What Are Practical Steps to Embrace the Messiness of Public-Private Collaboration in the Fight Against Botnets?
(The RAND Blog)

Photo by http://www.fotogestoeber.de/Getty Images

by Daniel Cunningham

August 16, 2023

Since the start of the Russia-Ukraine War, Russia has sponsored several Distributed Denial of Service (DDoS) attacks against Ukrainian targets, including various attacks against government and financial entities. Botnets, which are networks of computers infected with malware that an attacker controls and uses to carry out malicious cyber activities, can be used to launch these DDoS attacks. States and criminals have used botnets to disrupt public and private services and institutions globally—the Mirai botnet, for example, took down major internet services along the East Coast of the United States in 2016. Botnets have also been used to gather valuable intelligence, spread disinformation, and inflict substantial financial losses on businesses throughout the world.

Those who leverage botnets—so-called “botmasters”—possess many advantages over their adversaries that make botnets a constant global challenge. Attribution, or identifying perpetrators, is notoriously difficult, and both states and criminals can develop and deploy botnets with relative technical ease and at low cost. Often, botnets are geographically distributed among many states that have lax security standards. The rapid deployment of internet of things (IoT) devices, such as cellphones and other smart devices, further contributes to creating an environment conducive to the ever-greater proliferation of botnets. The many advantages of botnets suggest we will likely see their increased use in the Russia-Ukraine War, as well as in future conflicts.

Artificial intelligence may make the risk of botnets even more acute. For example, AI can augment a botmaster's ability to infect vulnerable machines more efficiently and effectively. It can do this by creating better malware, as malware installation for botnets is often triggered by embedding or attaching infected code to spam email, compromised URLs, file sharing sites, and social media, to name a few. The development of more-sophisticated, AI-powered malware that is highly evasive and ever-more precise at targeting victims—much like IBM's “DeepLocker” class of malware—could put defenses farther behind. While it is unclear if such malware is “in the wild” at present, other automated approaches to botnet infection already exist, suggesting that the United States and its partners should not ignore such technologies, and ought to continue investing in technical defenses and responses (i.e., detection and mitigation).


There is also a nontechnical element that stands out in the fight against botnets: collaborative organizational networks. As indicated by extant policy and assessments, the entities that comprise the “counter botnet ecosystem”—including governments and private entities within industry and academia—must collaborate efficiently and effectively to address botnet threats. While federal agencies maintain formal roles and responsibilities to counter botnets, as well as other cyber threats, they often rely on organizational networks that include local and state governments, private entities, and international partners to implement and coordinate prevention through education and awareness, engage in detection and mitigation issues such as sharing best practices and technology, and support law enforcement activities. The Conficker Working Group is a commonly referenced example of a public-private collaborative network combating botnets. Another more-recent example is the disruption of the Russian-sponsored “Cyclops Blink” botnet. The United States and its partners must continue to foster and manage such networks; however, little practical guidance exists about how organizations within this ecosystem can better work together to fight this persistent threat.

Both governmental agencies and private industry should invest more time and resources into developing a systematic understanding of their own networks. At a minimum, this approach should include establishing organizational policies and allocating resources toward regularly capturing data about botnet-related interactions with other organizations, such as the development of formal information-sharing agreements, and participation in conferences and working groups. Moreover, agencies and industry must embrace both the complexity, or messiness, and the dynamism of the counter botnet ecosystem.

Public and private entities should collect and analyze, using link and social network analysis (SNA), data about their own networks. One reason is that network data, especially when easily accessible and visualized effectively, can help decisionmakers obtain situational awareness of their networks. This approach can inform planning and coordinating both proactive and reactive activities against botnets. Specifically, such an approach can go beyond just supporting investigations and responses at national and field levels; it can help inform efforts to create new opportunities for collaboration, foster data and information sharing where limited, enhance feedback mechanisms through formalizing collaboration strategies, and empower public-private intermediaries and brokers.

Another reason to collect network data is to promote broader institutional knowledge related to botnets and efforts to counter them. This point is especially important for the federal government, which faces challenges with recruitment and retention of cyber professionals, and often relies heavily on private entities for relevant skill sets, both of which can obfuscate decisionmakers' situational awareness. Collecting and storing network data within ethical and legal boundaries can help preserve institutional knowledge, while also potentially preserving the social capital that would otherwise leave with departing employees.

But capturing and analyzing network data alone is not enough. In practice, network data often reflect systems at snapshots in time. One way to address this would be for organizations to maintain a broader, more-dynamic view of their ecosystem by drawing from the field of complex adaptive systems (CAS). While no single definition of CAS exists, they are often described as highly interconnected systems in which higher-level patterns or behaviors emerge from interactions among adaptive components (e.g., organizations) rather than from centralized control. In other words, CAS self-organize.


The counter botnet ecosystem exhibits several of these same characteristics. It consists of many interconnected public and private organizations that generally operate in their own interests, without a system-wide centralized “controller”—though there might be a leading agency depending on the type of botnet attack, and its implications for national security. These entities within the counter botnet ecosystem act and react to one another, as well as to botnet threats and other contextual factors like new cyber threats, or changes in laws and norms.

Decisionmakers, especially within leading government agencies, could incorporate a CAS perspective into their planning meetings, workshops, and assessments of their own networks and the larger counter botnet ecosystem. Specifically, they can assess if their organization and immediate network, as well as the overall ecosystem, are adaptable and resilient enough to respond to botnet activities. For instance, is the federal government too reliant on a single entity or a few organizations that specialize in key skills and technologies such as employing AI/ML to detect botnets? Are they too dependent on entities that maintain key connections that enable global counter botnet activities? Are local governments and organizations within key tech sectors adaptable enough to support counter botnet activities? What are the implications of any such vulnerabilities for coordinating proactive and reactive responses if states like Russia, Iran, and China increasingly turn to botnets, including AI-enabled ones, in current and future conflicts? Armed with this perspective and network data, the counter botnet ecosystem will be better positioned to address the threats posed by state and nonstate actors that might leverage botnets during future conflicts.
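The two analytic questions raised above and in the earlier discussion of link and social network analysis (SNA)—who the public-private brokers are, and whether the ecosystem is too reliant on a single organization—can be answered directly from captured interaction data. The following is an added illustration written for this page, not RAND's or the author's code and not drawn from any real counter-botnet network: the organization names and ties are constructed placeholders, and it uses only the Python standard library. It builds an undirected collaboration graph from recorded ties, then computes degree (how many partners each organization has), betweenness (how often an organization sits on the shortest path between two others, a standard SNA proxy for brokerage), and articulation points (organizations whose departure would split the network into disconnected pieces, i.e., single points of failure).

```python
"""SNA over a constructed counter-botnet collaboration network (added example).

Organizations and ties below are made up for illustration; in practice they
would come from captured records of information-sharing agreements, working
groups, and joint responses, as the commentary recommends.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed sample: each tuple is one documented working relationship.
SAMPLE_TIES: List[Tuple[str, str]] = [
    ("LeadAgency", "ISP-A"),
    ("LeadAgency", "ISP-B"),
    ("LeadAgency", "VendorX"),
    ("LeadAgency", "UniversityLab"),
    ("ISP-A", "ISP-B"),
    ("ISP-A", "StateGov"),
    ("ISP-B", "UniversityLab"),
    ("UniversityLab", "VendorX"),
    ("VendorX", "ForeignCERT"),      # VendorX is the only link to partners abroad
    ("ForeignCERT", "Registrar"),
]


def build_graph(ties: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected adjacency sets; a tie listed once counts in both directions."""
    graph: Dict[str, Set[str]] = {}
    for a, b in ties:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def degree_centrality(graph: Dict[str, Set[str]]) -> Dict[str, int]:
    """Number of distinct partners per organization."""
    return {n: len(nbrs) for n, nbrs in graph.items()}


def betweenness_centrality(graph: Dict[str, Set[str]]) -> Dict[str, float]:
    """Brandes' algorithm for unweighted graphs; halved because ties are undirected."""
    bc = {n: 0.0 for n in graph}
    for s in graph:
        stack: List[str] = []
        preds: Dict[str, List[str]] = {n: [] for n in graph}
        sigma = {n: 0 for n in graph}   # number of shortest paths from s
        dist = {n: -1 for n in graph}   # BFS distance from s
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:  # BFS from s, recording shortest-path predecessors
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {n: 0.0 for n in graph}
        while stack:  # accumulate dependencies in reverse BFS order
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {n: v / 2.0 for n, v in bc.items()}


def articulation_points(graph: Dict[str, Set[str]]) -> Set[str]:
    """Tarjan's DFS: organizations whose removal disconnects the network."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    cut: Set[str] = set()
    counter = [0]

    def dfs(v: str, parent) -> None:
        index[v] = low[v] = counter[0]
        counter[0] += 1
        children = 0
        for w in graph[v]:
            if w == parent:
                continue
            if w not in index:
                children += 1
                dfs(w, v)
                low[v] = min(low[v], low[w])
                if parent is not None and low[w] >= index[v]:
                    cut.add(v)
            else:
                low[v] = min(low[v], index[w])
        if parent is None and children > 1:  # DFS root is a cut vertex iff >1 subtree
            cut.add(v)

    for v in graph:
        if v not in index:
            dfs(v, None)
    return cut


def assess(ties: List[Tuple[str, str]], top_n: int = 3) -> Dict[str, object]:
    """Summarize brokers and single points of failure for decisionmakers."""
    graph = build_graph(ties)
    bc = betweenness_centrality(graph)
    brokers = sorted(bc, key=bc.get, reverse=True)[:top_n]
    return {
        "degree": degree_centrality(graph),
        "betweenness": bc,
        "brokers": brokers,
        "single_points_of_failure": sorted(articulation_points(graph)),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_TIES)
    print("Top brokers:", result["brokers"])
    print("Single points of failure:", result["single_points_of_failure"])
```

In the constructed sample, VendorX is both the top broker and a single point of failure because it is the only path to the foreign CERT and registrar; that is the kind of over-reliance the questions above are meant to surface. Re-running the assessment on each new snapshot of tie data, rather than once, is what turns this into the dynamic view the CAS perspective calls for.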

Daniel Cunningham is an information scientist at the nonprofit, nonpartisan RAND Corporation, where his research focuses on data science and the application of social network research to irregular warfare, social media, and competitive contexts.

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.