January 1, 2009  

The case for military botnets stands

First, it is a joy to see discussion on military botnets. Hard thinking about cyberspace will improve our capabilities. I hoped that warriors in my sister services would say, “The heck with that. We can build a better botnet than the Air Force, and we will.” However, I am left with addressing Col. Stephen Korns’ five criticisms: shooting back, cybermaneuver, targeting information, defense in breadth and deterrence.

Shooting back. Korns avers a distributed denial-of-service (DDoS) attack was launched from a U.S. civilian ISP on the Georgian president’s Web site and that, according to my model, Georgia would have “legitimate reason for proportionate counterattack against the U.S. because hackers used a civilian computer in U.S. territory.” We need to clarify some facts.

First, it is unclear how Georgia could argue its national security was threatened — the White House Web site has suffered multiple attacks, and the U.S. has never conceived of going to war — or how Georgia’s need to pass propaganda rose to a level of national security. My model requires that if “the harm coming to … systems is low enough that a military response is not required, [the attacked country] must default to traditional responses that respect the sovereignty of other nations, just as we expect them to respect our sovereignty.”

Second, if attribution was as easy and fast as suggested, it should have been easy to have the ISP hosting the botnet controller freeze the account. Or maybe the facts are not as simple as that. If the facts justified a DDoS counterstrike because the harm was so grave, the time for effective response was so thin and other options were unavailing, then Georgia would have been entitled to strike. It is entirely possible that U.S. computers would suffer slowdowns or have to reboot because of a counterstrike. However, reciprocity is the touchstone of international relations. The rest of the world should not suffer because of a lack of individual responsibility by U.S. users or ISPs that allowed infected machines or improperly filtered traffic.

Korns asks, “How would Georgia explain to its best friends [the U.S.] that it had to shut down U.S. computers?” The better question is: How should we explain to Georgia that we allowed our territory to be used to harm them? There are “certain general and well-recognized principles, [including] … every state’s obligation not to allow its territory to be used for acts contrary to the rights of other states.” [The Corfu Channel case, International Court of Justice, 1949.]

Korns also claims “international law should encourage governments to launch proportional counterattack botnets against other countries.” While I did not claim encouragement, I did claim entitlement, and the Defense Department General Counsel’s 1999 Assessment of International Legal Issues in Information Operations (www.au.af.mil/au/awc/awcgate/dod-io-legal/dod-io-legal.pdf), at Page 19, agrees with the principle of self-help in proper cases.

Finally, I agree with Korns that the U.S. government considers various harms to computers and data to be criminal acts, but the amount of harm and availability of response options drive our decisions. We used law enforcement to respond to the bombing of our embassies in Africa. We went to war after Sept. 11. In both cases, murder was a crime. Law enforcement is the proper response to the limited harm suffered by Georgia. However, that harm may not be so slight in the future, which leads to a discussion of the practicability of cybermaneuver.

Cybermaneuver. Korns encourages the U.S. to use a form of cyber-jujitsu to maneuver its information to large servers and abandon the computers hosting the information. That sounds like a brilliant defense, and the U.S. should employ it when it can. However, will the U.S. government be able or willing to move its Web-based information quickly enough and have enough time to allow domain name servers to repopulate fast enough so the right information would be available when needed on tens of thousands of Web sites?

On the other hand, U.S. consolidation of its information to a few portals could make moving portal addresses simple, but it would also reduce the “Whack-a-Mole” targeting problem for the attackers. Is Google willing to host the .mil domain under circumstances in which the U.S. has decided that the harm is so severe that we have to abandon .mil? If the attack originates from an important commercial partner country, is Google willing to risk its emerging business interests there? Would Estonia have been able to move banking information to TSHost on the fly? We need to solve the U.S.’s problem, not Georgia’s. The U.S. has an Internet user population of 220 million people, or 72.5 percent of its population. Georgia has an Internet user population of 360,000 people, or 7.8 percent of its population. They are fundamentally different. The botnet allows a flexible, retargetable solution. Korns seems to believe we would fire off the whole network as a fixed NIPRNET resource. Perhaps he missed my recommendation to start on .mil and expand to .gov after some maturity. If it is successful, there is no reason our allies could not build similar functions. Expecting something other than a need to grow is like rejecting the World War I Spad fighter because it could not carry precision-guided bombs.

Targeting information. Korns proved that Georgia was able to maneuver some of its information. Again, it is a brilliant defensive tactic, and we should use it. However, the U.S. should not abandon the need for additional offensive capabilities. Georgia’s success with defensive maneuver says nothing about the U.S.’s ability to use a botnet offensively to affect the capability of other nations with some reasonable degree of Internet dependence. In addition, moving small Web pages is a different problem from moving large Web-based e-mail services or moving the large content of e-mail servers or file servers, without costly hot backups. We ought not to ignore the military effect of delay when delay may be all either we or an adversary needs. [U.S.-China Economic and Security Review Commission, 2008 Report to Congress, November 2008, p. 166.]

Defense in breadth. Again, this is a superb idea that the entire Internet community should immediately adopt, although its promise of “integrated, multilayer, multidimensional protection” sounds eerily similar to the current defense-in-depth approach that “integrates the capabilities of personnel, operations, and technology.” [DODD 5105.19.] However, it does not negate the reality that Georgia used a strategy that moved its Internet assets from a small fort to a big fort. Korns explains that the goal of defense in breadth is to “cause attack points to move to more manageable locations,” and that the key term is “move.” Actually, the key term is “manageable.” This is merely shifting from a flat-walled fort to a star fort. Both were ultimately defeated. It is also not clear that information mobility approaches, such as service-oriented architectures, will be trouble-free. Finally, while not addressed in my original article, the Defense Department could use a .mil botnet to help protect more than just the military portion of the Global Information Grid, should circumstances warrant. The Pentagon’s adoption of defense in breadth cannot help there.

Deterrence. Korns relies on Richard Harknett’s construct for deterrence and assesses that a military botnet comes up short. However, Harknett seems to be seeking absolute deterrence. He notes, “Nuclear deterrent threats have a degree of ‘reliability of effect’ that makes the costs associated with a nuclear response seem incontestable. Traditional conventional weapons, however, are susceptible to technical, tactical, and operational manipulation to a significant degree. The costs associated with conventional deterrent threats are generally viewed by opponents as contestable.”

If the standard is absolute deterrence, then I admit intellectual defeat. On the other hand, if the standard is the more conventional meaning — to discourage somebody from taking action — then most of the world is deterred from symmetrical attack on the U.S. because of our conventional weapons dominance. It is ironic that Korns says botnets are not worth any worry, while citing the four major organizations that are so zealously working to defeat them. We should also keep in mind delays in technical advances; the move to the next-generation Internet Protocol — from IPv4 to IPv6 — a capability most everyone wants, ought to be instructive.

Finally, saying a capability should be abandoned because it is symmetrical is like arguing that infantry should give up rifles because the other side has them, too.

In summary, the case for a military botnet stands. Instead of “either-or,” we should be looking at “and.”

Col. Charles W. Williamson III is deputy staff judge advocate at U.S. Air Forces in Europe’s military justice division. The opinions expressed here are the author’s own and do not necessarily reflect those of the Air Force or Defense Department.