Cyber Defence Library

Conficker: Considerations in Law and Legal Policy

Conficker: Considerations in Law and Legal Policy

While the present paper will give a short synopsis of the known facts about the spread and characteristics of Conficker, it will not explore the technical details of the infection and propagation of Conficker in depth, neither will it analyse all the countermeasures used. There is excellent research available about the Conficker malware, which we recommend to those interested in a closer acquaintance with the subject; also, the Conficker Working Group, as well as some of its individual parties, has documented the mitigation effort in detail. A list of recommended reading can be found at the end of this paper.

The focuses of this paper are the legal and legal policy implications related to the creation, distribution and operation of the Conficker malware, as well as the legal implications related to the technical, procedural and organisational mitigation measures taken in response to the incident. Given the persisting uncertainty about the identity and intent of the author of Conficker, as well as the global spread of the malware and the fact that incident response involved a number of bodies in more than a hundred countries, it is inevitable that, instead of a comprehensive legal analysis, a choice needs to be made about the issues that a paper like this can tackle. Also, there is too little factual information available to offer definite legal assessments. However, some issues raised by Conficker either appear as novel developments in cyber security, or verify a trend of a presence of legal obstacles in responding to large-scale cyber incidents. For this reason, this paper focuses on three main topics: the preparedness of substantive criminal law to address sophisticated and large-scale cyber attacks, the registration of domain names as a method of cyber defence, and private and public sector collaboration.