malware can make consumers' private and financial information available to hackers, slow down and harm consumers' computers, and turn consumers into unwitting disseminators of spam emails. Botnets also harm the economy because they can lead to increased cost of doing business and place affected companies at a competitive disadvantage.
To learn more about the Industry Botnet Group, visit http://industrybotnetgroup.org/. To learn more about the Obama Administration's efforts to combat botnets and enhance cybersecurity, visit http://www.whitehouse.gov/administration/eop/nsc/cybersecurity.