Yesterday I spoke at a Washington briefing on botnets. The event was hosted by the Senate Science and Technology Caucus, and sponsored by ACM and Microsoft. Along with opening remarks by Senators Pryor and Bennett, there were short briefings by me, Phil Reitinger of Microsoft, and Scott O’Neal of the FBI.
(Botnets are coordinated computer intrusions, where the attacker installs a long-lived software agent or “bot” on many end-user computers. After being installed, the bots receive commands from the attacker through a command-and-control mechanism. You can think of bots as a more advanced form of the viruses and worms we saw previously.)
Botnets are a serious threat, but as usual in cybersecurity there is no obvious silver bullet against them. I gave a laundry list of possible anti-bot tactics, including a mix of technical, law enforcement, and policy approaches.
Phil Reitinger talked about Microsoft’s anti-botnet activities. These range from general efforts to improve software security, to distribution of patches and malicious code removal tools, to investigation of specific bot attacks. I was glad to hear him call out the need for basic research on computer security.
Scott O’Neal talked about the FBI’s fight against botnets, which he said followed the Bureau’s historical pattern in dealing with new types of crime. At first, they responded to specific attacks by investigating and trying to identify the perpetrators. Over time they have adopted new tactics, such as infiltrating the markets and fora where botmasters meet. Though he didn’t explicitly prioritize the different types of botnet (mis)use, it was clear that commercially motivated denial-of-service attacks were prominent in his mind.
Much of the audience consisted of Senate and House staffers, who are naturally interested in possible legislative approaches to the botnet problem. Beyond seeing that law enforcement has adequate resources, there isn’t much that needs to be done. Current laws such as the Computer Fraud and Abuse Act, and anti-fraud and anti-spam laws, already cover botnet attacks. The hard part is catching the bad guys in the first place.
The one legislative suggestion we heard was to reduce the threshold for criminal violation in the Computer Fraud and Abuse Act. Using computers without authorization is a crime, but there are threshold requirements to make sure that trivial offenses can’t bring down the big hammer of felony prosecution.
The concern is that a badguy who breaks into a large number of computers and installs bots, but hasn’t yet used the bots to do harm, might be able to escape prosecution. He could still be prosecuted if certain types of bad intent can be proved, but where that is not possible he arguably might not meet the $5000 damage threshold. The law might be changed to allow prosecution when some designated number of computers are affected.
Paul Ohm has expressed skepticism about this kind of proposal. He points to a tendency to base cybersecurity policy on anecdote and worst-case predictions, even though a great deal of preventable harm is caused by simpler, more mundane attacks.
I’d like to see more data on how big a problem the current CFAA thresholds are. How many real badguys have escaped CFAA prosecution? Of those who did, how many could be prosecuted for other, equally serious violations? With data in hand, the cost-benefit tradeoffs in amending the CFAA will be easier.
Senator Bennett, in his remarks, characterized cybersecurity as a long-term fight. “You guys have permanent job security…. You’re working on a problem that will never be solved.”
What makes extremely bad botnets is the difficulty in tracing them back to their creators. Pls implement honeypots is to identify malicious botnets. A honeypot, which is a fake network, is designed to attract and analyze botnet activity.
There IS a botnet lobby. It’s called Ubuntu. Use a secure operating system and you won’t have to woeey about junk like this. The blame is on the company that produces and exploitable operating system.
I’d like to caution against the argument to make botnets illegal. Back when I first installed slackware there was a “botnet” program that you could install that would run in the background and try to crack the latest RSA number. I was happy to participate in this experiement (note to Dan Smith: there is a cash prize for cracking an RSA number and it was supposed to be distributed amongst the network if we were successful) and its intended use was completely legitamite. I realize that there are some important differences between a botnet that implemetns a DDoS protocol and the one that I was part of, but I don’t think our elected representatives will see the difference.
Think of it this way, criminals use guns all of the time but you don’t see politicians thinking about gun control (OK bad example. Is there a botnet loby yet?).
later,
Dixon
What’s with all the content-free “me too” posts lately? While it’s nice when someone shows interest in or appreciation for the site, it’s much nicer when they contribute something substantive and original in the way of ideas of their own in the process…
Dan Simon seems to underestimate the tendency of most folk to show some social responsibility. The main reason stealthy bots go unremoved is because they go undetected, not because they seem harmless — a user only has to read a bit and notice the spams in their inbox to realize that it ain’t so. Feelings of social responsibility would also inhibit many people from intentionally allowing “DDoS@home” to run on their computers. So would the law — users become complicit when they become willing participants, rather than being additional victims as now. Finally, nonstealthy distribution of “DDoS@home” will necessitate a more open and visible presence such as a download site for people to get the software, which becomes a target for law enforcement. In other words, we wouldn’t have much of a “DDoS@home” problem with good end-user security for the same reasons we don’t currently have a “MethLab@home” problem with large numbers of people expressing willingness to cook up questionable substances for money.
In practise, increased home-machine security would result in a botnet installation tactical shift from hole-exploiting to bundling, leading to desirable software such as games on “free download” sites with hidden botnet functionality as an extra bonus feature. Much as a lot of spyware is stealth-installed now. Existing antispyware tools, tactics, and laws then become applicable; for example, sites whose files are infested may develop a bad reputation, as with specific bot-bundled software. Market pressure alone forced some prominent p2p app distributors, such as Limewire, to clean up their acts, and would operate against botnets likewise.
I hypothesize that one reason why botnets are so rampant is that they usually do very little damage to their hosts–simply “borrowing” a bit of spare bandwidth and computation time to attack or annoy other computers or their users, and therefore creating little incentive for users to clean them off their machines. (They could, of course do a great deal of damage. But it appears that in most cases they don’t–perhaps recognizing their implicit interest in not aggravating their hosts.)
In fact, I argued in a recent paper that if the end host security problem were to be “solved”, in the sense that users could run arbitrary code on their systems with zero chance of being compromised, then botnet operators would simply “purchase” their botnets, by offering some slight incentive (use your imagination) to users to run their “DDoS@home” client. The user would be safe, the botnet operator would have his botnet, and everyone would be happy except for the botnet’s unfortunate victims. I therefore believe that poor end host security, while worrisome for many other reasons, shouldn’t be seen as the core of the botnet problem.
Finally, I would like to thank Sen. Bennett for endorsing my career strategy. From his mouth to God’s ears, as they say….
If you’re going to go for a lower threshold, or a more liberal interpretation of the existing one, botnets will not be the only unauthorized uses of computers that qualify as crimes (as indeed they’re not now, but nevertheless). Are we willing to see spyware authors, even commercial ones, behind bars? If not, then it’s going to take some very careful — and possibly counterproductive — tailoring to go after botnets in particular, especially if the people who infect the machines aren’t the people who actually use them to do harm.
I don’t think that there should be a problem with the $5000 damages limit even if the botmaster is caught before he employs the bot network. Each machine infected is damaged and there is a cost in time and possibly tools to fix the machine. If the cost to fix each machine is estimated at $50 then a creating a network of 100 machines meets the threshold. The only area that I think legislation might need to be considered would be to make the attempt to create a botnet illegal.