With ransomware on the rise, Senate botnet bill gets another shot

A Senate bill to give law enforcement greater power to tackle botnets is back under consideration and its chief backer, Rhode Island Democrat Sheldon Whitehouse, hopes this time is the charm.

Whitehouse was exasperated last fall when his amendment, which would have updated a legal injunction against fraud to include botnets, did not make it into cybersecurity legislation that Congress eventually passed and became law. Botnets are armies of computers that are hijacked to distribute spam, malware, or carry out distributed denial-of-service attacks.

Whitehouse and Sen. Lindsey Graham (R-S.C.) on May 16 introduced the Botnet Prevention Act, and held a May 18 hearing to, among other things, rally support and seek feedback. Sen. Richard Blumenthal (D-Conn.) is a co-sponsor, and Sen. Charles Schumer (D-N.Y.) has also expressed support for the bill, according to Whitehouse.

The new bill isn't significantly different from the amendment left out of the Cybersecurity Information Sharing Act, Whitehouse told FCW. The measure would create a new criminal offense for selling or providing access to botnets.

Justice Department official Richard Downing testified in favor of a key provision in Whitehouse's legislation. The 30-year-old Computer Fraud and Abuse Act criminalizes hacking into a computer to create a botnet but is vague about selling or renting the computer zombies, Downing told the Senate Judiciary Subcommittee on Crime and Terrorism, which Graham chairs.

"We support closing this loophole," said Downing, an acting deputy assistant attorney general.

Some computer security researchers criticized Whitehouse's amendment last year as overly broad to the point of potentially criminalizing research in the public good. Asked by FCW to address that criticism, Whitehouse pointed to an October 2015 blog post from Rapid7, a cybersecurity vendor, in which a company executive said she was satisfied that updated language in the amendment "does not create negative consequences for research."

Ransomware unites analog and cyber-savvy lawmakers

Botnets can be particularly malicious when used to distribute ransomware, which encrypts a computer user's data until hackers are paid off, usually via crypto-currency.

Hackers exacted $209 million in ransomware payments in the first three months of 2016, according to the FBI. A typical ransom fee ranges from $200 to $10,000, according to Downing, who cited one scheme that he said extorted $27 million over two months.

There has been a spate of recent ransomware attacks on U.S. hospitals, alarming policymakers like Whitehouse. This past March saw an uptick in ransomware due to a spamming campaign targeting users in over 50 countries, according to new research from cybersecurity firm FireEye Inc.

Federal agencies are far from immune from the menace. There have been at least 321 incident reports of "ransomware-related activity" affecting 29 different federal networks since June 2015, DHS reported earlier this year.

Ransomware can inflict lasting damage in that even if hackers are paid off and the data is released, they may still have a backdoor to an organization's website or network from which to target users, according to Tom Kellerman, CEO of Strategic Cyber Ventures, a venture capital firm. The ease with which one can acquire a ransomware kit has allowed criminals who otherwise might not be capable of carrying out cyber crime to get into that business, Kellerman said in an interview.

The rise of ransomware, and the fact that its malevolence is easy to grasp, has attracted the attention of self-described analog lawmakers. "If it weren't for Sen. Whitehouse I would know zero about this," Graham said. Whitehouse is credited as being one of the more cyber-savvy senators, and the same security researchers who took issue with his amendment gave him credit for a thoughtful study of the problem.

After the hearing, the two senators could be heard cracking botnet jokes, with the hawkish Graham saying "our new slogan [is] the only good botnet is a dead botnet."

"To hell with the botnet caucus," Whitehouse added.