A May 2018 report issued by the U.S. Department of Commerce (DoC) and the U.S. Department of Homeland Security (DHS) offers guidance on how to dramatically reduce the threat posed by automated and distributed attacks, commonly referred to as "botnets."
The report responds to the May 11, 2017, Executive Order, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." That order called for "resilience against botnets and other automated, distributed threats," directing the Secretary of Commerce, together with the Secretary of Homeland Security, to "lead an open and transparent process to identify and promote action by appropriate stakeholders."
The Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem against Botnets and Other Automated, Distributed Threats outlines five goals for Internet resiliency, as well as suggested actions that public- and private-sector stakeholders, including standards developing organizations (SDOs), can take.
Most significantly for the standardization community, the report is broadly supportive of globally relevant voluntary consensus standardization, and makes multiple references to private-sector-led standards and conformity assessment solutions.
For example, in a section focused on the edge device technical domain, the report states, "advances must be global, since the majority of Internet devices are located outside the United States. This global action will require globally accepted security standards and practices to be robust, widely understood, and applied ubiquitously. Those standards should be flexible, appropriately timed, open, voluntary, and industry driven."
And later, the report states, "In the international realm, the U.S. government robustly advocates for industry-led approaches and voluntary, consensus-based standards. As the NSTAC report stated, solutions depend on both standards and innovation at the network and Internet infrastructure layer. While a variety of relevant standards, frameworks, and best practices exist, they are not fully leveraged worldwide."
"Governments can constructively influence the development of more secure products by steps such as supporting open, voluntary, industry-driven standards, and by conducting their own technology and device procurement decisions in a way that creates market incentives for more secure products."
The report also makes reference to conformance measures that would help battle botnets, including a recommendation for the private sector to establish "voluntary labeling schemes for industrial internet of things (IoT) applications, supported by a scalable and cost-effective assessment process, to offer sufficient assurance for critical infrastructure applications of IoT." The report goes on to suggest a similar private-sector-led labeling effort for consumer IoT devices so security-conscious buyers can make informed choices.