Cybersecurity and Deterrence
Why Current Botnet Takedown Jurisprudence Should Not Be Replicated
On June 17, a bipartisan group of U.S. senators reintroduced the International Cybercrime Prevention Act. If passed, this bill would grant federal prosecutors access to new tools in their fight against cybercrime. A section of the legislation would expand the government’s legal arsenal against global networks of compromised computers called botnets. Such botnets infect millions of global computers and “Internet of Things” (IoT) devices, hijacking them to participate in “distributed denial of service (DDoS) attacks, proxy and spam services, malware distribution, and other organized criminal activity” not to mention “covert intelligence collection” or attacks on “Internet-connected critical infrastructure.”
One rationale behind this bill is that while the U.S. is suffering from “a spate of crippling cyberattacks,” current law limits the Department of Justice’s ability to shut down botnets through court-ordered injunctive relief. It can do so only when botnets are engaged in “fraud or illegal wiretapping.” This limitation on federal prosecutors is in sharp contrast to the arsenal of available injunctive relief that Microsoft, as a private entity, has taken advantage of in its own fight against global botnets. Microsoft has successfully obtained injunctive relief against botnets for a significantly wider range of claims, including violations of the Computer Fraud and Abuse Act (CFAA), trespass to chattels, unjust enrichment, conversion, negligence, and most recently trademark and copyright claims. When granted relief, Microsoft can then “disable the [botnet’s] IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the [botnet’s] operators to purchase or lease additional servers.” If passed, the International Cybercrime Prevention Act would expand federal law enforcement’s ability to engage in similar court-ordered takedown protocols when botnets engage in a “broader range of illegal activity, including destruction of data, denial of service attacks, and other violations of the CFAA.” It would further allow law enforcement to obtain restraining orders and other prohibitions against the anonymous hackers behind the botnets and the compromised nodes at their disposal. The bill would also authorize federal law enforcement to seek seizures and forfeitures of any personal property, including “any Internet domain name or Internet Protocol address, that was used or intended to be used” in the commission or facilitation of a botnet.
While federal law enforcement would surely welcome the additional powers granted by the International Cybercrime Prevention Act, the bill ultimately does little to redesign the existing legal frameworks for public and private action against botnets. Far from proposing a new systemic and holistic solution to this growing problem, the authors of the bill continue to tinker at the edges, reaffirming an ad hoc program centered around court-ordered injunctive relief. In this short post, we explore what is now a decade-long history of civil case law pushed forward by Microsoft in its fight against botnets. We wish to demonstrate how Microsoft’s utilization of preliminary injunctions and temporary restraining orders has proved problematic across a set of dimensions, including in the areas of procedural fairness, effective judicial review, and the protection of public and foreign policy goals. Granting federal law enforcement the ability to rely on these same tools in the criminal context not only fails to address these problems, it actually entrenches them.
Microsoft the Botnet Hunter
At the end of 2020, Microsoft took down one of the world’s most persistent botnets, TrickBot. This botnet was first discovered in 2016 as a trojan “designed to steal banking credentials.” Over time, “Trickbot’s operators were able to build a massive botnet,” which evolved into a modular platform for malicious actors, a sort of malware-as-a-service. “The Trickbot infrastructure was made available to cybercriminals who used the botnet as an entry point for human-operated campaigns, including attacks that steal credentials, exfiltrate data, and deploy additional payloads,” including ransomware. Approximately 61,000 bots were identified by Microsoft, who also claimed that the botnet “infected a number of ‘Internet of Things’ devices, such as routers,” extending the botnet’s reach into households and organizations.
Tom Burt, corporate vice president of customer security and trust at Microsoft, noted that the company “disrupted Trickbot through a court order” as well as through “technical action [executed] in partnership with telecommunications providers around the world.” In essence, Microsoft sought and was granted a temporary restraining order and later a preliminary injunction against the unidentified hackers. The hackers were legally restrained from sending malicious software, compromising the security of networks, stealing and exfiltrating information, creating false websites, configuring and deploying the botnet, monitoring the activities of Microsoft, corrupting Microsoft’s operating system and applications on victim’s computers, and misappropriating Microsoft’s copyrighted work and proprietary interests.
