Launching a botnet attack from a foreign country is cheap and in many cases you can almost get away with it, according to a cyberattack expert.
Take the April 26, 2007, attack that crippled Internet access in the entire Baltic state of Estonia as an example.
The hapless state found itself on the receiving end of a disgruntled Russian who, dismayed that Estonia had moved a former U.S.S.R. war memorial from its capital of Tallinn to a remote cemetery, launched a cyberattack from multiple Moscow IP addresses.
The result, according to Rutgers professor and cyberrisk expert Michael Lesk, shut down Estonian government Web sites and other services for about two weeks. No one in the country could use their ATM cards for days.
The alleged criminal was eventually caught and fined 17,500 Kroons, or about $1,600, in what amounts to a slap on the wrist.
"The good news was that it was a cyber war," said Lesk, chairman of the School of Communication, Information and Library Studies at Rutgers University, who spoke at the 2008 Business Continuity & Corporate Security Conference in New York in March.
While the "good news" was that no one was physically harmed, the lack of physical injury means that the legal system tends to give light sentences to botnet attackers. "People don't take it seriously," said Lesk. "I understand why the government hasn't caught up to this."
Lesk voiced fears that a major botnet attack on a U.S. corporation or governmental entity will one day happen, with devastating consequences, at least economically. Such attacks can be ordered up for the cost of a three-bedroom house in Youngstown, Ohio. "The bad news about Estonia is that the attack was cheap," Lesk says.
For about $100,000, anyone with an ax to grind can launch a cyberattack similar to the one that shut down Estonia, and there exist Russian Web sites replete with "menus" for different levels of cyberattacks and what each attack would cost.
U.S. corporations are exposed to such attacks, and the issue is sometimes compounded by the fact that they tend to not want to talk about them publicly, Lesk added.
Secondly, the global legal system doesn't seem to know what to do with botnet cases when they come across the collective transom. As the Estonia case illustrates, an attack that shut down an entire country earned a fine that was not much less than the cost of a good wide-screen plasma television.
Thirdly, "the crooks are getting more aggressive every day," according to Lesk. That includes extortion cases where criminals are collecting ransoms from companies on the mere threat of a botnet attack using a network of "zombie" computers, personal computers that are actually controlled via virus by a remote operator.
In terms of a cure, Lesk said one good defense is just to buy more data capacity. Botnet attacks work on the principle of swamping a company's computer infrastructure with data.
He also pointed to China, which has done a good job of shutting down Web traffic that it doesn't want. YouTube broadcasts on Tibetan issues, or footage of the Tiananmen Square uprising in 1989, for example, are banned there.
Lesk also said he'd like to see some of the same competency from the U.S. government when it comes to botnet attacks that could cripple U.S. companies and do serious damage to the economy. "Why can't we have a similar level of effort to stopping the people who are doing computerized extortion because I just don't see the same amount of effort being spent on that."
Depending on the company, a botnet attack can be fatal, commercially. "The more people who rely on an online business, the more serious it is," he says.
May 1, 2008
Copyright 2008© LRP Publications