In war against botnets, manufacturers need to step up, report says

Zombie computer armies are too easy for attackers to assemble, the tools to mitigate them are too seldom employed, and the market hasn't given companies much reason to try harder, the federal government says.

The problem of botnets — the legions of computers used to carry out distributed denial-of-service attacks — is exacerbated by the fact that developers do not have the cost incentives to build more security into their products, according to a new report from the departments of Commerce and Homeland Security.

“Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates,” states the report mandated by a White House executive order last year. “Market incentives must be realigned to promote a better balance between security and convenience when developing products.”

The report says the government should give companies some help by prioritizing research and development funding for botnet-thwarting products, and it suggests the private sector should expedite its own work on those technologies. The R&D — in techniques like data analytics, machine learning, and artificial intelligence — is “urgently needed to get ahead of malicious actors,” the report states.

The zombie computer armies are too easy for attackers to assemble and tools to mitigate them aren’t widely deployed, the report states, adding that IT products like routers that might be hijacked in a botnet attack need to be secured throughout their life cycle.


Botnets have long been a cheap way for hackers and spammers to cause havoc on the internet, and nation-state-backed groups also have shown a willingness to employ them. The proliferation of Internet of Things (IoT) devices has only made the tactic easier. The FBI last week seized a domain used to communicate with 500,000 infected routers, blaming the botnet on a Russian-government-linked hacking group known as Fancy Bear.

The new report does not touch on the differences between botnets originating from nation-states and other sources, but stresses that the distinction is important for “determining how to best apply a broad range of threat-specific U.S. government authorities.”

Another challenge facing U.S. efforts to crack down on botnets is the fact that many big attacks have targeted devices outside the country, the report notes. International cybersecurity standards could help disrupt botnet attacks and “expand the market for products that contribute to the resilience of the ecosystem,” the document states, urging “U.S. representation and leadership” at relevant international forums.

Jeanette Manfra, a senior DHS official, last week called for Washington to show global leadership on cybersecurity issues, dismissing the notion that the elimination of the White House cyber coordinator position would undercut that effort.

The Cybersecurity Coalition, an industry group, praised the botnet report’s recommendations, with Executive Director Ari Schwartz saying the coalition looked forward to “partnering with DHS, Commerce and the White House on the needed public-private partnership for [the report’s] implementation.”


The botnet problem is also one of education and awareness: Home users are often oblivious to the fact that their devices are part of a malicious computer army. To rectify that, private companies should develop a common way of labeling IoT products with security information that users can understand, the report recommends.

Andy Ellis, chief security officer of Akamai, told CyberScoop that home and small-office users are key players in the botnet challenge, “but our ability to give them meaningful and actionable guidance has been limited to date.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
