What to do about Botnets?
As mentioned on our blog last week (April 25) we cosponsored a Capitol Hill briefing with Microsoft about the growing threat of botnets. (See the post for more information on what botnets are.) Senators Pryor and Bennett made opening remarks about how the Internet is increasingly integrated into society and how computer security is an ever-increasing arms race with new exploits being found, followed by security upgrades, followed by more exploits, etc. It was clear that they understood both the important role technology is playing in society and the value of good computer security. Senator Bennett made the remark that computer security experts clearly had permanent job security.
The event featured three experts to talk about different perspectives of botnets. Ed Felten from Princeton University and USACM member described how botnets form, how they are used and a few ideas for dealing with them. He noted that reliable statistics on how many computers are infected by ‘bots are difficult to find, but computer security experts speculate 5-15% of all machines are infects. This equates to a whopping world-wide total of 30 million to 100 million machines. It is clear that botmasters have ample computing resources to carry out attacks, spread spam, and engage in other illegal activities.
Phil Reitinger, Director of Microsoft’s Trustworthy Computing Department, described how the industry must constantly deal with short-term patches to address the latest threats and consumer education about the while looking toward longer-term breakthroughs that might come from basic research into computer security. He also discussed how Microsoft assists law-enforcement and noted the importance of the International Cybercrime Treaty in fighting these networks on an international basis.
Scott O’Neal from the FBI’s Computer Intrusion unit described how the agency combats these networks. Much of their work is reactive in responding to someone that has been hit with a denial-of-service attack, fraud, etc., but he talked about their growing proactive measures including trying to infiltrate botmaster networks.
So the question on the minds of Capitol Hill staff in the audience was: What can we do about this threat with public policy?
The discussion centered on a few themes: consumer education, resources, and law enforcement. On the consumer education front, industry or perhaps a government agency, like the Federal Trade Commission, can start an awareness campaign to make computer owners understand the threat of malicious software and the need to have firewalls and install patches.
The discussion around resources had two sides. First, that the federal government is providing adquate funding for law enforcement to investigate and proscute this growing threat. Second, that the government is providing enough funding for long-term, basic computer security research. During his talk, Ed Felten mentioned some of the grand challenges researchers in this field face including how to make complex software that is bug free, while building a useful flexible system that strongly resists user error. USACM’s Chair, Eugene Spafford, has discussed this issue in recent years and noted that intense competition for scarse basic computer security research funding has driven researchers from this field.
Lastly, there were a couple of ideas floated to give law enforcement officials more tools to prosecute botmasters. First, more countries should adopt the International Cybercrime Treaty. Second, Congress could increase the threshold in the Computer Fraud and Abuse Act to deal with botnets. Current law has a $5000 damage threshold for prosecuting people that unleashed worms, viruses or otherwise cause damage. The idea would be to amend the law to go after the number of computers compromised, not the level of harm caused. Ed Felten mentions this issue in his blog post on the event:
The concern is that a badguy who breaks into a large number of computers and installs bots, but hasn’t yet used the bots to do harm, might be able to escape prosecution. He could still be prosecuted if certain types of bad intent can be proved, but where that is not possible he arguably might not meet the $5000 damage threshold. The law might be changed to allow prosecution when some designated number of computers are affected.
I’d like to see more data on how big a problem the current CFAA thresholds are. How many real badguys have escaped CFAA prosecution? Of those who did, how many could be prosecuted for other, equally serious violations? With data in hand, the cost-benefit tradeoffs in amending the CFAA will be easier.
While the policy implications might not be clear now, it was a good event with a good turn-out from Congressional staff. Thanks to the Senate Science and Technology Caucus for hosting the event, Microsoft for helping pull it together and Chan Lieu of the Senate Commerce Committee for the idea of the event and getting the speakers.