Malicious software used by cybercriminals or intelligence agencies to infect the internet represents an escalating threat that may be far beyond the ability of law enforcement agencies in the U.S. and other countries to handle on their own, according to a new paper published by the Council on Foreign Relations (CFR).
The paper, citing figures showing that cybercrime already costs the global economy an estimated $600 billion a year, called for the establishment of an international body that could “take down” clandestine networks if individual countries prove unable or unwilling to do so.
The increasing use of “botnets,” in particular, poses a security danger to both nation states and corporations, according to the paper, written by Jason Healey, a senior research scholar at Columbia University; and Robert K. Knake, the Whitney Shepardson Senior Fellow at CFR.
Botnets—groups of computers infected with malicious software that can distribute spam, send phishing emails, guess passwords, impersonate users, and break encryption—have already been used by China, Russia and Iran to conduct cyberwarfare, and are likely to increase in number, the authors said.
“About 16 billion devices are connected to the internet today, and both that number and the number of vulnerable and infected devices are expected to double in the next five years,” they wrote.
“Even if only the tiniest fraction of these devices is infected with botnets, malicious actors will have enormous disruptive potential at their disposal,” they wrote, adding that instead of trying to reinforce efforts to “manage” the problem, cyber authorities should set a goal of “zero botnets.”
Botnets are also used to carry out so-called “distributed denial of service (DDoS) attacks,” which can harness multiple computers to sabotage individual targets—ranging from individual companies to a national power grid—and cause a devastating collapse.
According to the authors, botnets are already responsible for as much as 30 percent of all open online traffic—most of it in the form of DDoS attacks.
Botnets are generally used by cybercriminals to generate huge profits that can be concealed through the use of cybercurrencies like bitcoin, but they have also been deployed by individual countries to serve political ends.
According to the authors, China has carried out DDoS attacks against the New York Times, the Falun Gong, and Chinese Christian churches in the U.S.
Iran was identified as responsible for a series of large-scale attacks against the U.S. financial sector between 2011 and 2013 in a response to alleged Washington efforts at cyber-disruption of its nuclear program.
Russia used the DDoS weapon against Estonia in 2007 to punish that state for removing a statue commemorating Russians soldiers. [The paper did not refer to Russian efforts to sabotage or hack election systems in the U.S. and Europe.]
Large-scale cybercrime is only likely to grow, as more sophisticated technology becomes available to Internet users, the authors warned.
“The Internet of Things (IoT) is leading to massive growth in the number of internet-connected devices,” they wrote. “These devices are often not built with security in mind and are rarely updated once installed, resulting in known vulnerabilities that can be exploited by adversaries but are unlikely to be patched.”
According to the authors, U.S. networks are so far “among the cleanest in the world,” ranking eighth among Organization for Economic Cooperation and Development (OECD) countries for cyber-safety, but they said this should provide little assurance.
“In light of the past and potential harm that botnets cause, even infection rates that are well below one-tenth of 1 percent are too high, given the large and growing number of systems on the internet,” they wrote.
U.S. efforts to cope with the problem are flawed, the authors said.
The FBI’s “Operation Clean Slate” program, launched in April 2013, has successfully shut down some botnets, but “these efforts have not led to a measurable reduction in the number of botnets, the number of infected devices, or the harm that botnets cause.”
The face that the U.S. government has “appeared powerless” to take effective action should worry all internet users, the authors said.
“When the website of technology reporter Brian Krebs was taken offline by a DDoS attack, Krebs was only able to get his website back online once Google took over and absorbed the attack through its Project Shield program,” said the paper.
“Relying on a private company with profit motives to protect free speech in the United States, and globally, raises concerns.”
Earlier this year, President Donald Trump issued an executive order directing the Department of Commerce and the Department of Homeland Security to work with the private sector to identify ways of “dramatically reducing threats perpetrated by automated and distributed attacks.”
But the authors said the White Paper resulting from the report, released in May, lacked a clear set of goals.
The most effective way of eliminating botnets is through multinational action, they argued.
They quoted one editor from the TechTarget Network blog as saying, “If we determine that a botnet is sending millions of messages a day—the command servers are in Russia, part of the infrastructure is in Spain, and the bots are in North America—there has to be a way for all of these groups to cooperate in real time, or really quickly.
*“Because when you take down a botnet, if you don’t take down the whole structure at the same time, it is very easy for these guys to seize control and redirect all that traffic somewhere else.”
While some governments, including the U.S., are likely to be skeptical of multinational action that appeared to challenge national sovereignty, the authors said it was justified for global health and security.
“As 21st century challenges like terrorism, nuclear proliferation, and pollution have become national security challenges, notions of national sovereignty have…changed,” they wrote. “Rather than being an absolute right of states, sovereignty now comes with sovereign responsibility to the citizens of states and sovereign obligations to other states.
“Botnets cause harm to individuals, to companies, and to states, but only when the harm is cross-border in nature does it become an international policy concern, in which the state causing the harm has a sovereign obligation to other states to address it.
“….[States should] be held liable by the international system for any harm caused to other states if they are not proactively and cooperatively working to respond to it.”
One remedy suggested by the authors was what they described as a “relatively small organization” capable both of carrying out multiple takedowns and to measure botnets globally, as well as provide technical assistance to countries trying to reduce their infection rates.
Such an organization could be funded at $10 million per year over a five-year period, they said—a small fraction of the economic damage now caused by cybercrime.
A complete copy of the paper can be downloaded here.
This summary was prepared by TCR Editor Stephen Handelman. Readers’ comments are welcome.