Collective Responsibility and Mutual Coercion in IoT Botnets

A Tragedy of the Commons Problem

Carolina Adaros Boye, Paul Kearney and Mark Josephs

Birmingham City University, B4 7XG, Birmingham, U.K.

Keywords:

Internet of Things, DDoS, Botnet, Mirai, The Tragedy of the Commons, Cyber Security.

Abstract:

In recent years, several cases of DDoS attacks using IoT botnets have been reported, including the largest

DDoS known, caused by the malware Mirai in 2016. The infection of the IoT devices could have been

prevented with basic security hygiene, but as the actors responsible to apply these preventative measures are

not the main target but just “enablers” of the attack their incentive is little. In most cases they will even be

unaware of the situation. Internet, as a common and shared space allows also some costs to be absorbed by

the community rather than being a direct consequence suffered by those that behave insecurely. This paper

analyses the long term effects of the prevalence of a system where individual decision-making systematically

causes net harm. An analogy with “the tragedy of the commons” problem is done under the understanding

that rational individuals seek the maximization of their own utility, even when this damages shared resources.

Four areas of solution are proposed based on the review of this problem in different contexts. It was found

necessary to include non-technical solutions and consider human behaviour. This opens a discussion about a

multidisciplinary focus in IoT cyber security.

1 INTRODUCTION

Botnets are considered to be a signiﬁcant cyber secu-

rity threat (Mansﬁeld-Devine, 2016). The typical me-

chanism consisted on taking control of a number of

computers which are known as bots or zombies used

for different purposes such as sending spam, perfor-

ming distributed denial-of-service attacks, harvesting

user credentials, committing ﬁnancial fraud, hosting

phishing sites, or performing click fraud on adverti-

sing networks (Asghari et al., 2015). In the past years

a new modality of botnet has become frequent which

uses insecure IoT devices to perform Distributed De-

nial of Service (DDoS) attacks to a third party. This

sort of attack takes advantage of the fact that IoT de-

vices are growing in number and many of them have

an insecure design or are conﬁgured insecurely. Also,

most of them are kept connected 24x7 and left unat-

tended.

In 2016 two consecutive DDoS attacks were re-

gistered that involved a malware called Mirai. This

malware consists on a set of exploits that search for

insecure devices in the internet taking control of them

to build a botnet. Mirai works sending TCP SYN pro-

bes to large numbers of IP addresses to scan for vul-

nerable devices and attempt to establish a connection

through dictionary attacks using a list of 62 typically

used default credentials. After each successful login

the IP address and corresponding credentials are sto-

red in a server and a separate program is used to do-

wnload and execute the malware in the device, ena-

bling communication with the command and cont-

rol platform (Antonakakis et al., 2017). Once this

is done, the attacker can send commands to the de-

vices making them send connection requests to the

target victim. The ﬁrst attack was in September 2016

and the victim was the web-page of Krebs on secu-

rity. The second attack was in October and it has been

one of the biggest botnets ever registered. The victim

was the DNS service provider Dyn and the attack af-

fected several of its clients in Europe and USA inclu-

ding Twitter, Amazon, Tumblr, Reddit, Spotify and

Netﬂix.

The code of Mirai has been made publicly availa-

ble and a number of variations have been developed,

targeting IoT devices from different brands which

have a Linux-based OS. This makes it a latent threat

at the present. Furthermore, Mirai attacks have been

launched the past couple of years to several targets

including Deutsche Telekom, game servers and other

sites (Antonakakis et al., 2017). It has to be noted that

this is not the ﬁrst malware designed to perform this

sort of attack. Another example is Bashlite which also

infects a variety of systems that use Linux.

470

Boye, C., Kearney, P. and Josephs, M.

Collective Responsibility and Mutual Coercion in IoT Botnets - A Tragedy of the Commons Problem.

DOI: 10.5220/0006944704700480

In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE 2018) - Volume 1: DCNET, ICE-B, OPTICS, SIGMAP and WINSYS, pages 470-480

ISBN: 978-989-758-319-3

According to the report released on March 2018

by F5 Labs, there is evidence pointing towards IoT

devices becoming the attack infrastructure of the fu-

ture (Boddy and Shattuck, 2018). This is not surpri-

sing since it is expected that the amount of connected

devices will continue to grow (Gartner, 2017) and new

threat actors and attack mechanisms are continuously

arising (Boddy and Shattuck, 2018). Figure 1 shows

that there was an important increase of telnet attacks

since the development of Mirai with a peak at the be-

ginning of 2017.

The analysis done on this paper will be mostly ba-

sed on Mirai botnets, but this does not mean that the

approach cannot be useful to study other threats to IoT

or to be applied to other cyber-security problems.

One remarkable thing about the infection of IoT

devices with Mirai is that, in theory, they are fairly

simple to avoid. It is only required to change the

default password. Also, if the device is already in-

fected, it can be cleaned by rebooting the system to

erase the malicious code. Then, the password needs

to be changed to avoid it getting infected again. This

is very likely since the rate of infection of Mirai has

proven to be in the order of the hundreds of thousands

of devices per hour (Antonakakis et al., 2017). Ho-

wever, in practice, changing the password, might not

be easy or even possible, even though it should be

considered a basic hygiene measure. For example, it

was detected that, many of the devices involved in the

Dyn attack were from a speciﬁc electronics manufac-

turer who had the credentials hard-coded in the ﬁrm-

ware, making them unfeasible to be changed (Krebs,

2016a). Also, even in the case of devices that allow

changing the password, there is currently no practical

way to ensure that the device owners do it.

