ARGUMENT: Taking down bots

When Should U.S. Cyber Command Take Down Criminal Botnets?

Published 29 April 2021

Trickbot is back. U.S. Cyber Command targeted this malware in autumn 2020 in an unprecedented use of military offensive cyber operations to disrupt a purely criminal operation. Jason Healey writes that “Such military operations are a good idea only in cases that meet a five-part test of imminence, severity, overseas focus, nation-state adversary, and military as a last-ish resort.”


Jason Healey writes in Lawfare that almost in parallel to the Cyber Command campaign, Microsoft targeted the Trickbot network through the use of courts and in collaboration with global partners, the latest in a decade-long string of such operations. The two takedowns were apparently not coordinated, leading to the obvious question of when the military should defend forward against mere criminals, not spies or militaries. 

“Such military operations are a good idea only in cases that meet a five-part test of imminence, severity, overseas focus, nation-state adversary, and military as a last-ish resort,” he writes.

Any U.S. military cyber operation against criminal malware must be circumscribed and overseen by the White House, especially by both the new national cyber director (as overall lead) and the newly created position of deputy national security adviser for cyber and emerging technologies (who has the lead on military and intelligence cyber matters). 

Healey writes that before combating a criminal threat, the White House should confirm these five conditions have been satisfied:

1. Imminence:

a. There is an upcoming national-security-relevant window of U.S. or allied vulnerability, OR

b. Intelligence suggests the malware is about to be used in a far more dangerous manner; AND

2. Severity:

a. The targeted malware is particularly large or dangerous, OR

b. Likely to cause deaths AND significant destruction of the kind normally associated with military weapons; AND

3. Overseas focus:

a. The targeted malware is located largely overseas, not within the United States; AND

4. Adversary:

a. The targeted malware is tied to a major adversary: China, Russia, North Korea or Iran; AND

5. Military as a last-ish resort:

a. No one else is taking effective action, OR

b. Military disruption can uniquely complement actions by others.

“Every one of these elements is crucial, and all must be satisfied before the U.S. military should act against a criminal cyber threat,” he says, adding:

Even if it does not satisfy all five elements, U.S. Cyber Command’s unprecedented disruption against Trickbot should be welcomed, if only as a one-off. Adversaries have for too long had significant advantages over defenders, and attacks are worsening every year. But persistent engagement is not just a game for the military. Microsoft has been doing it for more than a decade.

For such military campaigns to be successful, U.S. cyber operations must become more effective and efficient, spending fewer resources for a longer disruption, and must engage criminal botnets only in the uncommon circumstances that meet the five-part test of imminence, severity, overseas focus, nation-state adversary, and military as a last-ish resort.