Ari Schwartz was featured in an article in the July 11, 2017, issue of FCW on how the Trump administration's cyber executive order has tasked the departments of Commerce and Homeland Security with a year-long study of how to reduce botnets, but according to Schwartz, the immediate focus should be on standards and automation.
"The fact that you need a botnet report and we're not at the point of saying 'here is the whole of government approach to this issue' and that the Trump administration needed this report," demonstrates that more could have been done, he said.
Going forward, Schwartz told FCW the first priority is speeding up the development of standards, especially for device manufacturers.
"We're just starting to see the standards be put in place for what they are supposed to do, so I'm worried that it's a long process to get to that point," he said. Schwartz warned that standards need to be put in place before any regulation comes down to avoid ending up "with things locked into place in 2017."
He said NIST and National Telecommunications and Information Agency are playing important roles in developing standards and facilitating public-private partnership.
"There needs to be sustained follow up and sustained participation," he said.
"Government is part of that. Industry is part of that, and it's different parts of industry too."
Schwartz stressed that the government needs to hold off on regulations for now.
"You've got to get the standards in place," he said. "You've got to get people doing it voluntarily and see how that goes for some period of time and then start mandating it as people are not doing it or in the areas they're not doing it."
One of the key standards is automated device updating, Schwartz said.
"Education works to some extent, notification works to some extent, but the scale we're talking about, it's not going to be the answer," he said. "So it needs to be more of automated patching in this space."
"How do we make sure that we can update things and the user doesn't have to be involved in that discussion, but yet we're not invading their privacy, we're not breaking stuff on their side, right?" he said. "That's the key."
Schwartz acknowledged there will be an ongoing challenge posed by expired devices that are still connected but are no longer supported or being updated.