DDoS Threats Create Dangerous Legal Waters
Distributed denial-of-service attacks may reshape the way courts evaluate liability for network security breaches.
By William Cook
August 01, 2004 — CSO — Distributed denial-of-service (DDOS) attacks, in which a remotely controlled network of compromised computers is turned against another network or website to flood it until it can no longer serve legitimate traffic, continue to plague the Internet. In the past two years the Internet has experienced a 2,000 percent increase in worm-driven DDOS attacks. Some e-commerce websites have been completely shut down by the attacks and have reported as much as $250,000 in lost sales per half hour of downtime. But the damage doesn't stop there. A victimized company can also suffer significant reputational harm from being unable to conduct business with its customers.
However, the legal response to DDOS attacks has been mixed. In the U.S. legal system, civil liability can arise from contract law, tort law or regulation. If one party breaches its contractual obligations, the law provides a remedy to the aggrieved party. Contract law, however, often fails to cover damage to third parties. Suppose a hacker breaks into Company A's inadequately secured network and then uses that network to attack Company B. The attack against Company B disables its networks, causing it to fail to deliver promised services to its customers. Although Company B has no contractual relationship with Company A, can B sue A for losses?
From a tort standpoint, many legal scholars, major law firms and a National Research Council Committee assert that the downstream victim can bring a civil action for negligence against the operators of the upstream systems that were used as part of the DDOS attack. Reasoning that civil law intends to deter undesirable or wrongful conduct and to compensate those harmed by such conduct, legal theory posits that victims should be allowed to recover losses from negligent third parties if that negligence was the direct cause of the loss. In the Internet environment, negligent third parties may be the only source of loss recovery, since criminal law offers no compensation to the victim if the computer criminal cannot be identified. Furthermore, establishing a legal precedent that imposes civil damages on a third party proven to be negligent, such as a service provider whose systems were used in the attack, could motivate companies to invest the necessary resources in improving security.
In support of this idea is a 1932 decision in the case of T.J. Hooper v. Northern Barge Corp. In the case, two barges towed by two tugboats sank in a storm. The barge owners sued the tugboat owners, claiming negligence because the tugboats did not have radios aboard. The tugboat owners countered by noting that radios were not the industry norm at that time. Judge Learned Hand (the noted American jurist) found the tugboat owners liable for half the damages, even though the use of radios was not yet standard industry practice. He observed: "Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices.... Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission."
This case—along with the Verizon case discussed in a previous Flashpoint (read "A Foreseeable Future" at www.csoonline.com/printlinks)—shows that the meaning of "reasonable care" is never static and must constantly be reevaluated. Moreover, an industry's failure to develop a standard or to adapt the standard to changes in technology could lead courts to develop their own standard.
A company can avoid or reduce its liability exposure for DDOS attacks if it maintains a proactive IT staff, aggressively gathers information about developing DDOS techniques, and acts on what it learns, for example by closing the holes that worms use to recruit hosts into an attack network. This information can be obtained from advisories issued by the CERT Coordination Center, the U.S. Secret Service and the FBI.
From a due diligence perspective, a company's goal should be to be able to prove in court that it had a security plan and took appropriate security precautions. Conducting security audits using well-accepted principles of testing and analysis, and keeping the records those audits produce, will enable a company to document that it exercised its best business judgment, within its budget, to make its systems safe. Finally, because you cannot afford to be charged with participating in a DDOS attack that caused another company to lose millions or go under, consider offloading some of your risk to a cyberinsurance policy.
William Cook, a partner with Wildman, Harrold, Allen & Dixon based in Chicago, specializes in intellectual property litigation, business continuity and security. Cook is also president of InfraGard-Chicago and a founding member of the U.S. Secret Service Chicago Electronic Crimes Task Force.