Staff Sgt. Timothy Moore/U.S. Air Force

Here Are Some New Ideas for Fighting Botnets

It's a tricky problem, so solutions have to be carefully thought out.

Federal agencies face a thorny path as they try to step up the government’s fight against armies of infected computers and connected devices known as botnets, responses to a government information request reveal.

Industry, academic and think tank commenters all agreed more should be done to combat the zombie computer armies that digital ne’er-do-wells frequently hire to force adversaries offline.

Just what that effort should comprise is a more complicated question.

The government shouldn’t impose any new regulations, industry responders warn, for fear of hindering commerce or damaging government’s ability to respond nimbly to new security challenges.

On the other hand, the government also should be extremely wary of pumping up the investigatory or botnet takedown powers of law enforcement, the Center for Democracy and Technology think tank warns, out of concern for invading computer and device owners’ privacy.

“Botnet bills introduced over the last several years would have made the Computer Fraud and Abuse Act broader and vaguer and would only discourage the types of independent research that could fight botnets in its own right,” the CDT comments note.

The Computer Fraud and Abuse Act is a 1986 law that, despite its vintage, governs many hacking crimes. Critics say the outdated law is interpreted too broadly and unfairly criminalizes the work of ethical hackers who try to find computer vulnerabilities and expose them before nefarious hackers find and exploit them.

Given that narrow path, many responses to the National Telecommunications and Information Administration’s request for comments on what government can do to combat botnets focused on work the government has already done, such as convening stakeholders in industry and promoting security best practices.

A handful of big ideas emerged in the comments published Sunday, though. Here are three of them:

CISA 2.0?

After numerous failed attempts to pass major cybersecurity legislation, Congress succeeded in passing a narrow bill in 2015 that offers liability protection to companies that share cyber threat information with each other and with the government.

If the government wants to enlist companies to combat botnet operations, it may have to go a step further and offer similar protections for certain cyber defense operations, some commenters said.  

“While enactment of the Cybersecurity Information Sharing Act (CISA) has helped to clear away some of the legal underbrush that inhibited cyber threat information sharing, the statute only authorizes—but does not offer liability protection for—operation of defensive measures, which leaves companies employing such measures open to potential liability on various legal grounds,” NCTA, the Internet and Television Association, wrote.

Such defensive measures might include probing the botnet for weak points so an internet service provider can shut down its command and control operations.  

The wireless industry association CTIA warned that “any uncertainty about defensive steps operators can take may have a chilling effect on rapid action to address attacks.”

Think Global

Numerous commenters warned that U.S. efforts to combat botnets will do little good if other nations aren’t similarly working to keep their computers and connected devices from being co-opted by botnets.

The software industry group BSA: The Software Alliance recommended surging the government’s global cyber capacity building efforts so there are less fertile grounds for botnet builders.

Much of the U.S. government’s cyber capacity building effort was operated out of the State Department Cyber Coordinator’s Office, which Secretary of State Rex Tillerson is considering shuttering.

The cybersecurity firm CrowdStrike urged surging counter-botnet cooperation between technical agencies in different national governments and making it a proving ground for other cyber cooperation.

Numerous commenters urged the government to press counter-botnet initiatives at international organizations such as the International Telecommunication Union, which helps manage global internet policy.

Be the Change You Wish to See

The government should also be a good counter botnet role model, numerous commenters said.

It would be a “game changer,” for example, if U.S. law enforcement committed to taking down one botnet every week, CrowdStrike suggested.

The government could also lead by example by only purchasing connected devices that meet strict security guidelines, the New America think tank’s Open Technology Institute suggested.

Unlike laptops and phones, many connected devices, such as cameras and baby monitors, can’t be patched in response to newfound security vulnerabilities and are secured with default passwords set by the company. As a result, they’re more likely to be conscripted by botnets such as the Mirai botnet that forced popular sites such as Netflix and The New York Times offline earlier this year.

Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., introduced legislation that would mandate better security protections for government-purchased connected devices earlier this week.

Honorable Mention…

…to the Secure Systems Lab at New York University, for prefacing its comment with a description of a hypothetical cyberattack that includes mass hallucinations, a masterminding rogue nation and a Washington, D.C. Independence Day party gone horribly wrong. The hypothetical didn’t really have anything to do with botnets, but it was a nice break from dry industry prose.
