Remarks of Diane Rinaldo
Acting Assistant Secretary of Commerce for Communications and Information
Council to Secure the Digital Economy (CSDE) Forum
November 21, 2019
-- As Prepared for Delivery --
Thank you, Jonathan. It’s a pleasure to be here. I also want to thank Robert Mayer, USTelecom staff, and all of the members of CSDE for making today possible.
It’s been about two and a half years since the President issued his Executive Order on strengthening cybersecurity for federal networks and critical infrastructure. In response, the Department of Commerce and DHS partnered on a report that described how we could better strengthen our resilience against botnets and similar threats.
Our report listed a number of actions we could take to reduce the threat of botnets. Some of these were already underway, and others we knew would take some time to implement.
Beyond specific actions, however, we concluded that botnets were a global problem, and a challenge for the entire Internet ecosystem.
Industry alone, or government alone, can’t solve these continually evolving security challenges. But working together, we can make progress. The model we proposed allows for private-sector stakeholders to lead the way. Where appropriate, government would play a coordinating and collaborative role.
As we know now, it didn’t take long for the private sector to step up and demonstrate that leadership. Shortly after the draft Botnet Report was released, you launched the CSDE.
This group has been a true partner in the fight against botnets. You saw a need, and came together to meet the challenge. It’s exactly the kind of voluntary action and cooperation that we work toward in our efforts at NTIA.
Parallel Efforts: Fighting Botnets
Since the launch of CSDE, we have been operating on very similar tracks. A year ago, Commerce released the Botnet Road Map, which set out tasks and timelines that would lead us toward a more secure Internet. We appreciated your input on this effort.
On the same day, CSDE released its International Anti-Botnet Guide, and we were pleased to participate in your development of this effort. These voluntary practices to mitigate botnets offered a path to increased collaboration by all stakeholders. I was especially encouraged by the core principles of security advanced by the Guide: that security is a shared responsibility that relies on teamwork and demands flexible solutions.
We are setting a strong example of what we can accomplish through a strong partnership between the government and the private sector. All of our security goals, from promoting innovation to increasing education and adoption of best practices, work best within a strong public-private cybersecurity partnership.
Today, we are celebrating the release of the 2020 Anti-Botnet Guide. This important update includes new analysis about how the botnet threat is evolving. You report that botnets are becoming more effective, more damaging, and harder to detect. You also observe that botnets are increasingly targeting cryptocurrencies, and enabling retail fraud and piracy via social media. While bad actors are still out there, the efforts we’re discussing today show a united front in doubling down on efforts to combat these threats.
The guide’s update also brings in work from the C2 Consensus Baseline that was released in September. We were very excited to see the results of this project, which brought together dozens of experts to develop best-practice security capabilities for IoT devices and was an important input into NIST’s Core Cybersecurity Feature Baseline for Securable IoT Devices.
This initiative will make it easier for IoT manufacturers to understand the security needed by the marketplace. By identifying what worked for security – not just what was easy – you showed that industry leadership can forge a path for making the ecosystem more sustainable in the long term.
Update on Cyber Initiatives
In the coming weeks, we expect to issue our own update to the Botnet Road Map. We are pleased to have a lot of progress to share, with more than half of the tasks either in progress or completed, and many others poised to begin in the near future.
I want to highlight a few areas where we’ve seen progress and an evolving landscape.
First, I want to congratulate everyone who is participating in NTIA’s multistakeholder process on software transparency. NTIA’s Allan Friedman has been leading an effort to create guidance around the use of a “Software Bill of Materials,” which is like a list of ingredients for software components.
For those of you who aren’t familiar, a Software Bill of Materials is built around the basic idea that we should know as much about the components that make up the software in our critical infrastructure as we do about the food in a grocery store. That sounds easy. In practice, it has involved bringing together experts in software from every corner of the supply chain, from open source to commercial software vendors, to the enterprise customers in any industry you can imagine.
Stakeholders have recently approved a series of documents related to SBOM, as it’s known. These documents are helping to define concepts, summarize the benefits of SBOM, and identify existing standards to make this process more automated.
We’re particularly impressed with the proof-of-concept in the health care industry, bringing together medical device manufacturers and their hospital customers to demonstrate that SBOM production and use is possible and beneficial to all involved.
The stakeholders just met on Monday to discuss plans for their next phase of work, transitioning from the potential of SBOM to making it a reality. Stakeholders agreed to focus on increasing awareness and adoption, developing tools for SBOM production and consumption, and tackling technical obstacles to SBOM use.
As you can appreciate, adoption is particularly important, because the benefits of a Software Bill of Materials increase as more organizations produce and use that data. We also anticipate helping other organizations and sectors run their own proof-of-concept experiments, and share those lessons back with the community.
When it comes to securing infrastructure, our strategies need to evolve as our networks evolve. With 5G rolling out across the country, many devices will soon be connected solely via this next generation of connectivity.
As you know, the President released an executive order on securing the information and communications technology supply chain in May of this year. This Executive Order charges the Secretary of Commerce with developing rules to prohibit transactions that present undue risk to our ICT supply chain. You will be hearing from the Secretary soon on those rules.
In the meantime, we acknowledge the important step the Federal Communications Commission has taken in its draft report and order to prevent federal universal service funds from being used to place untrusted components into our national telecommunications infrastructure. We’ve seen a strong commitment from many stakeholders to put security first as we build out 5G.
We are also working closely with our global partners on promoting the Prague Principles for national approaches for securing 5G networks for the future, looking at ways to increase resiliency while promoting innovation in the 5G marketplace.
The common thread in all of the efforts we’re discussing today is that we need each other.
We’re stronger when we work together. We’re stronger when everyone brings their expertise to the table and says, “How can I help?” We’re stronger when we harness innovation instead of hindering it.
As long as we continue to take risks and create new technologies, problems like botnets will always exist. That’s the nature of progress. But we can take action to increase our resilience, mitigate any damage, and dramatically reduce the threat that these attacks pose.
I’m energized by how far we’ve come, and enthusiastic about how much more we can get done. Let’s keep working together.