Of Botnets and CISA

Sheldon Whitehouse's amendment to tackle botnets in the Senate cyber bill failed. How much good might the legislation have done?


Sen. Sheldon Whitehouse's (D-R.I.) CISA amendment to tackle botnets failed.

In one of the more colorful episodes of the Senate's recent debate on the Cybersecurity Information Sharing Act, Rhode Island Democrat Sheldon Whitehouse solemnly took to the podium to wonder if there was "some hidden pro-botnet, pro-foreign cybercriminal caucus here that won't let a bill like mine get a vote."

Whitehouse grew exasperated during the late-October speech as he mused about why lawmakers would not consider his amendment to crack down on botnets, the armies of computers that are hijacked to distribute spam or carry out distributed denial-of-service attacks. The amendment was bipartisan and supported by the Justice Department, but still missed the boat, Whitehouse lamented.

The Senate approved CISA on Oct. 27. Yet Whitehouse's proposed changes were provocative enough that debate over them continues.

The amendment would have updated a legal injunction against fraud to include botnets. It also would have added broad language to the legal code to target anyone who "intentionally traffics in the means of access to a protected computer."

That measure and others in the amendment drew the ire of a coalition of civil liberties groups and security experts. The amendment would have expanded prohibited behavior to include "means of access" to a computer, "without clarifying how the law applies to legitimate computer security research," groups such as the Electronic Frontier Foundation and the Government Accountability Project wrote in an open letter.

Tony Cole, vice president and global government CTO at FireEye, a cybersecurity firm, echoed those concerns. The Whitehouse amendment was "vague enough where it could have unintended consequences on cyber researchers that are trying to help us and could potentially open new avenues for prosecution of researchers," he said.

Whitehouse argued that the amendment would empower the DOJ to proactively take down botnets rather than waiting for the commandeered computers to do harm to American citizens. A spokesperson for Whitehouse did not respond to questions on the senator's future plans for botnet legislation.

The Rhode Island Democrat knows far more about botnets than other lawmakers, but still fell short in his attempt at legislation because it was vaguely worded to the point of potentially criminalizing research in the public good, said Paul Vixie, an Internet security expert who has helped take down botnets.

"What we need to do is to define responsible disclosure" of discoveries of malicious computer activity such as botnets and zero-day threats, added Vixie, who is CEO of Farsight Security. "Right now, responsible disclosure is pretty well understood by industry but not at all by government."

But not all IT security experts interviewed by FCW were opposed to the Whitehouse amendment. Cheri McGuire, a vice president at Symantec, said her firm supported the amendment because it would have provided a clearer framework for shutting down botnets.

"We need to ensure our law enforcement is equipped with the tools to effectively fight botnets and cybercrime," McGuire said.

Zombies on the cheap

As with many other cyber exploits, the economics of botnets favor the attacker. A look at 20 botnets-for-hire by cybersecurity firm Imperva found their average cost to be just $38 per month.

Crackdowns by the FBI, Europol and other law enforcement agencies have in the last year cut down on the number of bots in circulation, with an 18 percent decline in botnets in 2014 compared to 2013, according to a Symantec report.

Estimates of bots in circulation vary. Cybersecurity firm Trend Micro puts the number of bots active in the last two weeks at about 5.5 million.

But while botnets can be disruptive and wreak financial havoc, Justin Harvey, chief security officer at Fidelis Cybersecurity, said the zombie computer armies are a less acute cyber threat than, say, attempts to hack sensitive government or commercial data. The botnet problem, like a lot of computer security challenges, can't be legislated away, he added.

There will always be the technological means for cyber criminals to target endpoints, Harvey said. "If certain nefarious characters want to figure out how to harness a lot of those people's computers into attacking some other organization, it's going to happen, regardless of what lawmakers want to do."