An interesting paper from ENISA and the NATO Cyberdefence Centre illustrates the narrow space that the law allows for incident response, and the importance of ensuring that new laws don’t prevent incident response teams from protecting networks, systems, their users and information against attack. By comparing the details of German and Estonian law, the report also highlights just how different national laws can turn out, even when they are aiming to implement the same international legislation. The report looks specifically at the problem of deal with botnets, which may involve laws on surveillance, examining network traffic, processing personal data, and accessing or modifying computers. These laws are the subject of international instruments – EU Data Protection and telecommunications law and the EU Framework Decision on Cybercrime.
Detecting compromised computers that are part of a botnet involves looking at patterns, and sometimes content, of their network traffic. The first question raised by the report is whether this activity might fall within surveillance law. Normally it should not, since the subject of investigation is computers, not people. However it is possible that over-broad drafting of either law or judgments could bring network investigations within scope. Investigations, particularly if they involve looking at content, are likely to be covered by laws on the privacy of communications. German communications law protects traffic patterns (who sent packets to whom) as well as content but fortunately the law does allow network operators to examine this information where this is necessary “to recognise, limit or eliminate a disturbance or error of the telecommunication systems”. The Supreme Court has recognised “sending of spam, the dissemination of malicious software (trojan horses, viruses etc.) and the misuse of computer systems for running DDoS” as causing such disturbances. German law therefore allows network operators to retain and use all logs for seven days, and those relating to a particular incident for as long as it takes to resolve the incident. Disclosing information (unless it is first anonymised) or breaking encrypted or password-protected traffic are still illegal.
The German telecommunications law only extends to network operators, however, not to the operators of websites and other networked services. These organisations only have the general data protection law to rely on, and the authors are concerned that this may not give them a justification for looking at network traffic, producing a “lack of synchronisation” in the law. Estonian law seems to have a similar problem, though here the data protection law only provides for civil, and not criminal, sanctions. Hosts and networks could take the view that neither a botmaster nor a victim is likely to sue them for unlawful processing of personal data – a risk that the authors think “rather theoretical”. It would be better if these anomalies were fixed and incident responders given a secure basis for what they do (note that this is contained in the proposed Data Protection Regulation).
A common way to investigate botnets and other malicious network traffic is to set up a honeypot – a computer that offers itself as vulnerable but is in fact configured to collect information about attempts to compromise it. Honeypots seem to fall outside communications privacy laws, since the honeypot is a party to the communication so cannot intercept or surveil itself. This leaves data protection as the relevant law, so honeypots should be careful only to collect traffic that is necessary for their purpose.
The desired outcome of a botnet investigation will usually be to take down its command and control servers. Incident response teams are unlikely to be able to order an ISP to disconnect a server, though authority to do so is often included in ISP contracts. The report suggests that police may be able to order the disconnection of a command and control server (or to do it themselves) under general powers to protect the public order.
It is sometimes suggested that since botnets often include the ability to update software on infected computers, this technology could also be used to ‘clean up’ the botnet if access is gained to its command and control servers. The report warns that the law may prohibit this since the clean up will involve modifying the content of computers without the consent of their owners. Unauthorised modification of a computer is one of the best established cybercrime offences, and laws don’t usually consider why the modification is being done, only whether the person doing it knows they are unauthorised. A ‘good worm’ or botnet update will commit exactly the same crime as a bad one. Furthermore laws are now being implemented to criminalise the creation of tools, not just their use, so disinfection seems likely to face even more legal hurdles in future.