The White House has released its new legislative proposals on cybersecurity information sharing, federal data breach notification, and amendments to cyber-related law enforcement provisions.
All three proposals merit discussion, but I want to focus here on the curious botnet takedown provision in the law enforcement proposal (proposed Sec. 104). According to the section-by-section analysis from the White House, Section 104 of the proposed bill “would empower courts to issue injunctions to disrupt or shut down botnets” by adding the Computer Fraud and Abuse Act (18 U.S.C. § 1030) “to the list of offenses for which injunctive relief may be sought under 18 U.S.C. § 1345, upon a showing that the criminal conduct would affect 100 or more protected computers during a 1-year period.” Fair enough. But what’s interesting about this provision is that the government is already seeking—and courts are already issuing—injunctions to shut down botnets pursuant to 18 U.S.C. § 1345. Why is the government seeking authorization to do something it already claims authority to do?
By way of background, a botnet is a network of computers infected with malware that allows attackers (known as botherders) to take control of the infected computers and use them en masse for things like sending spam, stealing financial data, and launching denial of service attacks. In the last several years, the FBI and tech companies, like Microsoft and Facebook, have taken actions to disrupt botnets. Often botnet disruptions—or “botnet takedowns”—take the form of a court order effectively permitting the U.S. government or a company to seize control of the botnet in order to shut it down.
For example, in June 2014, the Department of Justice, acting with private sector and international partners, filed suit to disrupt the Gameover Zeus botnet, which stole banking credentials and, according to the FBI, caused over $100 million in losses worldwide. The government’s filings are available on the FBI website. As set out in the complaint, the government brought the civil suit in federal district court pursuant to 18 U.S.C. § 1345 and 18 U.S.C. § 2521 “to enjoin the Defendants [the alleged botherders] from continuing to engage in wire fraud, bank fraud, and unauthorized interception of electronic communications” in violation of federal criminal law through use of the Gameover Zeus malware (among others). The government also sought, and the district court granted, a preliminary injunction that, in basic outline, enjoined the alleged botherders from using malware to commit wire or bank fraud, authorized the U.S. government to replace the defendants’ command and control servers with servers controlled by the government, and directed domain registries and Internet Service Providers to assist in implementing the order.
As the Gameover Zeus example makes clear, the government is already obtaining injunctions to take down botnets pursuant to 18 U.S.C. § 1345. The White House’s proposed botnet legislation thus seeks authority for a power the government already claims and that courts have recognized. It’s no accident that Sec. 104 is titled “Ensuring Authority for Courts to Shut Down Botnets,” rather than “Granting Authority for Courts to Shut Down Botnets.” Using “ensuring” counters the impression that the proposed language, and particularly the summary of the section, would otherwise give, namely, that without this new provision courts lack the authority to issue injunctions related to botnet takedowns.
The government presumably stands by the injunctions it has obtained under § 1345 for past botnet takedowns, but in a May 2013 speech, Deputy Attorney General James M. Cole, in discussing a prior botnet takedown, explained that the United States engaged in “creative lawyering” to seize control of the botnet’s command and control servers. The government may have tired of being creative.
The new legislation is less creative, but more direct and potentially broader. It would allow the government to seek injunctions based directly on violations of the Computer Fraud and Abuse Act’s prohibitions on unauthorized access to computers, rather than additional crimes such as wire fraud and bank fraud, and it would ensure that the government could obtain an injunction even if the targeted malware did not meet the definitions of the fraud crimes that are already covered by § 1345.
In addition to “ensuring” courts’ authority to issue botnet injunctions, the proposed Section 104 also includes a provision allowing courts, in the context of a botnet takedown restraining order or injunction, to provide immunity for persons complying with the court’s order and to require the United States to “pay to such person a fee for reimbursement” of “reasonably necessary” costs that are “directly incurred in complying” with the court’s order. These protections are triggered “upon application of the Attorney General,” and are presumably aimed at securing the assistance of, for example, domain name registries and Internet Service Providers, like those mentioned in the Gameover Zeus injunction. The FBI has touted past botnet takedowns, done in conjunction with non-governmental and international entities, as examples of successful public-private partnerships. The proposed legislation, if adopted, would create the possibility of financial compensation for at least some aspects of that cooperation.