To Defend... and Attack?

25 Oct 2009

Recent cyber attacks against government websites in Georgia and Estonia underscore the need to protect systems from such military-like onslaughts. In fact, the US government is even contemplating the development of offensive cyber attack capabilities – a particularly hot subject of debate.

Last year, a distributed denial of service (DDOS) attack was launched against government websites in Georgia, before and during the armed conflagration between that country and Russia. In 2007, a similar assault was launched against government and commercial computer networks in Estonia.

Rumors abounded in each instance that the Russian government was behind the attacks, in the case of Estonia because Russia was angered by some slight of the Estonian government. The Georgia attack defaced the presidential website and made other government websites unavailable. The Estonia attack, which primarily targeted commercial financial networks, shut down the heavily online Estonian banking system for several days.

DDOS attacks disable their targets by launching huge volumes of email or other messages, more than the target system can handle, from multiple locations. Perpetrators typically muster the capacity to direct this massive messaging activity by surreptitiously taking over hundreds or thousands of computers by embedding them with software components known as malware, transforming them into robots, or 'bots,' arraying these in decentralized networks, or 'botnets,' and then orchestrating an attack on the intended target.

Most experts doubt that either the Georgia or the Estonia attacks originated with the Russian government. But the attacks underscored the need to protect systems from a military-style onslaught, and perhaps also to develop the capability to counterattack.

The US military has in fact taken up the possibility of developing its own offensive and defensive botnet capabilities. US Air Force Colonel Charles Williamson advocated last year for the deployment of an Air Force capability which could take out offending systems by launching their own DDOS attacks against them.

Williamson argued that the US military could use excess and obsolete computer capacity to generate this capability. As such, this capability would not be a true botnet, since it would not involve the exploitation of third-party computers. (Williamson, a lawyer, was trying to obviate violations of the international law of warfare, which prohibits combatants from disguising their origins.)

The US Air Force Research Laboratory (AFRL) posted an announcement in May 2008 which cryptically indicated its desire to develop a "Proactive Botnet Defense Technology." According to the announcement, the AFRL is seeking the capability to infiltrate offending systems, to exfiltrate information undetected and, if necessary, to destroy the system.

To Use or not to Use?

Should the US military use botnets to counter botnets? Most available tools defend networks against DDOS attacks by identifying malicious network traffic and blocking it at the destination, rather than tracing the source of an attack, which can be difficult and time consuming. Other techniques include blocking suspicious web pages and sources of email to protect systems from malware and, in the extreme case, restricting access from all sources except those certified to be free of malware.
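As an added illustration of the destination-side defence described above (example code, not from the article or any of the experts quoted), the following Python flags a many-source flood at the destination using constructed log lines, drops the repeating sources there without tracing them, and in the extreme case admits only certified sources. The log format, addresses and thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample log (not real traffic), one line per request:
# "<second> <src_ip> <dst_ip>". Thirty bot-like sources each hit
# 10.0.0.5 three times inside a ten-second window, while two ordinary
# clients make a single request each to 10.0.0.5 and 10.0.0.9.
SAMPLE_LOG = [f"{s % 10} 192.0.2.{s // 3 + 1} 10.0.0.5" for s in range(90)]
SAMPLE_LOG += ["1 198.51.100.7 10.0.0.5", "4 198.51.100.8 10.0.0.9"]


def parse_log(lines):
    """Parse 'second src dst' lines into (second, src, dst) tuples."""
    events = []
    for line in lines:
        second, src, dst = line.split()
        events.append((int(second), src, dst))
    return events


def detect_floods(events, window=10, max_hits=50, min_sources=20):
    """Return destinations under a botnet-style flood: within any span of
    `window` seconds the destination receives more than `max_hits`
    requests from at least `min_sources` distinct sources. The decision
    is made entirely at the destination; no source is traced."""
    by_dst = defaultdict(list)
    for sec, src, dst in events:
        by_dst[dst].append((sec, src))
    flooded = set()
    for dst, hits in by_dst.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] >= window:
                start += 1
            span = hits[start:end + 1]
            if len(span) > max_hits and len({s for _, s in span}) >= min_sources:
                flooded.add(dst)
                break
    return flooded


def filter_traffic(events, flooded, per_source_limit=1, allowlist=None):
    """Block at the destination. For a flooded destination, drop every
    source that sends more than `per_source_limit` requests (counted over
    the whole sample for simplicity), or, in the extreme mode the article
    mentions, admit only sources on the certified allowlist."""
    count = Counter((src, dst) for _, src, dst in events)
    admitted = []
    for sec, src, dst in events:
        if dst in flooded:
            if allowlist is not None:
                if src not in allowlist:
                    continue
            elif count[(src, dst)] > per_source_limit:
                continue
        admitted.append((sec, src, dst))
    return admitted
```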

Defending against botnets is one thing. Using botnets or botnet-like arrays of computers for offensive activities is subject to debate.

“It would be foolish for a military to disregard the strategic or tactical possibility of launching an offensive cyber attack against an enemy during wartime,” argued Bruce Schneier, a cyber security expert based in California. But Schneier assumes that most such activity will involve espionage-like activity, and not open warfare.

“A military only wants to shut an enemy's network down if they aren't getting useful information from it,” said Schneier. “The best thing to do is to infiltrate the enemy's computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate. The next best thing is to passively eavesdrop. After that, the next best is to […] analyze who is talking to whom and [decipher] the characteristics of that communication. Only if a military can't do any of that do they consider shutting the thing down.”

These possibilities lead Alan Paller, director of research at the SANS Institute, a Washington-based computer security training organization, to conclude that research should proceed on all fronts, including the development of offensive botnet capabilities. “We need to do the research now, so that the next time we get into a war, we will have those kinds of weapons if we need them,” he said. “We don’t want to get caught short, as we did in 1937 and 1938, before the outbreak of World War II. We can’t get into a war and then realize we don’t have the weapons.”

“Having the ability to attack enemy systems is desirable,” said Pat Peterson, chief technology officer of Ironport, a division of US-based Cisco Systems. “Research into botnet-like activities has relevance for programs trying to infiltrate enemy computer environments and trying to implant code on hostile systems in order to monitor and understand them."

But Peterson is resistant to the development of offensive Air Force botnet capability. “Botnets are useful for criminal activity, but they are unreliable, uncontrollable, unethical and harmful.”

"Retaliation should not be the focus. Resilience should be," added Peter Sommer, a visiting professor at the London School of Economics and an expert in information systems security. "It is possible to defend against a low- to medium-level attack. It is important to concentrate on contingencies, which involves having in place alternate routes for getting information."

On the other hand, it may make sense to experiment with botnet-type capabilities for other purposes, according to Marcus Sachs, a retired US Army officer and a former member of the US Department of Defense Joint Task Force-Computer Network Operations (JTF-CNO). “It is smart to study how attackers attack,” he said. “I like the idea for war gaming."

The ultimate value of such experimentation, for Sachs, would be to explore ways the US military could use distributed computing capabilities. “The use of botnets may make no sense,” he said, “but the idea of using a distributed computing capability in some form may make sense for DoD [Department of Defense] at some point in the future.”
