A Noble Quest to Beat Back a Cyber Threat

Peter W. Singer
Peter W. Singer Former Brookings Expert, Strategist and Senior Fellow - New America

October 21, 2011

In his best-selling book “Black Hawk Down,” Mark Bowden documented the hunt for Somali warlord Mohamed Aidid, which culminated in an urban battle that left 18 American soldiers dead. In “Killing Pablo,” he did the same for the hunt for Colombian drug kingpin Pablo Escobar, perhaps the world’s most famous outlaw. In such books, Bowden not only captured the fascinating personalities involved, but also used the thrilling manhunts to shine a light on some of the toughest challenges of modern-day conflict. And now in “Worm,” he sets out to do the same for maybe the most elusive new foe of this century. Only in this case, the story is of the hunt for a few hundred lines of computer code that take up less disk space than this article.

The tale begins in late 2008 when a vulnerability was discovered in Microsoft Windows programs. The company rushed to release a patch to the public, but a large number of users (as many as 30 percent) did not apply the protection. Soon the experts who run and protect the digital networks that allow our modern society to functiondetected the first moves of what became known as Conficker, a computer worm. The worm wasn’t so much innovative as it was nasty, combining several types of malware to enter into unprotected computers, hide under a random file name in the Windows root directory, and then use the now compromised computer to connect out into what is known as a “botnet,” essentially a chain of thousands and in some cases even millions of computers that are externally controlled and often used for nefarious activities. Within a few months of Conficker’s appearance, some 7 million computers became linked into one of the largest botnets in the world, pulling in networks of organizations that ranged from the British Parliament and the French Navy to Southwest Airlines.

Worm tells this story by following the work of “The Cabal,” an ad hoc group of cybersecurity experts who assembled online first to figure out, then to track and finally to get one step ahead of the worm and prevent its further spread. The group was notable for being mostly volunteers, who rarely met in person. They ranged from employees of major software companies to D.C. computer consultants to a Georgia Tech graduate student, who at one point helped coordinate an effort to steer the messages from compromised computers in more than 160 countries into a safe “sinkhole.” Making frequent comparisons to the heroes of the X-Men comics, Bowden paints their story as a classic battle of good versus evil, where a team of misunderstood outsiders keeps the rest of the ignorant world safe.

The book is well-written and informative, capturing a key episode in a fast-moving field we all need to better understand. The characters are noble, but the battle isn’t as epic as the book so wants it to be. Cybersecurity is an increasingly important issue, but it is also a multi-billion-dollar business. And so, a bit like many of those D.C. Beltway Bandits who are increasingly hyping cyberthreats in an effort to grab one of the few parts of the national security budget that is still growing, Bowden hypes a bit. The stakes were high; millions of the compromised computers might be targeted for theft or even to carry out massive denial-of-service attacks; the botnet was a tool that could be coordinated to send so many messages at a website as to overwhelm it, effectively forcing it to go offline. But this was not “the first digital world war” and it was not a case in which the Internet might be set “on fire,” as Bowden puts it. The threat was not so much one of destruction as of large-scale disruption — but, importantly, on a recoverable scale. Yes, key sites of e-information or e-commerce like or could have been targeted and even forced down for a few hours or days, but the Internet and life beyond it would have gone on. And, so in the effort to amp up the excitement, “Worm” is occasionally a bit choppy, providing too much character filler, while leaving other analytic stones unturned.

The value of Bowden’s book, then, is less in the story of good versus evil and more in his documentation of what it takes to hunt an elusive foe in the digital realm. The hunters in The Cabal never knew the identities or even exact motives of those behind Conficker. All they could be certain of was that their foe didn’t match our common image of some teenaged hacker in his mom’s basement. Rather, the worm (as with most cyberthreats) was the work of a group of experts with complementary technical knowledge, who had clearly been assembled for the purpose of building a complex piece of malware. Some thought Conficker might be intended for the growing underground market of cybercrime; others thought it showed the hidden hand of a state’s espionage agency. It might even have been both, as several nations have mobilized cybercriminals to do their dirty work. Regardless, it meant that the effort to stop the threat required a similar assembly of varied experts on the white-hat side — no one individual or organization can do it alone.

This is where volunteers of The Cabal proved most effective. The members were heroes, though not the kind that Hollywood and our political world usually lauds. As the Conficker threat evolved and new variants were designed to overcome new defenses, The Cabal’s volunteerism, selflessness and, most important, information-sharing, rather than -hoarding, mattered most. “Worm” shows how, despite Americans’ fascination with the profit motive, competition is simply not the silver-bullet solution in cybersecurity (contrary to the many members of Congress who wish it were). The most troubling threats are too big to be solved by just buying some marketed “secret sauce” anti-viral software. The Cabal worked for the very reason that the individuals and companies within it didn’t compete against each other but rather cooperated (sometimes at great loss) to find solutions.

Unfortunately, this particular hunt also points to a disturbing failure in the public realm. Bowden masterfully shows how the team largely had to coordinate the hunt on its own, with the U.S. government having precious little to offer.

Finally, “Worm” illustrates how manhunts for terrorists, warlords or drug kingpins may make for more exhilarating reading than cyberhunts, but that’s because they are actually easier in a certain way. “Worm” is a story not so much of the thrill of the chase but rather of the painstaking work required to understand and then contain a cyber threat. This means the ending is also not as clearcut as with most manhunts. Through the work of The Cabal, the worm has been identified and largely constrained, but the botnet it created is still running, its potential still largely in place, just one of many out there today. This may make for less satisfying reading, but welcome to the real world of cybersecurity.