Four months ago Microsoft scored a cyber coup. Its digital sleuths identified a “botnet”, or fake server, that had installed malware on computers worldwide, and then it worked with the Federal Bureau of Investigation and others to shut it down. To their alarm they discovered that no fewer than 12m - yes 12m - PCs were infected, according to Tom Burt, the company’s deputy general counsel.
If you are tempted to shout “hooray”, that is understandable. After all, botnets pose a particularly pernicious threat since they are fiendishly hard to find. And cyber attacks in general are increasing explosively, costing global businesses $400bn a year, according to data from Microsoft.
There is a catch, though. Microsoft and the FBI now hope to bring the cyber hackers who created that botnet to court. But since this botnet was not entirely run from US soil - and those 12m infected computers sit everywhere around the world, from China and India to Chile and the US - the saga could be about to plunge into a legal grey zone.
“Think of a situation where you have a botnet in Singapore run by hackers in Bulgaria who cause damage to somebody in America,” Mr Burt told a Financial Times conference in Washington this week. “Who has jurisdiction? What laws are used?” Nobody knows. In cyber space, as in the global financial system a decade ago, a plethora of criminal activity is in danger of falling between the cracks because national rules are ill suited to a fast-moving digital world.
Investors and politicians around the world should take note - and worry. Deeply. In the past couple of years, western governments and businesses have made considerable strides in building defences against cyber crime. This week in Washington, for example, the Department of Homeland Security is launching an “automated information-sharing” program for utility companies. The aim is to ensure that, “when adversaries try something” against one US utility company, everyone else is alerted, according to Suzanne Spaulding, an undersecretary at the department.
In truth, such information-sharing is still imperfect. John Carlin, assistant attorney-general for national security, admits “the vast majority of companies do not report small intrusions” to each other. But the situation is better than four years ago, when suspicion between business and the security establishment reached such depths that the US Chamber of Commerce dragged its feet about setting up mandatory information-sharing programs. And the fact that nobody has yet conducted a successful hack on a US utility, say, is one reason for comfort.
But, as business and government strengthen their defences, the big missing piece of this campaign is punishment. As any parent or regulator knows, it is hard to deter wrongdoing without a system for imposing discipline. And, right now, remarkably few cyber criminals have been brought to trial relative to the scale of the current $400bn heist.
That partly reflects the difficulty of identifying and apprehending perpetrators, particularly in places such as Russia and China. The other big problem is the one faced by Microsoft: the legal framework across borders is a mess.
In a rational world, this would suggest a multilateral body, such as the UN, urgently needs to create some common laws or at least promote more mutual recognition. In the real world, sensible collaboration is hard to organise now; indeed, events such as the Edward Snowden affair - where revelations by a former US National Security Agency contractor about the extent of American internet surveillance fuelled transatlantic rows over privacy - are making this debate even harder. “Walls are going up,” says Mr Burt.
So in the interim, US officials are using whatever homegrown tools they have. Mr Carlin, for example, says Washington security officials recently managed to extradite from Malaysia a suspected hacker who had created a cyber attack against a US retailer that spearheaded a bigger Islamist plot.
But strong-arm US legal action is not an effective long-term solution; not least because such unilateral measures risk sparking a backlash. And many western companies are in effect stuck: they can build defences against cyber crime but cannot effectively retaliate.
So when people describe cyber space as the new Wild West, they are only half correct. This is a place where baddies have an endless supply of cheap guns but ordinary citizens have only barricades. This looks unlikely to change soon - unless and until companies such as Microsoft find a way to put those botnet creators behind bars. That would be an even more remarkable coup.