This paper makes use of a well-studied econo-

mic predicament named as “the tragedy of the com-

mons” to make an analogy with the problem of the

IoT botnets from a non-technical perspective. The

fact that manufacturers and users are neither motiva-

ted nor compelled to improve their security was the

main driver for doing an analysis from a social beha-

viour prism. The idea is to develop a better understan-

ding of a scenario where the beneﬁts are distributed

individually and the costs are shared by a community

and to discuss potential solutions. The main points in

which the analogy is based are explained in section

2. Section 3 reviews previous work done where “the

tragedy of the commons” is referred in the context

of availability and cyber-security problems, including

botnets. Sections 4 and 5 suggest possible solutions,

and section 6 provides the conclusions and recom-

mendations for further study.

2 BOTNETS AS A “TRAGEDY OF

THE COMMONS” PROBLEM

The tragedy of the commons is an economic problem

which was for the ﬁrst time addressed in 1833 by Wil-

liam Foster Lloyd (Lloyd, 1833) who exposed what

has become a well-studied economic problem. The

“commons” where shared areas where herd belon-

ging to different owners could graze freely. Therefore

while each owner had a beneﬁt that was proportional

to the number of animals they owned, the costs of fee-

ding them would be shared by all the herdsmen in the

common. As long as the common is big enough to

feed all the animals (as well as having a buffer for re-

generation) there is no problem. However, each mem-

ber of this community, as a rational decision maker,

will try to maximise their utility by increasing their

number of animals. Eventually this will reach the

point that the common, having ﬁnite resources, will

not be sustainable to feed all the animals. In 1968,

Garrett Hardin published a paper under the name The

tragedy of the commons using an analogy of this pro-

blem to analyse overpopulation (Hardin, 1968). Har-

din also introduces an in-depth analysis of situations

where individual decisions, which are based on pur-

suing personal gain, can affect the common interest

and explains. In other words, how the beneﬁts of a

few can cause detriment to a community.

When the rules of the game are established in a

way that rational individual decisions harm the so-

ciety as a whole, the only possible solution is to

change the rules. Furthermore, Hardin introduces the

idea that certain problems have no optimal technical

solution, for which, in certain scenarios, to preserve

freedom there is a necessity to establish laws and re-

gulations. This is based in a basic economic principle

that establishes that the needs are unlimited but the re-

sources of the planet are not. Another example used

in this same publication is the damage to the envi-

ronment where companies and individuals, as a con-

sequence of activities that mostly beneﬁt themselves

harm the ecosystem through pollution. So this is also

a case where the beneﬁts are individual but the costs

are shared.

According to Hardin’s essay, the tragedy of the

commons has two, fairly equivalent, scenarios, the

ﬁrst scenario is when individuals extract something

from the common resource compromising its availa-

bility, and the second scenario is when the individuals

introduce something harmful to the environment. In

this paper, it will be explained how in the cyber space,

this problem can be seen from both sides, by using the

particular case of IoT botnets. On one hand, the cyber

space is based on a physical infrastructure that is limi-

Collective Responsibility and Mutual Coercion in IoT Botnets - A Tragedy of the Commons Problem

471

Figure 1: Telnet attack volume by month according to F5 Labs threat report (Boddy and Shattuck, 2018).

ted and therefore its availability depends on this limit

not been reached. On the contrary of what some could

intuitively think, the major constraint is not related to

the capacity of the channels but to the processing li-

mitations of network devices, such as routers. Anot-

her problem that affects availability is the not optimal

use of the routing resources and channels (Lutu and

Bagnulo, 2011). (den Hartog et al., 2017)(Cole et al.,

2006). On the other hand, users can either, malici-

ously or unknowingly, introduce pollution to the net-

work such as hurl trafﬁc, and malware (Cerf, 2013).

In general, availability issues are not frequently

applicable for the normal use of internet due to its abi-

lity to increase its capacity in respond to demand. Ne-

vertheless, in certain cases, trafﬁc congestion levels

can result in the unavailability of a service for certain

period of time(Cerf, 2013). This is the main princi-

ple of a DDoS attack. In an IoT botnet also malicious

trafﬁc is injected to the network making a clear paral-

lel with the pollution example since the misuse of the

internet leads to increase different risk factors in the

environment, making it insecure for all the users. This

last applies not only to botnet malware, but also to all

sorts of malicious activity. If all the security efforts

are focused in the malicious agents that launch the

attacks, and in the main victim, we are forgetting im-

portant actors who enable the attack. In the rest of this

paper, these actors will be called “enablers” or “botnet

enablers”. These actors are a key part of the success

of the attack, meaning that they could also be key in

preventing it, or stopping it. For this, it is important

understanding what drives their actions. The case is

that “botnet enablers” will not intentionally mean to

provoke harm. They just limit themselves to seek the

maximisation of their own utility, which usually is a

natural human behaviour.

There will be three types of actors considered as

“botnet enablers”: the IoT manufacturer, the IoT ow-

ner, and the Internet Service Provider (ISP). Each one

of these three actors would try to maximise their uti-

lity function by reducing their costs.

The IoT manufacturer would be allegedly the ac-

tor that has the main responsibility since is the one

producing an unsafe device in the ﬁrst place. The IoT

devices susceptible to attacks based on Mirai have the

characteristic of allowing software to be downloaded

and installed without requiring higher level privileges.

Also not only they do not enforce changing default

passwords, but a particular brand that was involved in

the two big cases of 2016 did not even allow the user

to change it because credentials were hard-coded.

The second actor, the IoT owner, represents the

roles of administrator and user. The IoT owner also

enables the attack by performing selﬁsh actions which

are in the ﬁrst place, purchasing an insecure device,

by connecting it directly to the internet without any

network protection, and by not changing the default

credentials (in the cases that this is possible). In the

ideal situation, the user should have as little freedom

as possible to behave insecurely which is achieved by

having security by default and privilege separation.

