Botnet — a term derived from the words robot and network, a bot is a device infected by malware that becomes part of a network, or net, of infected devices controlled by a single attacker or attack group. The botnet malware typically looks for vulnerable devices across the internet, rather than targeting specific individuals, companies or industries. The objective of a botnet is to infect as many connected devices as possible, and to use the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices.29
Botnet takedown — successfully taking permanent control of the entirety of a botnet or otherwise rendering the botnet useless
Botnet disruption — partially impairing the operations of a botnet to diminish its impact. In recent years, given distributed communication and organization methods, it has become more difficult to fully disable a botnet (a takedown)
Botnets have been a persistent threat and problem confronting policy-makers as the internet’s ubiquity has increased. In recent years, the spectre of this threat has grown symmetrically to the exponential growth in connected devices, known as the internet of things (IoT), and the internet traffic they generate. And given the tremendous promise of IoT, policy-makers are scrambling to structure policy that promotes IoT adoption without compromising security and trust.
The key policy question related to botnets is: what degree and form of intervention is appropriate to prevent, research and disrupt botnets? In understanding how to manage the growing threat botnets pose, it is analytically helpful to divide policy into three questions across the life cycle of a botnet, from creation to disruption. At each stage of the policy discussion, the “safe harbours” provided for actors must be kept in mind. Close collaboration is necessary between the public and private sectors on this issue in particular, and good faith efforts may have unintended consequences:
1. What can be done to prevent the proliferation of botnets? The question of prevention involves two components. First, policy-makers must clarify responsibilities around remediating known, existing botnet nodes. Is there any responsibility attached to using a connected device known to be part of a botnet, and is it the user’s responsibility, the vendor’s responsibility, or is the public sector responsible for ensuring that affected devices are patched? Second, the question also applies in terms of preventing the creation of new botnet nodes. Policy-makers may undertake to allow the private sector to police itself using market incentives or regulate minimum security standards (particularly for IoT).
2. How can existing botnets be researched and studied? Who is allowed to research botnets and what techniques are they allowed to use? Methods used to study botnets (with a view to disrupting them) often require collecting personally identifiable information and reshaping network traffic. For example, researchers may direct traffic from a known botnet node to a server for analysis. The traffic from that node, in addition to containing illegitimate or malicious traffic, may very well contain legitimate queries to websites containing sensitive information. As a consequence, it is important to clearly outline who is allowed to undertake these actions, especially as these methods may disrupt legitimate traffic.
3. How should actors throughout the ecosystem undertake disrupting botnets? Similar to research into botnets, tools and techniques to disrupt botnets have the potential to negatively impact legitimate users and their day-to-day well-being. As such, it is important to outline who is allowed to disrupt a botnet and what methods they are empowered to use. Certain methods have greater potential consequences associated with them than others. Techniques that attempt to remediate individual botnet nodes (e.g. removing malware from individual nodes) rather than disrupt the traffic between nodes are inherently less likely to create further network traffic issues. On occasion, techniques to disrupt traffic between nodes result in the disruption of legitimate traffic, as well.30 Recent botnets have brigaded a number of IoT devices, including smart TVs and webcams. Attempts to disconnect these devices from the botnet may render them unusable. If the unusable IoT device is a smart refrigerator, disruption may simply be an inconvenience. In the future, if the botnet IoT device is an embedded sensor in an industrial control system, disruption may impact the power grid. As such, it will be increasingly important to undertake measures to mitigate collateral consequences from botnet disruption by understanding the nodes of a botnet more thoroughly, while respecting the privacy concerns that arise from the necessarily more complete view of node traffic.
The risks and benefits associated with policy positions on each of these questions are significant:
Attaching no liability for securing compromised devices or would-be bots is likely to result, at least in the short term, in a proliferation of new devices with less security, and in the medium to long term, given limited market incentives, many vendors will still choose to architect security as an afterthought. So far, little market evidence supports the proposition that consumers will attach monetary value to secure IoT devices.31 Put differently, there is limited evidence of a “best-of-both-worlds” scenario where market incentives promote sufficient security.
