Opinion
DDoS Threats Create Dangerous Legal Waters
Distributed denial-of-service attacks may reshape the way courts evaluate liability for network security breaches.
By William Cook
August 01, 2004 — CSO — Distributed denial-of-service (DDoS) attacks—the creation of a hostile computer network used to remotely shut down another network or website—continue to plague the Internet. In the past two years the Internet has experienced a 2,000 percent increase in worm-driven DDoS attacks. Some e-commerce websites have been completely shut down by the attacks and have reported as much as $250,000 in lost sales per half hour that they were down. But the damage doesn't stop there. The users of a victimized system can also suffer significant reputational loss from being unable to conduct business.
However, the legal response to DDoS attacks has been mixed. In the U.S. legal system, civil liability can arise from contract law, tort law or regulation. If one party breaches its contractual obligations, the law provides a remedy to the aggrieved party. Contract law, however, often fails to cover damage to third parties. Suppose a hacker breaks into Company A's inadequately secured network and then uses that network to attack Company B. The attack against Company B disables its networks, causing it to fail to deliver promised services to its customers. Although Company B has no contractual relationship with Company A, can B sue A for its losses?
From a tort standpoint, many legal scholars, major law firms and a National Research Council committee assert that the downstream victim can bring a civil action for negligence against the operators of the upstream systems that were used as part of the DDoS attack. Reasoning that civil law intends to deter undesirable or wrongful conduct and to compensate those harmed by such conduct, legal theory posits that victims should be allowed to recover losses from third parties that were negligent if that negligence was the direct cause of the loss. In the Internet environment, negligent third parties may be the only source of loss recovery, since criminal law offers no compensation to the victim if the computer criminal cannot be identified. Furthermore, establishing the legal precedent to impose civil damages on a third party, such as a service provider that is proven to be negligent, could motivate companies to invest the necessary resources in improving security.
In support of this idea is a 1932 decision in the case of T.J. Hooper v. Northern Barge Corp. In the case, two barges towed by two tugboats sank in a storm. The barge owners sued the tugboat owners, claiming negligence because the tugboats did not have radios aboard. The tugboat owners countered by noting that radios were not the industry norm at that time. Judge Learned Hand (the noted American jurist) found the tugboat owners liable for half the damages, even though the use of radios was not yet standard industry practice. He observed: "Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices.... Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission."