The threat from botnets — networks of victim computers surreptitiously infected with malicious software — has increased dramatically over the past several years. In our second post in this series, we discussed a proposal to ensure that courts have the authority to disrupt them. Another part of the department’s response to the threat of botnets has been to identify and bring to justice those who create and control them. While we have had significant successes to date prosecuting these offenders, we’ve encountered shortcomings in the existing law.
Criminals have found more and more ways to illegally make money through botnets. Law enforcement officers now frequently ascertain that creators and operators of botnets not only use botnets for their own illicit purposes, but also sell or even rent to other criminals access to the infected computers. The criminals who purchase access to botnets then go on to use the infected computers for various crimes, including theft of personal or financial information, the dissemination of spam, for use as proxies to conceal other crimes, or in distributed denial of service (DDoS) attacks on computers or networks. Think about it: your computer may be hacked by one criminal, and that criminal may rent surreptitious access to your computer to another criminal. Americans are suffering extensive, pervasive invasions of privacy and financial losses at the hands of these hackers.
Current criminal law prohibits the creation of a botnet because it prohibits hacking into computers without authorization. It also prohibits the use of botnets to commit other crimes. But it is not similarly clear that the law prohibits the sale or renting of a botnet. In one case, for example, undercover officers discovered that a criminal was offering to sell a botnet consisting of thousands of victim computers. The officers accordingly “bought” the botnet from the criminal and notified the victims that their computers were infected. The operation, however, did not result in a prosecutable U.S. offense because there was no evidence that the seller had created the botnet in question, and accordingly the seller was free to continue his activity. While trafficking in botnets is sometimes chargeable under other subsections of the Computer Fraud and Abuse Act, this problem has resulted in, and will increasingly result in, the inability to prosecute individuals selling access to thousands of infected computers.
We maintain that it should be illegal to sell or rent surreptitious control over infected computers to another person, just like it is already clearly illegal to sell or transfer computer passwords. That’s why the Administration’s proposal recommends amending current law to prohibit the sale or transfer not only of “passwords and other information” (the wording of the existing statute) but also of “means of access,” which would include the ability to access computers in a botnet. In addition, the proposal would replace the current requirement that the government prove that the offender had an “intent to defraud” with a requirement to prove that the offender not only knew his conduct is “wrongful,” but also that he knew or should have known that the means of access would be used to hack or damage a computer. We propose this last change because, as noted above, criminals don’t only use botnets to commit fraud — they also use them to commit a variety of other crimes.
Some commentators have raised the concern that this proposal would chill the activities of legitimate security researchers, academics, and system administrators. We take this concern seriously. We have no interest in prosecuting such individuals, and our proposal would not prohibit such legitimate activity. Indeed, that’s precisely why our proposal requires that the government would have the burden to prove, beyond a reasonable doubt, that the individual intentionally undertook an act (trafficking in a means of access) that he or she knew to be wrongful. And the government would similarly have to prove that the individual knew or had reason to know that the means of access would be used to commit a crime by hacking someone else’s computer without authorization.
We think that this approach makes clear that ordinary, lawful conduct by legitimate security researchers and others is not at risk of criminal prosecution. But we’re also engaging with the security research community and other groups, and with Congress, to make sure any amendment prohibits the pernicious conduct we’ve described without chilling the activities of those who are trying to improve cybersecurity for all.
Up next: how do we prosecute those who sell stolen credit cards overseas?