When White House officials were drafting the cybersecurity executive order that President Donald Trump signed last May, they faced a problem: Making the internet more secure against massive botnet attacks while taking coordinated action between a bewildering variety of stakeholders from a dozen different industries.
Action was essential: The threat from huge automated attacks — like the one that brought the stopped internet traffic it its tracks in October 2016 — was growing exponentially as the “Internet of Things” connected billions of insecure devices to the larger global network. But forcing industry to act through regulation was off the table in an administration committed to cutting red tape.
Instead, officials approached a small agency within the Commerce Department, the National Telecommunications and Information Administration, which was acquiring a reputation for addressing complex cybersecurity problems using a new model of policymaking.
NTIA’s multi-stakeholder process “was generating a lot of interest” early last year, said Evelyn Remaley from the agency’s Office of Policy Analysis and Development.
“As the White House was building the executive order, they talked to NTIA about ‘Is this open and transparent model that you’re using to bring industry and others together to do policymaking; is it also something that we can look at for other areas in the cybersecurity space?’” Remaley recalled.
In the end, the section dedicated to botnets called for something very-much like a multi-stakeholder process — and NTIA was assigned as the lead for the Commerce Department in convening it.
Earlier this month, the agency published the first draft report developed in that process, which called botnet resilience an “ecosystem-wide” issue and urged action on several fronts, including “globally accepted security standards and practices,” for personal computers, IoT equipment and other “edge devices.”
“These standards should be flexible, appropriately timed, open, voluntary, industry-driven and global in nature,” the report adds, mimicking the NTIA’s multi-stakeholder process it had produced in the past.
The White House’s interest in the new policy tool was sparked by NTIA’s work during the Obama administration on software vulnerability disclosure, Remaley explained. The process brings industry associations, advocacy groups and subject matter experts together “in a non-regulatory way,” she said.
“There’s no title of ‘chief glue maker,’ but in some cases that’s really the role that we did play,” Remaley said of the NTIA’s role as multi-stakeholder process convener. “It’s a very useful way to develop policy when you find that there are parties that need to come to a consensus where you have very divergent viewpoints.”
This process considered by many cyber-watchers to be a useful alternative to conventional regulations, which are too slow, static and compliance-based to be useful in computer network security — where hacker adversaries are constantly innovating and evolving.
Remaley said it wasn’t just the NTIA’s role in developing the policy model that positioned it to lead the botnet resilience process. She said that the relationships the agency had built in prior rounds of multi-stakeholder policy-making were also a factor.
“It was one of the reasons why … NTIA was also a main player [in the botnet policy development process set in motion by the EO] because of our relationships in building these processes with industry and civil society,” she said.
Those relationships will be tested in the coming months as the rubber meets the road in the public consultation process on anti-botnet resilience and the myriad of players involved — from device manufacturers, software publishers and consumer internet service providers to major communications backbone companies — maneuver to reconcile potentially conflicting interests.
One issue that’s likely to cause some friction, according to panelists at a recent U.S. Telecom event, is the issue of smaller businesses, which may lack the ability to implement best practices.
“We have a lot of smaller members,” said Robert Mayer, U.S. Telecom’s senior vice president for cybersecurity, “many of whom simply don’t have the resources” they would need to implement complex technical solutions.
“There need to be different expectations for smaller players versus the larger ones,” agreed Chris Boyer, assistant vice president of global public policy at AT&T and chairman of the National Security Telecommunications Advisory Committee.
Remaley said NTIA was committed to involving what she called “the small players” in the process. “It’s taken a little extra push but we’re committed to bringing them to the table,” she said.
But her response also raises questions about how much of an improvement in internet resilience might emerge from the process.
“Because we’re looking to build some consensus around best practices, sometimes they won’t be very deep,” she acknowledged. “We try to do it at that level where both big and small [organizations] can [implement] it right away.”
Boyer, who led the drafting of a National Security Telecommunications Advisory Committee report on the botnet issue that fed into the NTIA multi-stakeholder process, was similarly modest about the policy objectives.
“A lot of the steps that we put in that report I would say are more incremental things. They’re not game-changers,” he said. “A lot of them are things that we know should be done, they’re existing standards and we’re looking at ways we can raise the bar and get them more widely adopted and used.”