The 38 page report is "facing the threat of botnets and other automated distributed attacks, improving the ability to fight against the Internet and communication ecosystem". The report was born with an administrative order signed by Trump last May. Previous attempts have been half done, and after the report is finalized, it will be submitted to Trump for approval with a number of other documents.
On the whole, the report is very good: it is simple and straightforward, and it clearly defines the network security problems faced by the US government, industry and consumers. As the topic reveals, it focuses on botnets. It has neither concealed the problem nor exaggerated some network security threats or despised other threats. In a word, it is the kind of policy document that has been drafted. In spite of some disturbing noise and ignorant remarks in the civil service, the government has drafted such a professional document. It was a blessing.
The report has only one prominent problem: it does not reflect the internal struggle of the US government, and the competition between government agencies is in competition for Internet Security and Internet of things affairs.
In addition, the report also documents that the common problem: many real suggestions are a bit like "talk ambiguously, determine a clear path for the development of an adaptive, persistent and safe technology market", or "innovation", "alliance", what should be the important "target".
The report on the relevant industry uphold not to interfere with the traditional style of the Internet and decision-making power in fact lies in the hands of the private sector, the U.S. Department of Commerce and the Department of homeland security can effectively show very little action. But the report really clarified the problem and clarified the best way to solve the problem.
The report acknowledges that even when consumers buy equipment at a merchant and connect them to a home wireless network , they cannot , and shouldn ' t be expected to be responsible for the network security of these devices . This may be the most useful report .
The report provides an accurate location for the Internet of things, which is called the "desktop computer in the 90s of last century", with a poor security.
The report reads:
"Internet of things equipment often lacks special features that focus on security. These systems are now the most attractive target for lawless attacks, and (Internet of things) equipment is larger and bigger in the ecosystem. "
The report also says:
In fact, consumers are not directly influenced by devices being attacked. They may never know that their devices become part of botnets. From the consumer's point of view, the webcam is still playing video, the refrigerator is still cooling (everything is normal).
"For this reason, once the device is used by the Botnet, it is unrealistic to be responsible for the real owner of the device. There is no obvious effect on infection (zombie procedure). Therefore, it is difficult to encourage consumers to take action to enhance security measures, such as upgrading equipment that can be upgraded. "
Lei Feng found that these views on networking professionals is not news, rare is a US government report clearly describes the problem, point to the point.
The report points out that for ensuring the safety of Internet of things, software and hardware security system upgrading and similar practices are very effective, but the problem is that few companies and individuals actually do so. Considering this, the report is similar to those of many people over the years. It also considers that it is necessary for equipment to bring safety precautions, such as automatic safety system upgrading.
The report holds that:
"The ideal way is to promote equipment that should be built in the security system to the consumer. Consumer products should be designed based on safety perspective as much as possible, and should be included in the mechanism of automatic update of security system. There should be little requirement for users to manage products.
Draw up a benchmark
The US government will not impose any rules on the industry. Therefore, the report thinks that the government may cooperate with enterprises to work out a set of "universally accepted baseline safety configuration" for household appliances and industrial application of IOT devices. The report also proposes that the US government should take the role of its important buyers to adopt the baseline safety configuration for the US government's environmental Internet of things, so as to speed up the popularization of the security configuration process. It sounds like a move above, expansion in the safety of the domain name system (DNSSEC) and IPv6 of this kind of technology can play a certain role.
Perhaps the most popular proposal for the public is to sponsor a promotional campaign for IOT security to raise consumer awareness of safety in this area. The report says:
"The federal government should carry out a campaign to raise public awareness, support public awareness and use household appliances networking security configuration, and use related brand products."
In subsequent contents, the report also recommends that the government increase investment in related research and development, and "support for scientific research progress, including basic technologies for prevention and mitigation of distributed denial of service attacks (DDoS) and prevention of botnets."
Speaking of IPv6, the report is a bit worried about the widespread adoption of new protocols that may have a negative impact on this network security.
IPv6 will give each device an IP address, so it may allow millions of new devices to be vulnerable to attack and hacker intrusion. From this point of view, using IPv4 and network address translation (NAT) may create a safer environment, because these two ways are based on single IP address arranging device.
The report does not advocate a boycott of the use of IPv6. In fact, the report also favours an incentive to Internet service providers in order to promote applications faster. But the report does recommend that we investigate the impact of IPv6's extensive application and see the extent to which it can change the economic significance of network attack and defense.
Fear and hope coexist
One advantage of applying IPv6 is that consumers will be more likely to find which devices are being attacked. But the report refers to the Mirai - based botnet of the Internet of things. It is particularly effective for the Internet of things that attack IPv6 support, because it attacks devices that have their own IP addresses (usually webcam). On the contrary, "NAT tool can act as an accidental (attack) firewall, to avoid direct contact with those devices that are transmitted by malicious devices, and then be infected by malware in a wide range.
The report even explored the extended domain name space:
"Theoretically, the address space of IPv6 is quite large, and the existing tools cannot be scanned, but experts have noticed some patterns, which can be found by new scanning technology.
So, what solution should be used? The report believes that the focus of research should be put on "deepening the innovation of the network frontier".
There are a lot of views, suggestions and ideas in the report. Most of the expressions use the word "should", which, to a certain extent, reduces the sense of urgency to take action, but there is a suggestion that does not use "should". It is proposed to ensure the next generation of engineers to receive network security training. Network security is no doubt a crucial skill at the moment.
The report says:
"Academic institutions cooperate with the national network security education program in the United States. They should establish the basic requirement of all engineering disciplines.
The report was released last weekend. There are many good proposals, and the above is just the tip of the iceberg. From now until February 12th of this year, a little more than a month is the public comment period of the report. Any views can be sent to the address: Counter_Botnet@list.commerce.gov). If you have a deep feeling about anything that is mentioned in the report, it's a good time to let the American government know it.