National Telecommunications and Information Administration, Report on Responses to NTIA's Request for Comments on Promoting Stakeholder Action Against Botnets and Other Automated Threats , September 18, 2017. Unclassified.
National Security Archive
A 2017 NTIA report captures the clash of voluntary standards versus regulatory push in the U.S. response to botnets after Mirai’s wake‑up call.
Source: National Telecommunications and Information Administration, Report on Responses to NTIA's Request for Comments on Promoting Stakeholder Action Against Botnets and Other Automated Threats , September 18, 2017. Unclassified. Date: Sep 18, 2017 Archive: National Telecommunications and Information Administration Collection: Cyber Vault: Costs of a NYC Blackout Oct 18, 2017
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Botnet‑Era Call‑to‑Action
The September 2017 NT Telecommunications and Information Administration (NTIA) report is less a policy paper than a snapshot of a pivotal moment in U.S. cyber‑security governance. It follows President Donald Trump’s Executive Order 13800, issued on May 11, 2017, which framed botnets and other automated attacks as a national‑security threat on par with traditional espionage. The order tasked the Department of Commerce and the Department of Homeland Security with shepherding an “open and transparent” process to marshal private‑sector expertise. NTIA’s Request for Comments (RFC) on June 13, 2017 was the first concrete step of that process, inviting anyone with a stake in the Internet ecosystem—ISPs, device manufacturers, security firms, civil‑society groups, and academics—to weigh in on how to curb the proliferation of bot‑controlled devices.
The report, dated September 18, 2017, aggregates the 47 submissions NTIA received. It does not decide policy; rather, it distills the converging and diverging views that would shape the inter‑agency draft due to the President in January 2018 and the final version due in May 2018. The timing is crucial: the year 2017 saw the Mirai botnet’s spectacular DDoS attacks on Dyn, which crippled major web services, and a cascade of IoT‑related compromises that exposed how vulnerable consumer devices had become. Those incidents turned the abstract risk of “automated, distributed threats” into a tangible, headline‑making crisis, prompting both industry and government to confront the problem head‑on.
Who Spoke, and What Their Voices Reveal
The comment list reads like a cross‑section of the modern Internet supply chain. Large trade associations—representing telecom carriers, equipment manufacturers, and software vendors—argued for voluntary, consensus‑based standards such as the NIST Cybersecurity Framework, warning that heavy‑handed regulation could stifle innovation and impose disproportionate costs on smaller players. Security firms, meanwhile, pushed for stronger market incentives, including certification schemes that would help consumers identify “secure‑by‑design” devices. Academic contributors highlighted the need for a “secure development life cycle” and called attention to the research gap in measuring IoT risk.
A striking pattern emerges: almost every commenter acknowledges that botnet mitigation cannot be solved by any single actor. The language of “shared responsibility” and “ecosystem‑wide solutions” recurs throughout, reflecting a consensus that the Internet’s layered architecture demands coordinated action across hardware, software, network, and user domains. Yet the report also records a palpable tension between two camps. One camp—predominantly industry groups—advocates minimal government intrusion, preferring self‑regulation and market‑driven certification. The other camp—including several consumer‑advocacy NGOs and a handful of smaller manufacturers—argues that the market alone lacks sufficient incentives to embed security, and that targeted policy interventions (e.g., procurement standards for federal agencies, liability rules) are necessary to shift the cost‑benefit calculus.
What the Report Tells Us Beyond the Words
Because the NTIA deliberately framed the RFC as “open and transparent,” the very act of publishing the aggregated themes is a political signal: the administration wanted to demonstrate that it was listening before imposing any top‑down mandates. The emphasis on “international standards” and “global cooperation” hints at an awareness that unilateral U.S. rules would be ineffective against a threat that traverses borders with ease. Moreover, the repeated call for “certifications and standards” suggests that the government was already envisioning a quasi‑regulatory scaffolding—perhaps a voluntary labeling program—rather than a strict regulatory regime.
The report’s silence on specific enforcement mechanisms is itself informative. By not endorsing mandatory security baselines, NTIA left the door open for future legislative action should voluntary measures prove insufficient. In other words, the document functions as a policy “soft‑launch,” gathering data, gauging industry reaction, and setting the stage for a possible escalation toward more prescriptive rules.
