President Trump wants to crack down on botnets, the networks of hacked zombie computers that criminals or adversaries can use to carry out large-scale cyberattacks. Achieving this would surely disrupt the cybercriminal infrastructure, but it will also require that the administration overcome monumental technical and political hurdles.
This month, Trump signed a long-awaited executive order addressing the cybersecurity threat, which many national security experts consider the top threat facing the United States. Though the order contains mostly broad language, it does single out botnets, calling for them to be “dramatically” reduced. Criminals can use botnets to execute a range of cyberattacks, from malware and spam distribution to distributed denial of service (DDoS) attacks, which flood a target’s server with artificial traffic. The threat is growing as we connect more cheap webcams, baby monitors, DVRs, and other Internet of things devices, which hackers can use to launch attacks (see “10 Breakthrough Technologies: Botnets of Things”).
The administration has some relatively new tools at its disposal to combat botnets. Recent changes to the federal rules of criminal procedure allow investigators to use a single search warrant to hack into multiple computers comprising a botnet. The Justice Department used this authority recently to dismantle a global botnet that had been stealing banking credentials and distributing e-mail spam and malware. The Trump team could also renew legislative proposals made by the Obama Justice Department that would broaden the instances in which the FBI could get a court order to compel an ISP to shut down botnet traffic, says Zachary Goldman, executive director of the Center on Law and Security at New York University School of Law.
Still, while these new avenues may help law enforcement officials dismantle botnets, they won’t do much to prevent botnet-powered DDoS attacks, which are growing larger and more frequent every year. After a botnet briefly took down much of the Internet for millions of users in the U.S. last October, prominent security researchers warned Congress that the proliferation of poorly secured connected devices represents a market failure, and urged the government to step in to address the growing risk.
Exactly how the government should intervene is a matter of debate. At question is which agencies have the proper authorities, which ones should be in charge, and what Internet service providers should be doing to help.
In the absence of government action to cut down on the risky devices connecting to the Internet, ISPs could try to collaborate to root out and stop DDoS attacks before they do much damage. Since these attacks are easiest to detect near the target, and easiest to stop near the source, an automated system that ISPs could use to detect attacks and then signal to other providers upstream to coördinate rapid responses could be particularly effective, says Jim McEachern, senior technology consultant at the Alliance for Telecommunications Industry Solutions (ATIS), a computing industry standards organization. ATIS’s members include ISPs, device makers, and Internet companies.
Components of such a system already exist. The Internet Engineering Task Force, an organization made up of volunteers from the industry that develops new Internet standards, is creating technical standards for a secure messaging system that businesses could use to signal for help that they are under attack. Called DDoS Open Threat Signaling, or DOTS, the system would appeal for assistance from an ISP or other entity with the capacity and necessary tools to filter out the bad traffic—a process called “scrubbing.” If ISPs agreed to coöperate on stopping DDoS attacks, they could also use DOTS to signal between each other, says Andrew Mortensen, an engineer at Arbor Networks who is helping lead the DOTS project.
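As an added illustration, not code from the article, ATIS, Arbor Networks or the IETF DOTS project, the Python sketch below models the chain just described: detection near the target, a mitigation request signaled to the access ISP, relayed upstream toward the sources, and scrubbing applied at each provider. The flow tuples, ISP names, thresholds and request fields are constructed assumptions; the real DOTS signal channel carries its requests over CoAP with (D)TLS and uses its own message schema.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample shape: (dst_ip, src_ip, packets_per_second)
Flow = Tuple[str, str, int]

@dataclass
class MitigationRequest:
    target_prefix: str            # victim's address block under attack (assumed field)
    lifetime_s: int               # how long the requested scrubbing should stay active
    relayed_by: List[str] = field(default_factory=list)  # ISPs that passed it upstream

def detect_attack(flows: List[Flow], target_prefix: str, pps_threshold: int) -> bool:
    """Near-target detection: aggregate packet rate toward the target exceeds a threshold."""
    total = sum(pps for dst, _src, pps in flows if dst.startswith(target_prefix))
    return total > pps_threshold

class Isp:
    """One provider in the chain; knows its upstream and which prefixes it is scrubbing."""
    def __init__(self, name: str, upstream: Optional["Isp"] = None, per_source_limit: int = 1000):
        self.name, self.upstream, self.per_source_limit = name, upstream, per_source_limit
        self.scrubbing: dict = {}   # target_prefix -> remaining lifetime in seconds

    def signal(self, req: MitigationRequest) -> MitigationRequest:
        """Accept a request, start scrubbing locally, then relay it toward the attack sources."""
        self.scrubbing[req.target_prefix] = req.lifetime_s
        req.relayed_by.append(self.name)
        if self.upstream is not None:
            self.upstream.signal(req)
        return req

    def scrub(self, flows: List[Flow]) -> List[Flow]:
        """Drop flows toward a protected prefix whose per-source rate exceeds the limit;
        low-rate (likely legitimate) traffic to the same target is passed through."""
        return [f for f in flows
                if not (any(f[0].startswith(p) for p in self.scrubbing)
                        and f[2] > self.per_source_limit)]

def respond(flows: List[Flow], target_prefix: str, access_isp: Isp,
            threshold: int = 5000, lifetime_s: int = 300) -> Optional[MitigationRequest]:
    """Victim-side logic: detect near the target, then signal upstream to stop near the source."""
    if not detect_attack(flows, target_prefix, threshold):
        return None
    return access_isp.signal(MitigationRequest(target_prefix, lifetime_s))

# Constructed sample: three bot sources flooding 203.0.113.10 plus one legitimate client.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.10", "198.51.100.21", 4000),
    ("203.0.113.10", "198.51.100.22", 4000),
    ("203.0.113.10", "198.51.100.23", 4000),
    ("203.0.113.10", "192.0.2.50", 20),
]
```

Wiring `Isp("access-isp", upstream=Isp("transit-isp"))` and calling `respond(SAMPLE_FLOWS, "203.0.113.", access)` relays one request through both providers, after which the transit ISP's `scrub` keeps only the 20 pps client flow.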
ISPs haven’t yet agreed to join forces against botnets, and for obvious reasons. The idea raises complicated new business and policy questions, since asking an ISP to block traffic is essentially asking it to forgo revenue, and someone will have to foot the bill for the traffic scrubbing technology, says McEachern. The business-related issues “are going to be at least as challenging as the technical ones.”
Trump’s order gives the Secretaries of Commerce and Homeland Security a year to iron out a plan for beating back botnets and other distributed attacks. That could be too long, Senator Mark Warner of Virginia, cofounder of the Senate Cybersecurity Caucus, told MIT Technology Review in an e-mail statement. “I fear that the president’s lengthy time frame for identifying and promoting actions to address these risks … misapprehends the gravity of these threats.”