The EU Agency for Cybersecurity’s latest Threat Landscape Report identifies so-called botnets as the most detected malware category in corporate environments. The interconnected ecosystems of the Internet of Things and Industry 4.0 are particularly vulnerable and provide an ideal breeding ground for cyberattacks executed by botnets.
What are botnets? How are botnets used?
Cybercriminals use so-called ‘botnets’ to remotely and covertly access data stored by businesses, to deploy ransomware on company servers, or to temporarily shut down a business’s IT infrastructure or its web services, e.g. by means of so-called Distributed Denial-of-Service (DDoS) attacks.
A botnet consists of a very large number of devices infected with bot malware, all connected to each other. These serve as the criminal infrastructure behind large-scale cyberattacks. Botnets are not only used by the cybercriminals who created them, but are also made available to third parties in exchange for payment (botnet-as-a-service).
How can businesses mitigate the aftermath of a botnet attack?
If a botnet attack results in a personal data breach, businesses face different obligations. For example:
- Businesses in Europe must notify the competent data protection authorities without undue delay, and in any event within 72 hours of becoming aware of the breach.
- Businesses in the US must assess the specific data breach reporting requirements of their respective state, as all states have enacted rules on notifying individuals and/or regulators. They should also take a closer look at the Federal Trade Commission’s most recent guidance from May 2022, which stipulates that failure to disclose information about a data breach to affected parties could violate the FTC Act and may lead to an enforcement action by the FTC.
- Various breach notification laws may be triggered across jurisdictions in the Asia Pacific region and in the rest of the world, even in countries where data protection and cyber security regulation has in the past not been the primary focus of lawmakers and regulators.
Additional sector-specific IT security legislation might also apply. Businesses in certain critical infrastructure sectors must meet reporting obligations under the EU’s NIS Directive and/or the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
While failure to fulfil these notification requirements may lead to an enforcement action by the competent data protection authority, law enforcement agencies repeatedly emphasise the need for businesses to cooperate with law enforcement and file criminal charges in order to combat cybercrime effectively. For example, in its latest report on the state of cybercrime in Germany, the Federal Police Office highlights the importance of assistance from private businesses in taking down the Emotet botnet in 2021.
Both botnet perpetrator and victim?
Considering the economic losses that data breaches cause for businesses, combating cybercriminals serves every company’s intrinsic commercial interests. A successful criminal investigation might not only lead to the prosecution of a botmaster using a botnet, but could also aid in cracking down on botnet-as-a-service providers.
However, every measure taken to assist law enforcement agencies constitutes a disclosure of information that might be relevant to other regulators and to claimants in litigation, in particular if the appropriateness of the business’s technical and organisational cyber security measures is challenged. The victim can therefore quickly become a perpetrator, depending on the agenda of the relevant authorities. Each step of cooperation must be carefully weighed against the regulatory and litigation risk and, where possible, safeguards to ensure the confidentiality of communications should be put in place.
It must also be taken into account that law enforcement might decide, in the course of its fact finding, to raid a business’s data centre or other sites if the company does not cooperate. This may cause reputational harm and trigger red flags for other regulators, which might assume the business lacks robust post-breach policies and thus scrutinise its technical and organisational measures more closely. Deficiencies in this regard have led to large fines, and we are seeing a substantial flow of mass claims (from affected customers or even employees) against companies suffering a data breach.
Lawmakers on the offense
As the number of botnet attacks grows, regulators across Europe and the US are calling for an expansion of cybercrime legislation, which could impact businesses’ future risk assessment in the aftermath of a botnet attack.
In Germany, the Federal Council, for the third time since 2016, has introduced a bill on digital trespass with the purpose of expanding criminal liability for the establishment of botnets.
In the US, the International Cybercrime Prevention Act was introduced in the Senate in June 2021; it would bolster the DOJ’s powers to shut down botnets.
Businesses are advised to carefully consider cyber risks such as botnet attacks and implement measures, both to comply with ever-stricter data protection requirements, as well as to safeguard against (criminal) liability risks.