Assuring Authority for Courts to Shut Down Botnets

Courtesy of Leslie R. Caldwell, Assistant Attorney General for the Criminal Division

In our first post, we noted the dramatic growth over the past several years in the incidence of cybercrime that victimizes Americans.  One of the most striking examples of this trend is the threat from botnets — networks of victim computers surreptitiously infected with malicious software, or “malware.”  Once a computer is infected with the malware, it can be controlled remotely from another computer with a so-called “command and control” server.  Using that control, criminals can steal usernames, passwords, and other personal and financial information from the computer user, or hold computers and computer systems for ransom.  Criminals can also use armies of infected computers to commit other crimes, such as distributed denial of service (DDoS) attacks, or to conceal their identities and locations while perpetrating crimes ranging from drug dealing to online child sexual exploitation.  The scale and sophistication of the threat from botnets is increasing every day.  Individual hackers and organized criminal groups are using state-of-the-art techniques to infect hundreds of thousands — sometimes millions — of computers and cause massive financial losses, all while becoming increasingly difficult to detect.  If we want security to keep pace with technological innovations by criminals, we need to ensure that we have a variety of effective tools to combat evolving cyber threats like these.

One powerful tool that the department has used to disrupt botnets and free victim computers from criminal malware is the civil injunction process.  Current law gives federal courts the authority to issue injunctions to stop the ongoing commission of specified fraud crimes or illegal wiretapping, by authorizing actions that prevent a continuing and substantial injury.  This authority played a crucial role in the department’s successful disruption of the Coreflood botnet in 2011 and the Gameover Zeus botnet in 2014.  These botnets used keystroke logging or “man-in-the-middle” attacks to collect online financial account information, and they transferred stolen funds to accounts controlled by the criminals.  The Gameover Zeus botnet, which infected computers worldwide, was estimated to have inflicted over $100 million in losses on American victims alone, often on small and mid-sized businesses.  Because the criminals behind these particular botnets used them to commit fraud against banks and bank customers, existing law allowed the department to obtain court authority to disrupt the botnets by taking actions such as disabling communication between infected computers and the command and control servers.  Taking action to shut down botnets has been praised in the press and in Congress.

The problem is that current law only permits courts to consider injunctions for limited crimes, including certain frauds and illegal wiretapping.  Botnets, however, can be used for many different types of illegal activity.  They can be used to steal sensitive corporate information, to harvest email account addresses, to hack other computers, or to execute DDoS attacks against web sites or other computers.  Yet — depending on the facts of any given case — these crimes may not constitute fraud or illegal wiretapping.  In those cases, courts may lack the statutory authority to consider an application by prosecutors for an injunction to disrupt the botnets in the same way that injunctions were successfully used to incapacitate the Coreflood and Gameover Zeus botnets.

The Administration’s proposed amendment would add activities like the operation of a botnet to the list of offenses eligible for injunctive relief.  Specifically, the amendment would permit the department to seek an injunction to prevent ongoing hacking violations in cases where 100 or more victim computers have been hacked.  This numerical threshold focuses the injunctive authority on enjoining the creation, maintenance, operation, or use of a botnet, as well as other widespread attacks on computers using malicious software (such as “ransomware” ).

The same legal safeguards that currently apply to obtaining civil injunctions, and that applied to the injunctions obtained by the department in the Coreflood and Gameover Zeus cases, would also apply here.  Before an injunction is issued, the government must civilly sue the defendant and demonstrate to a court that it is likely to succeed on the merits of its lawsuit and that the public interest favors an injunction; the defendants and enjoined parties have the right to notice and to have a hearing before a permanent injunction is issued; and the defendants and enjoined parties may move to quash or modify any injunctions that the court issues.

In sum, this proposal would provide the government with an effective tool to shut down illegal botnets or certain widespread malicious software to better match the ways that criminals are using these technologies.  It assures that the legal mechanism that has proven effective to date will be available. 

In our next posting, we’ll take a look at another threat from malware that invades the privacy of Americans:  spyware.