A U.S. military botnet is a disturbing concept, but next to cluster bombs and cruise missiles it's War Lite.
I don't usually get my column ideas out of The Armed Forces Journal, but a
recent article there has been getting attention in the computer security
community. In it, Col. Charles W. Williamson III proposes
needs a network that can project power by building an af.mil robot network
[botnet] that can direct such massive amounts of traffic to target computers
that they can no longer communicate and become no more useful to our
adversaries than hunks of metal and plastic. America needs the ability to
carpet bomb in cyberspace to create the deterrent we lack." Wow, them's
fighting words.
After I recently wrote about apparent
Chinese hacker-espionage against U.S. military targets on the Internet,
was surprised that any critical infrastructure would even be accessible via the
Internet, no matter how well-protected. I guess the military needs to be
connected, and it's never been clear exactly what was attacked. Perhaps nothing
like command and control is accessible, but the home office of an important
defense consultant may be.
The point is that there are targets accessible, the denial of which would
disadvantage the enemy greatly. Williamson (Charlie, according to his bio)
seems more interested in deterrence than actual attacks, and deterrence does
have a history of success in the defense field. We want the enemy to know that
we are capable of crippling whatever it is we can cripple. In fact, we want
them to think we can do even more, but credibility is the key part.
And it's not just about military infrastructure in the strict sense. Let's
face it, in a real war you take out civilian infrastructure that's beneficial
to the war effort, and one would have to think of areas such as telecommunications
and power generation in this regard. We've all heard of hacking attempts
against such infrastructure before. If it's OK to bomb it with real bombs, is
it somehow a crime to launch a massive DDoS (distributed denial of service)
against it? With proper congressional authorization, of course.
My cynicism is breaking through, but I really don't have a problem with
this, as long as it's done right. For instance, as Bruce Schneier puts it,
they had better own or have rights to use the computers on which this botnet
is built.
Of course, if all the systems in the botnet have .mil addresses and are on Department
of Defense-owned subnets, blocking the attacks will become child's play (at
least for a Cisco-certified child). An effective military botnet has to be
"forward-deployed," which in this case means throughout the civilian
infrastructure, and not just in the United States. It could be possible for
the military (or perhaps the CIA) to buy systems on domestic and foreign
civilian ISP networks, as well as business networks
throughout the world. They would need to look innocent until the trap was
Where will it end? I guess it will scare some institutions off the Internet and
onto private lines, at least as an emergency response plan. The idea is not
private phone network set up by Hezbollah in Lebanon.
Private networks are expensive and cumbersome, but they're an effective
defense.
This is just part of what I expect to be a cyber-warfare R&D boom.
Consider that NATO
the formation of a "Cooperative Cyber Defense (CCD) Centre of Excellence
(COE) in Tallinn, Estonia." The choice of Estonia is somewhat symbolic, I
guess, based on it being the target of the first large-scale cyber-attack
against a whole country.
And the Estonian example underscores how it's not just about military
infrastructure. Williamson calls for the ability to "carpet bomb" enemies'
networks. That means their banks, their merchant sites, even their social
In a real war this would all be devastating for the civilian infrastructure,
but I doubt it would stop troops from moving or planes from flying or
submarines from diving. Perhaps that's the best reason to follow Williamson's
advice: Once deterrents are in place, launching an attack only ends up shooting
you in the foot.
Security Center Editor Larry Seltzer has
worked in and written about the computer industry since 1983. For insights on
security coverage around the Web, take a look at his blog, Cheap Hack.