Ensuring Botnets Are Not “Too Big to Investigate”

This blog post addresses the threat posed by botnets, and the need for an amendment to the Federal Rules of Criminal Procedure to identify a single court that can hear an application for a search warrant to investigate a nationwide botnet attack.  A previous post addressed the threat posed by internet anonymizing technology and the need for a related amendment to ensure that investigators can identify at least one court from which to seek a search warrant.  A third post will address arguments raised by commentators against the proposed amendments.

One of the fastest-growing species of computer crime is the botnet.  A botnet is essentially a mass hack—a network of victim computers that have been surreptitiously infected with malware and are controlled remotely by criminals.  Botnets range in size from hundreds to millions of infected computers, and they are used for a variety of criminal purposes: sometimes the criminals invade the privacy of the victim users by installing keylogging software to steal sensitive personal or financial information, or by secretly activating computer cameras.  Criminals also use botnets to install ransomware that holds a user’s critical information hostage by encrypting it unless the user agrees to pay a ransom.  And sometimes criminals use victim computers to attack other victims—for example, recent news reports state that a botnet was used to commit the distributed denial of service (DDoS) attack on an Internet infrastructure provider that crippled Internet usage in the United States on Oct. 21, 2016.  Studies by security firms suggest that the rise of botnets is one of the key cybersecurity threats facing American citizens and businesses, and that millions of computers in the United States may be surreptitiously under the control of criminal malware.

Fighting back against botnets, however, can be challenging.  Criminals use sophisticated malware to attack victims, and even a comparatively low infection rate can yield hackers a vast haul of compromised computers.  The malware also burrows into unexpected places on computers, masks itself among innocent files and communicates with command-and-control servers using encrypted traffic that may be unreadable to sophisticated intrusion-detection systems.  The masterminds are often located abroad, which confers upon them the benefit of all of the usual limitations we face in overseas investigations – limited access to digital evidence, delays caused by reliance on the mutual legal assistance process and the possibility of safe haven from arrest or prosecution in their country of residence.  Finally, some botnets are designed to inflict damage, such as by remotely erasing or encrypting data on the victim computers, at the criminals’ whim.  For all of these reasons, although botnets pose a grave threat to innocent Americans, attempts by law enforcement and computer security professionals to defeat them require a substantial investment of manpower and expertise, seamless public-private cooperation, and often months or more to plan.  Absent such efforts, our nation’s computer networks, including sensitive networks that may be located in hospitals or police stations, may remain effectively under the control of ruthless, mercenary and tech-savvy criminals.

Both the Department of Justice and the private sector have had some success in dismantling botnets.  In 2014, the FBI, in conjunction with a coalition of nearly a dozen foreign countries and a suite of elite computer security firms, dismantled the Gameover Zeus botnet, which used keystroke logging to collect online financial account information, inflicting over $100 million in losses on American victims alone, and which was also used to infect victim computers with the notorious Cryptolocker ransomware software.  The Gameover Zeus operation was conducted under federal court supervision and relied on both criminal authorities (to seize command and control servers) and a civil injunction (to authorize the redirection of enslaved computers to a server controlled by the court).  As a result of the operation, hundreds of thousands of computers around the world were freed from the control of an Eastern European criminal organization.  Similarly, the Microsoft Corporation has undertaken a number of operations against specific botnets that target Microsoft Windows software, relying on authorities such as civil injunctions under the Lanham Act and the Computer Fraud and Abuse Act, and orders issued under the All Writs Act.

More operations like the highly successful one against Gameover Zeus are necessary if we are to keep up with the cybercriminals engaged in this kind of mass hacking and privacy invasion.  But, unfortunately, current law has not kept up with the technology.  Beyond the technical obstacles, several key legal gaps can stymie botnet investigations and remediation before they even get off the ground.  One such obstacle is in the Federal Rule of Criminal Procedure governing search warrants.  Liberating a computer from a botnet might require first obtaining some information from that computer, such as what version of the malware it is running.  If the government wants to obtain that information, it might need a search warrant.  If investigators seek a warrant to search a single infected computer, they are authorized to bring the warrant application to the court where the computer is located.  And if investigators seek to search multiple infected computers—for example, to determine what kind of computers have been infected or what operating systems they are running—and those computers happen to be located in a single judicial district, they can bring their application to a single judge in that district.  But botnets are, typically, nationwide crimes.  In these cases, the Rules as currently written (and as conceived in 1917) would require the investigators to apply simultaneously for identical warrants in all 94 judicial districts in America—a severe impracticality if not impossibility.  The Rules did not anticipate nationwide crime of this type and make no provision to investigate it efficiently.  The result is that while we are struggling to keep up with criminals who, as you read this, are committing mass, harmful hacking of our computers, our own archaic procedural rules may prevent investigators from taking timely, smart, lawful and court-supervised enforcement action.  In short, under our current procedures, botnets may be “too big to investigate.”

However, there is good news: three years ago the Justice Department proposed an amendment to the Rules that would fix this problem.  The proposed amendment would require that agents must still bring their warrant applications to court and meet the same exacting constitutional requirements as before.  But in cases involving botnets—specifically, in cases involving the criminal hacking of computers in five or more judicial districts—the rule would permit the agents to bring the application to one federal court rather than up to 94 at the same time.  The rule would make no changes to the substantive law governing probable cause or particularity, or to when it may or may not be appropriate to search an infected computer.  The only thing the rule would do is identify a single court that is authorized to consider those questions in the context of an application for a search warrant.

The United States Supreme Court reviewed and approved the amendments, and they are scheduled to go into effect on Dec. 1, 2016.  We expect that the amendments will assist in protecting the privacy and security of thousands of Americans and American businesses.