On December 1, 2016, the Commission on Enhancing National Cybersecurity released its “Report on Securing and Growing the Digital Economy” which lays out recommendations to the President “for securing and growing the digital economy by strengthening cybersecurity in the public and private sectors”.

At CyberGreen, our nonprofit community of experts is committed to providing validated and aggregated risk condition data and metrics-based measurement to operators and policymakers, free of charge. Specifically, CyberGreen analyzes and evaluates the risks posed to the internet by open recursive servers that have the potential to become infrastructure to launch DDoS attacks.

In light of this, the CyberGreen community is pleased that the Commission’s report specifically highlights the danger of DDoS attacks, particularly the role of IoT devices, which came to the forefront of cybersecurity news following the largest recorded DDoS attack in September 2016. Citing the 2015 OPM data breach, the authors have addressed the need for more preparation, rather than reliance on reaction. The community at CyberGreen supports this stance, noting that proper planning and prevention ahead of time can minimize the need for incident response later.

The report goes on to state that “once organizations are enabled to better manage those [cybersecurity] risks, they can make informed decisions.” According to CyberGreen’s Executive Director Yurie Ito, “One of CyberGreen’s core principles is that the key to risk management and improvement is measurement, using data and trends to perform needs analyses and track global mitigation progress.” The Report stresses the importance of this point in Action Item 1.1.1, stipulating that there should be a multi-stakeholder process to “monitor, track and report on measurable progress” in an effort to mitigate and reduce DDoS risks.

CyberGreen strongly supports the Commission’s recommendation [Action Item 2.2.2] for cybersecurity-focused research that includes metrics, which emphasizes that the “lack of standards of measurement” has held back not only vendors and operators, but also government agencies, from “effectively evaluating, understanding and improving [their] cybersecurity posture.” According to CyberGreen’s Metrics Adviser and Author Dr. Dan Geer:

“The world is becoming a more dangerous place, at least for data. Even if you don’t want to measure, even if you don’t care whether you are overspending or underprotecting, make no mistake that it’s getting harder to transfer risk contractually, so you will pay for the risk whether you measure it or not.”

The Commission also rightly highlights the need to produce and disseminate best practice materials in order to “educate consumers and operators on the safety of devices” Part of CyberGreen’s mission is to provide best practice mitigation materials to reconfigure vulnerable devices that could be used as DDoS attack infrastructure.

The Commission’s emphasis on the importance of emerging IoT device vulnerabilities, monitoring progress, measuring through metrics, and disseminating best practices are all in line with CyberGreen’s mission statement and strategy. “Identifying the systemic level of DDoS risk conditions, and remediating those risks,” according to Yurie Ito, “transcends organizational and national borders and requires the support and cooperation of all stakeholders, including device vendors.” In order to create a healthier and more resilient global cyber ecosystem, the cybersecurity community should heed the recommendations put forth in this report by the Commission.