Weapons of Mass Denial

By Larry Seltzer  |  Posted 2008-05-21

A U.S. military botnet is a disturbing concept, but next to cluster bombs and cruise missiles it's War Lite.

I don't usually get my column ideas out of The Armed Forces Journal, but a recent article there has been getting attention in the computer security community.

In it, Col. Charles W. Williamson III proposes that "...America needs a network that can project power by building an af.mil robot network [botnet] that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack." Wow, them's fighting words.

After I recently wrote about apparent Chinese hacker-espionage against U.S. military targets on the Internet, I was surprised that any critical infrastructure would even be accessible via the Internet, no matter how well-protected. I guess the military needs to be connected, and it's never been clear exactly what was attacked. Perhaps nothing like command and control is accessible, but the home office of an important defense consultant may be.

The point is that there are targets accessible, the denial of which would disadvantage the enemy greatly. Williamson (Charlie, according to his bio) seems more interested in deterrence than actual attacks, and deterrence does have a history of success in the defense field. We want the enemy to know that we are capable of crippling whatever it is we can cripple. In fact, we want them to think we can do even more, but credibility is the key part.

And it's not just about military infrastructure in the strict sense. Let's face it, in a real war you take out civilian infrastructure that's beneficial to the war effort, and one would have to think of areas such as telecommunications and power generation in this regard. We've all heard of hacking attempts against such infrastructure before. If it's OK to bomb it with real bombs, is it somehow a crime to launch a massive DDoS (distributed denial of service) against it? With proper congressional authorization, of course.

Where will it end?

My cynicism is breaking through, but I really don't have a problem with this, as long as it's done right. For instance, as Bruce Schneier puts it, they had better own or have rights to use the computers on which this botnet is built.

Of course, if all the systems in the botnet have .mil addresses and sit on Department of Defense-owned subnets, blocking the attacks becomes child's play (at least for a Cisco-certified child): the target null-routes a handful of well-known prefixes at its border and the flood stops. An effective military botnet has to be "forward-deployed," which in this case means scattered throughout the civilian infrastructure, and not just in the United States, so that no short list of source prefixes can be dropped without also dropping legitimate traffic. It could be possible for the military (or perhaps the CIA) to buy systems on domestic and foreign civilian ISP networks, as well as on business networks throughout the world. They would need to look innocent until the trap was sprung.
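To make the point about forward deployment concrete, here is a small added example (not from the column or from anyone it quotes) that measures how well a prefix-based ACL copes with a flood depending on how the sources are distributed. The flow records are constructed, using RFC 5737 documentation ranges to stand in for "DoD-owned" prefixes and RFC 1918 private space to stand in for dispersed civilian hosts; the ACL entries and the 95 percent coverage target are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

# Constructed flow records: (source IP, packet count). None of this is real data.
# Scenario 1: every bot sits in two "owned" prefixes (stand-ins for .mil space).
CONCENTRATED = [("192.0.2.%d" % i, 1000) for i in range(1, 51)] + \
               [("198.51.100.%d" % i, 1000) for i in range(1, 51)]
# Scenario 2: same volume, but one bot per /24 across a civilian /16
# (the "forward-deployed" case).
DISPERSED = [("10.0.%d.7" % i, 1000) for i in range(100)]
# Legitimate users who share that civilian /16 with the dispersed bots.
LEGIT = [("10.0.%d.200" % i, 50) for i in range(100)]
# The ACL a defender would write if the botnet lived on known prefixes.
DOD_ACL = ["192.0.2.0/24", "198.51.100.0/24"]


def dropped_fraction(flows, acl):
    """Fraction of packet volume in `flows` that `acl` (list of CIDR strings) drops."""
    nets = [ipaddress.ip_network(p) for p in acl]
    total = sum(pkts for _, pkts in flows)
    dropped = sum(pkts for ip, pkts in flows
                  if any(ipaddress.ip_address(ip) in n for n in nets))
    return dropped / total


def collateral_fraction(legit_flows, acl):
    """Same calculation applied to legitimate traffic: the cost of the ACL."""
    return dropped_fraction(legit_flows, acl)


def prefixes_to_cover(flows, target=0.95, prefix_len=24):
    """Greedy count of /prefix_len entries needed to drop at least `target`
    of the attack volume: aggregate per prefix, take the largest first."""
    per_prefix = Counter()
    for ip, pkts in flows:
        net = ipaddress.ip_network("%s/%d" % (ip, prefix_len), strict=False)
        per_prefix[net] += pkts
    total = sum(per_prefix.values())
    covered = 0
    for n, (_, pkts) in enumerate(per_prefix.most_common(), 1):
        covered += pkts
        if covered / total >= target:
            return n
    return len(per_prefix)


if __name__ == "__main__":
    print("concentrated: DoD ACL drops %.0f%%" % (100 * dropped_fraction(CONCENTRATED, DOD_ACL)))
    print("concentrated: /24 entries for 95%%: %d" % prefixes_to_cover(CONCENTRATED))
    print("dispersed:    DoD ACL drops %.0f%%" % (100 * dropped_fraction(DISPERSED, DOD_ACL)))
    print("dispersed:    /24 entries for 95%%: %d" % prefixes_to_cover(DISPERSED))
    print("dispersed:    one /16 entry drops %.0f%% of attack, %.0f%% of legit" % (
        100 * dropped_fraction(DISPERSED, ["10.0.0.0/16"]),
        100 * collateral_fraction(LEGIT, ["10.0.0.0/16"])))
```

Two ACL lines stop the concentrated flood outright, while the dispersed one needs 95 separate /24 entries to reach the same coverage; the only short ACL that works against it (the whole /16) also drops every legitimate user in that block, which is exactly the trade-off a forward-deployed botnet forces on the defender.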

Where will it end? I guess it will scare some institutions off the Internet and onto private lines, at least as an emergency response plan. The idea is not unlike the private phone network set up by Hezbollah in Lebanon. Private networks are expensive and cumbersome, but they're an effective defense.

This is just part of what I expect to be a cyber-warfare R&D boom. Consider that NATO recently announced the formation of a "Cooperative Cyber Defense (CCD) Centre of Excellence (COE) in Tallinn, Estonia." The choice of Estonia is somewhat symbolic, I guess, based on it being the target of the first large-scale cyber-attack against a whole country.

And the Estonian example underscores how it's not just about military infrastructure. Williamson calls for the ability to "carpet bomb" enemies' networks. That means their banks, their merchant sites, even their social networking sites.

In a real war this would all be devastating for the civilian infrastructure, but I doubt it would stop troops from moving or planes from flying or submarines from diving. Perhaps that's the best reason to follow Williamson's advice: Once deterrents are in place, launching an attack only ends up shooting you in the foot.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. For insights on security coverage around the Web, take a look at his blog, Cheap Hack.

Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there until 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
