An interesting question with troubling implications.
The Justice Department is increasingly seeking and receiving permission to secretly reach into Americans’ computers to delete malware — a shift officials say reflects a growing embrace of aggressive and creative tactics for combating a surge in cyberattacks.
Botnets — armies of hacked computers used to power everything from email spam campaigns to denial-of-service attacks that take down websites — pose a major threat to internet security, as do mass malware infections.
A botnet coordinates a large number of hacked machines to launch attacks. Those botnets are often being run by foreign operations in China and Russia with likely state links. Fighting them has national security components, but the growing casualness about this particular tactic is troubling.
In the past year, federal prosecutors and FBI agents have increased their efforts to defeat botnets and contain malware outbreaks by directly removing malicious code from infected computers, without the knowledge or authorization of those computers’ owners.
“We have gotten more comfortable, as a government, taking that step,” Adam Hickey, a deputy assistant attorney general for national security, said in an interview at the RSA cybersecurity conference in San Francisco.
No part of that quote sounds good.
After identifying infected devices, the government asks a court for permission to send commands to those devices that will cause the malware to delete itself. Essentially, the FBI uses the malware as a point of entry to the infected computers — it doesn’t need to hack the computers itself, because it’s piggybacking on someone else’s hack. These operations rely on intelligence that the bureau gathers about the botnet in question, including, sometimes, the passwords necessary to control the malware. A court’s permission is necessary, at least for devices in the U.S., because accessing them constitutes a search under the Fourth Amendment…
Whereas in the past it was hard for prosecutors to justify intrusive actions to their superiors, Hickey said, it is now harder for them to justify not taking those actions and leaving a botnet intact. “We’ve gotten to this point where we’re like, okay, if we’ve tested [our code], if we’ve worked with the manufacturer, if we’ve done everything we can to ensure there will not be collateral damage, why would we just leave the malware there?”
These changes have not just been driven by an increased comfort with reaching into people’s computers. Companies whose products are being abused are now more likely to share what they know with the government, according to Hickey. “They don’t have the authority to get a search warrant,” he said, “but they know that we will do that.”
And that growing comfort level is exactly the issue.
Slippery slopes begin with convenient rationalizations and then end with a downhill luge ride into casual abuses of power. There’s a reason why the Fourth Amendment exists and its current application. Once the feds are able to casually piggyback their way into someone’s machine, what else might they do? Once the loophole has been established that they’re not breaking in, just exploiting an existing breach, and that it’s justified in dealing with the work of a foreign adversary, where does it go next?