Perhaps it’s time to rethink how the security industry tackles botnets.
Over the years, there have been several notable botnet takedowns where security and tech companies worked with law enforcement to identify and take over command-and-control servers used by the botnet operators, but they haven’t really made a dent in overall online malicious activity. There is a slight dip in spam volumes or malware downloads for a while, but other botnet groups typically expand their operations to fill the gap created by the takedown. The operators, if not caught, regroup and just start over again later with new infrastructure.
There is a bit of resignation that botnets will always exist in some shape or form—but it doesn’t have to be that way, according to a new paper from the Council on Foreign Relations. Industry and policymakers should aim to eradicate botnets entirely, wrote Jason Healey, a senior research scholar at Columbia University’s School for International and Public Affairs, and Robert K. Knake, a Whitney Shepardson Senior Fellow at the Council on Foreign Relations. They proposed increasing regulations and holding more organizations accountable for malicious botnet activity.
“Zero is a powerful concept often used as a tool to galvanize policy action,” Healey and Knake wrote in their Zero Botnets paper. “Setting a target of zero for undesirable outcomes signals that any occurrence is unacceptable.”
Aim High, Not Low
As much as 30 percent of global internet traffic may be attributed to botnets, the CFR paper said, although some security companies have higher estimates. Criminals use botnets to send spam and other malicious email messages, harvest credentials and sensitive information gathered from phishing campaigns, impersonate users, and launch attacks that guess user passwords. It’s not just criminals counting on botnets, either—the authors believe nation-state attackers such as those from Russia, China, and Iran are increasingly using botnets to achieve their geopolitical goals. Governments can use botnets to stifle free speech or shut down domestic networks.
“Their most pernicious use, however, is to carry out distributed denial of service (DDoS) attacks,” the authors wrote.
Healey and Knake acknowledge “completely eliminating botnets is likely an impossible goal,” but their point is that aiming high will have better results than setting a low bar for success. There are many “zero” initiatives, such as “Vision Zero” programs to reduce traffic and pedestrian fatalities in Los Angeles, New York, and Washington, D.C.; public health programs focusing on vaccinations to achieve zero infections worldwide for certain diseases; the Global Zero movement to get rid of nuclear weapons; and the aviation industry’s focus on zero safety incidents on U.S.-registered commercial airlines. Focusing on zero means that when something happens, there is an immediate response and a thorough investigation to ensure it never happens again. Instead of becoming just another attack, these occurrences should be treated as exceptions.
“Zero botnets is an effective rallying cry to motivate the disparate coalition of technology makers, ISPs, consumers, cybersecurity companies, nonprofits, and law enforcement organizations that are necessary to reduce botnet infections to levels at which they do not pose a threat to the continued operation of the internet or the organizations that operate on it,” Healey and Knake wrote.
What’s the Policy?
To achieve the zero-botnet goal, the security industry needs to do a better job of measuring current botnet activity and set incremental goals for reducing activity levels.
The paper argues that states are responsible for the harm that botnets based within their borders cause to others. For example, Finland works with its ISPs to notify the owners of infected systems and quarantine them if needed. Finland consistently has one of the lowest infection rates among developed countries.
“When governments are unable or unwilling to be responsible, other states may be justified in taking action, in or out of the cyber domain, to thwart cross-border effects,” Healey and Knake said.
To extend this idea, Internet service providers also need to be “good stewards of online spaces” and hold each other accountable for the bad traffic leaving their networks. Hosting providers, name registrars, and other parts of the internet ecosystem should be pressured to police themselves and prevent their services from being used for criminal purposes.
For example, right now it is extremely difficult to report DDoS attacks or other malicious activity. Hosting providers and ISPs often ignore abuse reports or address them slowly. Reporting processes often rely on knowing the correct individual to reach out to at the company. ISPs don't really want more government regulation, but this is something that could be accomplished through self-regulation and community standards.
Incentives should be introduced so the makers of internet-connected devices take steps to secure their devices. Resellers should use their contracts and purchasing power to force manufacturers to make the devices more secure. The consumer is too far down the chain to be able to put any pressure on the manufacturer, but the large retailers are in the position to make demands.
“Finally, when these measures fail to suppress the growth of botnets, an ongoing international effort to take down botnets will be necessary,” the authors wrote.
Healey and Knake made an intriguing point that cyberincident collaboration organizations (CICOs) could make it possible for law enforcement across countries and companies to work together. Each CICO could focus on each type of incident, "such as counter-DDoS or counter–malware outbreaks," and help streamline response processes and collaboration. The authors estimated that a "relatively small organization funded at $10 million per year over a five-year period" would be capable of carrying out multiple takedowns per year and provide technical assistance to countries and companies reducing their infection rates.
The zero-botnet mindset could, "over time, drive down botnet infection rates, increase the costs to malicious actors to operate them, and deny them value for doing so,” the authors wrote.