Users will often lack security awareness and it should

be responsibility of IoT vendors to provide guidance.

The third actor, the ISP, despite not having legal

obligations towards security, several security experts

agree that they are in a suitable position to protect the

BASS 2018 - International Workshop on Behavioral Analysis for System Security

472

internet (Usman, 2013). Therefore it is believed that it

should become a common best practice that ISPs have

responsibility for trafﬁc coming from their network,

and this includes IoT-bots (Smith, 2017).

Not having the knowledge or the technical capa-

bilities for playing their part in avoiding a DDoS at-

tack of this scale can be at some extent an excuse (or

maybe not) for the “enablers”. This would bring a

fourth player to the game which is the type of actor

that is called to help solving both the awareness and

the tragedy of the commons problem: regulatory enti-

ties. This includes industry standards, as well as mar-

ket, and legal regulations. If the regulatory entities

only focus on the attacker and ignore the role of the

“botnet enablers” it will be an endless quest since they

will be missing out the big picture.

Finally there is a ﬁfth actor, which is the victim.

Basically the victim is all the internet community.

This includes the direct victim of the DDoS attack,

as well as everybody that is affected directly or indi-

rectly for the lack of availability of their services. Fi-

gure 1 shows a diagram with the different actors and

their current roles in a DDoS botnet of the type caused

by Mirai.

So lets see how the different elements involved in

a botnet relate to the tragedy of the commons problem

by doing the following analogy:

• The commons: they are a shared space in which

the actions of individuals affect either the availa-

bility or the quality of the resources in it. This cor-

responds to the cyber-space which clearly has the

characteristic of been susceptible to be affected in

its availability and quality of service by individual

decisions of its users.

• The herdsmen: they are the individuals that share

the commons whose decisions have an effect in

the community as a whole. As much as they get

affected themselves, as this effect is shared bet-

ween the members of the community, the herds-

men will not always perceive the harm as a direct

consequence of their actions. And even if they

do, they will not have the necessary incentives to

change their behaviour. In this case, the herdsmen

are the “botnet enablers” which are the ﬁrst three

actors: the manufacturer, the IoT owner, and the

ISPs.

• “Grazing cattle”: is the action of making use of

the common space. This can be done either in a

sustainable or in an abusive way. It would be con-

sider sustainable when the resources are far to re-

ach their limits in the foreseeable future or when

there is a sense of collective responsibility to pre-

serve the resources of this space. As this sense of

“collective responsibility” cannot always be gua-

ranteed for all individuals, different sorts of incen-

tives and deterrents can be allocated to compel the

herdsmen to limit their number of animals. It is

understood that “limiting the number of animals”

represents having a responsible behaviour towards

the sustainability of the resources.

When the herdsmen are free to graze their cattle

as they wish, they will try to maximise their own uti-

lity in detriment of the commons good which is the

preservation of the resources’ availability and quality.

The scenario of grazing cattle in a sustainable manner

represents making use of the cyber space in a secure

way. In the botnet example, this means manufactu-

ring, deploying, and using IoT devices securely, plus

ongoing monitoring and control of network trafﬁc in

the Internet. All of which can be done by the different

“botnet enablers”. The scenario of grazing cattle in an

abusive manner is the one that allows the development

of the botnets. The omission of actions to prevent the

IoT devices getting infected and used as bots, presu-

ming that this will not have any direct consequences,

could inﬂict as much damage to the community as the

malicious action itself.

On a nutshell, there are two main characteristics

of the IoT DDoS botnets, namely botnets based on

Mirai, which support doing the analogy with the tra-

gedy of the commons. First that there is a space that is

shared, and so are the resources that this space offers.

Second, that individual decisions made with the goal

of maximisation of the utility function of each stake-

holder is opposed to the goals of the common good. In

this case, keeping the internet as a safe place is consi-

dered to be for the best interest of society, reason why

cyber attacks are considered among the most relevant

risks that humanity faces at the moment (World Eco-

nomic Forum, 2018). So the whole society is the one

that suffers as a consequence of too many individuals

ignoring their social responsibility.

Two actors in the botnet that are not considered

explicitly in the tragedy of the commons analogy are

the perpetrator of the attack and the direct victim of

the DDoS. In the case of the attacker, since this player

is not likely to follow any rules, he is not invited to the

game. On other words, there is no control over their

actions. So for the scope and purpose of this analysis

the attackers behaviour will be assumed as constant

rather than variable. The direct victim, although not

explicitly represented, they belong to the ﬁfth group

of actors: the community. This actor constitutes a par-

ticular case, which might require a separate subdivi-

sion in a future expansion of this model, since in a

single event they will be paying a much bigger pro-

portion of the costs than the rest.

Collective Responsibility and Mutual Coercion in IoT Botnets - A Tragedy of the Commons Problem

473

Figure 2: Roles and responsibilities of different actors in a Mirai IoT botnet.

It has to be noted, as well, that as much as the

last actor was named as the internet community,

actually there is an increasing amount of services

that rely on IT that serve people that might not

even use internet, such as elderly people. Banking,

health-care, utilities, retail, and public services are

example of services that highly depend on IT. On

other words, a denial of service can affect mostly

any ambit of human endeavour and this dependency

should be expected only to increase with the boom

of IoT and industry 4.0. In the long run, everybody

will suffer the consequences at some extent. If not in

the next botnet, in the consecutive or at some point

in the future. It is just a matter of big numbers and

probabilities, in which having this situation going on

for an extensive period of time makes likely that, at

some point, every member of the community will

become a victim.

