A report from the Council on Foreign Relations (CFR) released Monday argues that devices infected by botnets need to be eliminated. The report proposed increasing regulations and holding more organizations accountable for malicious botnet activity to achieve its goal.
The report’s authors, Jason Healey, Senior Research Scholar at Columbia University’s School for International and Public Affairs, and Robert K. Knake, Whitney Shepardson Senior Fellow at CFR, argued against the prevailing belief that botnets can only be managed. Instead, they made a case for working toward total elimination.
“Zero is a powerful concept often used as a tool to galvanize policy action,” the authors said when explaining the reason behind their goal of botnet elimination. “Setting a target of zero for undesirable outcomes signals that any occurrence is unacceptable. As progress is made, occurrences become exceptions that trigger forceful responses to understand what went wrong and prevent the same patterns from being repeated.”
The authors called botnets the “bane of the internet.” They explained that “[c]riminals use these groups of computers infected with malicious software to propagate spam, send phishing emails, guess passwords, impersonate users, and break encryption. Their most pernicious use, however, is to carry out distributed denial of service (DDoS) attacks.”
The authors explained that as much as 30 percent of global internet traffic may be attributable to botnets–with most of that coming in the form of DDoS attacks. Increasingly, foreign nations, including Russia, China, and Iran, are maliciously using botnets to achieve their geopolitical goals.
“A motivated nation-state actor could easily harness millions of systems to shut down countries’ domestic networks or target core internet infrastructure and shut the internet down globally,” the authors warned. “Foreign governments certainly might judge such actions to be to their advantage in some scenarios,” they said.
Coupling the geopolitical security risks with the financial reality that cybercrime costs the global economy roughly $600 billion a year–with much of that loss tied to botnets–the authors said, “an ambitious goal of zero botnets is necessary.”
In their report, the authors laid out what steps information security experts need to take to achieve zero botnets. First, global experts need to do a better job of measuring current botnet activity and they must set incremental goals for botnet activity reduction. Once there is an accurate understanding of botnet activity, the authors said that nations and international institutions should establish the principle that “states are responsible for the harm that botnets based within their borders cause to others.” The authors further explained that “[w]hen governments are unable or unwilling to be responsible, other states may be justified in taking action, in or out of the cyber domain, to thwart cross-border effects.”
In addition to nations holding other nations accountable, the authors stressed the importance of internet service providers (ISPs) holding each other accountable for “bad traffic” leaving their networks. The report also brought device makers into the chain of responsibility, saying the “makers of devices that are vulnerable to becoming parts of botnets need to be incentivized to secure their devices, and the resellers of those devices should use their leverage to hold them accountable.” The report also said that hosting providers, name registrars, and other components of the internet ecosystem used by botnets should be pressured to regulate themselves and prevent their services from being used for criminal purposes.
“Zero botnets is an effective rallying cry to motivate the disparate coalition of technology makers, ISPs, consumers, cybersecurity companies, nonprofits, and law enforcement organizations that are necessary to reduce botnet infections to levels at which they do not pose a threat to the continued operation of the internet or the organizations that operate on it,” the report concluded. “If properly motivated, such a coalition could, over time, drive down botnet infection rates, increase the costs to malicious actors to operate them, and deny them value for doing so.”