Security researchers earlier this month identified a botnet threat called Reaper that recalled last year’s internet-crippling Mirai infection. This type of security attack is pernicious because it scans the web for thousands of vulnerable devices on the “internet of things,” which can be commandeered like zombies to spread mischief online. In the extreme, these attacks can knock important internet functions offline and possibly even compromise connected critical infrastructure.
There is no question that botnet attacks are a menace that must be confronted. But there is real disagreement over the best policy course forward.
Some argue that traditional top-down regulation is the solution. Computer security expert Bruce Schneier, for example, argues that security problems in networked devices are the result of a market failure that only government can solve. According to this argument, device manufacturers simply lack the incentive to contribute to the commons of good security. Therefore, some kind of command-and-control federal agency should be given power to inspect devices, mandate security features, and even prohibit and punish errant manufacturers — like a Food and Drug Administration for the digital age.
Of course, this approach would bring real costs. Consumers may find themselves paying higher prices for devices, as manufacturers deal with the added burdens of bureaucratic compliance and uncertainty. Some new products and services may be stymied altogether, if a zealous regulator determines that they simply are not needed. Furthermore, this approach would be far from bulletproof. As a static mechanism, traditional regulation will only be as good as the knowledge of those doing the regulating. And regulators are far from omniscient. Top-down regulation imposes costs without encouraging active participation from market players, and many of the same security issues will persist.
In this way, the top-down approach to cybersecurity misses a great opportunity to foster resiliency in a bottom-up fashion. What we really need is a solution that accounts for the complexity and dynamism of the cyber-threat landscape. For a great example of this bottom-up approach, we can look to the federal government’s time-tested framework for managing unpredictable threats: natural disasters.
The National Research Council defines disaster resilience as “the ability to prepare and plan for, absorb, recover from or more successfully adapt to actual or potential adverse events.” Resilience is an approach that captures the complexity of the problem across the ecosystem. Thus it is distinct from top-down approaches used for disaster response in the past.
Before the creation of the Federal Emergency Management Agency in 1978, the federal approach to disaster response was ad hoc, informal, and largely coordinated by the military and the Pentagon. With authority centralized under one agency, FEMA emphasized post-disaster response and preparedness — making regions disaster-resistant through pre-disaster methods such as strengthening infrastructure. However, this required policymakers to make flawed predictions about what structures to reinforce and which areas to protect.
It was only around the turn of the 21st century that the focus on resilience emerged. The resilience approach moved beyond short-term response for specific incidents to longer-term engagement with a variety of public and private efforts. It recognized that the only sustainable way to confront large-scale disturbances is to empower stakeholders at multiple levels to remain persistent in the face of disaster. A bottom-up resilience approach is critical to repelling future threats from the Reaper botnet and other pervasive malware.
In practice, resilience continues to be a feature of both Presidential Policy Directive PPD-8, which addresses disaster preparedness, and of the Department of Homeland Security’s National Infrastructure Protection Plan. Resilience has also made its way into President Donald Trump’s executive order on cybersecurity, which is an effort to promote coordinated action from stakeholders against botnets and other automated, distributed threats in the internet-of-things ecosystem.
Achieving resiliency will require a flexible policy environment that allows the development of different solutions, ranging from certification programs and information-sharing efforts to cyber-insurance adoption and the promulgation of industry best practices. In order to address distributed threats, policymakers must foster distributed efforts from internet service providers, cybersecurity service providers, consumers, device manufacturers, law enforcement, and policymakers.
Rather than pursuing top-down, targeted legislation that focuses on remediation or resistance, policymakers would do well to heed the lessons from the history of disaster management.