For as many times as we have heard that e-commerce is at risk due to the actions of sophisticated cyber-criminals, it is astounding how little has been done to protect against wholesale attacks against users and, more importantly, against the major retailers who are more and more dependent upon commercial trade over the Internet. It is this very dependency that accounts for the high value of so-called asymmetric attacks, and today’s nemesis in this regard is the botnet, ad hoc confederations of unsuspecting users’ computers that have been coopted by cybercriminals through the use of malicious software.
The Hoover Institution recently published a call-to-arms about botnets, provocatively declaring that botnets should be called “electronic weapons of mass destruction”, given the fact that critical infrastructure can be easily put at risk by botnet operators. And this point is driven home in the fact that major power and telecommunications utilities are already highly interconnected with the public Internet, thus allowing for the asymmetric leveraging of tens or hundreds of thousands of mundane home computers — via the illicit introduction of malware — into attacks on such things as SCADA (supervisory control and data acquisition) elements that manage critical infrastructure.
As a case study, the article’s authors explore the case of the April 2007 cyberattack against Estonia, both in terms of what was put at risk as well as how the world should respond to such cases. Although we still find it a stretch to make the parallels with military conflicts too concrete, the point is well taken that such forms of asymmetric warfare put the advantage in the corner of the attacker, whether that attacker is a sophisticated nation-state or a ring of profiteering cyber-criminals. Both of these groups are abetted by the same lack of security on the Internet.
Although the article is long on observation and short on prescription (aside from advocating a very active form of defence), it is a very well-reasoned summary overview of the threats that exist today on the Internet. In short, it explains why we need a call-to-arms and what might happen if we don’t heed the warning.
The article entitled eWMDs: the botnet peril by John J. Kelly and Lauri Almann appears in Policy Review, No. 152, Dec. 2008/Jan. 2009 by The Hoover Institution.