
Public Private Cooperation: The Zeus Take Down Example

Microsoft took down a Zeus botnet recently. Within days it was publicly accosted by Fox-IT’s director Ronald Prins for obstructing ongoing investigations and having used Fox-IT’s data. This was followed by the accusation that Microsoft obstructs criminal proceedings by divulging the online aliases of digital undercover investigators, obtained after serving a court order for these e-mail addresses, and sharing them online.

On top of all this EU Commissioner Cecilia Malmström announced that cooperation between law enforcement and industry will be forged in the European Cyber Crime Centre as of 2013. Coincidences do not exist. Why?


When I heard about McColo first, the international spam fighting community of the London Action Plan met at eco in Wiesbaden, Germany. It was not during a presentation at the workshop, mind, no, it sort of syphoned through. Not one of the spam fighters present knew anything about it. This amazed me and also made me feel a little ashamed. How was this possible? Pretty soon the botnet was back online and serving the world its daily ration of spam.

Botnets are vulnerable

What McColo did show the world is that it’s possible to stop bots from spewing spam and malware; as with all things, it’s possible to go for the root and take it down, even if the owner(s) are sort of invincible for now.

Several botnets have been taken down since. Some by Microsoft, some by coordinated police actions. And now both sides are fighting it out in the press, fighting each other instead of focussing on the common enemy: the bots/botherders. But hey, there’s a lesson here, so stop overlooking it: both are successful!

Lessons from OPTA

In my years at OPTA, the Independent Post and Telecommunication Authority, as a spam fighter, I specialised in human relations. Why? We soon found out that a company we visited for its involvement in sending spam could also be the subject of other investigations. So we always checked with colleague organisations. At first they didn’t really know who we were, but after a while it became standard practice. Even better, it led to a regular informal meeting on cyber crime of most Dutch organisations involved with online enforcement, which I had the honour to chair for several years. At present, I’ve been told, relations are even more formal, copying the ISAC model of information sharing. The best lesson learned here was that openness comes from both sides, not just one. Let’s keep this thought in mind.

Lessons from Microsoft and Fox-IT

What seems clear to me is that a company like Microsoft has tremendous resources that outdo those of most national police organisations. These investigative resources should not be lost due to a seemingly badly coordinated, though unintentional, action. If the clamour shows something, it is that both sides need to be more open to each other and learn to use their respective strengths and avoid their weaknesses.

It is not without a good reason that in some countries it is possible to go for private actions in court against spammers and worse. This needs investigation, evidence and resources. Microsoft uses this possibility to go after the biggest spammers.

Unfortunately, an uncoordinated civil (class) action can intrude on or even disrupt criminal or administrative investigations that took months or even years of preparation, leading to the loss of evidence, the warning of criminals and even news reports like the ones at the base of this article. Reports damaging reputations on all sides, whether just or not. While both go for the same target. This solution seems sub-optimal to me. But where can the two meet in a trusted space?

The EU Cyber Crime Centre: trust and coordination

If the European Cyber Crime Centre is to act strongly where cooperation is concerned, it is to make sure that actions and investigations are well coordinated. It has to start with building an environment of trust. Also with industry.

If public and private organisations learn to trust each other and from there to coordinate, they can actually choose which way forward would be the most effective. This means that the EU Centre not only has to coordinate with industry, but that it becomes the centre stage of coordination for all investigations on the Internet. Not only for police, but also for spam, malware, privacy and fraud investigations. The question lying at the top of prioritising should be: who in which country is best equipped to gather evidence? That would truly lead to effective actions.

The EU has a chance to reach this level of effectiveness and so has the US. Will they grab it?

If the world learns to use the powers, knowledge and strengths available, Mrs. Malmström’s claim “being among friends and colleagues in this room today I’m hopeful we will win this battle” may well come true. It will take effort, courage and will though.

By Wout de Natris, Consultant internet governance
