Time to Clean Up U.S. Cyberspace
Whitney Shepardson Senior Fellow at the Council on Foreign Relations
As the New Year begins, many of us will look back and take measure of the year that was. In the cybersecurity community, that process takes the form of annual reports that document incidents like malware infections and botnet attacks. If 2015 was anything like 2014, these reports won’t paint a pretty picture of the United States.
In its 2015 report, Symantec placed the U.S. second on its list of most bot-infected countries. The U.S. won McAfee Labs’ award for most botnet control servers, with 21 percent of the world’s total. And Akamai gave a bronze medal to the red, white, and blue for distributed denial-of-service (DDoS) attacks.
While the Obama Administration rightly continues to pound on the Chinese government for stealing U.S. intellectual property and trade secrets, its positioning at the negotiating table is harmed by the fact that the country is the origin for so many DDoS attacks and other types of low-level malicious cyber activity. Norms emerging on state responsibility for cyber attacks recognize that countries have a duty to stop attacks emanating from computers located in their territory. Right now, the U.S. is not living up to this commitment.
China, and other countries, in a disturbing trend, have built national systems to monitor and block Internet traffic, such as the Great Firewall of China. While these systems are primarily being built to censor the Internet, they also allow these countries to identify and filter out DDoS attacks. Such an approach is not in line with the American ideal of an open, interoperable, secure and reliable Internet, yet a future in which China presents a clean and orderly national network is likely.
Part of the reason that there are so many infected computers in the U.S. is the high number of computers in use throughout the country. With high bandwidth, powerful servers and big pipes to the rest of the world, it makes sense that cybercriminals look to the U.S. for the infrastructure to carry out cybercrime.
But other highly wired countries that respect freedom of expression on and off the Internet don’t have nearly as high infection rates. Finland, most notably, has been able to nearly eliminate botnets. The Finnish experience shows that solving this problem is possible without upending the free and open Internet we have all come to know and love.
In a recent Cyber Brief for the Council on Foreign Relations, I argue that the U.S. can and should clean up its chunk of cyberspace through a series of nudges to encourage businesses and consumers to clean up their systems.
In the day-to-day running of their companies and in the products they sell to consumers, Internet companies have embraced Pearson’s Law with a near religious fervor. Pearson’s Law states, in so many words: “that which is measured improves; that which is measured and reported improves exponentially.” From FitBit to Alexa, Internet companies have embraced metrics and reporting to create a continual loop of measurement and improvement. Simply notifying individuals that their computer is part of a botnet may be a significant enough nudge to get them to act.
Where notification fails, the victims of DDoS attacks and other malicious online activity should have easier and stronger recourse. While suing a botmaster in Iran, Ukraine or China isn’t likely to be effective, the owners of the systems they commandeer in the U.S. are much more likely to be responsive to legal action. While the owner of a compromised system is, in one sense, simply the first victim in a multistage crime, once they have been notified that their system is compromised and that it is being used to harm a third party, they should bear some responsibility for making the attacks stop.
For consumers, Internet Service Providers (ISPs) should take responsibility for limiting harm from computers on their networks by quarantining those computers and limiting their access to the Internet until the device has been cleaned. In today’s business environment, being knocked off the Internet is a death sentence, so for businesses quarantining should be a last resort. Instead, the victims of botnet attacks should have an easy path for legal action against companies that host machines used in the attack after they have been notified and failed to act. A similar “private right of action” helped end the scourge of fax spamming in the 1990s.
Both consumers and small businesses often need help removing malware from their computers and implementing the basic hygiene steps that can stop the vast majority of malicious software. In Japan, the Cyber Clean Center is a publicly available resource to get help cleaning up malware infections. Such a center should be established in the U.S. as a non-profit in partnership with ISPs, which know which of their customers are infected, and other industries, like the banks, which suffer the consequences of DDoS attacks. With the passage of CISA, any concerns that sharing the information necessary to make a center like this work could put participating companies in legal jeopardy should be put to bed.
Finally, the American version of the Cyber Clean Center should combine this modern, data-driven approach to problem-solving with a more time-tested approach: shaming.
With the data in hand, the center should publish reports on which ISPs and hosting providers have the most infections. By calling out which companies are the worst stewards of the Internet ecosystem, this center could create enough pressure for them to clean up their acts, and help rid the U.S. of the infamy it now shoulders as being chief among countries where bad things on the Internet come from.