Early cyberspace.

Photograph: Hulton Archive/Getty Images

The Pirates Who Stole Netflix

Elaine Ou is a blockchain engineer at Global Financial Access, a financial technology company in San Francisco. Previously she was a lecturer in the electrical and information engineering department at the University of Sydney.
Read More.
a | A

If you were at work last Friday, you might have noticed that you couldn’t get on Twitter, Spotify, or whatever it is you do to avoid work. The sites themselves were fine, but users across the country lost access due to a large-scale attack on Dyn, a company whose servers provide infrastructure and routing services for the internet’s top destinations .

The attack began on the East Coast, then moved westward and lasted throughout the day. As of this writing, it appeared to have subsided. Here’s a map from the website Downdetector, showing the areas most affected:

Friday’s attack was a Distributed Denial of Service, an attempt to make an online service unavailable by overwhelming it with junk traffic from multiple sources. Attackers amass their armies by scanning the internet for devices protected by default passwords and dropping malicious software into them. Infected machines become “bots” that can be controlled remotely, without their owners' knowledge, and used to go after any target. This most recent attack used a botnet estimated to be millions of devices strong.

Researchers suspect that the huge number of bots was recruited from the Internet of Things, “smart” devices like webcams and lightbulbs that connect to the internet. We pay attention to the security of our computers and phones, but rarely to our “things,” which makes them prime targets for hackers.

For many Americans, disabling Netflix on a Friday evening is about as close as it gets to an act of war . But what does a cyberwar look like? Will we reinstate the draft, except that this time we’ll be conscripting our internet-connected devices? I’m prepared to ration my data plan if we need to allocate more bandwidth to the American effort.

And who is the enemy? The botnet attacks came from all over the world, with 29 percent of the malicious devices originating from right here in the U.S. It takes only one bot herder to command a botnet, and the commander could be anywhere.

The Obama administration has formally accused the Russian government of directing hacks to interfere with the election, but it’s difficult to know if Friday’s attacks were related . Cyberspace is an infinite domain with no physical boundaries, which makes it nearly impossible to police. The situation is similar to the anarchic state that existed on the high seas in the 17th and 18th centuries.

During the rise of seaborne trade, the East India companies sailed merchant ships full of gold and jewels across the Indian Ocean while Spanish treasure galleons carried silver between Latin America and the coast of Spain. The inability of European powers to secure their shipping routes led hundreds of thousands of sailors to seek lucrative careers as pirates.

Some pirates were state-sanctioned privateers , but many were independent agents. Without a known enemy, it was hard for nations to commission a counterattack. The situation was made worse by unmotivated merchant crew members, who quickly turned over their cargo when faced with armed pirates. Ship owners resisted spending money to defend their ships because it would cut into their profit margins, and they usually carried insurance anyway.  

Eventually, overseas trade became a primary source of wealth for the British Empire and piracy was no longer tolerable. In 1721, Parliament passed the Piracy Act requiring merchant seamen to fight back against pirates or face six months’ imprisonment. The act also made it illegal for ship owners to pay crews more than half their wages before the ship’s safe return.

By forcing merchants to take responsibility for their ships, Britain drastically reduced the incentives for pirates. Merchants also hired naval forces to act as convoys, providing financing for the Royal Navy.

As it stands, manufacturers are motivated to mass-produce cheap devices and consumers have little reason to prevent their things from joining botnets. We worry about internet-connected devices getting hacked and turning against their owners -- for example, a connected car that disables its brakes, or a malicious thermostat that disrupts our comfort. But smart devices are dangerous in large part because of what they can do when harnessed en masse. Gartner estimates that there will be 6.4 billion connected things this year, and 20.8 billion by 2020. That’s a lot of potential bots.

Eventually, we may have the technology to protect critical internet infrastructure from such attacks. Until then, the people best equipped to stop the rise of the botnets are the ones who contribute insecure devices to the internet. We may never find the bot herders (especially if they are independent agents), but we can easily find the bots. Cyberspace doesn’t have to be a hopeless anarchy. It does require device owners to take responsibility for the externalities caused by negligent security.

  1. Dyn provides a server that translates domain names into internet protocol (IP) addresses for many popular websites. Without IP addresses, internet routers have no idea where to send data packets.

  2. In 2011, the Pentagon determined that computer sabotage from another country could constitute an act of war.

  3. In 2007, a series of similar DDOS attacks disabled much of Estonia’s internet, targeting the websites of government ministries, political parties, newspapers, banks, and telecoms. Estonian Foreign Minister Urmas Paet accused the Kremlin, but Russian authorities denied involvement and no definitive evidence was ever found.

  4. Many pirates acted as independent agents, but rulers also commissioned privateers to attack and bring back foreign vessels as prizes. Queen Elizabeth particularly encouraged the development of privateers to seize Spanish treasure. The use of privateers gave her plausible deniability of involvement if the Spanish were to take offense at the plundering of their ships.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author of this story:
Elaine Ou at elaine@globalfinancialaccess.com

To contact the editor responsible for this story:
Mark Whitehouse at mwhitehouse1@bloomberg.net