Dangerous Waters
Distributed denial-of-service attacks may reshape the way courts evaluate liability for network security breaches.
BY WILLIAM COOK
Distributed denial-of-service (DDOS) attacks—the creation of a hostile computer network used to remotely shut down another network or website—continue to plague the Internet. In the past two years the Internet has experienced a 2,000 percent increase in worm-driven DDOS attacks. Some e-commerce websites have been completely shut down by the attacks and have reported as much as $250,000 in lost sales per half hour that they were down. But the damage doesn't stop there. The users of a victimized system can also suffer significant reputational loss from being unable to conduct business.
However, the legal response to DDOS attacks has been mixed. In the U.S. legal system, civil liability can arise from contract law, tort law or regulation. If one party breaches its contractual obligations, the law provides a remedy to the aggrieved party. Contract law, however, often fails to cover damage to third parties. Suppose a hacker breaks into Company A's inadequately secured network and then uses that network to attack Company B. The attack against Company B disables its networks, causing it to fail to deliver promised services to its customers. Although Company B has no contractual relationship with Company A, can B sue A for losses?
From a tort standpoint, many legal scholars, major law firms and a National Research Council Committee assert that the downstream victim can bring civil action for negligence against the upstream systems that were used as part of the DDOS attack. Reasoning that civil law intends to deter undesirable or wrongful conduct and to compensate those harmed by such conduct, legal theory posits that victims should be allowed to recover losses from third parties that were negligent if that negligence was the direct cause of the loss. In the Internet environment, negligent third parties may be the only source of loss recovery, since criminal law offers no compensation to the victim if the computer criminal cannot be identified. Furthermore, establishing the legal precedent to impose civil damages on a third party, such as a service provider that is proven to be negligent, could motivate companies to invest the necessary resources in improving security.