Botnet Badinage: Regulatory Approaches to Combating Botnets

Abstract

A botnet is a collection of remotely controlled and compromised computers that are controlled by a bot master. Botnets are the main crime tool used by cybercriminals. To use an analogy, many crimes may be committed with a gun ranging from murder to rape to armed robbery to assault to breaking and entering to theft. Likewise, a botnet may be used in many forms of cybercrime and civil wrong ranging from sending spam, to denial of service attacks, to child pornography distribution, to worm propagation, to click-fraud, to keylogging technology and traffic sniffing which captures passwords and credit card information, and to mass identity theft. Botnets are a major crime tool used on the internet in a similar fashion to how a gun is used on the street. This thesis explores the regulation of botnets and the role that botnets play as a tool to commit many forms of cybercrime. In exploring regulation of botnets, countermeasures against fighting this crime tool will be analysed, and policy options evaluated as to under what circumstances society should prioritise combating botnets at the expense of encroaching on civil liberties, in particular the values of privacy and freedom of expression. This thesis argues that Internet service providers, domain name service providers and self-organised security communities are best positioned to effectively combat botnets. In determining the most effective regulatory measures to combat botnets, this thesis has investigated, and at points discounted, a range of other measures such as data breach notification, Sarbanes-Oxley, banking law, user education and training, non-criminal legal remedies, the range of technologies that botnets utilise, economic models to disrupt profitability, national and international criminal law, and technologies non-essential to botnets. This thesis is the result of inter-disciplinary research on botnets, combining insights from the disciplines of computer security, information systems, risk management, economics, regulation and law. Based on this inter-disciplinary research, the thesis demonstrates how cybercrime laws both at the national and international levels are rendered impotent through modern obfuscation crime tools. Reforms to the law are necessary to offer security research exemptions, remote search and seizure by law enforcement and the introduction of unwanted software legislation. At the same time, more safeguards to preserve civil liberties must also be built into Australian regulatory practice. In the course of examining the most effective ways to regulate botnets, the thesis also provides a case study demonstrating weaknesses in Lessig's Internet regulatory theory. Internet regulatory theories have generally placed emphasis on civil liberties and the struggles between users and governments over control of the regulation of the Internet. These theories, however, ignored the complex issues that cybercrime would bring into the discussion. The regulation of botnets is used to evaluate the utility of Lawrence Lessig's theory of Internet regulation through four modalities (market, norms, law and code). It is argued that the levels and types of cybercrime which have occurred in the last decade and in the decades to come were not anticipated by these theories and poses new theoretical issues. This thesis will demonstrate that effective botnet regulation will involve some use of illegal means, and inevitably will challenge not only the mindset that the law plays an authoritative role in regulation, but also Lessig's theory that market, code, and norms are the only significant forms of regulation. Changes or developments of Lessig's model are required. For example, many of the actions by self-organised security groups to combat botnets may be conceived as effective and moral though, as will be demonstrated, clearly illegal. The work of self-help remedies by these groups does not fit well with Lessig's theory. Self-organised security communities do not fall within any of Lessig's modalities and yet, the efforts of such groups are the most important countermeasures in combating botnets, and possibly in combating many forms of cybercrime.