Countries should seek to eliminate - not just manage - Botnets and Cybercrime, says new CFR report

Although there have been some high-profile, successful takedowns of botnets, efforts to date have been disjointed, focusing separately on internet service provider (ISP) notifications to owners of infected systems or law enforcement efforts to arrest those behind the attacks.
photo: We Live Security/ USGOV

(CFR) November 20, 2018 - “With billions of new devices set to join the internet in the next decade, now is the time to put in place an international regime that works to keep vulnerable devices off the internet,” write Jason Healey and Robert K. Knake in the Council Special Report, Zero Botnets: Building a Global Effort to Clean Up the Internet Environment. Healey and Knake propose a goal of zero botnets to galvanize global policy action.

 Botnets—groups of devices and computers infected with malware—provide criminal and state actors with the power to launch phishing attacks, break encryption, stifle free speech, and even bring down entire networks. As the number of unsecured devices grows, so too will the disruptive potential of these botnets and their operators.

While some hold that botnets are simply part of an open global internet and a problem to be managed, Healey, senior research scholar at Columbia University’s School of International and Public Affairs, and Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations, argue that just managing the problem is not enough—eliminating botnets altogether should be the aim.

Although there have been some high-profile, successful takedowns of botnets, efforts to date have been disjointed, focusing separately on internet service provider (ISP) notifications to owners of infected systems or law enforcement efforts to arrest those behind the attacks. In Zero Botnets, the authors examine what has allowed botnets to flourish and argue for a coordinated, international effort to “drive down botnet infection rates, increase the costs to malicious actors to operate them, and deny them value for doing so.”

The authors provide policy recommendations for countries, ISPs, and device manufacturers that include:

• Setting global goals for botnet elimination and measuring states against those goals, starting with an agreement “to target the achievement of zero botnets by major ISPs.”

• Establishing the principle of state responsibility for the harms caused by botnets. States “should be held liable by the international system” for any harm caused as a result of not proactively working to respond to botnets

• Creating an independent international organization to coordinate botnet takedowns, ensuring that multiple states can execute a rapid response to a botnet attack.

• Developing incentives for ISPs to clean up network. “ISPs as a community could self-police,” and impose penalties like fees until they are able to bring the number of botnets down below a set threshold. 

•  Setting standards to keep devices from being easily compromised, such as following best practices to make sure devices are secure and providing unique passwords for each device. 

 “The threat from botnets to the health of the internet and the modern, digital economy that relies on it only continues to grow,” contend Healey and Knake. “Absent sustained, organized efforts to combat [them], botnets and the malicious actors that control them will take an ever-increasing chunk of the value created by the internet and the systems connected to it.”