Cybercrime Disruption through Civil Litigation and Equitable Remedies

Amy Hogan-Burney, George Ramsey
Wednesday, May 10, 2023, 9:15 AM
No single tool, legal or technical, is able to fight cybercrime. But civil action litigation, however imperfect, is an effective tool to disrupt cybercrime that is available now.

Published by The Lawfare Institute
in Cooperation With
Brookings

Microsoft’s Digital Crimes Unit works to protect Microsoft and its customers from digital threats. For several years, it has successfully pursued a strategy to disrupt cybercrime activity through civil litigation seeking injunctive relief by applying traditional common law tort and property principles to digital ecosystems. Equitable remedies have proved effective in halting harmful online activity, allowing courts to adapt rulings to factual circumstances and emerging technology and activity for which damages are an ineffective remedy or for which there is no other viable legal relief.

As a general manager at Microsoft in the Digital Crimes Unit and a technology litigation lawyer focusing on cybercrime and the global enforcement of legal rights, we read with great interest the July 21, 2021, Lawfare piece by Asaf Lubin and João Marinotti, “Why Current Botnet Takedown Jurisprudence Should Not Be Replicated,” in which the authors criticize Microsoft’s disruption strategy and the courts’ application of centuries-old principles to contemporary misconduct. They argue that such remedies are an inadequate means to effectively counter cybercrime at scale and should be abandoned in favor of pursuing global governance frameworks that might be realized in the future. Lubin and Marinotti also assert that Microsoft’s applications for injunctions are a misuse of courts’ equitable powers and pose unacceptable risks to third parties. Although we agree in principle with the value of a rigorous framework and institutions capable of preventing cybercrime, the authors’ analysis and recommendations are otherwise misguided. 

However imperfect a civil action might be, litigation is an effective tool to disrupt cybercrime that is available now. When a case can be made to stop cybercrime, it should be pursued. Inaction in the face of persistent threats in favor of holding out for a comprehensive internet governance framework is still inaction and is unreasonable. Our pleas for courts to enjoin harmful digital activity are entirely consistent with the principles and origins of the application of equitable judicial power. And courts have proved themselves more than capable of applying their powers consistent with due process to cases involving digital ecosystems and defendants who, unsurprisingly, evade judicial proceedings. As recently as March 31, the U.S. District Court for the Eastern District of New York exercised this power to issue a court order allowing Microsoft, Fortra, and Health-ISAC to disrupt cracked, legacy copies of Cobalt Strike and abused Microsoft software, which have been used by cybercriminals to distribute malware, including ransomware. The U.S. District Court for the Southern District of New York in April similarly issued a court order allowing Google to disrupt the information-stealing malware CryptBot. 

The White House released its new National Cybersecurity Strategy in March, identifying disruption as a central pillar. Therefore, we believe that it is the perfect time to respond to Lubin and Marinotti’s piece and to highlight the efficacy of this approach at the same time. Further, there is an increased potential for expansion of the disruption strategy. Courts continue to recognize that flexible injunctions are well suited to adapt to the “speed of technological advances,” providing a foundation for the development of new legal authorities to support the seizure of technology used in furtherance of cybercrime.

An Overview of Microsoft’s Strategy of Disruption Through Civil Litigation

While there are other types of disruption cases, Microsoft’s malware disruption cases proceed as follows. Through robust investigative capabilities and our somewhat unique position in the global networked environment, Microsoft is in possession of detailed information regarding the command-and-control infrastructure of certain types of malware. This malware targets Microsoft, our operating systems and applications, and our customers. These are uniformly domain names and IP addresses used by defendants to control malware installed on victims’ computers or otherwise used to direct malicious code, instructions, or fraudulent communications at victims. It takes time to develop a comprehensive view of this infrastructure, which is needed to have a reasonable chance of effectuating disruption that is meaningful and mitigates harm. Once this visibility is obtained, Microsoft moves as quickly as possible to file suit against known and unknown defendants, seeking a temporary restraining order and preliminary injunction under Rule 65 of the Federal Rules of Civil Procedure to disable or transfer such infrastructure away from defendants’ control and otherwise prevent their ability to utilize such infrastructure for injury that, as supported by evidence, is absolutely clear and severe.

