November 10, 2008

Make research (not so) fast!

On practical ethics I blog about Hacking the spammers - was it OK for researchers to hack the Storm botnet? Overall, I think they did the ethical thing and should be lauded for a clever design and much hard work at a major annoyance.

In fact, botnets are more than annoyances. They are tools for aggregating resources in the hands of organized Internet crime and can be used for plenty of serious things such as extortion, DDoS on a national level, rapid dissemination of disinformation or cryptographic attacks. If I were the cyberwarfare department of a major nation (or mafia, NGO, rebel group, cult, etc.) I would be quite interested in having a bunch of exploits that could allow me to set up a botnet in case of a conflict. Having good tools to curb the spread of botnets is essential for preventing destructive cyberwarfare and "antisocial software".

I think cyberwarfare is an underestimated GCR. The real threat is not a straight DDoS or hacking attacks on key institutions (but such attacks could cost the US on the order of $50 billion or more), but either a general communications breakdown or information corruption. Consider a worm propagating through or exploiting a router flaw that causes the routing of the Internet to largely go down: it would be very hard to ship out patches and install them, and in the meantime overall societal communications would be impaired. In a "just in time" economy dependent on reliable communications between and inside organisations this could be disastrous. More subtle is the possibility of hard-to-trace data corruption, for example changing individual numbers in office documents randomly on infected computers. If the infiltration is widespread and hard to notice, data integrity might be impaired across society. While each individual loss would be relatively minor, there could be network effects where the loss of integrity on many systems simultaneously has a superadditive effect.

We need to figure out how to construct more resilient systems, not only in the sense that the systems in themselves are resilient to outside attacks but also that they form an ESS so that people are motivated to keep their systems resilient. Otherwise there is a risk that they trade resiliency for short-term efficiency increases.

Posted by Anders3 at November 10, 2008 07:46 PM