Legacy and Why It Still Matters
The NTIA’s 2017 botnet RFC and the ensuing comment synthesis foreshadowed the next wave of U.S. cyber‑policy, including the 2020 National Security Agency‑backed “IoT Cybersecurity Improvement Act” and the 2022 FCC “Internet of Things Security Order.” Those later measures echo the same themes: voluntary standards first, followed by mandatory security provisions when the market fails to self‑correct. The 2017 report also contributed to NIST’s ongoing revisions of the Cybersecurity Framework, embedding IoT‑specific guidance that remains a reference point for both private firms and federal agencies.
In today’s climate—where ransomware‑driven botnets now target critical infrastructure and where billions of cheap smart devices continue to flood the market—the questions raised in the 2017 comments are still unanswered. The report reminds policymakers that any effective solution must balance innovation with security, leverage international cooperation, and, crucially, align market incentives with the public good. Its legacy endures as a benchmark for how the U.S. government can engage a fragmented industry in a collective defense against automated cyber threats.
September 18, 2017
Report on Responses to NTIA’s Request for Comments on Promoting Stakeholder Action Against Botnets and Other Automated Threats
This document reports on the themes found in the responses to NTIA’s “Request for Comments on Promoting Stakeholder Action Against Botnets and Other Automated Threats.” It is not a comprehensive discussion of all comments, nor does it reflect a government decision. The full text of all comments is available at https://www.ntia.doc.gov/federal-register-notice/2017/comments-promoting-stakeholder-action-against-botnets-and-other.
Background
On May 11, 2017, the President issued Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” calling for “resilience against botnets and other automated, distributed threats.”¹ The Department of Commerce, along with the Department of Homeland Security (DHS), was directed to “lead an open and transparent process to identify and promote action by appropriate stakeholders” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
As part of that process, on June 13, 2017, the National Telecommunications and Information Administration (NTIA) issued a Request for Comments (RFC) on “Promoting Stakeholder Action Against Botnets and Other Automated Threats.” The RFC asked for feedback on “current, emerging, and potential approaches for dealing with botnets and other distributed, automated attacks.” NTIA expressed a particular interest in two broad approaches where substantial progress can be made: (1) mitigating ongoing attacks; and (2) securing vulnerable Internet of Things (IoT) devices that can be used in attacks.
The RFC is one part of an interagency effort to capture expert and stakeholder input. In parallel with the RFC, the National Institute of Standards and Technology (NIST) hosted a workshop on “Enhancing Resilience of the Internet and Communications Ecosystem” on July 11, 2017, to explore current and emerging solutions, which resulted in a workshop proceedings document. DHS’ participation in this effort has been focused through the President’s National Security Telecommunications Advisory Committee’s (NSTAC) Internet and Communications Resilience (ICR) subcommittee, which is developing a report based on expert testimony. In the meantime, NTIA and NIST continue to welcome additional comments related to the process. These activities will contribute to the draft of a report to the President, which is due to be released for public comment on January 5, 2018. A final report is due on May 11, 2018.
Overview
In response to the RFC, NTIA received 47 comments. The commenters ranged from large trade associations to individual technical experts associated with a diverse range of industries and sectors, including Internet service providers, security firms, infrastructure providers, software manufacturers,
¹ Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Exec. Order 13800, 82 FR 22391 (May 11, 2017).
September 18, 2017
civil society, and academia. Comments ranged from attempts to help NTIA better understand the ecosystem and threat landscape, to sharing how recent innovations can help address these issues. Many offered specific policy suggestions and proposals.
Several broad themes emerged across the comments. While the risks from distributed, automated attacks take many forms, there was a general appreciation that addressing these risks is a shared responsibility, calling for ecosystem-wide solutions. No solution can address the overall threat. Moreover, while attacks have evolved to threaten key aspects of the digital ecosystem, the distributed, automated threat is closely linked to other cybersecurity threats across the ecosystem. These attacks are global, by their nature, and require international cooperation to work toward solutions. International standards and best practices will be necessary to achieve an effective global approach, rather than country-specific standards and regulations that could impose unnecessary costs and slow innovation.
Stakeholders resoundingly endorsed voluntary, consensus-based industry- and community-led processes, including NIST’s Cybersecurity Framework and NTIA’s multistakeholder processes. There were many strong voices against government playing too large a regulatory role. However, a notable number of commenters viewed the lack of existing security and market incentives as requiring more active policy interventions.
Notable Issues Identified in the Comments
Commenters raised several technology policy issues. A topic repeatedly cited was the importance of securing devices across the Internet of Things. Some asked: How can we overcome the challenges of the complexity and diversity of the ecosystem, as well as the lack of incentives and an uncertain role for consumers, to increase the security of devices we connect to the network? Many commenters noted that work has been done on this issue in the past and it should not be overlooked; existing approaches and known best practices can play a key role, if we can identify and overcome barriers to enhance their impact. Other stakeholders emphasized the importance of certifications and standards making it easier to build, deploy, and acquire more secure technology.