Harm Reduction and the Immediacy of Cybercrime—An Operational Perspective 

The most effective disruption operations to date have been, and inevitably must be, driven by large-scale, global, multi-stakeholder coordination that leverages unique visibility into the threat ecosystems of stakeholders such as Microsoft and other infrastructure providers, governments, and security community partners. Lubin and Marinotti’s supposition that improved global internet governance includes well-defined, systematic, and consistent global reach; strong global mutual legal assistance; sufficient technical operational capabilities; sufficient threat intelligence and targeting data; and threat prioritization is well founded. New international government institutions that serve as hubs for cyber threat information-gathering, threat prioritization, and collective global action to effectuate systematic cybercrime infrastructure disruption are efforts well worth deep consideration and investment. 

However, this is all an enormous and long-term project. The authors miss the perspective of parties who cannot afford to stand idly by waiting for the perfect constellation of internet governance frameworks, institutions, treaties, and public-private partnership to unfold in an ideal manner over the course of years. Indeed, even assuming such evolved institutions and frameworks could exist, there will always be a place for individual cybercrime victims to protect themselves through litigation, given the exigencies of risk. The new National Cybersecurity Strategy also recognizes that victims of cybercrime, and private-sector stakeholders with capability and responsibility to those victims, must be able to exercise straightforward, pragmatic, and well-established legal and procedural tools to disrupt, to share information to help support deterrence, and to immediately mitigate injury. These stakeholders must grapple on a daily basis with systematically threatening cybercrime infrastructure causing injury right now and must do their best to reduce that harm. They need tools to achieve disruption in support of harm mitigation, even if the result is somewhat imperfect.

Lubin and Marinotti’s position seems to be that victims of cybercrime, including Microsoft, are overstepping when we even bother to try to disrupt botnets or, more broadly and accurately, technical infrastructure used by cybercriminals. At points, the authors nearly advocate for just letting injury to corporate and end-user victims continue until policymakers have crafted a “systemic and holistic solution” that includes the establishment of adequate institutions and sorting out all the grand niceties of international law to account for “potential fallout in foreign relations.” In the meantime, the implication seems to be to let the victims be victimized.

The solution is not to simply ignore these real-world practicalities or treat cybercrime as activity that is beyond ordinary, available legal recourse or straightforward, practical solutions. 

Cybercriminals Are Not Beyond the Reach of the Law

One overarching premise in Lubin and Marinotti’s piece appears to be the belief that private-sector actors have no business bringing lawsuits against threat actors involved in systematic cybercrime. How can this be so? Microsoft’s past lawsuits have gone well beyond botnets and sought to disrupt malware distribution, phishing, or other forms of fraudulent online conduct. The threat actors targeting and injuring Microsoft and its ecosystem for profit or other self-interest are individuals carrying out targeted harmful conduct that situates them in relation to Microsoft as defendants, just like any other commercial or competitive threat. Indeed, the entire legal disruption strategy is predicated on the reality that cybercriminals are simply strategic competitors vying for Microsoft’s own resources and customers and utilizing illegal and harmful means to do so. Surely, Lubin and Marinotti would not take issue if Microsoft brought a lawsuit against a competing company or rogue partner who illegally breached a contract, infringed a patent, stole trade secrets, or engaged in good old-fashioned commercial fraud against the company through digital or nondigital means.

Sophisticated cybercrime groups are no different and are not beyond the reach of ordinary civil legal recourse. Microsoft’s lawsuits are not “privateering,” as the authors suggest. Rather, these legal actions are simply the sober pursuit of legal recourse—even if imperfect—by the victim of civil wrongs through the most obvious institutions: the U.S. courts.

The Powerful Tradition of Flexible Equitable Remedies

Lubin and Marinotti’s first objection to Microsoft’s strategy is that there is purportedly no place for the equitable remedy of injunctions in legal proceedings involving cybercrime. Yet the ability of courts to craft flexible equitable remedies to mitigate harm is an ancient part of common law legal traditions. Courts routinely define injunctive remedies that fit the situation and the facts at hand in a wide variety of legal proceedings, involving all manner of harmful and illegal human behavior. The whole point of injunctions is to provide for relief in new or unanticipated situations, and to fill gaps where damages or existing codes, statutes, or precedent fail to do justice. This is a well-settled and commonplace part of the U.S. legal system. As the Supreme Court put it, “Once a right and a violation have been shown, the scope of a district court’s equitable powers to remedy past wrongs is broad, for breadth and flexibility are inherent in equitable remedies.”

