The U.S. government’s effort to persuade other countries to adopt norms of responsibility for cyberspace faces a significant obstacle: computers located in the United States host much of the malicious software used to carry out cyberattacks. Botnets—groups of compromised computers under the control of a malicious actor—are regularly used to distribute spam, spy, break passwords, harvest credentials, and engage in distributed denial-of-service (DDoS) attacks. When botnets located in the United States attack computers in other countries, the victims could view the United States as either being behind the attacks or being an accomplice in violation of the norms the United States is pressuring other countries to uphold.
Other countries have nearly eliminated botnets operating under their jurisdiction, but the U.S. government has not aggressively pursued the issue, and U.S. Internet service providers (ISPs) have chosen mostly to ignore this type of malicious traffic when it emanates from their customers. Rob outlines why this is the case and what the U.S. government and U.S. private sector can do about it.
You can find the full brief here.