According to this, for a period of time “t” we could

consider the following statement to be true:

If (t−→ ∞)

then,

The total costs of DDoSs will be distributed

among all Internet users

This is rather theoretical and probably in a ﬁnite

period of time the share of the consequences of a bot-

net will never be equal among all members of the

community. To make a consensus, we can agree that

in the long term, most members of society will at least

suffer some sort of consequences, although these will

not be equally distributed. While cannot demonstrate

an equal proportion of consequences among the com-

munity, we can still agree that the actors whose de-

cisions can make the difference are not signiﬁcantly

affected by the DDoS in a different way than any

random member of the community. Actually, an ex-

perimental study done to estimate the cost for an in-

dividual IoT owner to have their devices infected by

Mirai and used as bots in a DDoS attack showed these

costs are negligible (Fong et al., 2018). The analy-

sis demonstrated that while the overall cost for these

actors as a whole was signiﬁcant, the costs for each

individual IoT user was not that big, and could easy

remain imperceptible by them. They estimated 1.08

USD of cost per device in the attack against the Krebs

BASS 2018 - International Workshop on Behavioral Analysis for System Security

474

on security website and less than 0.01 USD. This cor-

responds to a direct cost which is electricity consump-

tion. They estimated also a higher cost attributable

to bandwidth consumption, but this is usually not di-

rectly payed by owners since it is very common to

have unlimited broadband contracts. So again the

whole community is the one that absorbs this cost.

Other consequences for IoT owners such low per-

formance of the device can be harder to measure and

were not included in the study just mentioned. It has

to be taken in consideration that many users might

not even notice issues with performance, especially

if they are not using the device at all moments during

the attack. And even if they did, this does not change

the fact that this impact is out of proportion compared

to the overall damage.

The unintended damage caused by the “botnet

enablers” could be also deﬁned as “economic exter-

nality” which is a direct effect of the activity of an

actor on the welfare of another (Asghari et al., 2015).

This is what can happen when in an interconnected

world free agents make selﬁsh decisions. DDoS bot-

nets produced by bots hosted in IoT devices threaten

to be a prevalent issue with the continuous growing

trends of the IoT market (Gartner, 2017). This me-

ans that if no practical and widely applicable solution

is implemented there are chances that this will be an

increasing problem.

There is apparently no technical solution to ensure

that the appropriate preventative measures are put in

place, which is one of the characteristic of the tragedy

of the commons dilemma. The typical conclusion that

is reached in these cases is that there is a need for ot-

her nature of solutions (Hardin, 1968). It could be

argued that, technically, it is very easy to prevent an

IoT device to get infected with Mirai: having a secure

password. Also, to clean an already infected device it

is a matter of rebooting it and changing the password.

But the real problem relies in the lack of incentives for

owners to do this and, even more important, for ma-

nufacturers to build security by default (e.g. enforce a

secure password). Therefore we are facing an econo-

mic and social problem which needs to be tackled as

such.

The “botnet enablers” perceive no beneﬁt from an

attack, as the herdsmen do by exploiting the com-

mons. But the tragedy of the commons is not al-

ways about beneﬁts but about maximising the utility

function, which is what rational decision makers tend

to do. This does not mean necessarily to obtain a be-

neﬁt, but can be also to avoid a cost. Taking action

to avoid a botnet has a cost for all the three enablers.

Even if for the IoT owner the cost is just some minutes

of their time, they do not see any beneﬁt in doing so.

If they also happen to own a device that does not allow

to change the default password, then the responsible

action would be getting a more secure one. In this

case the cost of security would appear to be bigger

for this actor. Of course, this is only in the case that

they knew the risk of connecting an unsafe device in

the ﬁrst place.

Another factor that matters in this problem is awa-

reness. Not necessarily all “botnet enablers” are in

purpose causing damage. There is a question here re-

lated to what if creating awareness and educating in

the matter will result on them making a different deci-

sion making process. This is another issue that is co-

vered in the tragedy of the commons analysis done by

Hardin. He states that “education can counteract the

natural tendency to do the wrong thing”, but he also

explains that this is neither a deﬁnitely nor can be the

only solution to this sort of problem. It is of common

knowledge that, once given all the relevant informa-

tion, some people will act in a responsible way, but

others will not. In the second case is when incentives,

deterrents, and coercive measures are brought to the

conversation which will be discussed further in secti-

ons 4 and 5.

3 CYBER-SECURITY AND THE

TRAGEDY OF THE COMMONS

To the best of our knowledge, this is the ﬁrst acade-

mic paper that analyses IoT botnets explicitly from

this angle. Nevertheless, the idea of a link between

IoT botnets and the tragedy of the commons pro-

blem has been suggested in some articles written

shortly after the high coverage of the Mirai attacks

of 2016 (Smith, 2017)(Krebs, 2016b). Also a num-

ber of published papers (Roy et al., 2010) (Herley

and Flor

encio, 2009) and articles (Cerf, 2013)(Ian-

nela, 2017)(Davidow, 2012) relate this economic and

social dilemma with cyber-security.

While the overuse of the internet is not a typi-

cal scenario of the tragedy of the commons, a limi-

ted number of papers have been written relating it

with network trafﬁc (den Hartog et al., 2017)(Lutu

and Bagnulo, 2011)(Cole et al., 2006). In this case,

more than bandwidth, the resources that appear to act

as a bottleneck are network devices such as routers,

which have limited processing and memory capabili-

ties (Lutu and Bagnulo, 2011). Also anarchy in rou-

ting (Cole et al., 2006) or in assignation of Wiﬁ chan-

nels (den Hartog et al., 2017) is a cause of these bott-

lenecks. In neither of these cases the individual de-

cisions are motivated for a gain but rather for avoi-

ding the cost of investing energy to reduce entropy

Collective Responsibility and Mutual Coercion in IoT Botnets - A Tragedy of the Commons Problem

475

levels. The solutions proposed in these cases were re-

lated to algorithms for collaborative channel selection

(den Hartog et al., 2017) and to introducing a tax me-

chanism (Lutu and Bagnulo, 2011). While the ﬁrst

approach appeals to a sense of collective responsibi-

lity, the second introduces a deterrent to prevent an

unwanted behaviour. What both cases have in com-

mon is that they solved the problem by introducing

new rules to the game in order to motivate a change

in individual decisions. If the application of deter-

rent measures such as paying royalties, ﬁnes or taxes

is agreed within the community for the greater good,

this is called “mutual coercion” (Hardin, 1968).

