Civil Cyberconflict: Microsoft, Cybercrime, and Botnets
Cyber “warfare” and hackback by private companies is a hot discussion topic for its potential to fight cybercrime and promote cybersecurity. In the shadow of this provocative discussion, Microsoft has led a concerted, sustained fight against cybercriminals by using traditional legal theories and court actions to dismantle criminal networks known as botnets. This article brings focus to the role of the private sector in cybersecurity in light of the aggressive civil actions by Microsoft to address a thorny and seemingly intractable global problem. A botnet is a network of computers infected with unauthorized code that is controlled from a distance by malicious actors. The extent of botnet activity is staggering, and botnets have been called the plague of the Internet. The general public is more commonly aware of the damaging results of botnet activity rather than its operation, intrusion, or infection capabilities. Botnet activity may result in a website being unavailable due to a denial-of-service (DoS) attack, identity theft can occur because the botnet collects passwords from individual users, and bank accounts may be emptied related to botnet activity. Spam, fraud, spyware, and data breaches are all the result of botnet activity. Technical remedies for stopping botnet attacks and damages are ongoing, but technical solutions alone are inadequate. Law enforcement is active in tracking down criminal activities of botnets, yet the number and sophistication of the attackers overwhelm it. In a new development, multiple civil lawsuits by Microsoft have created the legal precedent for suing botnet operators and using existing law to dismantle botnets and decrease their global reach. This article reviews the threats created by botnets and describes the evolution of legal and technical strategies to address botnet proliferation. The distinctive aspects of each of the cases brought by Microsoft are described and analyzed and the complex questions surrounding a botnet takedown are identified. Discussion of the details of the lawsuits are important, because over a relatively short period of time, government and private sector roles have evolved considerably in the search for a methodology to deal effectively with botnets. Theoretical and international questions surrounding the sustainability and policy ramifications of private sector leadership in cybersecurity are examined, and questions for future research are identified.