Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown

Earlier, we posted about our operation on the Kelihos.B/Hlux.B botnet takedown that was conducted with by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project. On initial view, the operation seems very clear cut: the bad guys are running a botnet that is doing havoc on the Internet; on the other side, are the good guys that have found a way to disable the botnet.

The situation is much more nuanced. The Honeynet Project has been conducting security research for over a decade now and since our early days, we made it a priority to balance benefit and risks in our research. You can trace this back to when the Honeynet Project first defined "data control" as one of the requirements for honeynet/honeypot deployments. The purpose of data control was to minimize potential harm to others resulting from honeypots, which by their nature are vulnerable systems we expect to be compromised and used by malicious actors.

We do what we do because people with malicious and criminal intent are compromising and abusing millions of computers around the globe. These people do not act in ways that are moral, ethical, or legal. But in trying to counter them, we cannot allow ourselves to similarly disregard our moral, ethical, or legal obligations. If we do, we become no different than them.

We believe that pushing the boundaries in the computer security field and engaging in cutting edge research brings with it a responsibility to act in an ethical manner. Risks may emerge from botnet takedowns and the Kelihos botnet takedown operation is no different. What are the benefits? What are the risks? How do they balance each other? Do our actions jeopardize legal investigations? These are all questions that need to be considered and the outcome will determine how to proceed. In the situation of the Kelihos botnet, the determination was to proceed with the botnet takedown (see below for a detailed assessment.) In other situations, the determination and plan of action may be different. In the instance of Zeus, for instance, legal action may be necessary.

The Honeynet Project is committed to conducting research in a model, ethical, and legal way. Weighing risk/benefits – an important aspect to conduct research in such a way - is what every researcher implicitly does. However, the risk of not considering all aspects of the research exists. As a result, the Honeynet Project, under the leadership of our Chief Ethics and Legal Officer Dave Dittrich, has developed a code of conduct that guides researchers through the process in a systematic manner.

Today, we are publishing a draft of this code of conduct. We hope you find the code of conduct useful and are looking forward to your thoughts and comments.