防不勝防的殭屍網絡 Where cyber space meets the Wild West

Four months ago Microsoft scored a cyber coup. Its digital sleuths identified a “botnet”, or fake server, that had installed malware on computers worldwide, and then it worked with the Federal Bureau of Investigation and others to shut it down. To their alarm they discovered that no fewer than 12m — yes 12m — PCs were infected, according to Tom Burt, the company’s deputy general counsel.

4個月前，微軟(Microsoft)在網絡世界取得了一次成功。該公司的數字化偵察器發現了一個在世界各地許多計算機中安插了惡意軟件的“殭屍網絡”（也就是假服務器），隨後與美國聯邦調查局(FBI)及其他方面合作關閉了該網絡。微軟副總法律顧問湯姆•伯特(Tom Burt)稱，讓他們擔心的是，他們發現有至少1200萬臺——沒錯，就是1200萬——個人電腦已被感染。

If you are tempted to shout “hooray”, that is understandable. After all, botnets pose a particularly pernicious threat since they are fiendishly hard to find. And cyber attacks in general are increasing explosively, costing global businesses $400bn a year, according to data from Microsoft.

如果你不禁大聲叫好，是可以理解的。畢竟，因爲“殭屍網絡”極其難以被發現，它們構成了極其可怕的威脅。微軟數據還顯示，總體來看，網絡攻擊數量呈爆炸式增長，每年對全球企業造成4000億美元的損失。

There is a catch, though. Microsoft and the FBI now hope to bring the cyber hackers who created that botnet to court. But since this botnet was not entirely run from US soil — and those 12m infected computers sit everywhere around the world, from China and India to Chile and the US — the saga could be about to plunge into a legal grey zone.

然而，有一個難題。微軟和FBI現在希望將創建這個“殭屍網絡”的網絡黑客訴諸公堂。但是，由於這個“殭屍網絡”並不完全在美國境內運行，同時那1200萬臺被病毒感染的電腦分散在從中國、印度到智利和美國的世界各地，這件奇功接下來可能會陷入法律灰色地帶。

“Think of a situation where you have a botnet in Singapore run by hackers in Bulgaria who cause damage to somebody in America,” Mr Burt told a Financial Times conference in Washington this week. “Who has jurisdiction? What laws are used?” Nobody knows. In cyber space, as in the global financial system a decade ago, a plethora of criminal activity is in danger of falling between the cracks because national rules are ill suited to a fast-moving digital world.

“試想這樣一個情境——保加利亞的黑客在新加坡運營的‘殭屍網絡’對美國某個人造成了損害，”伯特不久前在英國《金融時報》於華盛頓舉辦的一場會議上稱，“誰擁有司法管轄權？適用哪國法律？”沒人知道。在網絡空間，就像10年前的全球金融體系一樣，非常多的犯罪活動都可能會逃脫制裁，因爲各國法律沒跟上快速發展的數字化世界。

Investors and politicians around the world should take note — and worry. Deeply. In the past couple of years, western governments and businesses have made considerable strides in building defences against cyber crime. This week in Washington, for example, the Department of Homeland Security is launching an “automated information-sharing” program for utility companies. The aim is to ensure that, “when adversaries try something” against one US utility company, everyone else is alerted, according to Suzanne Spaulding, an undersecretary at the department.

世界各地的投資者和政界人士應該留意，併爲此感到擔憂——嚴重擔憂。過去幾年，西方政府和企業在構建網絡犯罪防禦網方面取得了長足的進展。例如，不久前在華盛頓，美國國土安全部(DHS)爲公用事業企業啓動了一項“信息自動分享”計劃。DHS副部長蘇珊娜•斯波爾丁(Suzanne Spaulding)稱，該計劃的目的是確保當有人對一家美國公用事業企業圖謀不軌時，每個人都會收到警報。

In truth, such information-sharing is still imperfect. John Carlin, assistant attorney-general for national security, admits “the vast majority of companies do not report small intrusions” to each other. But the situation is better than four years ago, when suspicion between business and the security establishment reached such depths that the US Chamber of Commerce dragged its feet about setting up mandatory information-sharing programs. And the fact that nobody has yet conducted a successful hack on a US utility, say, is one reason for comfort.

