As botnet bill gains new life, old concerns about scope linger

A bill that would give the Department of Justice new tools to prosecute botnet traffickers quietly passed through the Senate Judiciary Committee in December 2019.

As more commercial devices and products connect to the internet, lawmakers have sought to grapple with the fallout and damage caused by remotely controlled malicious bot networks, or botnets.

For years, one of the most prominent pieces of legislation on this topic -- the Botnet Prevention Act first introduced in 2016 -- languished in Congress. Just last December, however, a version of the bill quietly passed through the Senate Judiciary Committee as part of a larger legislative package focused on countering the Russian government.

The version that passed out of the Senate Judiciary Committee in December would update criminal statutes on fraud to include anyone operating a botnet in control of 100 or more computers over any one-year period. The legislation covers the use of malware to take over devices and other instances that impair "the availability or integrity of the protected computers without authorization."

The measure also imposes new sentencing requirements on courts to seize the IT assets and infrastructure of botnet traffickers, including domain names and IP addresses that were used or intended to be used to commit a violation, along with any proceeds and property obtained as a result.

For years, Sen. Lindsey Graham (R-S.C.), currently chairman of the Senate Judiciary Committee, and others like Sen. Sheldon Whitehouse (D-R.I.) have pushed the bill as a tool to rein in the use of botnets, which Whitehouse once likened to "a weed in the garden."

"There is no good to a botnet as far as I can tell," Whitehouse said at a 2018 hearing.

Botnets have become a global cybersecurity plague. In addition to the thousands -- sometimes hundreds of thousands -- of computing devices initially compromised, botnets have been used to conduct denial of service attacks, facilitate illegal cryptocurrency mining operations and amplify disinformation campaigns on social media.

Cybersecurity experts expect the problem to only get worse as the internet of things advances, with industry connecting billions of additional devices every year and malicious groups increasingly targeting the IT infrastructure that underpins much of the web.

Tom Gann, head of public policy for cybersecurity firm McAfee, told FCW that botnets are a tool of statecraft for advanced persistent threat (APT) hacking groups as well as "a very good source of revenue and strategic capability for criminal organizations."

"Our own government is … oftentimes limited in their capabilities to prosecute these criminals both domestically and abroad," said Gann. "My reading of this bill is that it's quite reasonable."

However, previous versions of the bill have come under criticism for seeking to further expand the 1986 Computer Fraud and Abuse Act, a controversial hacking law many digital rights groups argue is already overly broad and used to criminalize many forms of legitimate modern security research.

Digital rights groups like the Electronic Frontier Foundation came out strongly against a previous version of the bill in 2016, calling it a dangerous expansion of the Computer Fraud and Abuse Act (CFAA) at a time when lawmakers should be exploring ways to narrow, not expand, its applications and scope.

The proposal "fails to address ambiguity in current law that has led to the use of the CFAA to prosecute security researchers, levy disproportionate penalties, and criminalize ordinary Internet activity," EFF and 13 digital and civil liberties groups wrote in a June 2016 letter to Congress.

A spokesperson from EFF said the organization is still reviewing language in the latest version of the bill, and referred FCW to its past statements of opposition.

Department of Justice officials have expressed support for the legislation, telling lawmakers it would be "very helpful" to law enforcement organizations that investigate and prosecute botnet traffickers.

"Certainly DOJ is going to need to write the [regulations] clearly and crisply," said Gann. "We don't want mission creep, and I do think the views of the civil rights community do need to be taken into account … but I think on balance this bill is a sensible addition."

Michael Daniel, president and CEO of the Cyber Threat Alliance and former Obama White House Cyber Coordinator, echoed those concerns while also arguing that it was "important" to provide the government with additional legal tools to mitigate the harm from botnets.

"This legislation would not prevent botnets from being formed, but it would make it easier for the government to take them down and punish bot 'herders' or masters," Daniel said in a statement to FCW. "In order to ensure the new authority isn't abused or stretched too far, DOJ needs to provide implementing guidance to also protect privacy."