Botnets are the bane of the internet. Criminals use these groups of computers infected with malicious software to propagate spam, send phishing emails, guess passwords, impersonate users, and break encryption. Their most pernicious use, however, is to carry out distributed denial of service (DDoS) attacks. DDoS attacks harness the power of the individual computers that make up the botnet to send internet traffic to a target, thereby blocking legitimate traffic. As much as 30 percent of all internet traffic may be attributable to botnets, and most of that traffic is from DDoS attacks.
Most DDoS attacks are criminal in nature, often used by companies to take down their competitors’ websites or servers; however, China, Russia, and Iran have all harnessed botnets for geopolitical purposes. A motivated nation-state actor could easily harness millions of systems to shut down countries’ domestic networks or target core internet infrastructure and shut the internet down globally. For foreign governments, there are certainly scenarios where they might judge such actions to be to their advantage.
Cybercrime today may cost the global economy $600 billion per year, with much of that loss tied to botnets, and those losses are only set to grow. About sixteen billion devices are connected to the internet today, and both that number and the number of vulnerable and infected devices are expected to double in the next five years. Even if only the tiniest fraction of these devices is infected with botnets, malicious actors will have enormous disruptive potential at their disposal. Thus an ambitious goal of zero botnets is necessary.
To achieve that goal, information security experts first need to do a better job of measuring current botnet activity and set incremental goals for reductions. Nations and international institutions should then work to establish the principle that states are responsible for the harm that botnets based within their borders cause to others. When governments are unable or unwilling to be responsible, other states may be justified in taking action, in or out of the cyber domain, to thwart cross-border effects. Similarly, at the internet service provider (ISP) level, good stewards of online spaces need to hold other ISPs accountable for the bad traffic leaving their networks. The makers of devices that are vulnerable to becoming parts of botnets need to be incentivized to secure their devices, and the resellers of those devices should use their leverage to hold them accountable. Hosting providers, name registrars, and other components of the internet ecosystem that are used by botnets should be pressured to police themselves and prevent their services from being used for criminal purposes. Finally, when these measures fail to suppress the growth of botnets, an ongoing international effort to take down botnets is necessary.
