Microsoft’s Digital Crimes Unit (DCU) is an interdisciplinary group that pioneered the use of legal strategies to disrupt cybercrime. Richard Boscovich, a former assistant US attorney, is the DCU’s Assistant General Counsel and leads the team’s legal litigation and disruption strategy. Here, Boscovich (affectionately known as “Bosco” to his colleagues) explains the team’s unique strategy of disrupting malware by adapting legal precedent to the lawless world of cybercrime.
At a high level, how do you define the DCU’s hybrid technical and legal strategy for disruption?
Ultimately, our main goal is to protect victims. The first thing we need to do when we identify a threat is stop the spread of malware. We do that by identifying the “farming medium”—the command-and-control structure that propagates the malware—and working with the courts to take it down. By targeting the source, we’re able to help service providers identify victims who have already been infected and clean their computers.
What were some early legal innovations at the DCU?
We first brought together the multidisciplinary group that’s now the DCU in 2008. At that time, the biggest malware threats were domain-based. That means the criminals register a domain and use it as the “farming medium” to infect victims. I believed that we could make a legal case for seizing domains from threat actors by looking at precedents around asset forfeiture. When you register a domain, you’re basically leasing a piece of property. If you’re acting maliciously with that property, we can file a civil action to seize it, which enables us to cut off communication between a registered domain and the computers it has infected with malware. And if we can show the courts that the crime meets the conditions of an emergency, we can do it on an expedited ex parte basis, which means we can act without notifying the perpetrators—that’s key, because if they get notice, they’ll just move everything off the domain.
We collaborated with a cross-industry, public-private group to use this strategy to take down some of the biggest malware threats at that time, including Rustock, which was a spam botnet that was sending billions of emails a day. The reduction in global email traffic was so drastic that Treehugger magazine actually calculated the drop in CO2 emissions as a result of the reduced electricity consumption. The DCU today is built on that model of applying laws in unique ways and partnering with law enforcement and government agencies, as well as other private companies, to take action.
What was the next big inflection point in the development of the DCU’s strategy?
We started to partner with Microsoft Threat Intelligence Center (MSTIC) to disrupt nation-state actors with the Russian infiltration of the Democratic National Convention in 2016. Our approach was to distort their business model by forcing them to harden their infrastructure, which increases the cost and complexity of their operations. Nation-state actors are much more sophisticated and difficult to identify. They want to blend into traffic, and there are very few victims. We had to devise new investigative techniques, as well as adapt our legal techniques.
How did you change your approach to disrupt nation-state threats?
At that time, nation-state actors were using domain-based malware like cybercriminals were, but they’d register a domain and keep it silent for several years. Then, all of a sudden, they would pop up. But our investigators learned that those domains would always have a specific type of malware that was unique to each attack. We would search for that malware, or at least bits and pieces of it, in a domain. When we found it, that would allow us to legally substantiate our need to take the domain down. But they would come up with new domains all the time, and each time we’d have to go back to the court for additional orders. That’s much too slow when you’re dealing with a nation-state threat.
We did something very unique, which was to use what’s called a “special master” or “court monitor,” which is primarily used in divorce proceedings. It’s a process in both federal and state law that allows you to ask the court to appoint a monitor to keep watching the case after it’s closed. This allows you to act quickly on problems that arise over and over again without having to go back to court every time. If we find a domain that fits a set of predetermined criteria, we can have a phone hearing with the court monitor within 24 to 48 hours and take it down. Being able to accelerate the process was a real evolution in our legal and technical strategy.
What have been some more recent innovations in your strategy?
We developed a tactic we call Statutory Automated Disruption (SAD) that uses copyright law. In the 2021 case of Google vs. Oracle, the US courts ruled that application programming interfaces (APIs) are copyrightable. That gave us an idea: we started reverse engineering malware to see if threat actors were using Microsoft’s APIs. Very often, they were. We have copyright rules in the terms of use for our APIs, so now we can very quickly disrupt cybercriminals by showing violation of our copyright due to illegal use.
In the US, the Digital Millennium Copyright Act (DMCA) allows you to send a legal request to a service provider to take down content that’s violating your copyright. Companies send DMCA notices all the time to take down things like pirated movies. But we’re using the same strategy to take down cybercriminals’ command-and-control infrastructure. The built-in penalties in the statute are very high, so providers have to take down the malware immediately. No one’s ever done this before, and it makes disruption much more efficient and effective.
The DMCA doesn’t apply in other countries, so we can’t compel foreign entities to comply, but there are a few ways we use SAD tactics internationally. We share our DMCA notices with international registries to help law enforcement build cases against cybercriminals. We also work with private-sector cybersecurity partners around the world, and for many security companies, copyright violation constitutes a breach of contract. Sharing our DMCA notices frequently gives these companies all the proof they need to force a cybercriminal to take down malware.