When Should U.S. Cyber Command Take Down Criminal Botnets?

Trickbot is back.

U.S. Cyber Command targeted this malware in autumn 2020 in an unprecedented use of military offensive cyber operations to disrupt a purely criminal operation.

Almost in parallel to the Cyber Command campaign, Microsoft targeted the Trickbot network through the use of courts and in collaboration with global partners, the latest in a decade-long string of such operations. The two takedowns were apparently not coordinated, leading to the obvious question of when the military should defend forward against mere criminals, not spies or militaries.

Such military operations are a good idea only in cases that meet a five-part test of imminence, severity, overseas focus, nation-state adversary, and military as a last-ish resort.

Eight Days in September (and a few in October)

As Bobby Chesney summarized previously, on Oct. 2, cybersecurity journalist Brian Krebs reported that “[o]ver the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot.” One week later, reporter Ellen Nakashima revealed that U.S. Cyber Command was behind the disruption of Trickbot, “the world’s largest botnet—one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.”

Nakashima reported this aggressive posture was part of U.S. Cyber Command’s new strategy of persistent engagement, or defending forward, or as Gen. Paul Nakasone, commander of U.S. Cyber Command, expressed—to “take this fight to the enemy, just as we do in other aspects of conflict.”

Although the Trickbot malware started to resurface in November and appears to have spread further, Cyber Command’s disruption seemed to have the sought-for effect, suppressing Trickbot long enough so that it couldn’t be repurposed to disrupt the 2020 U.S. elections.

But does the military need to be engaged in such operations? Cyber Command’s operation was not part of an ongoing conflict or war (where U.S. citizens expect their uniformed military services—the specialists in legitimate, large-scale violence—to take the lead) but was in response to criminal activity.

The internet now underpins every aspect of modern society, culture, and economy, from the electrical grid and Wall Street to peoples’ wallets and purses, holding their most intimate secrets (and search histories). It is simply not in the model of U.S. civil-military relations to allow the military to have such far-reaching powers, especially when there isn’t a raging military conflict.

An Unprecedented Military Operation

The disruption of Trickbot was an unprecedented operation, the U.S. military’s first-known effort to defend forward in cyberspace. That assessment is based on the history of cyber conflict but also on a framework created by JD Work, Neil Jenkins and me to analyze such operations. We defined such disruptive counter-cyber operations and included what is perhaps the only public dataset, of 103 such disruptions.

The essentials of the U.S. Cyber Command operation are not novel. As mentioned above, Microsoft has been conducting takedowns for a decade while the Department of Justice and FBI have been active in major public-private operations such as that against GameOver Zeus botnet. More recently, the FBI engaged in its own active defense through “a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States,” left behind by Chinese spies in versions of Microsoft Exchange.

In contrast, the Defense Department does not seem nearly as active with its operations, and even its well-known 2018 campaign to disrupt the Internet Research Agency’s troll farm was intended to counter disinformation rather than some cyber threat. Likewise, the U.S. operation Glowing Symphony targeted the Islamic State’s online recruitment and fundraising as an offensive attack, not as persistent engagement in support of U.S. cybersecurity.

Nor is the United States alone in using military cyber power against criminals. The Australian defense minister announced in April 2020 that Australia would be “hitting back” against coronavirus-related cyber scams: “Our offensive cyber campaign has only just begun and we will continue to strike back at these cyber criminals operating offshore as they attempt to steal money and data from Australians.”

So while active disruptions of criminal botnets are relatively common, this appears to be the first use of uniformed military forces to do so and the first public example of defending forward. It should not become common. The military should not do anything that law enforcement can do, and law enforcement shouldn’t do what the private sector can do on its own. For a decade, the United States has been militarizing cyber policy and response.

A Five-Part Test

Any U.S. military cyber operation against criminal malware must be circumscribed and overseen by the White House, especially by both the new national cyber director (as overall lead) and the newly created position of deputy national security adviser for cyber and emerging technologies (who has the lead on military and intelligence cyber matters).

Before combating a criminal threat, the White House should confirm these five conditions have been satisfied:

1. Imminence:
   1. There is an upcoming national-security-relevant window of U.S. or allied vulnerability OR
   2. Intelligence suggests the malware is about to be used in a far more dangerous manner AND
2. Severity:
   1. The targeted malware is particularly large or dangerous OR
   2. Likely to cause deaths AND significant destruction of the kind normally associated with military weapons AND
3. Overseas Focus:
   1. The targeted malware is located largely overseas, not within the United States AND
4. Adversary:
   1. The targeted malware is tied to a major adversary: China, Russia, North Korea or Iran; AND
5. Military as a last-ish resort:
   1. No one else taking effective action OR
   2. Military disruption can uniquely complement actions by others.

Every one of these elements is crucial, and all must be satisfied before the U.S. military should act against a criminal cyber threat. In practice, in an emergency, some operations could be approved that meet most but not all criteria. As discussed in this section, the adversary condition is most likely to be bent or ignored.

The imminence condition places the criminal threat in an immediate national security context. There must be a specific, identifiable, and fast-approaching window for military action such as if a criminal botnet were to be used to disrupt a U.S. or ally’s election or disrupt vaccine development or hospitals during a pandemic. As mentioned above, Australia vowed to use military cyber capabilities against pandemic-related scammers. Imminence can also be satisfied if the malware is a “ticking time bomb.” The government may have learned through intelligence or connections with the private sector that, say, a criminal gang is about repurpose a botnet from purely profit-driven scams to something destructive like wiping computers in critical infrastructure. The Conficker malware had hard-coded functionality suggesting a major state change on April 1, 2009, leading many observers to speculate that it might then turn destructive. To this day, defenders are not sure who created Conficker, for what purposes, or if that date had any major significance.