Since the hackers were unidentified (and likely outside the jurisdiction of the court), to implement the temporary restraining order, the court order was directed at data centers and hosting providers in Arizona, California, Florida, New York, Pennsylvania and Georgia. These companies were identified by Microsoft as having servers that were hijacked by the hackers to serve as command-and-control hubs for the botnet. Microsoft provided a list of IP addresses of these servers to the court. The court then ordered the relevant companies to identify and take reasonable steps to block traffic associated with these IP addresses and to completely disable the computers, servers, storage devices and software relating thereto. The order further authorized Microsoft to unilaterally make supplemental requests to these data centers to take further action against any new IP addresses identified by Microsoft, as the hackers attempted to move their infrastructure.
This was not the first time that Microsoft relied on such equitable procedural relief in the form of temporary restraining orders and preliminary injunctions to take down botnets. Beginning in 2010, two years after the creation of its Digital Crimes Unit, Microsoft sought court authorization to launch these botnet hunts in more than a dozen cases, including the Waledac, Rustock, Kelihos, Mariposa, Citadel, Zeus, Nitol, Bamital, Shylock, Dorkbot, Strontium, and Necurs botnets. As “each botnet takedown was successfully pursued through legal means, the cumulative nature of prior cases built stronger precedent for the requested relief.” The development of a new botnet-hunting portfolio for Microsoft over time also meant increased collaboration with the FBI and with law enforcement agencies outside the United States.
The legal academy has mostly applauded Microsoft for developing and adopting this innovative legal framework for cybercrime prevention. Janine Hiller, for example, praised Microsoft’s “active leadership” in developing a “civil legal strategy to disrupt botnets” that has become a “powerful tool to fight cybercrime globally.” However, this botnet takedown jurisprudence is insufficient to properly address this area of the law even if the cybercrime bill were passed. Furthermore, the current system is ripe for procedural abuse given the ad hoc model of privateering against global botnets.
Restraining orders and other equitable mechanisms of relief were never designed to address such a unique challenge as global cybercrime. The remedies offered by the courts in the context of botnets—whether to Microsoft or federal law enforcement—step outside what they were originally meant to cover, and the proposed legislation should not seek to replicate the private sector’s remedial methods. Moreover, the ad hoc civil or criminal approach in the fight against global botnets has serious implications. Courts are not in a position to adequately analyze takedown requests and do not have the technological or policy expertise to ensure their orders are sufficiently narrow and will not cause further damage to computer networks, or more broadly to foreign relations. Realizing that the threat of cybercrime is only likely to increase in size, particularly in the context of malware-as-a-service and one-stop-shop ransomware solutions, an institutional approach to addressing botnets is long overdue. To address botnets, the government must invest in new institutional capacity with procedural safeguards to ensure cyber operations against botnets, whether by public or private entities, do not unintentionally cause more harm than good.
Systemic Problems With Existing Remedies Against Botnets
The existing framework of botnet takedowns relies on an ad hoc system of judicial intervention that resembles a game of whack-a-mole. Given the global nature of botnets, various commentators have questioned the efficacy of this framework, with some cybersecurity firms even predicting “little medium- to long-term impact.” While we leave the claims of (in)efficacy to those engaging in empirical work, efficiency is not our only concern. In a forthcoming piece titled “Destroying Botnets, Abusing Remedies,” we seek to offer a comprehensive analysis and critique of the dangers of the existing system. For this post, however, we highlight three initial observations that should give everyone pause.
First, the current system builds on temporary procedural remedies to achieve permanent substantive goals. Microsoft’s past civil actions were initiated with the purpose of obtaining a temporary restraining order or a preliminary injunction to interfere with the hackers’ operation rather than anything else. Their past claims solely made a prima facie case. They illustrated a lack of interest in litigating the merits of these disputes, whether to reaffirm their rights, property or otherwise, or to deter or punish a particular party (as the identities of alleged defendants were unknown). But temporary restraining orders and preliminary injunctions are legal tools historically developed by courts “to preserve the relative positions of the parties until a trial on the merits can be held” (emphasis added). Reliance on these remedies as the primary substantive method of disrupting botnets seems abusive to these legal tools, as they were never designed to be used in this way. Microsoft is relying on the alleged (or manufactured) urgency posed by the botnet to squeeze from the court an authorization to take immediate unilateral action that will essentially nulify the case it filed.
