Is There Legal Retribution for Denial-of-Service Attacks?
With online commerce exploding, opportunities for computer crime and related damage also increase. Recently, several giant e-commerce sites reported attacks that made their Web sites inaccessible. All spend a significant amount of money on security. People are asking what went wrong and whether there are laws to protect against such attacks.
These distributed denial-of-service (DDoS) attacks occurred when hackers broke into hundreds of other people's computers and used those machines, without their owners' knowledge, to bombard the target sites with floods of traffic over the Internet.
This resulted in service interruptions and lost revenues for the target sites, not to mention a blow to consumer and business confidence in online business.
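The pattern described above, shown as an added example that is not part of the original article: a short Python script reads a constructed connection log and tells a distributed flood (many unrelated sources hitting one server in the same minute) apart from a flood sent by a single machine. The log format, the addresses and the two thresholds are assumptions made for the example, not anything reported about the actual attacks.

```python
"""Flag a distributed flood in a constructed connection log.

At the victim, the attacks described above appear as a burst of traffic
from many unrelated source addresses rather than from one host. Counting,
per destination and per minute, both the request rate and the number of
distinct sources separates the two cases.
"""
import re
from collections import defaultdict

# Assumed log format (not from the article): ISO timestamp, source, destination, port.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+$"
)

# Thresholds are assumptions for the example; tune them to the site's baseline.
RATE_THRESHOLD = 30      # requests per minute to one destination
DISTINCT_THRESHOLD = 10  # distinct sources needed to call a flood "distributed"


def build_sample_log():
    """Constructed sample: a normal minute, a single-source flood, a distributed flood."""
    lines = []
    # 10:15 - normal traffic: five ordinary clients, one request each
    for i in range(5):
        lines.append(f"2000-02-07T10:15:{i:02d}Z src=198.51.100.{i + 1} dst=203.0.113.10 dport=80")
    # 10:16 - one machine sends 40 requests (a plain denial of service)
    for i in range(40):
        lines.append(f"2000-02-07T10:16:{i:02d}Z src=192.0.2.99 dst=203.0.113.10 dport=80")
    # 10:17 - twelve compromised hosts send 60 requests between them (distributed)
    for i in range(60):
        lines.append(f"2000-02-07T10:17:{i:02d}Z src=10.0.{i % 12}.5 dst=203.0.113.10 dport=80")
    return "\n".join(lines)


def parse_line(line):
    """Return (minute, src, dst) for a well-formed line, or None to skip it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("minute"), m.group("src"), m.group("dst")


def aggregate(log_text):
    """Count requests and collect distinct sources per (minute, destination)."""
    windows = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than aborting the run
        minute, src, dst = parsed
        window = windows[(minute, dst)]
        window["count"] += 1
        window["sources"].add(src)
    return windows


def classify(log_text, rate_threshold=RATE_THRESHOLD, distinct_threshold=DISTINCT_THRESHOLD):
    """Label each (minute, destination) window; returns {key: (label, count, distinct)}."""
    report = {}
    for key, window in sorted(aggregate(log_text).items()):
        distinct = len(window["sources"])
        if window["count"] >= rate_threshold and distinct >= distinct_threshold:
            label = "distributed flood"
        elif window["count"] >= rate_threshold:
            label = "single-source flood"
        else:
            label = "normal"
        report[key] = (label, window["count"], distinct)
    return report


if __name__ == "__main__":
    for (minute, dst), (label, count, distinct) in classify(build_sample_log()).items():
        print(f"{minute} -> {dst}: {label} ({count} requests from {distinct} sources)")
```

Two caveats a practitioner would add. First, the distinct-source count is only as trustworthy as the source addresses in the log; flood tools commonly forge them, so a single machine can look like many, and a high count should be read as "not blockable by one address" rather than as a precise tally of compromised hosts. Second, the script says nothing about who owns those hosts or who commands them, which is exactly the investigative gap the article discusses below.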
Federal and State Law
Numerous federal and state laws apply to hackers. Computer crime statutes prohibit the unauthorized access and use of a computer. They also prohibit the unlawful denial of another person's access to a computer -- such as the situation that resulted from the DDoS attacks. Laws also make it illegal to use a computer to commit crimes.
For example, the federal Computer Fraud and Abuse Act prohibits unauthorized access to computers and networks. It also can be used to prosecute someone who transmits information, software or a command intentionally to cause damage.
The CFAA has been applied in cases involving the Melissa virus author, as well as the notorious hacker, Kevin Mitnick. The criminal penalties vary with the offense and with whether the defendant has a prior conviction; they include fines and prison terms whose statutory maximum reaches 20 years, with the longest terms reserved for repeat offenders and the most serious offenses. The act also provides for restitution and for a civil action to compensate the victim.
Many states have passed laws prohibiting the fraudulent use of computers to obtain money, services or property. This includes situations in which a person uses a computer or computer network without authorization and with the intent to harm another person.
Florida was the first state to enact a computer crime statute. State law makes it a crime to interfere with or deny another person's access to a computer. If the act is intended to defraud or obtain property of any kind, the offender is guilty of a felony. Other state laws that usually apply in the offline world, such as trespassing and fraud, also may apply.
Investigations and Enforcement
For most small businesses, pursuing civil remedies against hackers will be cost-prohibitive and unsuccessful. The law relating to computer security breaches and damages is still developing and varies in different states and countries.
U.S. Attorney General Janet Reno has said the FBI would investigate the DDoS matters. "We are committed in every way possible to tracking down those who are responsible," she said. Because e-commerce crosses state lines, interference with it falls within federal jurisdiction, which is what gives the FBI authority to move forward.
The FBI's involvement is critical. The Internet is global and decentralized, which makes it easy for attackers to cover their tracks.
From a practical perspective, it is extremely difficult to locate a hacker. Even with forensic computer techniques, tracking down Internet criminals requires an unusual amount of cooperation among Internet service providers, businesses, security experts, governments and law enforcement agencies.
Moreover, the attackers may not be in the United States. If the FBI finds that the attacker is in another country, convincing that country either to extradite the hacker or to enforce a judgment against the defendant there raises other complex international legal issues.
Prevention and Deterrence
The exchange and storage of information over the Internet is generally insecure. Security is a major issue that requires both technological solutions and legal responses from all levels of online business.
Although progress has been made, break-ins of different forms will continue to arise. Some hackers will steal money and information, and others simply will act maliciously.
Prevention is important. Generally, technical problems require technical solutions. In addition, for most online businesses, a good legal audit will include a review of Web site hosting agreements and software. Pay particular attention to warranty provisions and limitations on liability.
Companies probably have a duty to act reasonably and with at least the standard of care accepted by similarly situated companies in the industry. Talk to Web hosting companies and security consultants, and discuss options such as firewalls and more advanced solutions. Keep in mind that a firewall at the target cannot absorb a flood that saturates the site's upstream connection; defending against attacks of the kind described here also depends on the cooperation of upstream providers and on the owners of other connected computers keeping those machines from being broken into and turned against someone else.
Most Web sites also should have a policy that clearly states the conditions for visitors to access and use the Web site. If a visitor violates that policy, access rights should terminate immediately. Money damages may not be sufficient, and a court order enjoining the acts might be the best remedy. Furthermore, let visitors know the degree of security provided on the site, and address limitations of liability for interruptions of service.
Developing Law and Technology
In the final analysis, security breaches such as those experienced recently cost companies millions in lost revenues. These costs are incurred even when the breach results in only interrupted service and not theft of credit card or customer data. Highly publicized security problems also lower confidence in e-business solutions.
The doomsayers are convinced the DDoS attacks prove that even giant e-commerce sites are weak on security and that e-commerce must be doomed to fail. However, the irony is that the DDoS problems were not at the target sites. The problems resulted from intrusions into other computer systems, which were accessed through the Internet and used in the attacks.
The Internet's beauty and its curse is its interconnected design. All businesses connected to the Internet, big and small, need to address security and take preventive actions.
Laws related to online security must be developed quickly and need to be enforced. For this reason, the FBI's investigation of the recent DDoS attacks is a crucial response in the new Internet economy.
The enforcement of criminal laws, along with the development of new legal and technical initiatives, can deter destructive online attacks. Companies often cannot stay steps ahead of skilled hackers. The challenge is to keep technology and the law at least close on their heels.