Laws That May Apply to DDoS Attacks
On the criminal side, the primary federal law that applies to most DDoS-related attacks is the Computer Fraud and Abuse Act, or 18 U.S.C. §1030.[2]
An example of this law being applied to DoS attacks is the case of United States v. Dennis in the District of Alaska in 2001 [ws]. In 2001, a former computer systems administrator in Alaska pled guilty to one misdemeanor count for launching three e-mail based DoS attacks against a server at the U.S. District Court in New York. He was charged under 18 U.S.C. §1030(a)(5) with "interfering with a government-owned communications system."
Other DDoS-related attacks mentioned elsewhere in this book, such as the extortion attempts against online gambling sites and online business, may fall under 18 U.S.C. §1030(a)(7), which covers extortionate threats. Analysis of a Congressional Research Service report [fra] suggests such attacks may also violate
The act of breaking into hundreds or thousands of computers to install DDoS handlers and agents may violate 18 U.S.C. §1030(a)(3) (trespassing in a government computer). If a sniffer is used to obtain passwords as part of this activity, the attacker may have violated 18 U.S.C. §1030(a)(6) (trafficking in passwords for a government owned computer) or 18 U.S.C. §2510 (wiretap statute).
Even an attempt to violate any of the sections of 18 U.S.C. §1030 listed above is itself a violation of 18 U.S.C. §1030(b).
On the civil side, 18 U.S.C. §1030(g) creates a civil cause of action for violation of subsection (a)(5)(B), which includes any of the following:
Damages include only economic damages, and the civil action must be brought within two years of the act or when the damage was discovered.
Another civil action surrounding a DDoS attack against a business, which prevents customers from engaging in business with the victim and thus damages its business, would be "Tortious Interference with Business Relationship or Expectancy." To prove this, the plaintiff (the DDoS victim) would have to show several things, including such elements as knowledge of the business relationship between the victim and its customers, knowledge that the action (the DDoS attack) would disrupt this relationship, knowledge that the result would cause damage to the victim, proof that the defendant caused such disruption and damage, and proof that the victim has suffered a loss. (Here is where careful evidence collection and realistic incident cost estimation become very important.)
The Department of Justice Cybercrime Web site [fra] also lists these laws as applying to computer intrusion cases:
This is a representative, yet not exhaustive, list of laws that may apply. Readers are urged to consult with an attorney and local/federal law enforcement agencies in their jurisdiction in order to learn more about what legal options exist in the event of a DDoS attack, and how to prepare to exercise these options when and if a DDoS attack occurs. It is also important to understand your responsibilities and potential liabilities in the event that your own systems are taken over and used to attack someone else, in which case you may be the defendant, not the plaintiff, in a civil suit.
|
0 comments:
Post a Comment