Coordinating Voluntary Efforts to Fight Botnets

Over the past several years, a new threat has emerged on the Internet, increasingly putting consumers at risk. Some industry experts suggest that as many as 1 in 10 computers in the U.S. are part of what is called a botnet.

Botnets are groups of computers that have been secretly taken over by software that allows someone other than their authorized users to access and control them. The linked computers can be used as a platform to infect other computers, and more.

A botnet infection can let someone monitor your personal information and communications, and exploit your computing power and Internet access. However, these threats go beyond the infected computers. Botnets can also be used to store and transfer illegal content, and to attack our information infrastructure with massive distributed denial-of-service attacks. Symantec has estimated that 80 percent of all spam comes from botnets.

Botnets are not a new phenomenon, and their existence continues to increase the price of doing business online and place our companies at a competitive disadvantage, all while threatening our individual privacy. It’s for these reasons that analysts at Gartner call botnets “the heavy artillery of cybercrime.”

To address the problem, last September NIST and our colleagues within the Department of Commerce, in cooperation with the Department of Homeland Security, released a Request for Information, or RFI, to focus on the growing concern around this security risk. The RFI sought input on a wide range of areas, including practices to help identify, prevent, and mitigate botnet infections and to notify computer owners when they’ve been infected. We received more than two dozen comments from a wide range of stakeholders with surprisingly similar views on combating this problem.

Through this process and the engagement that followed, we learned that many leading companies, including Comcast, CenturyLink and Google, had begun efforts to detect infections and notify their customers that they are infected without invading the individual’s privacy. Microsoft and others had begun to take action against botnets in the courts. Around the world, other countries had begun creating codes to help alert consumers to encourage these efforts. Yet despite this progress, there was no unified U.S. effort.

It was clear we needed to define and create a comprehensive U.S. vision if we were going to succeed in reducing the threat from botnets. It was also clear to all those involved that the effort should be voluntary and stakeholder-driven, taking advantage of the expertise and experience of industry and civil society. Reducing the damage botnets cause will not solve all of our cybersecurity problems, but it will make it more difficult for criminals to attack key systems.

And indeed, the industry has taken up this call to action. In February, eleven leading trade, security and safety groups introduced the Industry Botnet Group (IBG). Today, four months later, we are already seeing the fruits of these and related efforts.

Based on the voluntary efforts of these groups and companies, there are several new efforts that we, having seen industry really take up the reins on this, are particularly enthusiastic about, including:

  • Principles: This week the IBG released a set of principles for Internet companies to follow in fighting botnets. This is the first set of principles that covers the entire Internet ecosystem as opposed to only Internet Service Providers. We are already starting to see more companies notifying consumers that they have been infected as a result.
  • Education Campaign: Industry groups are organizing new education resources and a "keep a clean machine" campaign. The Department of Homeland Security and the Federal Trade Commission plan to incorporate these messages into their efforts in the coming months.
  • Information Sharing: The Financial Services Information Sharing and Analysis Center announced a new pilot to share info on botnets with other companies by year's end. This effort is expected to lead to standards other industries can use to share information about botnets.
  • Metrics, Standards and Technologies: This week the National Institute of Standards and Technology (NIST) held a day-long workshop to discuss and coordinate new metrics and new technologies in fighting bots. This work could lead to a better ability to monitor and prevent botnets.

These voluntary efforts obviously will not solve all problems related to botnets. However, tied to government law enforcement efforts, government information sharing efforts and international efforts, we have now built a great partnership for moving forward.

Comments

This site is very informative and I will post it where I can.

I keep trying to get help; my computers are being controlled by someone else. In Dec I bought all new Apple products even though my other stuff was not out of date. I moved into a new home and was hacked several times, had them fixed, started online business; they stopped me from sending emails out!! Then stopped me from using them at all when I found the remote desktop connection that said I would never see the Internet again. Also said a light would light up when I attempted to hook to Internet; so far this is true and they're right there. They have cost me thousands of dollars. Hacked me at libraries, homes of friends and families, broke into my home, stole all personal ID papers, also have fingerprints from computer which gives them admin rights over me every time. They have blocked all communicating with IC3 and other organizations; local police deny any help. This is 8 yrs.

Sammy, it sounds like you have a problem your local FBI office should be able to assist you with. Because computers are often hacked from other states or even countries, assistance falls into federal (and maybe even Interpol) jurisdiction. I'm sure you're frustrated. You also need an IT pro to inspect your network, Macs, and PCs. Getting rid of Windows was useless if you kept the same router, or didn't secure the new one with proper WPA2 encryption. Hang in there, & good luck.

I feel the frustration and am running into the same problems.
