Bots, cops, and corporations: on the limits of enforcement and the promise of polycentric regulation as a way to control large-scale cybercrime

Botnets currently pose the most serious threat to the digital ecosystem, providing an infrastructure that enables bank fraud, distributed denial of service attacks (DDoS), and click fraud. During the past few years, three main approaches have been used to fight botnets. First, police organizations have periodically arrested prominent hackers and scammers, hoping such high-profile operations would have a deterrent effect. Second, Microsoft has performed a number of takedowns, using an innovative blend of legal and technical means that attempt to disrupt botnet operations and reduce their profitability. Third, some countries – Japan, South Korea, Australia, the Netherlands, and Germany – encourage harm reduction strategies that rely on public-private partnerships involving internet service providers, anti-virus companies, and regulatory authorities. This article describes these three approaches (incapacitation, disruption, and harm reduction), the challenges they face, and their respective effectiveness in protecting the digital ecosystem from large-scale online harm.
