Panelists at a Senate Judicial Committee hearing yesterday called for changes to the Computer Fraud and Abuse Act (CFAA) and other legislation that addresses cybercrime. The hearing, titled "Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks," was organized in the wake of Microsoft's botnet takedown that also took down some non-criminal customers of No-IP.
The conversation was about fighting botnets in general -- No-IP itself was never mentioned by name. It was, however, briefly implied by panelist Craig D. Spiezle, executive director and founder of the Online Trust Alliance:
Botnet take-downs and related efforts need to be taken with care and respect to three major considerations: the risk of collateral damage to innocent third parties, errors in identifying targets for mitigation, and respecting users’ privacy. For example, taking down an entire web hoster because they have a handful of bad customers may be an example of unacceptable collateral damage. At the same time hosters and ISPs cannot hide behind bad actors and must take reasonable steps to help prevent the harboring of criminals and enabling cybercrime activity.
The panel also included Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, which led the seizure of No-IP servers and domains.
"Microsoft’s philosophy to fighting botnets is simple. We aim for their wallets," he said. "We disrupt botnets by undermining cyber criminals’ ability to profit from malicious attacks."
However, going after "their wallets" is not always easy. Security professionals (in tandem with law enforcement) can use technological means to disrupt criminal infrastructure, but when it comes to prosecuting the perpetrators at the center of that black market, the law can fall short.
Therefore, Domingues Boscovich expressed support for some of the law amendments proposed by panelist Leslie Caldwell, assistant attorney general of the US Department of Justice's Criminal Division.
One of Caldwell's suggestions: Add a piece to the CFAA -- which has not been amended since 2008 -- that directly criminalizes the trafficking of botnets. That way the people selling the botnets for other people to use could also be held accountable for their role in the criminal infrastructure.
Another suggestion was to amend the Access Device Fraud statute. The statute currently allows prosecutors to bring charges against the perpetrators of phishing and credit card fraud schemes if they're based in the United States, but does not apply to offenders in foreign countries. Caldwell recommends that the overseas sale of stolen US financial information be criminalized.
Another suggestion is to amend the CFAA to eliminate the requirement to prove intent to defraud. As Caldwell explained, "Such intent is often difficult -- if not impossible -- to prove because the traffickers of unauthorized access to computers often have a wrongful purpose other than the commission of fraud. Indeed, sometimes they may not know or care why their customers are seeking unauthorized access to other people’s computers."
Any suggestion to remove the need to prove intent, however, gets tricky.
Other elements of the CFAA already do not require the prosecution to prove a defendant's intent to do harm. This is particularly dangerous for security researchers -- web researchers in particular -- because some of their work can be considered criminal, punishable by jail time, if they do not have consent to access the property (the servers) of others.
That raises another question: What does "access" mean? The panelists discussed this as well. The common law that defines words like "access" and "trespass" was created centuries ago, long before the Internet or botnets were conceived. The panelists said that common law needs to be updated for the 21st century so that prosecutors can pursue (or decline to pursue, as the case may be) those accused of breaking cybercrime laws.
Another snag: The Internet is borderless, but laws have many borders. This is one reason international cooperation among law enforcement agencies is so essential to taking down botnets and the cyber criminals behind them.
"One factor has harmed our relationships with foreign law enforcement agencies, however," said Caldwell, "our inability to rapidly respond to foreign requests for electronic evidence located in the United States. Our capacity to do so simply has not kept up with the demand."
She said the DoJ needs more staff and more training to adequately keep up with that demand.
US Senator Sheldon Whitehouse (D-RI) led the panel. He asked the panel of private sector representatives whether or not private sector litigators could use civil measures to complement the government's efforts to bring criminal suits against perpetrators. The panelists were not enthusiastic about the idea.
Yet there are other measures the private sector can take to address cybercrime -- ones that don't require the law at all.
Paul Vixie, CEO of Farsight Security (and Internet pioneer), was also on the panel, and he criticized the technology industry for pushing products out to market before they are truly ready.
"We would need to somehow address the lack of testing," he said. "We have got to test the way the bad guys do." Vixie also recommended retiring the use of some outdated programming languages and possibly using underwriters to enforce testing standards; he does not see underwriting as a government role.
Despite discussions of expanding the ability of both public and private sector entities to take down criminals, No-IP's CEO and founder, Dan Durrer, was pleased with yesterday's hearing:
The legislative process around these issues has been in discussion for months, and it was never meant to be about No-IP getting its name in the lights. We feel the hearing went extremely well, and we believe our customers’ pain from the recent experience was well understood by the influencers present. Our hope is that the government, law enforcement, and private companies can work together in a collaborative manner to develop new legislation and processes for dealing with cybercrime, with protections that limit the potential collateral damage to innocent Internet users. Many of the laws governing this area were, literally, written before the invention of electricity. It is clearly time for an update.