Placing liability in the hands of users is likely to result in similar outcomes as a situation of no liability. More savvy users (e.g. enterprises) and persistent consumers will resolve security issues but many will avoid or be unable to deploy security solutions.
Increasingly, regulators are exploring a combination of demands on internet service providers (ISPs) and minimum standards for IoT devices to promote security. In contrast to an environment of no liability, this arrangement is likely to slow down the development of IoT devices and impose greater costs on ISPs, but will promote greater security.
Another way to understand the risks associated with botnet policy, particularly as it pertains to IoT regulation, is from the standpoint of risk management of IoT device vendors. Vendors must balance the risks associated with business competition, regulatory overreach and reputational damage.
Policy model: Botnet disruption
Key values trade-offs created by botnet disruption policy
Case study: The internet of things, botnets and denial of service attacks
In recent years, the increasing proliferation of IoT devices has served to fuel ever-larger botnets whose network traffic can be redirected towards targets to overwhelm their ability to respond to network queries and denying legitimate users access to internet services. For example, the Mirai botnet in 2016 indirectly resulted in accessibility issues for major websites. To help craft policy to address this issue, it is helpful to understand why IoT devices are relatively vulnerable to being brigaded into botnets, and potential policy and technical solutions:32
1. Why are IoT devices relatively vulnerable? IoT devices tend to have a few attributes that make them especially vulnerable to becoming part of a botnet:
- Diversity of devices — the software ecosystem supporting IoT devices is more heterogeneous than PCs or smartphones, providing a greater exploitable threat surface.
- Limited computing resources — IoT devices are often little more than sensors connected to the internet. As such, they lack the computing power to run conventional security protocols that often consume 30% of a typical laptop’s computing resources.
- Network persistence — IoT devices are purpose-built to stay connected to the internet in almost all circumstances. This makes them equally easy for bad actors to reach and take control of over the internet.
- Passive use case — Unlike traditional computing resources (where abnormal processes deleteriously impact a user’s experience), the mainly passive use of IoT devices means that, often, few outward signs or behaviours indicate malicious action is being taken with a given device’s network traffic.
2. What are the technical and policy solutions promoting greater IoT security? Regarding the policy options to address botnets, distinguishing between different architectural approaches is helpful. In each case, the stakeholders and technical challenges are different:
- Hardening individual nodes — new technologies are emerging to secure devices with a “thin” agent (an agent that does not consume as many resources on the endpoint).
- Securing the connection between nodes and the internet — several vendors have released what is known as a “proxy”, which acts as a barrier between the nodes and the internet, filtering and monitoring traffic for abnormalities.
- Monitoring internet traffic — ISPs are increasingly using technologies to “scrub” network traffic patterns to look for telltale signs of botnets (e.g. coordinated network behaviour).
Connecting policy to values
Policy choices around preventing, researching and disrupting botnets create important trade-offs between a number of values, including economic value, privacy, security and accountability:
- Greater enablement of public- and private-sector entities (including academic researchers) in researching and disrupting botnets will likely improve security and subsequently reduce security-related damages. At the same time, greater measures to prevent botnet creation through attaching liability are likely to create short-term costs, both in terms of more expensive devices and fewer devices being adopted by users. On net, more “aggressive” policy around botnets is likely to create short-term costs that will be outweighed by the long-term benefits.
- Enabling more entities to use more invasive techniques to research and disrupt botnets will increase the private sector’s accountability. These techniques, used incorrectly, threaten the well-being of innocent bystanders and as such are associated with the greater private-sector obligation to act responsibly. Furthermore, as the private sector is more empowered to act, the continuing presence of botnet nodes will be less acceptable.
- However, the more entities are empowered to act and the more intrusive the techniques they are allowed to use, the more privacy will be diminished. The very techniques that allow researchers to determine whether nodes are acting as part of a botnet involve capturing data coming to and from those nodes that may be sensitive.