Second and relatedly, judges lack the technical expertise necessary to serve as a useful check in the course of approving remedies in an ex parte process of the kind both Microsoft and federal law enforcement employ. The courts are not equipped to effectively assess the scope of IP addresses and domain names provided by the claimants nor do they expose those claims to any meaningful scrutiny. When granting preliminary injunctions, for example, federal courts “generally agree” that they should consider four factors when ruling: “(1) the threat of irreparable harm to the movant if the court denies the preliminary injunction; (2) the balance between this irreparable harm and the harm the court would inflict on the nonmovant by granting the injunction; (3) the probability that the movant will succeed on the merits; and (4) the effect of the court's decision on the public interest.” In the context of botnets, we question whether courts are in a position to assess any one of these four factors meaningfully, especially outside of an adversarial process.
An example of the courts’ limited ability to properly review botnet takedown requests comes in the form of the absurdly low bonds they have imposed on Microsoft over the years. Rule 65 of the Federal Rules of Civil Procedure states that the court may issue a preliminary injunction only if the movant for the preliminary injunction gives security (in the form of a bond) that the court deems proper to pay for the potential costs and damages of any wrongfully enjoined or restrained party. According to Rule 65, the judge has discretion over the amount of the security bond. In this way, “the judge usually will fix security in an amount that covers the potential incidental and consequential costs.” In each of Microsoft’s botnet cases, this was determined to be between $50,000 and $250,000. Given the scale of the seizures and the potential for harm (in the form of costs borne by private third parties, or potential fallout in foreign relations, or even unintended damage to cyberinfrastructure), these sums seem to demonstrate a judicial inability to properly apply the general doctrine in the context of botnet takedowns. This is not merely a theoretical concern, as the Electronic Frontier Foundation (EFF) highlighted: “[I]n 2014 Microsoft’s attempt to stop an 18,000-node botnet resulted in termination of Domain Name Service (DNS) to nearly 5,000,000 innocent subdomains—all because Microsoft obtained an ex parte court order that blocked notice to the DNS provider.” Given this incident, it is not surprising that the EFF criticized a prior version of the International Cybercrime Prevention Act for failing to provide innocent third parties with prior notice or recourse if their systems are harmed.
We have also witnessed the courts’ inability to procedurally and substantively review claims in the criminal context. On April 9, the U.S. District Court for the Southern District of Texas approved a search warrant allowing the Department of Justice to carry out an operation to access privately owned computers without their owners’ knowledge or consent and to delete certain web shells that were targeting networks running Microsoft Exchange software. This unilateral cleanup operation on victims’ computers was based on a dubious legal claim, that Rule 41 of the Federal Rules of Criminal Procedure grants the courts the power to issue such a warrant. This rule authorizes a judge in one district to issue remote search and seizure warrants to computers outside the jurisdiction in which the warrant was granted.
To expand “seizure powers” under Rule 41 to cover remote and nonconsensual mass cleanup and patching operations is quite a dramatically expansive interpretation. It exemplifies again, now in the criminal context, how the procedure can be abused to achieve cyber policy agendas. Instead of regulating and developing a real solution to the problem, law enforcement follows in the footsteps of Microsoft to push the courts to advance interpretive and remedial solutions to problems that should be addressed directly and systemically by the legislature. Not only that, but as Scott Shackelford discusses, “What if, for example, the privately owned computers were damaged in the FBI’s process of removing the malicious code?” What if these computers controlled critical cyber infrastructure, whether public or private? Much like in Microsoft’s civil litigation, it is not clear how the court is in a position to assess the potential harms as well as any other incidental and consequential costs that could result from issuing the warrant. The precedent set by these cases highlights the willingness of courts to circumvent and abuse procedures in civil and criminal cases to resolve supposedly urgent cybersecurity needs as they rise on an ad hoc basis, without addressing them systemically and without adequately weighing the cost of these procedural acrobatics.
