& cplSiteName &

Market Incentives Stacked Against Network Security – US Government Report

Mitch Wagner

Businesses need better marketplace incentives to build secure networks, as the marketplace now rewards low cost and performance over security, according to a draft US government cybersecurity report.

"Market incentives motivate product developers, manufacturers and vendors to minimize cost and time to market, rather than to build in security or offer efficient security updates," according to the draft report from the US departments of Commerce and Homeland Security, released Friday. "There has to be a better balance between security and convenience when developing products.

The 38-page report, entitled "A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and other Automated, Distributed Threats," was released for public comment Friday by the US departments of Commerce and Homeland Security. It's a reaction to a May 11 executive order by President Donald Trump calling for increased "resilience against botnets and other automated, distributed threats."

The report is comprehensive, identifying problems, making a series of recommendations, and covering service providers, enterprises and consumers. It identifies the Internet of Things as a particularly troublesome vector for attacks, which can fortunately be secured using existing security tools and best practices. (See IoT Security Raises Concerns for US Senators.)

Commerce Department  (Photo by AgnosticPreachersKid (Own work) [CC BY-SA 3.0], via Wikimedia Commons)
Commerce Department
(Photo by AgnosticPreachersKid (Own work) [CC BY-SA 3.0], via Wikimedia Commons)

Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.

The report singles out the May 2016 Mirai botnet attacks as a particular example of the need for better industry-wide security practices: "The DDoS attacks launched from the Mirai botnet in the fall of 2016, for example, reached a level of sustained traffic that overwhelmed many common DDoS mitigation tools and services, and even disrupted a Domain Name System (DNS) service that was a commonly used component in many DDoS mitigation strategies. The attack also highlighted the growing insecurities in -- and threats from -- consumer-grade IoT devices. As a new technology, IoT devices are often built and deployed without important security features and practices in place."

The report identifies six "themes:"

  1. "Automated distributed attacks are a global problem."
  2. "Effective tools exist, but are not widely used."
  3. "Products should be secured during all stages of the lifecycle."
  4. "Education and awareness is needed."
  5. "Market incentives are misaligned."
  6. "Automated, distributed attacks are an ecosystem-wide challenge."

On the issue of market incentives: Enterprises are not taking advantage of "the full slate of anti-DDoS services, due to the expense and the complexity of integrating those services into the other components of the enterprise's network," the report states. Best practices "are at times expensive, difficult to manage, and require stilled staff; they are also typically built around past crises, making it difficult to argue for a large amount of excess capacity, for example, until under attack."

As for IoT: "Unfortunately, the state of IoT devices is much like that of desktop computing in the 1990s." Vendors frequently cut corners on security, making IoT devices appealing targets for attackers. The November 2016 Ericsson Mobility Report predicts IoT devices will surpass mobile hones as the largest category of connected devices this year, the federal report notes, adding, "Given the level of security on these device, that is a daunting proposition."

Legacy servers, desktops, laptops and mobile phones are no longer supported by manufacturers, increasing security vulnerabilities, the report says. And the prevalence of pirated software, which is not supported by the original manufacturer, exacerbates the problems.

What to do about it? The report recommends aligning market incentives with increased security, establishing baseline security best practices, having the federal government lead by example in its own procurement by mandating security standards, wider adoption of software development tools and practices to reduce the incidence of security vulnerabilities, and more.

What next? Following a comment period, the Department of Commerce will hold a two-day workshop to discuss future directions, on February 28 and March 1, according to a Commerce Department statement. The final report is due to the President May 11. People can comment by email through February 12 at CounterBotnet@list.commerce.gov.

The draft report comes as security researchers warn about vulnerabilities, dubbed "Spectre" and "Meltdown," that affect an estimated billions of processors, including chips from Intel, AMD and ARM, built into PCs and mobile devices since 1995. (See 'Spectre' & 'Meltdown' – What Cloud Users Need to Know.)

Related posts:

— Mitch Wagner Follow me on Twitter Visit my LinkedIn profile Visit my blog Follow me on Facebook Editor, Enterprise Cloud News

(4)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Educational Resources
sponsor supplied content
Educational Resources Archive
More Blogs from Wagner’s Ring
IBM and Cisco are working with Europe's largest port to reduce fuel consumption and other costs and improve safety.
In which we receive an alarming email from Oracle.
SD-WAN is about more than saving money – it also provides application delivery, insights and reliability. Find out more in this podcast sponsored by Citrix.
Platform is designed to enable enterprises to build big data analytics apps that move easily between public and private clouds.
Buying Evident.io extends Palo Alto's portfolio with API-based security capabilities and compliance automation.
Featured Video
From The Founder
John Chambers is still as passionate about business and innovation as he ever was at Cisco, finds Steve Saunders.
Flash Poll
Upcoming Live Events
September 12, 2018, Los Angeles, CA
September 24-26, 2018, Westin Westminster, Denver
October 9, 2018, The Westin Times Square, New York
October 23, 2018, Georgia World Congress Centre, Atlanta, GA
November 6, 2018, London, United Kingdom
November 7-8, 2018, London, United Kingdom
November 8, 2018, The Montcalm by Marble Arch, London
November 15, 2018, The Westin Times Square, New York
December 4-6, 2018, Lisbon, Portugal
All Upcoming Live Events
Hot Topics
Adtran Will Be a 5G Winner, Says Analyst
Iain Morris, News Editor, 7/19/2018
Telecom Jargonosaurus Part 1: Repeat Offenders
Iain Morris, News Editor, 7/13/2018
Get Off My Wireline Lawn!
Carol Wilson, Editor-at-large, 7/17/2018
Trump Trashes EU's $5B Google Fine
Dan Jones, Mobile Editor, 7/19/2018
Eurobites: EU Socks Google With $5B Monster-Fine for Android Control-Freakery
Paul Rainford, Assistant Editor, Europe, 7/18/2018
Upcoming Webinars
Webinar Archive
Animals with Phones
Casual Tuesday Takes On New Meaning Click Here
When you forget your pants.
Latest Comment
Live Digital Audio

A CSP's digital transformation involves so much more than technology. Crucial – and often most challenging – is the cultural transformation that goes along with it. As Sigma's Chief Technology Officer, Catherine Michel has extensive experience with technology as she leads the company's entire product portfolio and strategy. But she's also no stranger to merging technology and culture, having taken a company — Tribold — from inception to acquisition (by Sigma in 2013), and she continues to advise service providers on how to drive their own transformations. This impressive female leader and vocal advocate for other women in the industry will join Women in Comms for a live radio show to discuss all things digital transformation, including the cultural transformation that goes along with it.

Like Us on Facebook
Twitter Feed