Why Current Botnet Takedown Jurisprudence Should Not Be Replicated

Comms_RAs's bookmarks 2021-07-21

Summary:

On June 17, a bipartisan group of U.S. senators reintroduced the International Cybercrime Prevention Act. If passed, this bill would grant federal prosecutors access to new tools in their fight against cybercrime. A section of the legislation would expand the government’s legal arsenal against global networks of compromised computers called botnets. Such botnets infect millions of global computers and “Internet of Things” (IoT) devices, hijacking them to participate in “distributed denial of service (DDoS) attacks, proxy and spam services, malware distribution, and other organized criminal activity” not to mention “covert intelligence collection” or attacks on “Internet-connected critical infrastructure.”

One rationale behind this bill is that while the U.S. is suffering from “a spate of crippling cyberattacks,” current law limits the Department of Justice’s ability to shut down botnets through court-ordered injunctive relief. It can do so only when botnets are engaged in “fraud or illegal wiretapping.” This limitation on federal prosecutors is in sharp contrast to the arsenal of available injunctive relief that Microsoft, as a private entity, has taken advantage of in its own fight against global botnets. Microsoft has successfully obtained injunctive relief against botnets for a significantly wider range of claims, including violations of the Computer Fraud and Abuse Act (CFAA), trespass to chattels, unjust enrichment, conversion, negligence, and most recently trademark and copyright claims. When granted relief, Microsoft can then “disable the [botnet’s] IP addresses, render the content stored on the command and control servers inaccessible, suspend all services to the botnet operators, and block any effort by the [botnet’s] operators to purchase or lease additional servers.” If passed, the International Cybercrime Prevention Act would expand federal law enforcement’s ability to engage in similar court-ordered takedown protocols when botnets engage in a “broader range of illegal activity, including destruction of data, denial of service attacks, and other violations of the CFAA.” It would further allow law enforcement to obtain restraining orders and other prohibitions against the anonymous hackers behind the botnets and the compromised nodes at their disposal. The bill would also authorize federal law enforcement to seek seizures and forfeitures of any personal property, including “any Internet domain name or Internet Protocol address, that was used or intended to be used” in the commission or facilitation of a botnet.

While federal law enforcement would surely welcome the additional powers granted by the International Cybercrime Prevention Act, the bill ultimately does little to redesign the existing legal frameworks for public and private action against botnets. Far from proposing a new systemic and holistic solution to this growing problem, the authors of the bill continue to tinker at the edges, reaffirming an ad hoc program centered around court-ordered injunctive relief. In this short post, we explore what is now a decade-long history of civil case law pushed forward by Microsoft in its fight against botnets. We wish to demonstrate how Microsoft’s utilization of preliminary injunctions and temporary restraining orders has proved problematic across a set of dimensions, including in the areas of procedural fairness, effective judicial review, and the protection of public and foreign policy goals. Granting federal law enforcement the ability to rely on these same tools in the criminal context not only fails to address these problems, it actually entrenches them.

Microsoft the Botnet Hunter

At the end of 2020, Microsoft took down one of the world’s most persistent botnets, TrickBot. This botnet was first discovered in 2016 as a trojan “designed to steal banking credentials.” Over time, “Trickbot’s operators were able to build a massive botnet,” which evolved into a modular platform for malicious actors, a sort of malware-as-a-service. “The Trickbot infrastructure was made available to cybercriminals who used the botnet as an entry point for human-operated campaigns, including attacks that steal credentials, exfiltrate data, and deploy a

Link:

https://www.lawfareblog.com/why-current-botnet-takedown-jurisprudence-should-not-be-replicated

From feeds:

Berkman Klein » Comms_RAs's bookmarks

Tags:

community added

Authors:

Asaf Lubin, João Marinotti

Date tagged:

07/21/2021, 16:30

Date published:

07/21/2021, 07:59