The neutralisation of a botnet of more than 1,260,000 “zombie” computers has made the news in recent days. This network used the Retadup worm to “steal” personal data (including personal health information), to divert computing power to the mining of the Monero cryptocurrency, to launch spam campaigns and to carry out distributed denial-of-service (DDoS) attacks.
Without creating controversy, several cybersecurity experts in technical and legal fields raised the question of the legislation applicable to a botnet consisting of zombie computers scattered in many countries. On 24 September, the Digital Crime Centre (C3N) of the judicial division of the French Gendarmerie explained to the audience at the FIC Observatory how this botnet could be dismantled. A round table facilitated by the Research Centre of the French Gendarmerie Officers’ School (CREOGN) brought together Eric Freyssinet; Olivier Iteanu, a lawyer specialising in digital law and the Vice President of Hexatrust; and Aude Géry, a PhD student in Public Law at the University of Rouen and a member of the Géopolitique de la Datasphère (GEODE) research centre, who, in an article in Libération a few days earlier, had raised the question of the extraterritoriality of the actions taken by the gendarmes.
A brief summary of the facts and actions taken would seem to be in order prior to an examination of the law. Avast Software is a Czech company that produces the software program Avast Antivirus. In March 2019, the company reported a major breach to the C3N. The unit conducted a preliminary investigation entrusted to it by section F1 of the Paris public prosecutor’s office, specialising in attacks on automated data processing (ADP) systems. The technical aspects of the investigation determined that the Command & Control (C&C) server was located in the Île-de-France region. Every 30 seconds, the server received a request from zombie computers awaiting orders. A copy of this C&C server was made in order to replace the contentious server prior to its migration. Cooperation with the United States (FBI) was necessary, as some domain names were registered in that country. This cooperation allowed all the botnet’s traffic to be redirected to and captured by the French Gendarmerie’s “Server B”. The gendarmes discovered a flaw that allowed the worm to be disabled in the compromised computers. An empty order cancelled all previous commands and thus removed the computer from the botnet. The bots always sent requests to the server, never the other way round. This piece of information is crucial, because clearly no action was taken from within the compromised computers; those computers (unwittingly) requested their own “release”.
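The fixed 30-second polling described above is exactly the kind of regularity a defender can look for in proxy or DNS logs. The following is an added example, not code from the article or from the C3N operation: it flags source hosts whose requests to a single destination recur at a near-constant interval. The log format, host names and the 30-second period with 10% tolerance are assumptions chosen for illustration.

```python
# Added example (not part of the original article): flagging hosts that beacon
# to one destination at a fixed interval, as the Retadup bots did every 30 s.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: "<ISO timestamp> <src_ip> <dst_host>".
# 10.0.0.5 polls every 30 s; 10.0.0.7 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2019-03-01T10:00:00 10.0.0.5 cc.example.invalid
2019-03-01T10:00:30 10.0.0.5 cc.example.invalid
2019-03-01T10:01:00 10.0.0.5 cc.example.invalid
2019-03-01T10:01:30 10.0.0.5 cc.example.invalid
2019-03-01T10:02:00 10.0.0.5 cc.example.invalid
2019-03-01T10:00:03 10.0.0.7 news.example.invalid
2019-03-01T10:00:41 10.0.0.7 news.example.invalid
2019-03-01T10:03:12 10.0.0.7 news.example.invalid
2019-03-01T10:09:50 10.0.0.7 news.example.invalid
2019-03-01T10:15:04 10.0.0.7 news.example.invalid
"""

def parse_log(text):
    """Group request timestamps by (src_ip, dst_host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, period=30.0, tolerance=0.1, min_requests=4):
    """Return (src, dst, mean_gap) for every (src, dst) pair whose
    inter-request gaps sit within +/- tolerance of `period` seconds
    and show equally little jitter between them."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A mean near the expected period plus low spread marks a beacon;
        # human-driven traffic has large, irregular gaps and is skipped.
        if abs(avg - period) <= period * tolerance and pstdev(gaps) <= period * tolerance:
            hits.append((src, dst, avg))
    return hits
```

On real logs the period would not be known in advance; the same test can be run over a range of candidate periods, or the check reduced to "low jitter relative to the mean gap" alone.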
French national and international legislation (the 2001 Budapest Convention on Cybercrime, ratified by 64 States) protects the will of the master of the system against infiltration, constraint and shackling of ADP systems. In this case, the will of the master of the system was shackled and subsequently released. This was, in a way, a release of digital hostages. The Godfrain law does not explicitly address this situation. In any case, no charges could be brought; even if they could, Article 323-3-1 of the French Penal Code, which deems an action taken for purposes of IT security to be legitimate, could be used as a defence.
Was France required to have cooperated with all States concerned? Bilateral cooperation is known to entail certain difficulties. The botnet would still be active. No damage was done to any of those States; hence, no complaint was made by any of them. According to Prof. Theodore Christakis, a specialist in international law applicable to the digital space, the bona fide or good faith rule applies here, as the French public authorities have never acted against the interests of the States concerned. If such a legal action were taken, self-defence could be claimed. The compromised computers, had they not been neutralised, might have been used for attacks on French national interests. Action had to be taken immediately, and the action taken was suitable and proportionate. The States concerned might even thank France for having helped them, without their knowledge, abide by the due diligence rule, which requires them to prevent any action undertaken on their territory and targeting a foreign State. Does the current law need to be clarified? In the absence of litigation, no case law is applicable to this particular case.
Was France required to have sent a warning message to the holders of the 1,261,000 compromised computers? The C&C server that the C3N set up was a “passive” server. The process of hunting down the IP addresses needed to send individual warning messages would have been exceptionally long and complex. Moreover, messages sent by security forces must be strictly limited, so as not to supply fodder for phishing campaigns, which often rely on fake official documents.
The Retadup case created a precedent. It showed that the players in the fight against cybercrime are not devoid of all means against “21st century crime” (the theme of the first FIC, in 2007). It also showed that the job of gendarmes is swiftly changing, as these officers of the law must also be able to implement technical procedures that require a high level of expertise. This convergence of the “hard” sciences and the law may be seen today in many legal professions. Undoubtedly, processes of recruitment, training and career management must be revisited with a view to embracing the digital age.
(by Army General (2S) Watin-Augouard, Founder of the FIC. Former Inspector General of the French armed forces – National Gendarmerie, General Watin-Augouard is today at the head of the Research Centre of the National Gendarmerie Officers’ School (CREOGN). He founded the FIC in 2007.)