事實上，這類信息分享計劃仍不完善。美國司法部負責國家安全事務的副部長約翰•卡林(John Carlin)承認，“絕大多數企業並不相互通報自己受到的小規模入侵”。但是如今的情況要好於4年前，當時企業和安全機構相互抱有極深的戒心，以至於美國商會(US Chamber of Commerce)在建立強制信息分享計劃時也拖拖拉拉。目前還沒有任何針對比如一家美國公用事業企業的黑客攻擊得手過，這是值得欣慰的地方。

But, as business and government strengthen their defences, the big missing piece of this campaign is punishment. As any parent or regulator knows, it is hard to deter wrongdoing without a system for imposing discipline. And, right now, remarkably few cyber criminals have been brought to trial relative to the scale of the current $400bn heist.

但是，隨着企業和政府加強防禦，這一行動一大塊缺失的部分也凸顯了出來，那就是：懲罰。正如任何父母或監管機構都知道的那樣，沒有一個強制施加管教的機制，就很難阻止不當行爲。相比現在每年4000億美元的損失規模，目前被告上法庭的網絡罪犯數量少之又少。

That partly reflects the difficulty of identifying and apprehending perpetrators, particularly in places such as Russia and China. The other big problem is the one faced by Microsoft: the legal framework across borders is a mess.

這部分反映出確認犯罪者身份和施加逮捕的難度，特別是在俄羅斯和中國等地區。另外一個大麻煩是微軟面對的問題：跨國法律框架一片混亂。

In a rational world, this would suggest a multilateral body, such as the UN, urgently needs to create some common laws or at least promote more mutual recognition. In the real world, sensible collaboration is hard to organise now; indeed, events such as the Edward Snowden affair — where revelations by a former US National Security Agency contractor about the extent of American internet surveillance fuelled transatlantic rows over privacy — are making this debate even harder. “Walls are going up,” says Mr Burt.

在理性的世界中，這意味着一家多邊機構（比如聯合國）迫切需要制定一些通用法律，或者推動各國加強法律互認。而在現實世界裏，理性的合作眼下很難組織起來；事實上，愛德華•斯諾登(Edward Snowden)等事件正使得相關討論更加難以進行。斯諾登是前美國國家安全局(NSA)合同工，他關於美國互聯網監視強度的爆料，引發歐美關於隱私問題的爭執。“高牆正在豎起，”伯特稱。

So in the interim, US officials are using whatever homegrown tools they have. Mr Carlin, for example, says Washington security officials recently managed to extradite from Malaysia a suspected hacker who had created a cyber attack against a US retailer that spearheaded a bigger Islamist plot.

因此，在現階段，美國官員正在利用一切本土手段。例如，卡林稱，華盛頓方面的安全官員最近成功從馬來西亞引渡了一名黑客嫌疑犯，此人對美國一家零售商發動了一場網絡攻擊，爲一個更大的伊斯蘭主義陰謀做先期準備。

But strong-arm US legal action is not an effective long-term solution; not least because such unilateral measures risk sparking a backlash. And many western companies are in effect stuck: they can build defences against cyber crime but cannot effectively retaliate.

但是，美國強硬的法律行動從長期來看並非有效的解決方案；尤其是因爲此類單邊措施可能會引發反作用。很多西方企業實際上都被困住：它們可以構建針對網絡犯罪的防禦網，但是無法有效反擊。

So when people describe cyber space as the new Wild West, they are only half correct. This is a place where baddies have an endless supply of cheap guns but ordinary citizens have only barricades. This looks unlikely to change soon — unless and until companies such as Microsoft find a way to put those botnet creators behind bars. That would be an even more remarkable coup.

所以，當人們把網絡空間形容爲新的“狂野西部”(Wild West)時，他們只說對了一半。網絡空間是這樣一個地方：壞人有源源不斷的廉價槍支供應，而普通公民只有防禦工事。這種狀況似乎不太可能很快改變——除非微軟等企業找到將“殭屍網絡”的創建者繩之以法的辦法。那將是一次更引人矚目的成功。