Presidential Commission Sounds Warning Over Botnet Threat



President Barack Obama speaks with Commerce Secretary Penny Pritzker, former IBM CEO Sam Palmisano, former national security adviser Tom Donilon, and Homeland Security Secretary Jeh Johnson in the Oval Office on Feb. 17.


Photo: Associated Press

The next U.S. administration should take immediate steps to prevent and, when possible, eliminate computer attacks like one that recently crippled some of the key systems that run the internet, a presidential commission recommended on Friday.

The report by the Commission on Enhancing National Cybersecurity, which included wide-ranging suggestions on a host of security problems, drew particular attention to the threat posed by the “Internet of Things.” That is the name for an array of internet-connected devices—including household appliances, toys, and the computers that regulate electrical grids—which hackers can commandeer into online armies known as botnets.

An attack in October by a still unknown group used a massive botnet composed of baby monitors, webcams, and other common devices to overwhelm internet infrastructure, leading to widespread outages and congestion.

The commissioners—a bipartisan group of 12 computer security experts, technology company executives, and former U.S. national security officials—recommended that the Commerce Department lead an effort with businesses to reduce the threat from botnets. Among their recommendations was ensuring that the devices cannot be hooked up to the internet without resetting their default passwords, which are often easy for hackers to guess.

But the commissioners also emphasized that there is little the next administration can do on its own to make cyberspace dramatically more secure.

“We need to recognize that neither the government nor the private sector can capably protect systems and networks without extensive and close cooperation,” the report stated.

The commissioners also called on government agencies and technology companies to assume greater responsibility for internet security and lift the burden off individual computer users, who are told to routinely change their passwords and practice good “cyber hygiene” but are often the victims of attacks by sophisticated actors, including state intelligence agencies, that target companies that hold personal information or provide internet service.

“We should be taking the cybersecurity problem as far away from end users as possible and focus on the higher end,” said Steven Chabinsky, a commission member who previously served as a top official in the Federal Bureau of Investigation’s cyber division.

To that end, the commissioners embraced a concept of labeling products that meet strong cybersecurity standards, not unlike the decades-old practice of labeling electrical appliances and equipment that are safe to use in the home.

“We don’t have anything like that in the world of cybersecurity,” said Thomas Donilon, the commission chair and President Barack Obama’s former national security adviser.

Mr. Donilon said that some ideas, like a joint effort by government and businesses to dismantle botnets, could be acted upon immediately by the Trump administration. The commissioners are eager to brief members of the Trump transition team as soon as possible, he added.

Other suggestions, like moving away from the use of single passwords, will take longer to implement.

“Some of them are aspirational,” Mr. Donilon said of the commission’s recommendations. “But some of this can be done right away.”