Botnets: Whose Fault Are They?

Everybody's blaming somebody - and it isn't helping anybody

5:30 PM -- Last Thursday, Kelly Jackson Higgins posted a story here on Dark Reading about the world's biggest botnets. The story was a real piece of investigative journalism, exposing not only the inner workings of known botnets such as Storm, but also some nascent botnets that could create real pain for all of us in the near future. (See The World's Biggest Botnets.)

The story received a ton of readership -- and a ton of feedback, much of it from people who wanted to lay blame for the whole problem.

One of the most popular scapegoats was "those dang users" who insist on operating their PCs without proper antivirus software, firewalls, or other protection. Certainly there is some validity to this point of view, because unprotected PCs are the most likely to become zombies. But as Jackson Higgins pointed out in a story last week, enterprises are also becoming a growing part of the botnet problem. (See Bots Rise in the Enterprise.)

Many techie types were quick to grind the axe against their favorite target, Microsoft Windows. Botnets exploit security flaws in Windows, they reason, so if everybody stopped using Windows, there wouldn't be any botnets. There is a certain logic to this argument, just as we could argue that if people didn't carry wallets, there wouldn't be any pickpockets. But it seems likely that if we didn't use Windows or wallets, we'd put our valuables into something else, and the thieves would be very likely to go after that something else instead.

Me? My favorite scapegoat is law enforcement. While botnet operators run amok in other countries, U.S. cyber police sit on their hands, unable to get jurisdiction to pursue them. Even in this country, law enforcement has only just made its first arrest of a botnet operator -- and it's not clear whether he'd have been nailed at all if he hadn't confessed. (See ID Thief Admits Using Botnets to Steal Data.)

Law enforcement officials, of course, blame legislators, who haven't given them strong enough laws or large enough budgets to really pursue the botnet problem. There's some truth to this: Congress only last month advanced a bill that would specifically outlaw the creation and use of botnets.

In the end, though, it would seem that there is little point to this blame game. There really is only one reason for botnets: to make money. Botnets have become big business for both the operators and those who rent them out, and that's not likely to change anytime in the near future. Blaming anyone but the criminals themselves is a bit like blaming theft victims for not protecting themselves, or blaming police or lawmakers for not "cracking down" hard enough.

If we want to stop botnets, we need to understand how they are created, how they are operated, and how they are rented out. Researchers such as Damballa and SecureWorks' Joe Stewart are helping us to get there. Let's hope that in the future, we see more organizations doing research and taking action to stop botnets -- and fewer people rushing to dish out the blame.

— Tim Wilson, Site Editor, Dark Reading
