8.9. Domestic Legal Issues

Let us now revisit the earlier attack scenario, only this time it is a much larger attack. Our attacker now breaks into 100,000 computers and builds a series of large bot networks. The attacker now goes after a site that receives on the order of $1 million per day in advertising revenue. The attacker has taken her time and knows the available bandwidth to the victim site, and understands the network topology and response capabilities of the victim's upstream providers. She uses only sufficient numbers of DDoS agents at a time to take the site down, assuming it will be cleaned up over time by incident response teams and the attack capacity of the botnet will decrease over time. She brings in new attack networks at just the right time to keep the pain at a sufficiently high level. Using this tactic, the attacker can keep the attack going for more than a week.

Legal counsel for any victim should consider the following issues when determining what advice and which course of action to take after an attack:

• Negligence on the victim's part. Consider whether there was negligence on the part of your client. Some issues to address are: (1) what precautions did the victim take prior to the attack to prepare for the possibility of an attack; (2) did the victim do an adequate risk assessment and balance defenses with insurance coverage to mitigate financial risk; (3) how did the victim respond to the attack once it was aware of the attack; and (4) was the response justifiable morally, ethically, and legally?

  Addressing the preceding issues is important because it is likely that your client/victim may be called to account to shareholders, customers, subcontractors, or any others who may be financially harmed as a result of an inadequate or a legally questionable response by the victim.

  The main message here is that counsel and client should perform an adequate risk assessment that addresses the prevention, detection, and reaction elements of information assurance.

• Criminal culpability. Consider whether your client/victim is able to identify a suspect in the attack, either through communications by the attacker that reveal an identity, involve a consistent communication method that can be traced back to the attacker, or through the legal discovery or investigative processes. It is best to provide this information to federal law enforcement as soon as possible to allow them an opportunity to investigate.

  Where a suspect cannot readily be identified by the victim, the possibility of investigation still exists. However, if the attacker has taken advanced measures to cover her tracks and thereby remain anonymous, the possibility of a successful prosecution becomes much more difficult, if not impossible.

  Either way, as mentioned in Section 8.7 regarding losses in criminal prosecutions, sufficient economic injury to the victim must be shown in order to meet the statutory limits required to pursue prosecution. Thus, it is important that any victim thoroughly assesses and collects evidence of the harm caused by an attacker.

• Liability. There are two primary types of liability that could apply in DDoS attacks. There is direct or "attacker" liability for the harm caused by an attacker, and indirect, or "downstream" liability, for the harm caused by those sites whose systems are compromised and used for an attack.

In an attacker liability suit, the person or persons responsible for the attack are sued. However, in a downstream liability suit, the plaintiff would be trying to prove negligence on the part of the owner of computers that were compromised and used to launch an attack against a third party. As previously mentioned, proving negligence involves showing, by a preponderance of the evidence, that four factors exist:

The key here is establishing a duty of care which is judged using a "reasonable person" standard (i.e., what would a reasonable person do to secure her computer, and did the defendant fail to do at least the same?). In other words, negligence cannot exist where there is no preexisting duty, or where a duty cannot be established.

Laws that establish some form of requirement for computer security include the Gramm-Leach-Bliley Act [Ele], which suggests a number of security measures that banks, credit unions, and other financial institutions should implement to protect their computer databases (and institutes civil and criminal penalties for businesspeople who do not adequately protect personal or financial information from compromise due to computer intrusions).

In the health care field, there is the Health Insurance Portability and Accountability Act (HIPAA) of 1996 [hip], which holds system administrators, information security officers, and administrators financially liable for disclosure of health-related information that could result from a computer intrusion.

It is important to note that liability cases are usually brought in local courts. Thus, trial venue may become another important factor that comes into play (e.g., where did the "damage" actually occur?).