Some of you may have noticed the massive cyber attack last Friday. It was the largest ever DDOS attack. They work by flooding a server with more traffic than it can handle, causing it to shut down. Hackers typically use botnets to do it. Botnets are a web of personal computers that hackers secretly infect and then wait to exploit. At the right time, they will send the signal and all the infected machines will start sending traffic to the target server, without the person knowing their computer is being used in the attack.
What makes this attack unique is that the botnet was not primarily made up of computers, but of Internet of Things devices.
Mirai is a botnet code that takes control of devices used on what is called the Internet of Things—large numbers of electronic devices not directly connected to computers but all networked through the internet. The devices include webcams, security cameras, DVRs, smart TVs, routers, and similar devices. 1
Using these devices significantly increased the number of bots available, and therefore significantly increased the amount of data/traffic being sent. They reached a rate of over 1 Tbps – that’s Tera-bits per second – the largest ever.
The challenge is that securing these devices is not easy. Most people won’t have a clue how to update their devices and many of them can’t be updated. The solution? The government, of course.
There are a handful of ways that these hordes of hacked devices might be tackled: perhaps governments could regulate the security of devices, or internet service providers could cut off access for certain machines. However, there is another more controversial, but increasingly relevant, way: law enforcement, or specifically the FBI, could hack the devices making up Mirai botnets—many of which are cameras—in order to ultimately disable the malicious network writ large. 2
After all, “this episode illustrates a very serious market failure” says Susan Hennessey, a fellow in national security at the Brookings Institution think tank and former National Security Agency attorney (Note: “think tanks” are extensions of the state, specifically in the propaganda department. You are much more open to Hennessey’s opinion when she is an expert (“fellow”) at the Brookings Institution than when she is a lawyer for the NSA. See TRL Podcast#11). 451 Research elaborates
In a factory-oriented industry, for example, when a factory produces a product, the price of that product should cover the costs of its production and at least enough profit to make its production worthwhile. This price includes labor, components, equipment and all the associated inputs that go in. But what about the pollution the factory makes? This pollution has an economic impact – global warming, crop production and respiratory disease can be the result of such pollution, which affects other businesses and individuals, too. But the factory doesn’t really need to care about these – the factory could produce billions of tons of pollution, and it wouldn’t need to factor the impact of this pollution into its price.
In other words, the pollution is external to its profit and revenue – economically, pollution is called a negative externality. Externalities occur where the actions of one economic agent make another economic agent worse or better off, yet the first agent neither bears the costs nor receives the benefits of doing so. It is a form of market failure…
Here lies the economic challenge: Let’s say a typical consumer has purchased an internet-enabled toaster for $20. The producer could charge an extra $2 to make the toaster more secure, but that could lead to fewer purchases and impact profit. This is the crux: Would the producer get any benefit from making it more secure? No. The producer would almost certainly reduce its bottom line, as a result of price-sensitive users viewing the product as less attractive.
Would end users see value in paying $2 more for a secure toaster over an insecure one? What benefit does the end user gain by having a secure toaster? None… IoT botnets are an externality.
Of course, the reality is that these kind of market failures are not failures at all, but failures of the state that blocks the market from dealing with these issues on a property rights basis. See Walter Block on Pollution on Youtube as well as What Are You Calling a Failure?
Coincidentally, the timing of Mirai’s rise runs parallel with a looming change to how the FBI can legally hack computers across the US and in other countries.
In December, changes to Rule 41 of Federal Rules of Criminal Procedure, which regulates when judges can authorize warrants for searches and seizures, will come into effect, unless blocked by Congress. 2
Golly, that sure is good timing. Good thing officials have made it clear this attack was by unknown, but definitely non-state actors.
And if that’s not enough, Hennessey warns that if you continue to buy cheap devices that can be exploited by hackers, then you yourself will be considered part of the criminal network.
If society begins to perceive people as failing in that responsibility in a way that harms others—or outsourcing the cost by buying cheap and insecure products—then we may cease to think about botnet ‘victims’ as victims at all. And that will have a significant impact on what we perceive as appropriate law enforcement activity. 2
So if you buy a cheap product (like the TV sitting in your living room watching and listening to you), the FBI may have legal grounds to hack it and take control of it. No more shopping at Walmart, you criminal mastermind.