Like so many things we encounter in life, bots—software code “robots” designed to perform certain tasks automatically—can be good or bad. Chatbots, like those that guide you through voice-activated payment or troubleshooting processes, are programmed to respond to a finite set of human questions. Nothing useful comes of insulting them or asking repeatedly for a real person to talk to unless you hit on the right combination of words. (I’ve tried.) Googlebots crawl websites in spider fashion to scan for content. (I’ve lost many hours to reading obscure tidbits these selfless research “assistants” uncover.)
Malicious bots, however, are not our friends. They may scrape content from legitimate websites so that phishing websites appear authentic enough to fool people looking for information, for example, updates on Covid-19. (The ratio of fraudulent or spoofed websites to legitimate websites is estimated to be 20 to 1.) Computers that have been “turned” (an old spy term for what occurs when a secret agent is compromised and becomes a double agent, thus working at cross-purposes to his or her original mission) can be gathered into botnets (shorthand for “robot networks”). The combined computing power of a botnet can then be used to launch distributed denial of service (DDoS) attacks, disrupt home and office network communications, or carry out other criminal and malicious activity, and that capacity is sold as a commodity service for as little as $5 per hour.
The increased threat from malicious botnets can be attributed to both economies of scale (if $5 per hour is too salty for one’s taste, more economical monthly subscriptions are available) and the exponential increase in the number of prospective “agents” that can be turned: all those interconnected devices that constitute the Internet of Things (also the Industrial Internet of Things—or even the Internet of Everything). An estimated 34 billion devices are connected to the Internet, almost triple the number estimated in 2015.[i] These devices are used in production facilities to control cyber-physical systems, in our homes (refrigerators, TVs, digital assistants, thermostats), in our cities (surveillance cameras, traffic control systems), and in our cars (self-driving features). Consider the potential consequences of Internet-enabled devices being herded together for compromise, command, and control by adversaries. Deeply disturbing.
Initiatives to take a bite out of bots are addressing the challenge along various dimensions. The Council to Secure the Digital Economy released its 2020 International Botnet and IoT Security Guide in late 2019.[ii] The National Institute of Standards and Technology (NIST) published its Foundational Cybersecurity Activities for IoT Device Manufacturers (NISTIR 8259) in May 2020 after a public comment period. The NIST recommendations define a baseline of cybersecurity capabilities that manufacturers are recommended to adopt. The National Telecommunications and Information Administration (NTIA) has worked with industry partners to draft guidance on adapting the familiar manufacturing practice of using a bill of materials (BOM) to software development. This latter initiative has resulted in development of a healthcare industry proof of concept[iii] and is proceeding to build in security byte by byte (sorry, I could not resist) by making more transparent the black box that software often appears to be. The NTIA’s progress report released 30 July 2020[iv] mentions 50 different initiatives that are underway through public-private partnerships aimed at taking a bite out of bots.
[i] https://www.businessinsider.com/bi-intelligence-34-billion-connected-devices-2020-2015-11
[ii] https://securingdigitaleconomy.org/wp-content/uploads/2019/11/CSDE_Botnet-Report_2020_FINAL.pdf
[iii] https://www.ntia.doc.gov/files/ntia/publications/healthcare_sbom_proof_of_concept_-_update_2020-04-15.pdf
[iv] https://www.ntia.doc.gov/blog/2020/progress-report-fight-against-botnet-attacks