An important issue yet to be solved in cyber se-

curity is the allocation of incentives and deterrents

among the stakeholders that are well positioned to ap-

ply defence measures. Speaking about botnets, crimi-

nal incentives are only one side of the problem and

the other side is that there is no incentive for defen-

ders (Asghari et al., 2015). This lack of incentives

is the same that makes the utility function of the IoT

owners to remain almost the same either the take or

not action. Therefore, leading them to do nothing,

which is at the end some sort of decision. A decision

that has consequences for society as a whole. Ge-

nerally speaking, poor security levels in IT and IoT

systems have a social cost, due to the fact that most

of the society beneﬁts one way or another from the

ICT ecosystem meaning that cyber-security has si-

milar characteristics of a public good. The problem

is that the fact that defences are put in place mostly

as a decision made by privates (e.g. individuals and

companies) provokes that costs and beneﬁts are not

evenly distributed among the different actors (Bauer

and Van Eeten, 2009). When an actor does not di-

rectly perceive all the consequences of their choices

cyber-security problems become more complicated.

Therefore, this asymmetry is an important cause of

this tragedy. And it is not just the problem of availa-

bility but that this situation can lead to the risk that at

some point the internet could become too unsafe for

reliable use (Cerf, 2013).

The consideration of the economic and the human

factor in the search of cyber security solutions is ba-

sed on the fact that technology has no moral value by

its own but it reﬂects human intentions having the po-

wer, as well, to amplify them (Iannela, 2017). Botnets

are, in fact, a good example of using technology to

amplify a malicious intent. It is then necessary to ﬁnd

the means to facilitate collaboration within different

actors to counteract this situation, concerting efforts

within the public and private sectors, including legal

measures, if necessary (Bauer and Van Eeten, 2009).

The literature suggests that the tragedy of the com-

mons analogy, as well as game theory can be promi-

sing in providing perspectives, insights, and models

to address cyber-threats (Roy et al., 2010).

4 COLLECTIVE

RESPONSIBILITY VERSUS

MUTUAL COERCION

In October 2016 an US senator who also called the

Mirai botnet a tragedy of the commons problem ex-

pressed his worry that in this case security which is

“so vital to all internet users remains the responsibi-

lity of none”(Krebs, 2016b). It is important to notice

that speaking of collective responsibility can imply

that it is everybodys problem but, at the end of the

day, nobody is accountable for it. This would be like

a famous Spanish play called “Fuenteovejuna” where

a whole village takes blame for a murder to cover the

murderer. The idea behind was that if the fault was

committed by the whole village, nobody would pay

the consequences. In the case of an IoT botnet the

“murder” is, indeed committed by the village of the

“botnet enablers”. It is true that they are mostly guilty

by omission rather than by action and it appears as

quite unfair to attribute the condition of “criminal” to

these actors, for been merely unintentional enablers

of a cyber-crime. But what if they knew about the

risk? Can we still defend their cause as an unintenti-

onal sort of complicity with the cyber criminals?

So the ﬁrst step for collective responsibility should

be creating awareness of the role that each actor plays

and what they can do to prevent a DDoS attack. This

would mean to trust that, having all the facts, they

will have no choice but change their behaviour, dri-

ven by moral principles. But Hardin does not totally

supports this hypothesis in his theory. If we accept the

analogy between the commons and the cyber space to

be truth, then the security of the internet can no longer

depend on self-regulation (Davidow, 2012). Knowing

that some components of the utility function of each

actor are individual and others are shared the logical

action would be to take concrete actions to balance the

equation. The same as is in the case of solving over-

population, environmental pollution, and the tragedy

of the commons.

According to Hardin, “the social arrangements

that produce responsibility are arrangements that cre-

ate coercion of some sort”. Examples of this are taxes,

payed parking spaces, and punishment for crimes.

The validity of these kind of measures would be based

on the agreement among the majority of the people

affected (aka “mutual coercion”). This is because to-

BASS 2018 - International Workshop on Behavioral Analysis for System Security

476

tal freedom is not possible when this will affect the

common good (Hardin, 1968). Another example of

how individuals will not act against what they believe

to be their self interest in favour of collective interest

unless there is an explicit agreement is the prisoners

dilemma. Taking this back to cyber security, it means

that there should be some sort of agreement in place

rather than having actors deciding independently. The

ideal outcome of this agreement will be that manufac-

turing, selling, and connecting insecure IoT devices

becomes intolerable.

The use of “altruistic punishment” can be demon-

strated as an effective way to solve the tragedy of the

commons dilemma through a zero sum game simu-

lation experiment (Greenwood, 2016). Altruistic pu-

nishment means that some player will support the ap-

plication of punishment to players that act against the

common interest even if they do not perceive any di-

rect gain for it and even if the punisher has to pay a

cost. The reasons of this result is that the punishment

acts as a deterrent and after a few rounds of the game

the transgressors would change their behaviour.

Another interesting quote from Hardin’s paper

is when he states that “the morality of an act is a

function of the state of the system at the time it is

performed”. Therefore, as much as using a default

password for a connected printer cannot be stigmati-

sed as “immoral” by itself; how this changes if you

know that it can be part of a DDoS attack targeting a

critical service, such as a hospital?

