I was pointed to an article in the Armed Forces Journal where Col Charles W. Williamson III argues that the US Air Force needs to develop a BOTnet army as part of the US military capability for retaliatory strikes. The article brings up some interesting issues, the one that I believe carries the most weight is the argument that we (well, people living on the Internet) are seeing an arms race. It is true that more and more nations are looking into or developing various forms of offensive weapons systems for the use on the Internet. Col Williamson seems to argue that the greatest of these threats is that of DDoS attacks targeted at US systems (I presume any system in the US conducted by a foreign adversary. I will note that he seems to go to some length to not narrow the scope to nation states). Here I would first like to point out that I disagree. The largest threat will be from specially crafted hostile code that leaks secrets or that could be activated when needed to perform a task or incapacitate the infected system.

Col Williamson however, seems to believe that with a US AF DDoS strike capability that was great enough—that would be a deterrent for adversaries to attack US systems. Here he is starting to loose track of some fundamentals of DDoS attacks. He compares a DDoS attack to that of carpet bombing, but misses the point that a DDoS attack would be carpet bombing all the way from take-off at a inside the US located airbase all the way to the home of the adversary and back again. Yes, you might not cause any lasting destruction on the way—but it’s more likely you do and it’s more likely that the countries in the flight path that gets bombed for no reason might turn hostile. Even close their airspace or try and take out the bombers. This is all left unexplained in Col Williamsons article.

But for now, let’s leave the fact that there is no real way to transport the attack traffic to the destination without collateral damage and instead concentrate on why DDoS attacks are successful (if they are). They normally target a very specific target—mostly for blackmail. And the key is that this is successful only for as long as the indented target is down. Often enough infrastructure in the path is what falls over first, taking out the attack traffic and possibly giving the victim breathing space. Col Williamson gives three examples of DDoS attacks. On CNN.com and Yahoo in 2001, and on Estonia in 2007. The first two examples prove the point I made earlier. They where narrowly focused attacks, with (most likely) a commercial gain as goal. The attacks on Estonia are actually very different to what Col Williamson seems to believe. They where actually from a military point of view a failure. They targeted a vast number of destinations, and the reason they actually created any impact at all was due to lesser developed infrastructure in terms of available capacity. This would not be true for the US as a country, but perhaps for individual systems in the US. So which systems does Col Williamson believe are important enough to lead to a retaliatory strike? He doesn’t say.

Further, the article does not seem to take into account how you would handle the fact that if a nation state was the adversary you would need a very small target list for the attack to work, and finding websites that makes a difference and works is not easy. If the adversary was an organization like Al-Quida, the retaliatory strike would be down to taking out their web-page, probably located in a completely innocent country. The effects would be—none I assume.

However, the proposal has some merit—I guess. If the adversary would be a smaller country, where connectivity to the rest of the world could be saturated or the national infrastructure was poor—an attack would have an effect on the national infrastructure. But I guess that if that is the case, it is also fair to assume that their dependency on network infrastructure is less. So DDoS attacks are asymmetric, and asymmetrical treats are hard to carpet bomb out of existence. A lesson you would think the US military (or any military for that matter) had learnt by now.

I believe that there is a real future in cyber warfare and that Col Williamson is right in that there is an arms race. But DDoS attacks are just not part of it.