Highlights
– US Air Force discusses plans to construct a US military-controlled botnet
– Military botnet faces a number of hurdles
– Air Force will continue to develop offensive cyber warfare capability
In the May 2008 edition of the Armed Forces Journal, Colonel Charles W. Williamson III advocates the construction of a United States (US) military botnet “that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.”
Building a Deterrent
Williamson’s chief rationale for the construction of a military botnet is that “America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.” The need for this deterrent capability in cyberspace has been heightened by last year’s distributed denial of service (DDoS) attacks against Estonia (Previous Report), as well as by the general belief that the Chinese government can leverage a robust cyber militia capable of both DDoS attacks and stealthy cyber espionage campaigns.
While the US military certainly needs some type of strategy to protect its networks from DDoS and cyber espionage attacks, it is unclear whether Williamson’s proposed botnet will provide adequate security from these threats. In particular, there are at least two major hurdles that a US military botnet will need to overcome in order to achieve its stated goal of providing a deterrent capability in cyberspace.
The Problem of Attribution
The most significant hurdle to overcome is the problem of attribution. As Colonel Williamson points out, “a smart enemy will use ‘IP spoofing’ by crafting his own DDOS attack packets to appear to come from somewhere other than the Internet Protocol (IP) address of the real node launching the attack.” Although Colonel Williamson correctly points out that it is possible to overcome these technical obfuscations and identify the source of an attack with other sources of intelligence, the problem of attribution isn’t necessarily limited to identifying the correct source IP address.
The example of the 2007 DDoS attacks in Estonia illustrates the difficulty of attribution. While many analysts suspected that the Kremlin was at least partly responsible for organizing the attacks, it was later reported by the media that a 20-year-old ethnic Russian resident of Tallinn, Estonia was in large part responsible for organizing the DDoS attacks. In this case, should the 20-year-old Russian be the subject of a DDoS counterattack? If so, would a lone young adult be deterred by the threat of a DDoS counterattack?
Further, in the case of China it is suspected that the Chinese government exercises only very loose control over the various hacking groups resident within the country. For example, if a future attack originates from China’s cyber militia, should the US military counterattack the Chinese government or the individual Chinese hacking groups responsible for carrying out the actual attacks?
The Problem of Collateral Damage
Additionally, an attack by a US military botnet will undoubtedly cause collateral damage across the public Internet and may well negatively impact other networks owned by US companies and used by US citizens. Assuming the US military is able to accurately attribute the source of a cyber attack and it decides to eliminate the source with a DDoS attack from its own botnet, the US military’s DDoS must traverse any number of other public networks in order to reach the target of its attack. As such, a military DDoS may also knock out other networks including networks in the US.
Finally, in order to effectively attack a target, a US military botnet must be able to effectively obfuscate its point of origin. In other words, if the military controlled all its bots from within its own .mil network, the targets of a US military DDoS could simply filter out all packets from this network and continue operating without disruption. As a result, in order to build an effective botnet the military would likely need to embed its bots within the public Internet, further increasing the likelihood that US military DDoS attacks would damage the public Internet.
Outlook
Whether or not the US Air Force commissions the construction of a military botnet, it appears likely the US military, via the newly created Cyber Command, will continue to develop an offensive cyber warfare capability in an effort to dominate the cyber domain.