Of 'Zombie' Computers and DDoS Attacks: The Security Liability

By on

Two years ago, Internet security in the United States changed dramatically when Amazon.com, CNN, Yahoo, E*TRADE, ZDNet and others fell victim to what has come to be known as a distributed denial-of-service (DDoS) attack.

While DDoS attacks can be found as far back as 1998, it was not until these sites were brought down through the use of distributed computing that the media focused on such attacks. No longer were the attackers few in number and relatively easy to trace.

A DDoS attack occurs when a targeted system is flooded with traffic by hundreds or even thousands of coordinated computer systems simultaneously. These attacking computer systems are surreptitiously 'commandeered' by a single source well in advance of the actual attack. Through the use of a well-placed trojan program that awaits further commands from the originating computer, the attacking computer is turned into what is commonly referred to as a 'zombie.'

These zombie computers are then coordinated in an assault against a single or multiple targets. Zombie computers, such as home computers using cable modems, are typically targeted and utilized because of their lax security. While a DDoS attack has two victims, the attacking zombie computer and the ultimate target, it is the latter of these two that suffers the most damage. Not only has the security and performance of the victim's computer system been compromised, but economic damage can run into the millions.

Does the attack by a zombie computer system because of lax security create liability on the part of the zombie system's owner? To answer this, an analysis of negligence and the duty that attaches upon connection to the Internet is warranted.

This analysis applies to U.S.-based firms and U.S. case law, but there are certainly liability concerns in the international arena. Obviously DDoS attacks can happen anywhere to anyone, and each country will have varying degrees of risk associated with them. The best advice is for organizations outside the United States to consult with legal counsel on the extent of their liability. Although in many cases these issues have yet to be addressed, it is always better to err on the side of caution when it comes to information security and liability. The following can serve as a good basis for questions regarding this subject.

There is a universal caveat in U.S. tort law that states that whenever you are out of a familiar element, a reasonable and prudent person becomes even more cautious. The Internet fits the profile of an unfamiliar element in every sense of the word, be it transactional, jurisdictional or legal. There is no clear, concise standard for the Internet as it applies to business transactions, political borders, or legal jurisdictions and standards. Therefore, every computer user, service provider, and business entity on the Internet should exercise extra caution in his or her travels across the Net.

But beyond such a general duty to be extra cautious, is there more expected of the Internet community? Specifically, is there a duty to others online? Information security is a dynamic field, and in today's business and legal environments the demands for confidentiality, integrity, and availability of computer data are increasing at fantastic rates. But at what level is information security sufficient?

The Duty Requirement

For years information security legal professionals in the United States have looked to a case that involved a tugboat caught up in a tremendous storm that was subsequently involved in an accident that resulted in the loss of property. Naturally, a lawsuit resulted, and the captain was found guilty of negligence for failing to use a device that was not industry standard at the time, but was available nonetheless - a two-way radio. The court succinctly stated, "There are precautions so imperative that even their universal disregard will not excuse their omission." In essence, the court stated that despite what the industry might be doing, or more precisely failing to do, there are certain precautions we must implement to avoid disaster and liability. What the courts look to is what the reasonable and prudent person (or corporation) might do in such unfamiliar territory.

Because information security is so dynamic, instead of trying to define a universal standard of what to do, the more practical method would be to attempt to define what rises to the standard of negligence. Here in the United States, negligence has developed into a legal standard of three elements: First, there must be some duty owed between the plaintiff and the defendant; second, there must be a breach of that duty by the defendant; and third, the breach of duty is a proximate cause of damages that result. Therefore, one must first address whether there is a duty between the victim of a DDoS attack and the zombie computer in such an attack.

It is important to remember that the theory of negligence does not make us insurers of all around us, but rather that we act as a reasonable and prudent person would in the same circumstances. As in the physical world, we owe a duty to 'do no harm' to those around us. While the ultimate determination of 'duty' lies properly within the discretion of the courts as a matter of law, there are a number of 'duties' that have been routinely recognized by the courts.

Perhaps the duty from which we can draw the greatest inference is the duty of a landowner to maintain his land. This general duty of maintenance, which is owed to tenants and patrons, has been held to include 'the duty to take reasonable steps to secure common areas against foreseeable criminal acts of third parties that are likely to occur in the absence of such precautionary measures.'

This means a shop owner in a high-crime area owes a greater duty of security and safety to those who come to his shop, because criminal action is more likely and reasonably foreseeable. Therefore a computer system tied to the Internet owes a duty of security to others tied to the Internet because of the reasonably foreseeable criminal actions of others.

Statistics that bolster the claim that computer crime is a reasonably foreseeable event include a study by the Computer Security Institute and the San Francisco Federal Bureau of Investigation Computer Intrusion Squad, compiled in March 2001. In their study, 85 percent of respondents detected computer security breaches within the previous twelve months; 38 percent detected DDoS attacks in 2001 versus 27 percent for 2000; and 95 percent of those surveyed detected computer viruses.