The severity condition ensures military action will not be used routinely, such as against criminal malware that does not pose a significant threat to U.S. national security. Despite its prevalence, cyber criminal activity is usually no more than a nuisance in national security terms. Oddly, the Australian military threatened not cyber criminals who hit hospitals with ransomware, but scams that were stealing data and money from the public. Australia’s threshold seems too low a barrier for the use of military force. After all, if heads of government call in the cavalry to stop scams during a pandemic, why not during wildfires, earthquakes or financial crises?

Cyber scams may be imminent but are rarely severe. Using the U.S. military against scams will usually be neither efficient nor intelligent.

U.S. military operations should also target criminal malware that is located mostly overseas. As the FBI demonstrated with its April court-authorized operation and past botnet takedowns, the U.S. already has the capabilities and authorities to operate domestically. Military operations in the U.S. homeland (even the virtual homeland) should not be the norm.

The adversary condition keeps the military focused on state-on-state activities, even when the malicious activities are undertaken by criminal groups. The U.S. Department of the Treasury recently noted the Russian Federal Security Service “cultivates and co-opts criminal hackers … enabling them to engage in disruptive ransomware attacks and phishing campaigns,” such as when botnets associated with Russian organized crime were used to complement Russia’s invasion of Georgia in 2008. Online bank robbers or scammers with no connection to states should be dealt with by law enforcement, regardless of the severity of their crimes.

This is the condition that will most likely be ignored or bent, should a criminal threat seem particularly imminent and severe. If criminal groups were behind a scourge of ransomware attacks on schools and hospitals, already reeling from the pandemic, the White House may see offensive military actions as a potent tool. This temptation should be resisted in all but the most dire emergencies, lest the military become an agency of law enforcement through military means. The malware must have a connection to a nation-state to ensure it is a proper target for military force.

The adversary condition is strictly tied to the states that pose the largest national security threats to the United States, both in and out of cyberspace: Iran, China, Russia and North Korea. Other states, perhaps Cuba or Venezuela, might also qualify. If the malware is run by a terrorist group, then it is not strictly criminal and the five-part test need not apply.

The final condition, military as a last-ish resort, extends the safeguards that U.S. military action will only complement, not replace, that of law enforcement or the private sector. There are many players on the cyber playing field, and more often than not, those who are most able to make the play are in the private sector, which has been active in organized botnet takedowns, as noted above, for more than a decade.

The private sector was also critical in the mitigation of Conficker, SQL Slammer, Blaster, and almost every piece of major disruptive malware since the very first, the Morris worm of 1988. The government often plays at best a supporting role. Even when the government is a critical member of the core team, it is law enforcement that has the most relevant experience and authorities, such as during the GameOver Zeus takedown. If other actors are better placed to disrupt the malware, they should do that before the U.S. conducts military attacks.

Without such a test, it is possible that frustrated U.S. politicians will see military force as an expedient option, as they have in so many other areas. Instead of funding the departments of Justice or Homeland Security to disrupt criminal malware, Congress might just continue to “plus-up” military cyber budgets, having been assured by the generals and admirals that only they have the “secret sauce” to save the nation.

Trickbot and the Five-Part Test

U.S. Cyber Command’s Trickbot disruption likely meets only four of the five elements of this test.

Imminence. General Nakasone said the top “objective at the National Security Agency and at U.S. Cyber Command is safe, secure and legitimate 2020 elections.” While Trickbot had not targeted election infrastructure, it might have, given the connection between the Russian government and organized crime. Microsoft’s operation confirmed this condition was satisfied, as its takedown of Trickbot was framed specifically as protection for the 2020 elections.

Severity. Trickbot was “the 4th most prevalent malware globally during 2020, impacting 8% of organizations,” according to CheckPoint, a cybersecurity provider. This is severe enough to give Cyber Command the benefit of the doubt, especially in combination with other elements.

Overseas Focus. Though Trickbot had a concentration in the United States, it was satisfactorily widespread worldwide.

Adversary. Trickbot is associated with Russian criminal groups that have often worked in collaboration with Russian intelligence services, including those responsible for the interference in the 2016 U.S. presidential election. The condition for a nation-state nexus is satisfied.

Military as a Last-ish Resort. Trickbot was already being targeted by a far more experienced Microsoft-led operation and there seems to be no evidence the two were coordinated, a fact I’ve had confirmed in off-the-record conversations. Microsoft did not mention any partnership with U.S. Cyber Command, though it did acknowledge many others, including with the Financial Services Information Sharing and Analysis Center, Nippon Telegraph and Telephone Corporation, Symantec, and others in their efforts to get a court to grant “approval for Microsoft and our partners to disable the IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the Trickbot operators to purchase or lease additional servers.” As a result, the U.S. military efforts may have been unnecessary or even harmful to that effort.

Even if it does not satisfy all five elements, U.S. Cyber Command’s unprecedented disruption against Trickbot should be welcomed, if only as a one-off. Adversaries have for too long had significant advantages over defenders, and attacks are worsening every year. But persistent engagement is not just a game for the military. Microsoft has been doing it for more than a decade.

For such military campaigns to be successful, U.S. cyber operations must become more effective and efficient, spending fewer resources for a longer disruption, and engage criminal botnets only in uncommon circumstances that meet the five-part test of imminence, severity, overseas-focus, nation-state adversary, and military as a last-ish resort.