Bots,cops, and corporations: on the limits of enforcement and the promise of polycentric regulation as a way to control large-scale cybercrime

Botnets currently pose the most serious threat to the digital ecosystem, providing an infrastructure that enables bank fraud, distributed denial of service attacks (DDoS), and click fraud. During the past few years, three main approaches have been used to fight botnets. First, police organizations have periodically arrested prominent hackers and scammers, hoping such high-profile operations would have a deterrent effect. Second, Microsoft has performed a number of takedowns, using an innovative blend of legal and technical means that attempt to disrupt botnet operations and reduce their profitability. Third, some countries – Japan, South Korea, Australia, the Netherlands, and Germany – encourage harm reduction strategies that rely on public-private partnerships involving internet service providers, anti-virus companies, and regulatory authorities. This article describes these three approaches (incapacitation, disruption, and harm reduction), the challenges they face, and their respective effectiveness in protecting the digital ecosystem from large-scale online harm.