Congress

With ransomware on the rise, Senate botnet bill gets another shot

Sen. Sheldon Whitehouse (D-R.I.)

Sen. Sheldon Whitehouse (D-R.I.) is looking to reboot a bill that criminalizes the renting and selling of botnet access.

A Senate bill to give law enforcement greater power to tackle botnets is back under consideration and its chief backer, Rhode Island Democrat Sheldon Whitehouse, hopes this time is the charm.

Whitehouse was exasperated last fall when his amendment, which would have updated a legal injunction against fraud to include botnets, did not make it into cybersecurity legislation that Congress eventually passed and became law. Botnets are armies of computers that are hijacked to distribute spam, malware, or carry out distributed denial-of-service attacks.

Whitehouse and Sen. Lindsey Graham (R-S.C.) on May 16 introduced the Botnet Prevention Act, and held a May 18 hearing to, among other things, rally support and seek feedback. Sen. Richard Blumenthal (D-Conn.) is a co-sponsor, and Sen. Charles Schumer (D-N.Y.) has also expressed support for the bill, according to Whitehouse.

The new bill isn't significantly different from the amendment left out of the Cybersecurity Information Sharing Act, Whitehouse told FCW. The measure would create a new criminal offense for selling or providing access to botnets.

Justice Department official Richard Downing testified in favor of a key provision in Whitehouse's legislation. The 30-year-old Computer Fraud and Abuse Act criminalizes hacking into a computer to create a botnet but is vague about selling or renting the computer zombies, Downing told the Senate Judiciary Subcommittee on Crime and Terrorism, which Graham chairs.

"We support closing this loophole," said Downing, an acting deputy assistant attorney general.

Some computer security researchers criticized Whitehouse's amendment last year as overly broad to the point of potentially criminalizing research in the public good. Asked by FCW to address that criticism, Whitehouse pointed to an October 2015 blog post from Rapid7, a cybersecurity vendor, in which a company executive said she was satisfied that updated language in the amendment "does not create negative consequences for research."

Ransomware unites analog and cyber-savvy lawmakers

Botnets can be particularly malicious when used to distribute ransomware, which encrypts a computer user's data until hackers are paid off, usually via crypto-currency.

Hackers exacted $209 million in ransomware payments in the first three months of 2016, according to the FBI. A typical ransom fee ranges from $200 to $10,000, according to Downing, who cited one scheme that he said extorted $27 million over two months.

There has been a spate of recent ransomware attacks on U.S. hospitals, alarming policymakers like Whitehouse. This past March saw an uptick in ransomware due to a spamming campaign targeting users in over 50 countries, according to new research from cybersecurity firm FireEye Inc.

Federal agencies are far from immune from the menace. There have been at least 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, DHS reported earlier this year.

Ransomware can inflict lasting damage in that even if hackers are paid off and the data is released, they may still have a backdoor to an organization's website or network from which to target users, according to Tom Kellerman, CEO of Strategic Cyber Ventures, a venture capital firm. The ease with which one can acquire a ransomware kit has allowed criminals who otherwise might not be capable of carrying out cyber crime to get into that business, Kellerman said in an interview.

The rise of ransomware, and the fact that its malevolence is easy to grasp, has attracted the attention of self-described analog lawmakers. "If it weren't for Sen. Whitehouse I would know zero about this," Graham said. Whitehouse is credited as being one of the more cyber-savvy senators, and the same security researchers who took issue with his amendment gave him credit for a thoughtful study of the problem.

After the hearing, the two senators could be heard cracking botnet jokes, with the hawkish Graham saying "our new slogan [is] the only good botnet is a dead botnet."

"To hell with the botnet caucus," Whitehouse added.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.