Please ensure Javascript is enabled for purposes of website accessibility

Congress looking to battle the botnets

Denise M. Champagne//July 24, 2014//

Congress looking to battle the botnets

Denise M. Champagne//July 24, 2014//

Robot computer networks stealing millions from Americans and people around the world are being looked at by members of .

Sens. Sheldon Whitehouse, D-R.I., and Lindsey Graham, R-S.C., are putting together legislation to battle the botnets, a network of computers connected over the Internet that can be instructed to carry out specific tasks, often without the owners’ knowledge.

“Botnets have existed in various forms for well over a decade, but they are now recognized as the weapon of choice for cybercriminals,” Whitehouse said, opening a July 15 hearing on “Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks.”

“A cybercriminal with access to a large botnet can command a virtual army of millions, most of whom have no idea that they’ve been conscripted,” he said. “Botnets enable criminals to steal individuals’ personal and financial information, plunder bank accounts and commit identity theft on a massive scale.”

Besides threatening wallets, Whitehouse said botnets are also a threat to national security and it is feared the next 9/11 may be a cyberattack.

Graham, the subcommittee’s ranking member, said his state’s Department of Revenue was hacked in October 2012, resulting in the theft of millions of individual Social Security numbers of online income tax filers and private information of hundreds of thousands of businesses. He said the state is allocating $35 million to protect its residents.

“It happened in South Carolina, it can happen to any business,” Graham said.

Leslie Caldwell, an assistant attorney general with the Department of Justice’s Criminal Division, testified the threat from botnets, which she defined as networks of victim computers infected with malicious software, or malware, controlled by individual criminals or a group, has increased dramatically over the past several years.

By hijacking numerous victims’ identities, credit cards and bank accounts, she said criminals have stolen hundreds of millions of dollars from Americans and violate their privacy daily on a staggering scale.

Caldwell, one of six witnesses, said recent investigations reveal that botnets are used by criminals half way around the world to commit crimes of a sophistication difficult to imagine only a few years ago.

She talked about the Department of Justice and FBI’s successful efforts to disrupt GameOver Zeus, widely regarded as the most successful criminal botnet, which she said has infected between 500,000 and 1 million computers and caused more than $100 million in financial losses.

Caldwell said the department takes two approaches to botnets: Arresting, prosecuting and incarcerating criminals who use them to victimize Americans; and using seizures, forfeitures, restraining orders and other civil and criminal legal processes to dismantle criminal infrastructure.

“Cybercriminal threats post very real risks to the economic security and the privacy of the United States and its citizens,” said Joseph Demarest Jr., assistant director of the FBI’s Cyber Division. “They also affect universities, hospitals, defense contractors, government and even private citizens.”

He said according to industry estimates, botnets have caused more than $9 billion in losses in the United States and more than $110 billion globally with about 500 million computers — 18 victims per second — affected annually.

Demarest testified that a lot of criminal attacks are coming from Eurasia, where the FBI is opening dialogues and working to improve relationships. He agreed to provide Graham with a list by the end of the year of which countries are more cooperative and which have been resistant.

To understand the devastating effects of botnets, Richard Boscovich talked about a United Kingdom chef who turned on her laptop one day to find she could not access her files unless she paid a ransom within 72 hours.

“When she failed to meet the deadline, all of her photos, financial account information and other data were permanently deleted,” he said. “As she later told a reporter, ‘If someone had robbed my house, it would have been easier.’ Indeed, botnets conduct the digital equivalent of home invasions, on a massive scale.”

Boscovich is assistant general counsel for the Digital Crimes Unit at Microsoft Corp., which has partnered with other companies and global law enforcement to battle malicious cybercriminals.

He said Microsoft supports amending the Computer Fraud and Abuse Act to cover trafficking in access to botnets and agrees Congress should amend the Access Device Fraud Statute to apply to offenders in foreign countries who use phishing and other credit card schemes to harm individuals and financial institutions in the United States.

Information sharing legislation that facilitates cooperation between international organizations, business and law enforcement, while still protecting privacy, is needed, according to Cheri McGuire, vice president, Global Government Affairs & Cybersecurity Policy at Symantec Corp.

She said no single company can go it alone; the threats are too complex and the stakes too high. Defeating the threat of malicious botnets and the criminal networks behind them will require strong technical capabilities, effective counter measures, industry collaboration and law enforcement cooperation, McGuire said.

Paul Vixie, chief executive officer of Farsight Security, suggested going after the causes, enablers and attractions of botnets, rather than just beefing up an ability to take them down.

Those suggestions include awareness campaigns, having Internet users secure their connections and having a committee identify and recommend best practices for securing network and service architecture operating industrial control systems.

Craig Spiezle, executive director of Online Trust Alliance, said any effort requires a strategy to address international networks.

“We have a shared responsibility to increase investments in data sharing and adopt privacy enhancing practices, while finding new approaches to work with law enforcement and expand international cooperation,” he said. “Working together, we can make the Internet more trustworthy, secure and resilient while promoting innovation.”

Whitehouse said he has a very strong group of bipartisan senators interested in the issue and looking forward to coming up with legislation to protect the economy and companies from cyberattacks, which he noted are largely coming from overseas.

A video of the hearing may be viewed on the committee’s website at www.judiciary.senate.gov.

Case Digests

See all Case Digests

Law News

See All Law News

Polls

How Is My Site?

View Results

Loading ... Loading ...