To Get to Zero Botnets, Don’t Wait for Governments to Lead

Last week, Jason Healey and I published a report calling for a global initiative to drive botnet infections to zero. Many of our recommendations call for cooperative action by government, non-profit organizations and the private sector. But, contrary to what many assume, a public-private partnership to combat botnets doesn’t have to be initiated or led by government agencies. In fact, private companies that are the victims of botnets are likely better suited to place pressure on the actors that enable botnets to persist.

Although government holds the monopoly on placing botmasters in handcuffs, most actions necessary to both takedown botnets and clean up the ecosystem that supports them can be carried out by private actors alone. In fact, many if not most botnet takedowns have been led by private companies. Microsoft alone has pursued more than a dozen. Crowdstrike, FireEye, Lastline, Symantec, and TrendMicro have also successfully worked to disrupt botnet infrastructure.

Yet, as the data we analyzed in our report shows, sustaining efforts at botnet takedowns has proven difficult. None of the companies above are properly incentivized to make botnet takedowns a priority. Third party organizations that have coordinated takedowns have also had difficulty sustaining their efforts. Over the last decade, Europol’s European Cybercrime Center, the Internet Systems Consortium, Malware Anti-Abuse Working Group, Mariposa Working Group, National Cyber Forensics Training Alliance, and Spamhaus have all coordinated takedowns. These efforts draw on a limited pool of technical talent and strain the resources of the organizations that contribute to the effort. In short, botnet takedowns are no one’s day job. They should be.

Financial services firms, which got a wakeup call on the botnet problem when the Iranians hit them from2011 to 2013, are now getting wacked on a daily basis with botnet-enabled fraud. Machines that are part of a botnet can be used to compromise accounts, harvesting the information necessary to answer security challenge questions directly from the victims’ computers, and intercepting text messages to bypass two factor authentication.

In our view, a relatively small effort sustained over multiple years could significantly reduce botnet infections by supporting takedown activities and pressuring companies that enable their creation and operation. The financial sector alone, given the losses it continues to sustain at the hands of botnet operators, should be incentivized to fund such an effort. It could form a new organization or support one of the existing organizations listed above with experience coordinating takedown activities. Law enforcement could supplement the new organization’s efforts given its unique ability to lawfully conduct certain botnet suppression activities, and exert pressure on foreign jurisdictions where botnet operators are located.

Beyond organizing takedowns, a new anti-botnet organization can also be used to pressure device makers, website registrars, cloud computing providers, and internet service providers (ISPs) to improve cyber hygiene. In 2017, according to data from Spamhaus, Amazon hosted the second most botnet command and control infrastructure (second only to the French firm OVH). I can guarantee that it would only take the slightest amount of pressure from its largest customers to get Amazon to figure out a way to keep its on-demand computing platform from being botmasters’ preferred platform. The same would likely hold true for ISPs (though U.S. ISPs are pretty good at keeping botnets on their networks in check).

The anti-botnet organization could also pressure device makers to use best practices to prevent initial infections and make cleanup of infected devices much easier. Returning to the Amazon theme, if selling a device on Amazon required that it pass a five part test of the kind of measures advocated by iamthecavalry and other organizations, finding a device to infect would be a lot harder.

Billions are spent by the victims of DDOS attacks to filter out the attacks and expand server capacity. Banks spend billions more to detect fraud and pay back consumers who are defrauded. And billions more are eaten up by botnets in advertising fraud. Yet, almost no funding goes to support efforts to reduce botnets. We believe a small group of dedicated private sector companies could jump start efforts to collectively combat botnets for a fraction of what they spend to mitigate their ill effects. No government intervention required.