We need a game changer, now


While making the rounds at various speaking engagements this year, I have floated the idea that we should give somebody the authority to exterminate botnets as soon as the research community discovers them. You might not be surprised to learn that many people in the audience do not respond well to this idea. The security community is deeply afraid of this concept.

I was in London earlier this year when the story broke about the BBC purchasing a botnet for a demonstration on one of its TV shows. Many at my conference were outraged at the reporter's unethical behavior. They especially did not like the idea that a respectable business would pay money to a criminal just to make a demonstration. However, nobody seemed at all disturbed that criminals have made botnets so prevalent and cheap that an average beat reporter could have the wherewithal to purchase and use one. Should we not be outraged at this circumstance too?

One reason our community is afraid is the assumed violation of privacy. Many consider their computers to be sacrosanct – that any violation of the computer's integrity from the outside is equivalent to an illegal search, and that as a community we should not allow it under any circumstances. They assume that if somebody were to begin exterminating botnets – let's call them law enforcement botnet terminators – the terminators would most likely have to reach into the nether regions of private citizens' computers to do it. That is likely true in most cases, but there is precedent for this kind of thing.

Consider a botnet extermination the same way you would consider a police officer in hot pursuit of a criminal in the physical world. As the thief runs away, he might run through a random citizen's apartment in an effort to escape. The police officer gives chase with the authority to follow the thief through the apartment – through the nether regions of someone's personal and private living space. The pursuit does not require a search warrant. The police officer just keeps running, pursuing the thief until he makes the collar.

That situation is similar to what our new botnet terminators will have to do to exterminate a botnet – follow the thief through the cyber buildings, our computers, that make up the botnet. What I am suggesting is that we, the internet community, designate some international law enforcement organization, the botnet terminators, with the freedom to follow electronic bad guys in hot pursuit.

But even if you concede that point, there is a larger problem. Getting nations to agree to allow foreign law enforcement to touch their citizens' computers seems like a Herculean task. However, just because the problem is hard does not mean that we should not chip away at it. And we do have leverage at our disposal if we choose to use it.

The best leverage we have is access to the internet. Assume that some well-respected international law enforcement body declares that it will not tolerate nefarious botnet use. It establishes our botnet terminator squad and authorizes the hot pursuit option. For nations that do not want to play in this sandbox, it is not mandatory. But the consequence is that their upstream internet service providers, the countries that do play in the sandbox, will not allow their country to connect. That sounds draconian, I agree, but there are consequences to playing in the global marketplace.

Numerous political reasons prevent implementing the botnet terminator option anytime soon. But, as the general public better understands the impact these botnets have – including massive denial-of-service attacks between nations and nation supporters, obscene profits garnered for the criminal botnet herders and the general invasion of personal space – this option will start to look a lot less onerous. Clearly, the status quo will not have an effect on the current botnet situation. What we need is a game changer. Authorizing botnet terminations could be it.


Rick Howard

Rick is the Chief Analyst, Chief Security Officer, and Senior Fellow at The CyberWire, a cybersecurity podcasting network. His prior jobs include the Palo Alto Networks CSO, the TASC CISO, the iDefense GM (a commercial cyber threat intelligence service at Verisign), the Counterpane Global SOC Director (one of the original MSSPs), and the Commander of the U.S. Army's Computer Emergency Response Team, where he coordinated network defense, network intelligence and network attack operations for the Army's global network. He was one of the founding players that created the Cyber Threat Alliance (an ISAC for security vendors), and he also created and still runs the Cybersecurity Canon, a Rock & Roll Hall of Fame for cybersecurity books. Rick holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the US Military Academy. He also taught computer science at the Academy from 1993 to 1999. He has published many academic papers on technology, security, and risk and has contributed as an executive editor to two books: "Cyber Fraud: Tactics, Techniques and Procedures" and "Cyber Security Essentials."