Colonel suggests using hackers’ tool against them
By Jordan Robertson
SAN JOSE, Calif. — Hackers often harness the combined power of thousands of virus-infected personal computers to pump out spam e-mail or disable targeted servers by overwhelming them with Internet traffic.
Now an Air Force colonel is suggesting the U.S. military build its own "botnet," or network of remotely controlled computers, to be ready to attack the computer networks of foreign enemies.
The proposal Col. Charles Williamson III outlined in the May edition of the Armed Forces Journal highlights the creative cyberwarfare strategies being hashed out by the military as hackers abroad step up their attacks on U.S. government computer networks and others around the world.
"The days of the fortress are gone, even in cyberspace," wrote Williamson, staff judge advocate for Air Force Intelligence in the Surveillance and Reconnaissance Agency at Lackland Air Force Base in Texas. "While America must harden itself in cyberspace, we cannot afford to let adversaries maneuver in that domain uncontested."
The government wouldn’t build its botnet by infecting innocent people’s computers like criminal hackers, Williamson wrote. Instead, the military could use PCs it was going to throw away. And it could expand that botnet’s computing horsepower by implanting its code on other government computers.
Williamson’s commentary has ignited a debate in the computer security community about the wisdom of building a military botnet — and the government’s ability to control it. The tactic he suggests is called a distributed denial-of-service, or DDoS, attack.
It’s what was used last year by hackers in a three-week assault that crippled government and corporate computer networks in the small Baltic nation of Estonia, which is highly computer-savvy.
It’s frequently used by organized criminals to extort Web site owners, who end up paying up to keep their sites online, and by botnet operators to disrupt rivals.
Alan Paller, director of research for the SANS Institute, which operates the Internet Storm Center, an early warning system for computer attacks, said it would be easier for the military to lean on Internet providers to shut off traffic from hostile computers than to adopt the "carpet bombing" approach Williamson advocates.
"To me it’s a silly solution to a problem that has much simpler solutions," he said in an interview. "What’s wrong with it is that it’s not instantaneous, it’s not precise and it’s not entirely effective. There are defenses you can set up against it — whereas using a precision weapon, like working with the network guys, is pretty wonderful."
Some security experts, however, said a military botnet could help strengthen the United States’ cyber defenses, and that it seems like a reasonable idea, provided the government owns the computers it’s using.
Williamson concedes that one risk of a military botnet is that it could mistakenly return fire at the wrong computers — even those within a government network — if hackers successfully disguise their attacking computers through a process called Internet Protocol spoofing.
Hackers routinely launch attacks from computers in different countries from where they are physically so it’s often difficult to determine where the offensives are coming from.
Williamson said the U.S. needs to develop better tools to detect incoming threats on the Internet and determine the true origin of attacks.
One of the thorniest issues the military would face is how to respond if the source of an attack turned out to be compromised computers within the U.S. or a friendly nation.
The military wouldn’t be allowed to attack privately owned computers in the U.S. without an order from the president, so those incidents would have to be handled by law enforcement as a criminal matter, Williamson said. And the governments of countries friendly to the U.S. would have to cooperate to shut down marauding computers there.
"The biggest challenge will be political," he wrote. "How does the U.S. explain to its best friends that we had to shut down their computers? The best remedy for this is prevention."
Williamson, reached late Wednesday, said he couldn’t comment beyond the opinion piece, under a request from the Air Force’s public affairs office.