Botnets represent a major security threat to e-commerce. The effectiveness of this malicious software has gone far beyond the realm of simple annoyance and inconvenience to a major global, technical and economic challenge.
The botnet security issue has become so difficult that federal agencies and the private sector have initiated a special effort to deal with the problem. The initiative, launched May 30 by the Obama Administration, is the result of a voluntary public-private partnership between the White House Cybersecurity Office and the U.S. Departments of Commerce and Homeland Security (DHS). These federal agencies will coordinate with private industry to lead the Industry Botnet Group (IBG), a consortium of nine trade associations and nonprofit organizations.
What Are Botnets?
Botnets are formed from computers that have been compromised by malicious software and then networked as bases to from which to execute criminal activities and even espionage on behalf of remote operators. Such malware can make consumers’ private and financial information available to hackers, slow down and harm consumers’ computers, and turn consumers into unwitting disseminators of spam emails. Industry estimates suggest that one in 10 computers in the U.S. is currently infected by a botnet.
Botnet incidents increased in the first quarter of 2012, reaching nearly 5 million infections at its highest point, according to a report from McAfee. Columbia, Japan, Poland, Spain and the United States were areas with the largest botnet increase, while Indonesia, Portugal and South Korea were regions that continued to decline. The most prevalent botnet in the first quarter was Cutwail, with more than 2 million new infections.
Botnets are by no means an issue involving only amateur hackers. McAfee’s report depicts the price breakdown for botnets sold on the black market. Citadel, a Zeus variant and financial Botnet, will cost a cybercriminal US$2,399 plus $125 for “rent” of a botnet builder and administration panel, with an extra $395 for automatic updates for antivirus evasion. For Darkness, by SVAS/Noncenz, a distributed denial of service botnet, options range from $450 for a minimal package to approximately $1,000 for more advanced offerings.
“The issue of Botnets is larger than any one industry or country. This is why partnership is so important,” said White House Cybersecurity Coordinator Howard Schmidt.
“The principles the Industry Botnet Group are announcing draw on expertise from the widest range of players, with leadership coming from the across the private sector, and partnering with the government on items like education, consumer privacy and key safeguards in law enforcement,” he added.
“The severity of the bots continues to escalate. They are more sophisticated, targeting all users and businesses. They are the tactic of choice and becoming the big stealth weapon of the cybercriminal, silent but deadly. Not unlike strains of viruses, they continue to morph,” Craig Spiezle, executive director and president of the Online Trust Alliance, told the E-Commerce Times.
Commerce and DHS, along with policy support from the White House, have led to the coordination of government efforts aimed to prevent and identify botnet infection and remediate its effects on personal computers. The IBG was formed in response to a September 2011 request for information issued from Commerce and DHS to learn more about existing efforts and new areas to explore combating botnets.
Building a Botnet Killer
Components of the government-industry program include:
- IBG adoption of voluntary principles to reduce the impact of botnets in cyberspace, including coordination across sectors, respect for privacy, and sharing lessons learned. IBG has also developed a framework for shared responsibility across the botnet mitigation lifecycle from prevention to recovery that reflects the need for ongoing education efforts, innovative technologies, and a feedback loop throughout all phases.
- The Financial Services Information Sharing and Analysis Center (FS-ISAC), which cooperates closely with DHS and the Treasury Department, will develop a pilot program to share information about botnet attacks. The effort will lead to standards that can be more widely used even outside of the financial services sector.
- Several IBG members are launching a “Keep a Clean Machine” campaign, an education campaign for consumers supported by DHS, the Federal Trade Commission (FTC), the National Cybersecurity Alliance and several companies.
- The FBI and Secret Service have recently stepped up private sector information sharing, and their coordinated efforts have shut down massive criminal Botnets such as Coreflood, which compromised millions of private computers and lead to the theft of millions of dollars.
“No one entity can combat these security challenges alone,” said Liesyl Franz, vice president for cybersecurity policy at TechAmerica, representing the IBG. “Individually we can take measures to defend ourselves, and together we can do even more to protect the ecosystem.”
Malware Has Many Sources
While efforts to combat Botnets have been ongoing, the administration noted that the government-business partnership approach was a new and critical element. Additionally, the voluntary nature of the initiative underscored that some cybersecurity issues could be addressed without burdensome legislation.
“The cooperative approach to the botnet challenge is further evidence of the power of collaboration, which has already worked, including the Enduring Security Framework that we and Intel take part in with our partners from the Defense Department and DHS,” Tom Gann, vice president for government relations at McAfee, told the E-Commerce Times. “Strong collaboration, particularly when it is incented through voluntary action, can be a powerful tool for change. The Botnets Working Group has a great opportunity to show that further voluntary action can address the real challenge of criminals using botnets to commit crimes that hurt our companies, our government and our citizens,” he said.
Nonetheless it will take a major commitment for the botnet program to succeed.
“The outline of the principles is a first step and will only succeed if all stakeholders commit real resources and to make meaningful efforts. Voluntary efforts require action, not PR and public posturing,” Spiezle said. “It will fail if anyone thinks it is about education and user awareness. While these are important, alone it will not be effective. All business stakeholders have a responsibility, obligation and opportunity to protect user data, security and privacy. The fear is not legislation, but the lack of online trust and confidence,” he said.
“The multi-stakeholder process used in the Botnet approach can be applied successfully in other policy areas,” Mark MacCarthy, vice president of public policy for the Software and Information Industry Association, told the E-Commerce Times. “We expect, for example, that the administration will use it in the near future to address privacy issues. It is our view that this can be done without the need for further privacy legislation,” he said.