NEWS FROM THE LAB - Tuesday, May 13, 2008

US Air Force Colonel Proposes Skynet Posted by Sean @ 12:27 GMT

This month's issue of Armed Forces Journal features an article by Col. Charles W. Williamson III titled:

Carpet bombing in cyberspaceWhy America needs a military botnet

It's a provocative essay… that fails to convince us of the need for an AF.MIL botnet.

Quoting the colonel:

"The U.S. would not, and need not, infect unwitting computers as zombies. We can build enough power over time from our own resources."

In that case the AF.MIL botnet might be missing a key element of success. Criminal botmasters don't use their own resources. Criminals steal resources from geographically diverse locations. Their crimes are international and they can be exceedingly difficult to trace back to their origins. They often avoid resources in their own countries so as to avoid local law enforcement action.

"The truly difficult problems come in defending against attack from devices adversaries have captured from U.S. or allies' civilians."

This isn't just difficult — this is likely to be the main problem that any credible cyber-threat would present. Using the criminal's model of success, an enemy nation-state will just infect resources belonging to others. And in that case an AF.MIL solution would be fuel for the fire by cannibalizing its own and/or other nation's networks without counterattacking the true source of the threat.

In his essay, Col. Williamson uses a fortress analogy. He suggests that the military age of the fortress is over because air power can travel over fortress walls. Military forces respond to such threats by attacking the enemy's airfields from which the attacks are launched. So to extrapolate, AF.MIL botnet would attack the locations from which DDoS attacks are being launched.

However, Col. Williamson seems to have overlooked something from his own essay:

"Homer's epic poems describe how fortified Troy held out against the united Greek armies for 10 years until Troy finally fell when it foolishly brought the threat inside its own walls by falling for the enemy's masquerade in the form of a giant wooden horse."

Trojans are precisely the point. Social engineering, exploits, and trojans are used to create the enemy within. The enemy's launch point will be from within the fortress walls.

It's quite possible that any threat big enough to warrant the use of an AF.MIL botnet would largely come from within the borders of the United States.

Let's take AKILL for example. Owen Thor Walker, an 18 year old bot herder from New Zealand was arrested as a result of last year's Bot Roast II. He controlled a network of one million computers. A failed botnet update resulted in a DDoS on the University of Pennsylvania. The failure led to the arrest of a partner and then Walker himself.

Now let's suppose that instead of Walker being some Kiwi kid interested in making lots of money, that he was an enemy of the state bent on attacking the USA. Do you think his arsenal was located in New Zealand? It wasn't. So what's the military target? UPenn?

"[A smart enemy] could even craft his packets to make it appear the attack was coming from inside U.S. military networks so that if we merely captured the apparent source IP address and used that to aim the attack we would fire our botnet at our own computers."

A smart enemy might not need to spoof US military networks. A herder known as SoBe, whose real name is unknown since he is a juvenile, pleaded guilty in February for helping to herd more than 400 thousand computers along with Resjames. He also admitted to damaging US military computers.

If SoBe can infect the military, a "smart enemy" will do so as well in an attempt to win the cyber-battle before it's even fought.

"The best defense is a good offense" may not apply very well to cyber-threats if you're really planning to play by the rule of law.

What do you think? Does America need a military botnet?

Comments are welcomed.

AF.MIL Botnet Poll Results