Finally, the realisation that a resource is in dan-

ger reveals an urgent need for regulations to be put

in place (Davidow, 2012). At the beginning of ti-

mes, when the resource is safe from been corrupted

and appears to be unlimited, there is room for free-

dom. There are several examples of this such as ﬁs-

hing, hunting, agriculture, environment pollution, and

of course, the herd grazing in the commons. The in-

ternet seems no different to these other economic acti-

vities in the sense that it is becoming unsafe to be used

freely (Cerf, 2013).

While several regulations are currently active re-

lated to behaviour in the internet including the re-

cent enforcement of the General Data Protection Ru-

les (GDPR) in the European Union, there is a lack

of such regulations regarding IoT. Examples of con-

crete but isolated actions regarding coercive measures

that involve IoT have been cases of smart toys for-

bidden in Germany in 2017 for threats to privacy and

drug pumps pulled off the market by their manufac-

turer due to be found vulnerable to hacking. Similar

measures should be taken regarding devices that are

easily hacked to be used as bots.

5 POSSIBLE SOLUTIONS

The present paper does not aim to provide a deﬁni-

tive answer but to propose possible areas of solution.

Speciﬁc ways to apply these solutions require to be

developed in more detail, adding an in-depth analysis

that takes in consideration the multiple disciplines in-

volved. The fact that this is a complex problem that

involves several actors, requires an analysis that inclu-

des the technological, economical, social, and legal

points of view. It is suggested to integrate different

types of solution rather than looking for some sort of

silver bullet.

In order to provide material for further discus-

sion, four areas of solution where identiﬁed, based on

the premise that either consciously or unconsciously

every rational decision maker will seek to maximise

their utility function (Hardin, 1968). The four groups

are: solutions that change the utility function, soluti-

ons that change the inputs of the utility function, so-

lutions that involve coercive measures, and solutions

that involve providing a better information about the

variables of the utility function.

1. Solutions that Change the Utility Function:

This means introducing moral values to the equa-

tion by creating awareness about the problem and

the major social implications, appealing to the

consciousness of the different actors. Examples

of this are doing campaigns that, one hand serve

for education and, on the other, can make appear

as “socially unacceptable” to connect devices in-

securely to the internet.

There are several examples of behaviours that

were considered acceptable in the past, like thro-

wing litter in the street or smoking inside a buil-

ding which are currently no accepted anymore.

This is also known as “blame and shame”. Un-

der this order of values, for manufacturers to pro-

duce an insecure IoT device would be the equi-

valent of selling toys with lead paint: not only a

transgression to regulations but also a reason to

appear in the newspapers. On other words, ma-

king a threat of serious damage to brand reputa-

tion could be used as a deterrent for “bad beha-

viour”. Making public which vendors sell secure

devices and which ones do not is another form of

“blame and shame” or positive reinforcement, de-

pending on the case.

2. Solutions that Change the Inputs of the Utility

Function:

These solutions imply introducing incentive and

deterrents to change the utility value of the “ena-

blers” in order to induce rational decision making.

Collective Responsibility and Mutual Coercion in IoT Botnets - A Tragedy of the Commons Problem

477

This should produce the same outputs that col-

lective responsibility would, but it adds measures

for assurance of “good behaviour”. Examples of

this are taxes, ﬁnes, or other sort of mutually coer-

cive measures that add to the costs of the utility

function of individuals. This can also be used as

adding to the beneﬁt part of the equation. For ex-

ample by public recognition and good publicity

for manufacturers that do “the right thing” as an

incentive for secure design in IoT.

ISPs besides been an actor themselves, can also be

an agent of change of the utility function inputs by

identifying device owners that have insecure devi-

ces connected and applying them a ﬁne or additi-

onal charge in their service bill. This additional

charge, in fact, would be totally justiﬁable in the

sense that these users are in fact more costly for

the system than the responsible ones.

3. Solutions that Involve Coercive Measures:

In this case, rather than trying to guide the actors

behaviour by modifying their utility function, the

solutions are oriented to put restrictions. On other

words, they would be “compelled to do the right

thing” by putting in place laws and regulations.

For example, not allowing insecure IoT devices to

be sold in the market.

An extreme example would be to prosecute botnet

enablers for criminal offence. An analogy to jus-

tify such a radical coercive measure is the case of

a person that legally owns a gun and does not keep

it in a safe place. As a result of this it is found by

somebody and used to commit a crime. The ow-

ner of the gun will be certainly brought into jus-

tice and in the best scenario will need to provide

a good explanation. In the worst, they will have

to serve in prison. The situation is very clear, this

person is facilitating the perpetration of a crime

by been oblivious to a known risk. Therefore they

have to respond for this. Then performing a de-

nial of service attack is a crime, and IoT owners

are enabling this crime.

This solution points to, rather than making “ena-

blers” collectively responsible for an attack, to

make them individually accountable. Of course

bringing hundreds of thousands of users around

the world to a court will present some logistic pro-

blems, but maybe there are other possible measu-

res that are less extreme like making them pay an

extra fee for their internet service.

ISPs also have an important role due to been well-

positioned to regulate trafﬁc and detect offenders,

reason why some authors defend the idea to create

laws that bring them into the chain of responsibi-

lity (Usman, 2013).

4. Solutions that Involve Informing about the Va-

riables Involved in the Utility Function:

This area of solution differs from the ﬁrst one be-

cause it does not bring the moral speech to the

table; it provides the decision maker with infor-

mation about different variables that should be

present in their utility function which might have

been either omitted or miscalculated because of

having incomplete information.

