R Street comments to the NTIA on botnets
We thank NTIA for the opportunity to submit further comments concerning the best approaches to ensure resilience against botnets. The severity of device vulnerabilities within the ecosystem of internet-enabled devices is exacerbated by inconsistent cyber-hygiene practices and a lack of adoption of cybersecurity standards among internet-of-things devices. Malicious actors can take advantage of these widespread vulnerabilities by mobilizing networks of infected computers into botnets. These distributed networks of hijacked machines perform automated tasks – such as spreading spam or malware, generating fraudulent clicks or denial-of-service attacks that flood a website to render it inaccessible. While there are serious policy questions that arise from the threat of botnet-enabled cyberattacks, it is also important to recognize that distributed computing is an agnostic technological application that can have many positive use cases. Additionally, cybersecurity in the internet of things and beyond is a complex global problem. It is important to avoid heavy-handed regulatory solutions that may appear to be a panacea but would, in reality, undermine beneficial uses, take away incentives for innovation or offer prescriptive design mandates. Instead, policymakers should focus on a multifaceted approach that would better align market incentives to promote cyber hygiene and encourage both manufacturers and customers to adopt cybersecurity best practices.
The Department’s green paper sets the appropriate tone by framing NTIA’s role as one of support and encouragement for emerging technology in the internet ecosystem. What follows is an outline of the role of the federal government and Department of Commerce [“Department”] in particular, in advancing a light-touch regulatory approach to the internet of things and related issues, such as botnets. With this focus in mind, the sections that follow define the challenges posed by the botnets and automated threats, identify solutions to widespread device insecurity and outline the role of the federal government.