Finally, Microsoft’s botnet jurisprudence exemplifies how public cyber policymaking has been outsourced. As Sen. Sheldon Whitehouse once said: “Congress, of course, cannot and should not dictate tactics for fighting botnets.” But where does one draw the line between the operational tactics—which can indeed be left to those on the technological front lines—and the overarching strategy? This dichotomy also raises another concern: Because Microsoft’s and law enforcement’s fights against botnets have been largely through ad hoc claims, proceedings, and court orders, the legislative and executive branches may feel less pressure to pursue new, innovative, and systemic solutions that could properly address the true problem of botnets. The recently reintroduced International Cybercrime Prevention Act (which has been proposed, in roughly the same language, five different times) is a stark example of this prescriptive stagnation. With this bill, the legislature has shown a willingness to entrench the status quo without exploring whether the current framework is itself part of the problem. Rather than proposing an analytical framework to determine when and how to disrupt botnets, the bill simply grants law enforcement the ability to “scale up” its existing ad hoc approach.
Within the limits of this short post we can’t possibly develop a complete framework, but we do want to propose some general elements that we believe should be part of any alternative model.
A Tailored Framework
As mentioned, the general tests currently used to grant injunctive relief offer only a limited guide to judges who are asked to approve private and public cybersecurity measures. A specialized statutory framework could affirm a new set of botnet-specific factors that judges will be required to consider through targeted briefings before granting any relief. These could include the size and geographic dispersion of the botnet; the identity of the botnet master/controller alongside any assessment of their goals and motivations; the logic behind pursuing anti-botnet measures against this particular botnet at this particular time; prior iterations of this botnet and the efficacy of prior takedown attempts against it; and what alternative measures could be employed to ensure containment of the spread, operation, and impact of the botnet, without unintentionally harming or risking the rights of innocent third parties. This is by no means an exhaustive list of factors, but it is a starting point for a conversation around new analytical tools for judges that could better assist them in their role as botnet takedown assessors.
Dealing With the Ex Parte Problem
One of the biggest concerns with the current model is the ex parte nature of the court proceedings. A new framework should center around innovative solutions to this problem. The 2015 USA Freedom Act authorized the Foreign Intelligence Surveillance Court to appoint amici in any instance the court deems appropriate, and especially when the case involves “novel or significant interpretation of the law.” Those amici are drawn from a pool of individuals with the necessary security clearance and expertise in “privacy and civil liberties, intelligence collection, communications, technology, or any other area that may lend legal or technical expertise.” In the ever-evolving area of cybercrime mitigation, courts too could benefit from similar expertise provided through amici. At the very least, the data centers and hosting providers, who are targeted by the injunctions granted, could be given an opportunity to participate in the proceedings and thereby give voice to their clients, who will be immediately affected by the measure.
Increased Transparency and Reporting Obligations
Microsoft and law enforcement have, at times, worked together to pursue their botnet takedown agendas. Nonetheless, much ambiguity remains around the way the two divide research, decision-making and active takedown responsibilities. There is also uncertainty about the considerations that go into deciding which botnets will be taken down through private action versus criminal action. Greater transparency on the scope and nature of the collaboration and the apportionment of resources would increase understanding of this public-private partnership. Relatedly, routine reporting obligations on the effectiveness of approved measures could increase confidence in the process and increase the external legitimacy of the operations involved.
On June 17, in a press conference announcing the reintroduction of their act, Sens. Lindsey Graham, R-S.C., Richard Blumenthal, D-Conn., and Sheldon Whitehouse, D-R.I., claimed that the bill would best address the threat of botnets; it would essentially pluck this “weed in the internet garden.” In a period of toxic partisanship on the Hill, any bipartisan effort by lawmakers to advance legislation that could enhance the country’s cybersecurity and prevent future crime should be commended. Unfortunately, this bill is unlikely to achieve either goal to a satisfactory degree. But the senators’ analogy is an apt one. Keeping with it, observers might think of two reasons why these weeds keep growing in the internet garden: Not only are the weed control products currently used inadequate, but the soil itself has a problem. In other words, not only are the current tools to fight against botnets ineffective, but the entire botnet-takedown ecosystem is flawed. The senators acknowledged this. Graham noted that “deterrence has been lost” and Whitehouse admitted that “criminal prosecution has to fit into an integrated foreign policy strategy.” The question the senators should therefore ask themselves is whether leaning further into the status quo, as their bill does, would indeed create a vibrant, dynamic, and sustainable ecosystem where public policy will be consistently generated and tested and where new public-private partnerships may be forged. Reducing the development of botnet public policy down to the occasional restraining order (among other court-ordered remedies) is a step in the wrong direction.