Dealing with the DDoS botnet threat raises serious policy questions

Credit: Titima Ongkantong

Five Russian banks have been battered by DDoS attacks, with a Mirai botnet being blamed for the incident. The state of IoT security (or collective lack thereof) seems on track to provoke national responses to the sorry state of affairs, but how will an emerging industry avoid having the margins legislated out of it by governments sick of rolling outages?

Allegations from the US typically point the finger at China and Russia when it comes to state-sponsored cyber attacks. However, when it comes to private-sector cyber crime, there are occasions when the international community puts aside its differences and comes together to smash botnets.

However, we seem on the cusp of reaching a point where the number of insecure end-nodes on the network will grow at a pace that can’t be matched by government security agencies inside the current legal paradigm. Imagine a world where states gain control of Mirai-scale botnets and use them freely on each other.

Consequently, each state will have a global interest in ensuring that these botnets can’t grow to the point where they pose national or global threats. It’s one thing to have poor connections to Twitter for an afternoon, but quite another if a botnet is being used to take down national critical infrastructure with a DDoS attack – either as a beach-head before an invasion, or an erosion to inspire civil unrest.

In a sense, the IoT is comparable to Mutually Assured Destruction (MAD), although certainly quite a few rungs further down the potential-Armageddon ladder than thermonuclear warheads. But worryingly, on the current road that the IoT seems to be collectively heading down, it seems that bored script-kiddies are soon going to be able to enact pretty severe attacks on national infrastructure simply for the buzz – and if a state were to put any real effort into it, the potential for civil collapse is quite prevalent.

Allow me to adjust my tinfoil hat for a moment and point out that in the post-Snowden world, it’s abundantly clear that national defense and military bodies are developing powerful attack tools and methods that could be used to attack or retaliate.

So should states be reactive or proactive in their dealings with these rogue devices? We covered a nematode anti-worm last week, which could potentially fix the Mirai problem if it was unleashed. The main problem is that it would break all sorts of digital security laws – but do those laws need to be changed in order to let the white-hats deal with these problems?

If not, does that mean that there will be a shadow war for your connected smart home devices, with agencies looking to surreptitiously hijack them for later use in potential attacks? How do private groups who offer DDoS-aaS for bitcoin fit into the equation? Do we end up with the IoT equivalent of the SALT treaties?

Ultimately, the IoT devices are so potentially lethal because they are insecure, but the global internet infrastructure should also take a considerable portion of the blame, given that DNS servers are so vital to operations but are apparently quite simple to kill remotely.

So would states begin to legislate, potentially on a global scale, to redesign the internet to make it more resilient to these inevitable attacks? That sounds like an enormous task, but those in the know can see the potential disruption that insecure connected devices pose to global citizens.

Many disapprove of China’s Great Firewall, citing human rights and government censorship concerns, but does such a closed network become a necessity in the post-Mirai world?

Perhaps the nations move to create legal standards and certification processes for devices sold within their borders – something like NIST’s early project? Again, that’s a monumental effort but is it something that the world will realize is required? Or are we sleep-walking into a world of internet chaos and rolling outages?

Written by Alex Davies | First published at ReTHINK IoT