More generally, stakeholders recognized that the IoT marketplace is not yet fully mature, especially with respect to security. More tools and better, more widely adopted practices are needed. Numerous companies and consortia are innovating and collaborating to develop new technologies and foster their deployment across the ecosystem, but some are less knowledgeable regarding cybersecurity best practices, and others struggle with slim profit margins that may not easily accommodate security features. While some called for more active government intervention, one popular theme was the role of transparent security practices through independent testing and evaluation. Having a trusted third party to certify goods as being secure or compliant to standards could drive the marketplace by helping consumers make good decisions. Other commenters noted, however, that these types of programs are often difficult to implement successfully due to the constant evolution of the threat environment. Following a “secure development life cycle” can lead to more secure and higher quality systems, but this practice must also be something that can be communicated to the broader ecosystem. Finally, a software “bill of materials” process, similar to an inventory list of ingredients for third-party software components, if implemented from the ground up in a voluntary fashion, could help developers better understand the software code that goes into their products, and help purchasers understand exactly what is in the products they are buying.
September 18, 2017
Networks and information and communication infrastructure can play a key role in promoting a positive outcome. Existing solutions, ranging from network management tools to consumer notification practices, have been deployed in various forms, but these can be studied for effectiveness as new ones are developed. Some stakeholders urged an expansion of these existing practices, reminding NTIA that infrastructure covers a wide range of interested parties including, for example, the anti-abuse community, a community that has worked together against botnets, malware, spam, viruses, denial-of-service attacks and other online exploitation. Indeed, many industry players already work together to understand the threat and identify new solutions in industry organizations and consortia. A few examples include the Internet Engineering Task Force (IETF), North American Network Operators Group (NANOG), and Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), in addition to many other ongoing efforts. Stakeholders cited existing programs around botnets, including consumer notice, but very few were overly optimistic about the existing model scaling for the IoT threat.
Stakeholders emphasized the importance of information sharing and collaboration between infrastructure providers, defensive security services that protect against DDoS attacks, and the victims of these attacks. Information sharing can play a key role, stakeholders commented, as long as we are careful not to “punish” victims of attacks, and focus on how to align resources for defense and mitigation. Government can make it easier to share information, although there was no clear consensus on whether the government should act as a centralized hub to collect and share information.
Stakeholders were also optimistic about the opportunities to address botnets at the layer between an Internet service provider’s (ISP’s) network and a device, at the gateway or local area network. At this level, a network management service has a clear view of what is on the local network, and can help detect and prevent anomalous or malicious behavior. This solution can offer greater flexibility and granularity. Stakeholders discussed existing and emerging solutions, including the draft Manufacturer Usage Description (MUD) standard created at the IETF,² and other products on the market.
One clear area where stakeholders called for an active government role was the disruption of the networks that helped drive many of these distributed automated attacks. Law enforcement plays a critical role in the “take downs” of these networks, using its powers to disrupt, through legal and other means, the key resources on which these networks depend. Some emphasized more recent successes and effective collaboration with the private sector, while others expressed a need for the process to be faster and more efficient. Such attacks typically are global in nature, adding legal complexity and requiring cooperation across jurisdictions to identify and prosecute malicious actors.
Next Steps
As discussed above, the RFC comments, the NIST workshop proceedings, and the NSTAC report will contribute to the development of the report to the President required by Executive Order 13800. A draft of the report is scheduled to be released for public comment on January 5, 2018. After the conclusion of a 30-day comment period, a workshop will be held to discuss the plan of action and the final report. The comments and workshop will inform the final report, which is due to the White House on May 11, 2018.
² The Manufacturer Usage Description Specification draft dated August 9, 2017, is available on the IETF’s website at https://tools.ietf.org/html/draft-ietf-opsawg-mud-08.
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
Keywords
Sources & References
- [1]National Telecommunications and Information Administration, Report on Responses to NTIA's Request for Comments on Promoting Stakeholder Action Against Botnets and Other Automated Threats , September 18, 2017. Unclassified.
- [2]https://www.ntia.doc.gov/federal-register-notice/2017/comments-promoting-stakeholder-action-against-botnets-and-other
- [3]https://tools.ietf.org/html/draft-ietf-opsawg-mud-08