An article in PC Pro by Asavin Wattanajantra quotes Dr Steve Marsh, who is deputy director at the Office of Cyber Security in the Cabinet Office, as saying (in respect of EU policy on protecting Europe from cyber attack, whatever you may understand by that term) that:
"the main focus of botnets would be to target and extort money from private companies, rather than bring down public sector networks [and] .... in a sense [it is] not in their interest to bring down infrastructure which is earning them money."
Nevertheless, Dr. Marsh's statement, if quoted correctly, is, at least in the context of that article, somewhat misleading. (As Gadi Evron pointed out at some length in a typically insightful article at Dark Reading.) Assaults on the infrastructure of the Internet are one thing. (They're by no means out of the question, by the way: my point about Conficker was that most known criminal botnets are about commercial gain, and it wouldn't be in the interests of the botmaster to compromise the effectiveness of his network. However, the same is by no means necessarily true of other groups.)
Attacks on government infrastructures are another matter. I certainly don't wish to raise the spectre of (sigh...) cyberwarfare and all that FUD (Fear, Uncertainty, Doubt) unnecessarily, but I can think of many hypothetical scenarios where a concerted attack on a national infrastructure might be made by another government or a terrorist organization, with dramatic consequences. (In the UK, it's common to see references to the Critical National Infrastructure, which I believe includes not only the Corridors of Power, but more peripheral areas such as parts of the National Health Service, and sectors like banking which many people wouldn't necessarily think of in a governmental context). The "Government Secure Internet" (GSI) is indeed a pretty effective layer of protection, but it does not, I think, cover all the sectors that might sustain serious impact from such an attack, and might in turn seriously damage the wellbeing of the nation as a whole.
I spend most of my working life saying "Don't panic!" in one context or another, and right now, we aren't seeing huge botnets used for (sigh...) cyberwarfare. Nevertheless, I don't believe that the UK government or the European Community (or anyone else) should be complacent about potential risks to national security from botnet-like activity, just because most of the bots we know of right now have a commercial agenda. Anyone with the resources and incentive can build, buy or rent a botnet (should I mention the BBC?), and it's not a good idea to make too many presumptions about what motivation might drive the individual or organization behind future botnet attacks.
David Harley FBCS CITP CISSP
Director of Malware Intelligence, ESET