With the increasing numbers of viruses, trojan horses, security breaches, and the extensive media attention given them, computer crime on the Internet almost passes beyond 'reasonably foreseeable' to 'expected.' In a 1999 Texas case, the court held that the element of 'foreseeability' would require only that the general danger, not the exact sequence of events that the produced the harm, be foreseeable.

The court went further to identify specific factors in considering 'foreseeability' to include: (1) the proximity of other crimes; (2) the recency and frequency of other crimes; (3) the similarity of other crimes; and (4) the publicity of other crimes. While this is not a ubiquitous checklist to be used as a universal standard, it does give a good reference point with which to measure whether a computer crime could be reasonably expected and foreseeable. Of course, in cyberspace, there are no physical land, tenants or licensees. However, there is still a duty to secure systems against unauthorized use, whether mandated by law or by commonsense. Because of the public nature of the recent DDoS attacks, we now have a better understanding of the interconnected nature of the Internet and the ramifications of poor security.

The Standard of Care

The requirement of a duty has been established, but in the context of information security, what rises to the level of a breach of such a duty? Assuming that a duty is found, a plaintiff must establish that a defendant's acts or omissions violated the applicable standard of care. We must then ask, 'What is the standard of care?' According to a 1971 case from the Fifth Circuit in U.S. federal court, when a practice becomes so well defined within an industry that a reasonable person is charged with knowing that is the way it is done, a standard has been established.

While information security is an industry unto itself, its standards vary widely. While both a chicken processing plant and a nuclear processing plant use information security, the risks are of two extremes. To further skew our ability to arrive at a common standard in the U.S., the courts have held that evidence of accepted customs and practices of a trade or industry does not conclusively establish the legal standard of care.

So if we are unable to arrive at a uniform standard of care for information security in general, what do we look to? Whether to implement a security measure may be weighed, in light of economical and social considerations, against the gravity and risk of harm. This works to establish the standard of care. If the defendant failed to meet this standard of care, then the duty to the plaintiff has been breached.

Over the past two decades, however, courts in the United States have been allowing for the recovery of purely economic losses. While the computer and Internet are not physically dangerous machines capable of causing physical damage, they can produce far-reaching economic damage. This is especially true as more and more of our infrastructure and financial systems are controlled by computer and attached to the Internet. Hence, we arrive at the ability to have damages as the result of action by a computer.

Proximate Cause

The final question is whether the action or inaction by the defendant to secure his computer systems is a proximate cause of the damages suffered by the plaintiff as the result of a DDoS attack by a third party. In other words, if the DDoS attack would not have occurred without the defendant's conduct, it is not a cause-in-fact. Of course, in any DDoS there are a multitude of other parties who also contributed to the attack by their failure to adequately secure their systems from becoming zombies. But this does nothing to suppress the liability of the single defendant. It merely makes other suitable parties alternatively liable. If a computer system was part of a zombie attack, it is a potential party and must prove otherwise that its computer security measures met the standard of care and due diligence required to avoid such a breach.

Finally, we must look to the totality of circumstances in any attack to determine liability. Naturally, the ultimate responsibility lies at the feet of the instigator of the attack. It is imperative these nefarious and illegitimate users of computer resources be prosecuted to the fullest and reduce such assaults through every legitimate and legal means available. However, this does not reduce the economic damages suffered by the victim. For that, we look to 'deep pockets' and their role in the attack. Typically, the 'deep pockets' will be the zombies. But the true determination of their liability is in their security. We must look to the standard of care in the information security field, in the zombie's particular industry, and the utility and risk of implementing certain security procedures that could have prevented the attack.

Could this attack have been prevented by the implementation of certain security measures, policies or procedures? Was there a technological 'silver bullet' that was available, inexpensive, and that the defendant knew or should have known about? Would a firewall or intrusion detection system have made a difference? Did the attack exploit a well-known and documented weakness that the defendant zombie should have corrected? In the United States, each of these questions will be raised and considered by a jury to arrive at the answer of liability. Each of these questions should be asked and answered by every company on the Internet worldwide before such an attack even transpires.

It is highly probable, at least here in the U.S., that those who allow their computer systems, because of weak security, to become jumping off points for attacks on other systems will be liable to those that are the victims of such attacks. However, it is incumbent upon all who wish to become part of the global Internet community to exercise reasonable care in such an uncertain environment. Ensuring the security of one's own computer systems and networks inherently increases the security of all other systems on the Internet.

Dorsey Morrow, CISSP, is a licensed attorney and general counsel to (ISC)² (www.isc2.org). A more detailed article with legal citations on the above subject is available from dmorrow@isc2.org.

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?