The assertion that “[r]estraining orders and other equitable mechanisms of relief were never designed to address such a unique challenge as global cybercrime” is fundamentally flawed. To the contrary, the purpose of equitable remedies is to flexibly join previously unencountered factual circumstances in a manner that results in justice. Equity’s purpose is to adapt. Accordingly, it is erroneous to assert that injunctions used in cybercrime cases “step outside what they were originally meant to cover,” given that, for many hundreds of years, a fundamental purpose of equitable relief has been to flexibly account for circumstances that were previously unforeseen and unaddressed through other authorities and proceedings. It is procedurally and factually incorrect that injunctions are typically “developed by courts,” when litigators know that it is the litigants that explain and propose forms of injunction to courts in particular cases. Injunctions addressing cybercrime infrastructure are not exotic, unusual, or improper. In fact, nothing could be further from reality. For example, courts have issued such injunctions in typical commercial contexts addressing simple trademark and copyright infringement to disable or transfer internet infrastructure (domains or IP addresses) since the early days of the World Wide Web. 

In sum, there is no better mechanism to join unique and new challenges, such as the technical practicalities of global cybercrime, given that injunctions bring with them attributes of flexibility, adaptability, and speed, all necessary to the changing conditions and exigencies of cybercrime.

Civil Cybercrime Actions Are Fully Litigated

It is also a mischaracterization that Microsoft’s actions against cybercriminal defendants are not fully litigated on the merits against the defendants or that the requirements of due process and elements for injunctive relief are not met.  

To begin, Lubin and Marinotti inaccurately assert that urgency is “alleged (or manufactured) …  to squeeze from the court an authorization to take immediate unilateral action that will essentially nullify the case it filed.” Victims of ransomware attacks would likely disagree. When millions of dollars of potential injury are at stake, millions of victims are in harm’s way, and there is no other legal device available to promptly attempt to stop that injury, this is precisely the moment for which equitable remedies are designed. Microsoft prepares as much as possible, but it cannot wait forever and instead chooses to act quickly—once there is sufficient evidence. Courts do not order injunctive relief on threadbare evidence and Microsoft does not simply plead a prima facie case. Rather, it supports its claims with documentary evidence and sworn declarations. Courts then hold legal and evidentiary hearings in which witnesses and lawyers are questioned, and a record is developed. These are fulsome proceedings that result in substantial evidence before the court that actually proves the case and establishes the evidentiary bases for the injunction.

The authors take issue with obtaining such injunctions designed to “interfere with the hackers’ operation rather than anything else.” But litigation with precisely this goal is entirely appropriate. Cybercriminals are not beyond the reach of the rule of law and should not be allowed to continue operations with impunity. That they evade legal proceedings through anonymity or by residing or obscuring their locations outside of the United States or in jurisdictions hostile to legal process are not valid reasons to capitulate to their activity. And obtaining these injunctions is nothing new. Providers hosting the malicious infrastructure have uniformly required a court order inside the U.S. or needed to ask for government direction outside the U.S. for decades. And so, for U.S.-based infrastructure, Microsoft obtains a court-ordered injunction. Outside of cybercrime, the purpose of remedial injunctions is always to “disrupt” some defendant’s operations and to bring about cessation of harmful activities—to remediate existing, irreparable harm. In the context of cybercrime infrastructure, that most certainly means interfering with the hacker’s operations that are the source of the harm.

It is correct that Rule 65 is designed to prevent irreparable harm and afford provisional remedies that preserve the relative positions of the parties during the pendency of a case. However, the authors take an artificially narrow view of what the pendency of a case means, asserting that temporary relief is purportedly invalid unless there is a “trial on the merits.” Not all cases can and do end in a trial, and that is true of every form of federal court dispute. Indeed, the law reflects this: “A preliminary injunction will normally issue only for the purpose of preserving the status quo and protecting the respective rights of the parties pending final disposition of the litigation.” Federal Rule of Civil Procedure 55 provides that such a “final disposition” may be in the form of a default judgment, issued after a defendant has had a full opportunity to appear but refuses to do so. It happens every day in U.S. courts and most certainly happens in cybercrime cases. The authors assert that Microsoft displayed a “lack of interest in litigating the merits of these disputes, whether to reaffirm their rights, property or otherwise, or to deter or punish a particular party.” That is simply not so.

