Senate Weighs Botnet Busting ChangesU.S. Justice Department Seeks Stronger Anti-Hacking Laws
The Obama administration wants Congress to update U.S. anti-hacking laws to allow law enforcement agencies to more easily crack down on fraudsters operating abroad, disrupt botnets used to distribute spam and distributed-denial-of-service attacks and bust "for hire" malware and botnet service providers.
Leslie Caldwell, the head of the Justice Department's criminal division, told a Senate subcommittee on July 15 that the Computer Fraud and Abuse Act, the primary federal law against hacking, must be updated to address "shortcomings in the criminal law."
Some of those shortcomings have arisen because CFAA was passed in 1986, but only last amended in 2008, despite the Obama administration requesting additional changes in its May 2011 legislative agenda to "keep federal criminal law up to date," Caldwell told the Senate Judiciary Committee's crime and terrorism subcommittee at the hearing: "Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks."
Sen. Sheldon Whitehouse, D-R.I., who chairs the committee, and fellow committee member, Sen. Lindsay Gramm, R-S.C., are exploring introducing legislation designed to better battle both malware and botnets. Whitehouse says his concerns include not just the financial security and privacy ramifications of botnets, but also threats to national security. "Botnets are effective weapons not merely for those who want to steal from us, but also for those who wish to do us far more serious harm," Whitehouse says. "Experts have long feared that the next 9/11 may be a cyber-attack. If that's the case, it is likely that a botnet will be involved."
3 Proposed Changes
But Caldwell, who assumed her post in June - becoming the Justice Department's first permanent criminal division chief in more than a year - avoided such doomsday scenarios, focusing instead on three specific CFAA changes the Department of Justice wants:
- Target Overseas Carders: The Justice Department wants Congress to criminalize the unlawful use of "access devices" - which refers to machines for creating fake cards and similar technology that's used by "carders" for the overseas sale of card data. The Justice Department says it can file charges against individuals who traffic in credit card data that's been stolen from U.S. financial institutions when related crimes occur within U.S. jurisdiction. But criminals who traffic in that information entirely outside the United States cannot be charged under CFAA.
- Criminalize More Malware: The Justice Department wants greater powers to disrupt botnets and other malware campaigns. Currently, Caldwell says, the attorney general can file charges against botnet operators only if they're suspected of violating fraud or wiretapping laws, as he did against Coreflood in 2011 and Gameover Zeus this year. "These botnets collected online financial account information as it was transmitted from infected computers, thus violating the Wiretap Act, and the criminals used their access to steal from victims' bank accounts, which constitutes wire and bank fraud," Caldwell says. But there are currently no laws "to use against botnets or other types of malware that criminals employ for other purposes, such as DDOS attacks," she says.
- Bust For-Hire Botnets: Some botnet operators - known as botmasters or bot herders - directly use their collection of infected, or zombie, PCs to launch attacks. Many others, however, rent their botnets to others, who may use the botnet to distribute spam or malware, or to launch DDoS attacks. So the Justice Department wants to make it easier to go after the botnet owners. "The CFAA does not clearly cover such trafficking in access to botnets, even though trafficking in infected computers is clearly illegitimate, and can be essential to furthering other criminal activity," Caldwell says.
Targeting Overseas Fraudsters
The Justice Department has recently taken a much more aggressive stance on overseas cybercrime that affects the United States, for example, by indicting five Chinese army officers in May, for hacking U.S. systems. In June, meanwhile, the U.S. Secret Service arrested a Russian national in the Maldives who was indicted in 2011 for hacking into U.S. point-of-sale systems.
"It's a very high priority to send a message," Caldwell recently told the Wall Street Journal. "Even if you can be anonymous in one country, you're not safe if you travel if you've engaged in some kind of cyber crime in the United States."
The Justice Department has also continued to work with other law enforcement agencies abroad, including to disrupt Gameover Zeus, which from 2011 to May 2014 infected up to 1 million PCs and caused more than $100 million in losses. The FBI was also instrumental in helping the U.K. National Crime Agency disrupt the Shylock botnet earlier this month.
Collateral Damage Risk
Multiple members of the technology community also testified before the Senate subcommittee July 15, emphasizing that many previous botnet disruptions - including the Gameover Zeus and Cryptolocker crackdown - have resulted from private companies working with the government. "Law enforcement can't fight today's sophisticated cybercriminals alone. They need help from industry partners," said Craig Spiezle, executive director of the Online Trust Alliance. "Similarly, the private sector can't fight cybercriminals without help from law enforcement."
But he cautioned that "botnet takedowns and related efforts need to be taken with care and respect," to avoid collateral damage, relying on incomplete intelligence or violating people's privacy rights.
Without naming names, he referenced Microsoft's recent botched disruption of two malware families - which resulted in 1.8 million No-IP customers' websites and devices becoming unreachable and 5 million legitimate hostnames going dark and - as a cautionary lesson (see Was Microsoft Takedown 'Draconian?').
"Taking down an entire Web hoster because they have a handful of bad customers may be an example of unacceptable collateral damage," he said. "At the same time, hosters and ISPs cannot hide behind bad actors and must take reasonable steps to help prevent the harboring of criminals and enabling cybercrime activity."