“We have gotten more comfortable, as a government, taking that step,” Adam Hickey, a deputy assistant attorney general for national security, said in an interview at the RSA cybersecurity conference in San Francisco.
The latest example of this approach came in April, when U.S. authorities wiped malware off of hacked servers used to control a Russian intelligence agency’s botnet, preventing the botnet’s operators from sending instructions to the thousands of devices they had infected. A year earlier, the Justice Department used an even more expansive version of the same technique to send commands to hundreds of computers across the country that were running Microsoft’s Exchange email software, removing malware planted by Chinese government agents and other hackers.
In both cases, federal prosecutors obtained court orders allowing them to access the infected devices and execute code that erased the malware. In their applications for these orders, prosecutors noted that government warnings to affected users had failed to fix the problems, thus necessitating more direct intervention.
Unlike in years past, when botnet takedowns prompted extensive debates about the propriety of such direct intervention, the backlash to these recent operations was limited. One prominent digital privacy advocate, Alan Butler of the Electronic Privacy Information Center, said malware removals required close judicial scrutiny but acknowledged that there was often good reason for them.
Still, DOJ officials said they see surreptitiously taking control of American computers as a last resort.
“You can understand why we should be appropriately cautious before we touch any private computer system, much less the system of an innocent third party,” Hickey said.
Bryan Vorndran, who leads the FBI’s Cyber Division, said in an interview at RSA that the government’s approach is to “move from least intrusive to most intrusive.”
In the early days of action against botnets, beginning with a 2011 takedown of a network called Coreflood, senior government officials were reluctant to push the limits of their powers.
“With Coreflood, it was, ‘Okay, you can stop the malware, but we’re not going to…