Once litigation commences, Microsoft obtains authority to pursue discovery to identify defendants and as many points of contact for defendants as possible. Microsoft advances that effort vigorously over the course of many months in every single case and engages in communication with the defendants, generally through email and instant messaging addresses used by defendants, which are iteratively discovered through subpoenas, international discovery requests, and informal requests to the extent the latter approach is viable. It is a massive and committed undertaking. We do everything possible to identify, name, and pursue the defendants.  

While specifically naming the defendant is not always possible, given the nature of cybercrime, the work undertaken to identify is always extensive with robust communication with the defendants that fully meets the requirements of due process—whether defendants respond or not. The parties receive a significant volume of communications that provide absolutely explicit and repeated service of process and notice of the proceeding, including in native languages where such is known and in English where the actors are known to operate in that language. They are, therefore, participants in these proceedings that are able to come to court at any time during the case. Microsoft’s engagement with the defendants toward a final judgment is an act of what Lubin and Marinotti characterize as “a lack of interest in litigating the merits of these disputes … to reaffirm [Microsoft’s] rights, property or otherwise, or to deter or punish a particular party.” Indeed, like any other case, the defendants have been made fully aware of the proceeding, that the court has subjected them to jurisdiction and will issue final orders binding them, and that they will be subject to ongoing relief in the future. Thus, by the end of these cases, there is nothing “temporary” about the process or the relief at all.

Courts Are Capable of Handling Cybercrime Matters

Anyone who has ever set foot inside a federal court to appear before a federal judge likely understands the gravity of that institution and the seriousness with which judges take their responsibilities. Any assertion that federal judges do not have sufficient capabilities to handle litigation involving cybercrime infrastructure is inaccurate. The lawyers who appear likewise take their obligations very seriously. It is important to recognize the real capacity that U.S. federal courts have as an institution. To do otherwise risks trivialization of the courts and officers of the court.

Specifically, it is inaccurate to assert that “[c]ourts are not in a position to adequately analyze takedown requests and do not have the technological or policy expertise to ensure their orders are sufficiently narrow and will not cause further damage to computer networks, or more broadly to foreign relations.” Federal courts handle a massive volume of matters involving the internet and myriad forms of digital wrongs. They decide matters involving the interplay between government action and private interests on a regular basis. They have a deep understanding of jurisdictional issues and sovereignty. Judges are generally well informed; understand the implications of their orders; approach the matters with a critical eye; ask hard questions; attend to deconfliction with government efforts; constrain their orders to infrastructure well within their jurisdiction; build in structures to manage potential collateral risk such as posting of bonds, tight timelines, required engagement with third parties, and prompt reporting and disclosure; and generally hold litigants to account. 

The authors cite “absurdly low bonds” that judges impose on Microsoft as evidence of the courts’ “limited ability to properly review botnet takedown requests.” However, the amounts of bonds required are not conclusive evidence of a flawed process. The bond amounts are entirely consonant with the relief granted; in other words, $50,000 to $250,000 bond amounts are more than adequate to secure routine cooperation by third parties and risk associated with infrastructure that is being used only for cybercrime and which has been deconflicted with the public and private sectors alike. The decisive factor in setting a bond amount is the cost to the enjoined party, not the potential damage to the movant. If defendants impacted by an injunction believe bond amounts are disproportionately low, they can appear in the case and seek reconsideration or appeal. Argument between plaintiff and defendant regarding the bond amount occurs in nearly every contested preliminary injunction action, and should defendants of cybercrime matters wish to engage on the topic, they have every opportunity to do so.

Further, the assertion that “judges lack the technical expertise necessary to serve as a useful check in the course of approving remedies in an ex parte process” is misguided. Courts are equipped to effectively assess the scope of IP addresses and domain names provided by the claimants and apply scrutiny to the evidence at hand. Every day, federal judges consider extraordinarily complex technical issues such as patents involving cancer drugs, artificial intelligence, nuclear physics, and the internet. They do so with meaningful scrutiny through precisely the same processes employed in Microsoft’s matters, whether adversaries are present or not, with documentary and declaratory evidence by experts in the field, live testimony in evidentiary proceedings, and discussion with counsel in hearings.