If IoT owners are informed that it is a wrong as-

sumption to believe that connecting insecure IoT

devices to the network has no direct impact to

them, they might change their behaviour. Actu-

ally, having insecure devices also exposes them to

other threats such as data theft and ransomware at-

tacks. For manufacturers, there can be also other

consequences like been forced to take products

out of the market and bad brand reputation. They

also can have wider beneﬁts if they can make an

effective marketing campaign and build a reputa-

tion for selling secure devices.

Trust of the customers should be considered as a

valuable asset because consumers have the power

to affect the market with their purchase decisions.

Thus, IoT owners should be better informed about

which brands are more reliable. To do this last bit,

it will be necessary to have standards that allow

developing some sort of labelling for IoT devices

analogue to the one that domestic appliances have

for power consumption efﬁciency. An example

of this is the IoT Security Foundation User Mark

which can be used by organisations that imple-

ment their latest security compliance framework

(IoT Security Foundation, ).

It must be considered that although some soluti-

ons and analogies might seem extreme, it is not me-

ant to do a moral judgement of the so called “botnet

enablers”. The main purpose of the examples is to

bring on a debate of how responsibilities could be as-

signed according to the capabilities of each actor to

apply preventative measures. The only actors that ac-

tually have the intention to perform the attack, are the

ones who infect the devices and launch the DDoS at-

tack and, as it was explained in section 2, they were

on purpose left out of the analysis.

While ISPs already offer DDoS mitigation servi-

ces to potential DDoS victims amongst their custo-

mers, they also could clean trafﬁc of malware and

hence help prevent infection. They could, as well, no-

tify and provide support to owners of insecure IoT de-

vices and sources of DDoS trafﬁc and penalise those

who, after been warned, do not disconnect or con-

BASS 2018 - International Workshop on Behavioral Analysis for System Security

478

ﬁgure securely their device. For example, by extra

charges.

The involvement of ISPs could present technical

difﬁculties due to the need to process big amounts of

data in near real time. Also, there might be constraints

regarding privacy. Particularly, the General Data Pro-

tection Regulations of the European Union (GDPR)

establishes conditions for consent regarding data pro-

cessing (The European Parliament and the Council of

the European Union, 2016). Possible ways to over-

come these challenges are using advanced data ana-

lytics and that the internet consumers sign speciﬁc

forms of consent for this purpose. Ideally, solutions

should be oriented to look into suspicious characteris-

tics in the heading, IP address, and size of the packa-

ges, rather than looking into the payload.

6 CONCLUSIONS

While avoiding an IoT botnet has fairly simple techni-

cal solutions, there is no simple way to enforce the

relevant actors to apply them. The analysis presented

in this paper does not see the botnet as a technolo-

gical problem but as a behavioural problem. A “tra-

gedy of the commons” approach can give clues of the

nature of possible solutions, by studying how similar

problems have been solved in other contexts such as

over population, pollution, and network bottlenecks.

Most of these problems have technical solutions that

depend on the collaboration between different stake-

holders which ends up becoming by itself a problem.

This analysis reveals that IoT botnets can be easily

seen as an economic problem in the sense that diffe-

rent actors have the freedom to decide in favour of

their individual utility even if this brings harm to the

society as a whole. Therefore, there will be no realis-

tic solution if human behaviour and economic princi-

ples are not taken in account. It is recommended to

do a deeper study on the different areas of solution

proposed and how it is the best way to combine them.

The solutions proposed are not meant to be re-

stricted to control IoT botnets but also can apply to

a number of cyber security issues and consider, as

well, other risks introduced by IoT such as propa-

gation of malware and privacy threats. Other actors

should be considered such as Cloud and Software as

a Service (SaaS) providers. The example developed

is only an simpliﬁcation of the problem to illustrate

the analogy with the “tragedy of the commons” and

to discuss how current cyber-security challenges can

be faced introducing non-technical solutions.

Because it is known that people are the weakest

link of the security chain, it should be understood

that the amount of preventative measures that depend

on the user should be minimised. The manufacturer

should ship the products secure by default and pro-

vide appropriate guidance to users on how to connect

and operate securely their IoT devices. Nevertheless,

users still should be given the necessary information

to develop, at least, a basic level of security aware-

ness.

As humans are the cause of many cyber secu-

rity problems, and not technology, human behaviour

should be under consideration to ﬁnd solutions for

IoT security. It is, as well, important to consider a

multi-disciplinary approach. The disciplines should

include, but not necessarily be limited to the follo-

wing:

• Technology: To create and implement techni-

cal solutions. This should consider different per-

spectives such as software and ﬁrmware design,

hardware design, software and hardware integra-

tion, network security, cloud security, and physi-

cal security, in order to include all aspects of IoT.

• Processes: To identify key activities during deve-

lopment, deployment and operation where secu-

rity aspects need to be considered. It is important

to have experts that can identify the proper stan-

dards and sets of good practices, as well as secu-

rity certiﬁcation mechanisms.

• Economics: To understand how the market might

react to the different types of solutions suggested,

and to changes in consumers behaviours.

• Human Behaviour: To understand the decision

making process of individuals, what are their dri-

ves and what is the potential effect of incentives,

deterrents, and coercive measures.

• Law and Regulations: To deﬁne pertinent coer-

cive measures and appropriate legal mechanisms

for compliance.

• Communication and Marketing: To spread the

message in an effective way.

The introduction of mechanisms of “mutual coer-

cion” appears like a plausible alternative to ensure

that there would be accountability, not only for per-

petrating a cyber-attack, but also for facilitating it. It

has to be noted that coercion and education are not

mutually exclusive. Enhancing security awareness is

still an important issue to consider in order to create

consciousness in “botnet enablers” and induce them

to adopt secure behaviours. We believe that a good

start point is developing standards to categorise and

label IoT devices according to their level of security.

