Cybersecurity

Senators push for enhanced powers to battle botnets

Senators are seeking expanded powers for law enforcement to go after botnets, the networks of infected Internet-connected devices leveraged by cyber criminals and other malicious actors.

Sens. Sheldon Whitehouse (D-R.I.) and Lindsey Graham (R-S.C.) are renewing a push for legislation that would allow the Justice Department to “weed the garden of the Internet for botnets before they become an actual fraud or national security risk,” Whitehouse said at a national security forum on Wednesday.

The push is more evidence of the heightened attention that Washington is giving to the threats from botnets as devices become increasingly connected, thanks to the Internet of Things.

The Trump administration has ordered the Secretaries of Commerce and Homeland Security to spearhead an effort, along with stakeholders in the private sector, to reduce the threat of botnets to the internet and communications infrastructure.

The focus on botnets intensified in the wake of a distributed denial-of-service (DDoS) attack on web service provider Dyn that took out top websites like Twitter and Netflix last October.

Hackers leveraged thousands of devices, including digital video records, network-connected video cameras, and routers, to perpetrate the attack. 

“One of the reasons botnets are growing in prevalence is the growth of the Internet of Things,” said Jennifer Martin, a lawyer at Covington & Burling LLP who specializes in data privacy and cybersecurity matters. “As more and more things are connected, you can expect more and more things to be compromised and exploited.” 

Under current law, the Justice Department can obtain a court order to neutralize botnets in cases that involve fraud or illegal wiretapping.

Whitehouse told The Hill that his legislation, which has not yet been introduced, would enable the Justice Department to more swiftly go after botnets “by lifting the restriction that a botnet has to be actively used for fraud or for nefarious national security purposes before it can be weeded out.”

Sens. Whitehouse, Graham, and Richard Blumenthal (D-Conn.) introduced similar legislation in the last Congress to expand the department’s power to seek injunctions to shut down botnets to cover a broader range of illegal activity, including data destruction and DDoS attacks against websites.

The bill, which never advanced to the floor for a vote, spurred criticism among privacy and civil liberties groups.

The Center for Democracy and Technology argued in a blog post that the legislation could risk privacy by allowing the FBI to access infected computers without notifying or receiving consent from the owner.

This time around, Whitehouse said he and Graham — who together lead the Judiciary Subcommittee on Crime and Terrorism — are looking to attach the legislation to another vehicle to ensure it gets a vote in the Senate. 

“I don’t think it’s likely to be a unanimous consent bill and I don’t think it’s likely to get floor time on its own with all the demands Leader McConnell has on the floor time, so that means there has to be a vehicle in which it gets a vote,” Whitehouse said. “We don’t have clarity yet as to when a relevant vehicle might emerge.” 

Law enforcement agencies have already seen their power to go after botnets grow in recent months. Last year, an amendment to the Federal Rule of Criminal Procedures allowed the FBI and other law enforcement bodies to search multiple computers countrywide by obtaining a single warrant. 

The change to “Rule 41,” which was approved by the Supreme Court, garnered some opposition in Congress from lawmakers who raised concerns about privacy implications and expanded government hacking powers.

The Justice Department touted the new power as a necessary authority to swiftly investigate ransomware and other schemes facilitated by botnets and insisted that it would not allow for “indiscriminate surveillance of thousands of victim computers.” 

In April, the department announced actions to go after the Kelihos botnet, a global network of tens of thousands of infected computers controlled by a Russian cyber criminal named Peter Levashov.

Martin, a former senior counsel in the Justice Department’s computer crime and intellectual property section, said combating botnets is not purely a law enforcement issue.

Companies also need to be building security into their technologies in the first place, she said, to prevent them from falling to hacking. 

“The preventative measures and security have to be built in,” Martin said. “Developers, manufacturers, and users have to employ a layered approach to defend against cyberattacks.”