Community Input, Underestimated Efficacy, and Overstated Collateral Risk

Potentially lost in the criticism of Microsoft’s litigation is a real issue that there are potentially impacted stakeholders and interests in the broader picture that are not sufficiently accounted for in these legal proceedings. In the decade that Microsoft has been pursuing these lawsuits and disruptions, a substantial amount of refinement and maturation of the process has taken place. And, admittedly, as Lubin and Marinotti point out, these disruptions have not been flawless. One example was a technical issue early in the life of the program. In Microsoft v. Al Mutairi et al, when applying the court-ordered remedy that had effectively been applied in a previous case, there was a brief period of outage to non-defendant third-party users. In that case, the infrastructure provider seemed to have crossed the line into complicit action with threat actors, making direct notification and cooperation with the provider impossible. The issue was not the nature of the legal proceeding, order, or the technical remedy as the authors describe, but rather that implementation of the technical remedy was imperfect. That circumstance does not call into question the entirety of the legal theories, procedural devices, or judicial regimes. But it was an important learning moment that resulted in changes to our work in assessing the processes, input, and planning leading up to these operations.  

The reality is that, prior to filing these matters, Microsoft deconflicts globally with a variety of appropriate government and private-sector stakeholders. Some operations go further and involve coordination with, but not direction from, governments. In any case where the public sector is involved, all parties act independently. Microsoft also engages with trusted security community members to provide third-party validation of the nature of threat, identified cybercrime infrastructure, and technical remedies. Microsoft has also matured its risk management techniques and engages with owners of compromised websites or servers being used for cybercrime. Those owners then assist in the background, outside of what is visible in the court proceedings. Microsoft engages with third-party infrastructure providers to which orders are directed. Of course, in extremely fast-moving situations, new infrastructure providers emerge and are directed to assist by court order prior to dialogue. The sum of these steps is that Microsoft takes care not to disturb the balance of equities in the activities of the U.S. government and its partners, avoids impacting security researchers, and avoids impacting users. 

Microsoft’s efforts are often criticized as “ad hoc” or “whack-a-mole,” not just by these two authors, and questions are raised about the efficacy of those efforts. In some cases, there has been very decisive permanent disabling of infrastructure, such as the Rustock botnet matter. In other cases, some threat infrastructure remains over time, despite action. But the results cannot be viewed in a wholly binary manner. These matters impose significant cost on the defendants and, in some cases, greatly slow attempts to rebuild infrastructure, given that financial incentives are disrupted and defendants must seriously assess whether continued investment is worthwhile. Permanent takedown may not occur in all cases, but that should not diminish the very real positive impact where harm has been decreased, victims remediated, or risk reduced. As a result of botnet and other litigation undertaken by the Digital Crimes Unit, Microsoft and its customers experience actual sustained relief.

Conclusion

The complex web of challenges—the technical resilience of cybercrime infrastructure, the issues of sovereignty implicated by globally distributed infrastructure and threat actors, and the relatively ad hoc legal, practical, and technical governance of the global internet as it has developed—demands an international response, robust public-private partnership, and a reenvisioning of internet governance at its core.  

The first step in this reenvisioning is to scale the disruption model, deploying it in a much deeper and more widespread manner. In doing so, a true long-term cost-leveling between adversary and victim is quite possible. To truly protect all network-connected stakeholders—including individual end users, companies, and government actors—from systematic, global cybercrime, a multifaceted and holistic global set of tools, approaches, and policies is needed. Civil litigation and injunctive relief are some of these tools. Technology providers, victims, and courts should continue to use them. And this is precisely the very rationale and beneficial goal that the new U.S. National Cybersecurity Strategy advocates for and that the International Cybercrime Prevention Act is designed to advance, if passed.


Amy Hogan-Burney is a General Manager at Microsoft in the Cybersecurity Policy & Protection team, which includes the Digital Crimes Unit (DCU). Prior to leading CPP, Ms. Hogan-Burney led the DCU and the Privacy Compliance team during the implementation of the EU’s General Data Protection Regulation. She started her career at Microsoft managing the Law Enforcement and National Security team, ensuring Microsoft’s compliance with law enforcement and national security legal obligations.
Gabe Ramsey is a technology litigation partner at Crowell & Moring LLP. He focuses on cybercrime, intellectual property, and global enforcement of legal rights.

Subscribe to Lawfare