This is because, the rest of the solutions can be then

more effectively applied once there is a benchmark of

Collective Responsibility and Mutual Coercion in IoT Botnets - A Tragedy of the Commons Problem

479

what is understood as “secure” in IoT, and what it is

not. When education fails, the application of coer-

cive measures should serve as a valid mechanism to

preserve cybersecurity, as it does in other spheres of

common interest such as trafﬁc laws, environmental,

health, and public safety affairs.

REFERENCES

Antonakakis, M., April, T., Bailey, M., Bernhard, M.,

Bursztein, E., Cochran, J., Durumeric, Z., Halderman,

J. A., Invernizzi, L., Kallitsis, M., et al. (2017). Under-

standing the mirai botnet. In USENIX Security Sym-

posium.

Asghari, H., van Eeten, M. J., and Bauer, J. M. (2015). Eco-

nomics of ﬁghting botnets: Lessons from a decade of

mitigation. IEEE Security & Privacy, 13(5):16–23.

Bauer, J. M. and Van Eeten, M. J. (2009). Cybersecurity:

Stakeholder incentives, externalities, and policy opti-

ons. Telecommunications Policy, 33(10-11):706–719.

Boddy, S. and Shattuck, J. (2018). Threat analysis re-

port. the hunto for iot. the growth and evolution of

thingbots ensures chaos. https://www.f5.com/labs/

articles/threat-intelligence/the-hunt-for-iot-the-

growth-and-evolution-of-thingbots-ensures-chaos.

Retrieved on: 2018-06-25.

Cerf, V. G. (2013). Revisiting the tragedy of the commons.

Communications of the acm, 56(10):7–7.

Cole, R., Dodis, Y., and Roughgarden, T. (2006). Bottle-

neck links, variable demand, and the tragedy of the

commons. In Proceedings of the seventeenth annual

ACM-SIAM symposium on Discrete algorithm, pages

668–677. Society for Industrial and Applied Mathe-

matics.

Davidow, B. (2012). The tragedy of the internet commons.

The Atlantic, 18.

den Hartog, F., Raschella, A., Bouhafs, F., Kempker, P.,

Boltjes, B., and Seyedebrahimi, M. (2017). A pathway

to solving the wi-ﬁ tragedy of the commons in apart-

ment blocks. In Telecommunication Networks and Ap-

plications Conference (ITNAC), 2017 27th Internatio-

nal, pages 1–6. IEEE.

Fong, K., Hepler, K., Raghavan, R., and Rowland, P.

(2018). Quantifying Consumer Costs of Insecure

Internet of Things Devices. https://groups.ischool.

berkeley.edu/riot/. Accessed on: 2018-05-30.

Gartner (2017). Gartner newsroom. http://

www.gartner.com/newsroom/id/3598917/. Accessed

on: 2017-07-30.

Greenwood, G. W. (2016). Altruistic punishment can help

resolve tragedy of the commons social dilemmas. In

Computational Intelligence and Games (CIG), 2016

IEEE Conference on, pages 1–7. IEEE.

Hardin, G. (1968). The tragedy of the commons. Science,

162(3859):1243–1248.

Herley, C. and Flor

encio, D. (2009). A proﬁtless endeavor:

phishing as tragedy of the commons. In Proceedings

of the 2008 New Security Paradigms Workshop, pages

59–70. ACM.

Iannela, R. (2017). Tragedy of the digital commons: Ampli-

ﬁed zombies [opinion]. IEEE Technology and Society

Magazine, 36(3):15–16.

IoT Security Foundation. Best practice user mark faq and

best-practice-user-mark/. Accessed on: 2018-06-26.

Krebs, B. (2016a). Hacked Cameras, DVRs Powe-

red Todays Massive Internet Outage. https://

krebsonsecurity.com/2016/10/hacked-cameras-dvrs-

powered-todays-massive-internet-outage. Accessed

on: 2017-02-22.

Krebs, B. (2016b). Senator Prods Federal Agencies

on IoT Mess. https://krebsonsecurity.com/2016/10/

senator-prods-federal-agencies-on-iot-mess/. Acces-

sed on: 2018-05-30.

Lloyd, W. F. (1833). Two Lectures on the Checks to Popu-

lation: Delivered Before the University of Oxford, in

Michaelmas Term 1832. JH Parker.

Lutu, A. and Bagnulo, M. (2011). The tragedy of the in-

ternet routing commons. In Communications (ICC),

2011 IEEE International Conference on, pages 1–5.

IEEE.

Mansﬁeld-Devine, S. (2016). Ddos goes mainstream: how

headline-grabbing attacks could make this threat an

organisation’s biggest nightmare. Network Security,

2016(11):7–13.

Roy, S., Ellis, C., Shiva, S., Dasgupta, D., Shandilya, V.,

and Wu, Q. (2010). A survey of game theory as app-

lied to network security. In System Sciences (HICSS),

2010 43rd Hawaii International Conference on, pages

1–10. IEEE.

Smith, M. (2017). The tragedy of the commons in the

IoT ecosystem. https://computerworld.com.au/article/

626059/tragedy-commons-iot-ecosystem/. Accessed

on: 2018-05-30.

The European Parliament and the Council of the European

Union (2016). General data protection regulation-

gdpr. https://gdpr-info.eu/. Retrieved on: 2018-06-25.

Usman, S. H. (2013). A review of responsibilities of inter-

net service providers toward their customer’s network

security. Journal of Theoretical & Applied Informa-

tion Technology, 49(1).

World Economic Forum (2018). The global

risks report 2018. http://weforum.org/docs/

WEF

GRR18 Report.pdf/.

BASS 2018 - International Workshop on Behavioral Analysis for System Security

480