Weapons of Mass Denial

A U.S. military botnet is a disturbing concept, but next to cluster bombs and cruise missiles it's War Lite.

I don't usually get my column ideas out of The Armed Forces Journal, but a recent article there has been getting attention in the computer security community.

In it, Col. Charles W. Williamson III proposes that "...America needs a network that can project power by building an af.mil robot network [botnet] that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack." Wow, them's fighting words.

After I recently wrote about apparent Chinese hacker-espionage against U.S. military targets on the Internet, I was surprised that any critical infrastructure would even be accessible via the Internet, no matter how well-protected. I guess the military needs to be connected, and it's never been clear exactly what was attacked. Perhaps nothing like command and control is accessible, but the home office of an important defense consultant may be.

The point is that there are targets accessible, the denial of which would disadvantage the enemy greatly. Williamson (Charlie, according to his bio) seems more interested in deterrence than actual attacks, and deterrence does have a history of success in the defense field. We want the enemy to know that we are capable of crippling whatever it is we can cripple. In fact, we want them to think we can do even more, but credibility is the key part.

And it's not just about military infrastructure in the strict sense. Let's face it, in a real war you take out civilian infrastructure that's beneficial to the war effort, and one would have to think of areas such as telecommunications and power generation in this regard. We've all heard of hacking attempts against such infrastructure before. If it's OK to bomb it with real bombs, is it somehow a crime to launch a massive DDoS (distributed denial of service) against it? With proper congressional authorization, of course.

Where will it end?

My cynicism is breaking through, but I really don't have a problem with this, as long as it's done right. For instance, as Bruce Schneier puts it, they had better own or have rights to use the computers on which this botnet is built.

Of course, if all the systems in the botnet have .mil addresses and sit on Department of Defense-owned subnets, blocking the attacks becomes child's play (at least for a Cisco-certified child): the target, or its upstream provider, simply drops traffic from a handful of well-known prefixes. An effective military botnet has to be "forward-deployed," which in this case means spread throughout the civilian infrastructure, and not just in the United States. It would be possible for the military (or perhaps the CIA) to buy systems on domestic and foreign civilian ISP networks, as well as on business networks throughout the world. They would need to look innocent until the trap was sprung.
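To make that point concrete, here is an added example of my own, not code from the column or from any af.mil project. It simulates the defender's first move against a flood: aggregate the attacking source addresses into covering prefixes and count how many deny entries are needed to shut out most of the traffic. The two botnets are constructed from private 10.0.0.0/8 space (no real networks), and the /16 aggregation and 95 percent coverage target are arbitrary choices for illustration.

```python
import ipaddress
import random
from collections import Counter


def constructed_botnet(rng, hosts, prefixes):
    """Constructed sample data: pick `hosts` bot addresses at random from the
    given /16 prefixes. Private 10.x space is used so nothing here is real."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(rng.choice(nets)[rng.randrange(1, 65535)]) for _ in range(hosts)]


def aggregate_sources(sources, prefixlen=16):
    """Count attack sources per covering prefix of the given length, the way a
    defender summarizes a flow log before writing router ACLs."""
    counts = Counter()
    for src in sources:
        counts[ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)] += 1
    return counts


def acl_entries_for_coverage(sources, target=0.95, prefixlen=16):
    """Greedily add the busiest prefixes to a deny list until at least `target`
    of the attack sources are covered. Returns (deny prefixes, fraction covered)."""
    counts = aggregate_sources(sources, prefixlen)
    total = sum(counts.values())
    acl, covered = [], 0
    for net, n in counts.most_common():
        acl.append(net)
        covered += n
        if covered / total >= target:
            break
    return acl, covered / total


def is_blocked(acl, src):
    """Would a packet from this source be dropped by the deny list?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


if __name__ == "__main__":
    rng = random.Random(7)
    # Case 1: every bot sits inside one announced block (the ".mil subnet" case).
    concentrated = constructed_botnet(rng, 2000, ["10.42.0.0/16"])
    acl, frac = acl_entries_for_coverage(concentrated)
    print(f"concentrated botnet: {len(acl)} deny entries cover {frac:.0%} of sources")
    # Case 2: bots spread across 200 unrelated networks (the "forward-deployed" case).
    dispersed = constructed_botnet(rng, 2000, [f"10.{i}.0.0/16" for i in range(200)])
    acl, frac = acl_entries_for_coverage(dispersed)
    print(f"dispersed botnet: {len(acl)} deny entries cover {frac:.0%} of sources")
```

The concentrated case collapses to a single deny entry; the dispersed case needs a deny list nearly as long as the list of networks the bots live on, and each of those entries also blocks the legitimate users who share that ISP prefix, which is exactly why a defender cannot cheaply filter a botnet seeded across civilian networks. Real mitigation is messier than this (spoofed sources, upstream cooperation, scrubbing services), but the aggregation step is the same.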

Where will it end? I guess it will scare some institutions off the Internet and onto private lines, at least as an emergency response plan. The idea is not unlike the private phone network set up by Hezbollah in Lebanon. Private networks are expensive and cumbersome, but they're an effective defense.

This is just part of what I expect to be a cyber-warfare R&D boom. Consider that NATO recently announced the formation of a "Cooperative Cyber Defense (CCD) Centre of Excellence (COE) in Tallinn, Estonia." The choice of Estonia is somewhat symbolic, I guess, based on it being the target of the first large-scale cyber-attack against a whole country.

And the Estonian example underscores how it's not just about military infrastructure. Williamson calls for the ability to "carpet bomb" enemies' networks. That means their banks, their merchant sites, even their social networking sites.

In a real war this would all be devastating for the civilian infrastructure, but I doubt it would stop troops from moving or planes from flying or submarines from diving. Perhaps that's the best reason to follow Williamson's advice: Once deterrents are in place, launching an attack only ends up shooting you in the foot.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. For insights on security coverage around the Web, take a look at his blog, Cheap Hack.