8.1. Basics of the U.S. Legal System


Before addressing some of the steps to follow in initiating legal proceedings, it is helpful to understand the pathways through the U.S. legal system. Many other legal systems throughout the world are similar, but laws can and do vary significantly, even within similar systems.

There are fundamentally two distinct types of law: criminal law and civil law. Depending on the circumstances of a DDoS attack, criminal and/or civil actions may be brought.

A criminal action is brought by the government against an individual for violation of criminal statutes, but only after that individual has been charged with violation of such a statute. The types of criminal acts associated with DDoS attacks fall into two categories, misdemeanor or felony, depending on the gravity of the crime. Criminal actions can be brought at the state or federal level depending on whether state or federal laws have been violated, and the location of the parties involved. Essentially, in order for the government's attorney to have a successful prosecution of a defendant, the state must prove beyond a reasonable doubt that the defendant committed the crime or crimes alleged by the government. Penalties may include monetary fines, imprisonment, or both.

Civil actions are the result of disputes between individuals for which a legal remedy may exist. These are typically matters such as breach of a contractual agreement, or breach of a duty imposed by law. In the case of DDoS attacks, causes of action may include negligently failing to secure computers used to attack someone, or negligent interference with commercial activity. There are four requirements for a suit charging negligence: (1) the injured party, the plaintiff, must show that a duty was owed by the defendant to do or not do something; (2) the plaintiff must show that the duty was breached by the defendant; (3) the plaintiff must also show that the defendant was the cause of the harm to the plaintiff; and (4) the plaintiff must have been harmed in such a way that damages may be awarded.

In a civil suit, the plaintiff (the party bringing the suit against the defendant) must prove, by a preponderance of the evidence, that the defendant is responsible for the plaintiff's injury. The court then determines an appropriate remedy, which can include the assessment of monetary damages or directing a party to perform (or refrain from performing) some action. This is known as a suit in tort (as opposed to a suit in contract).

A special type of civil action that may apply in DDoS attacks is a class action suit. A class action is usually an action brought by a representative plaintiff against a defendant or defendants on behalf of a class of plaintiffs who have the same interest in the litigation as their representative and whose rights can be more efficiently determined as a group than in a series of individual suits. In recent years, several high-profile class action suits have been brought by consumers in the United States; thus, readers may be familiar with the lawsuits brought by victims of asbestos poisoning, tobacco addiction, leaky silicone breast implants, and a particular type of intrauterine birth control device.

Since criminal actions are the responsibility of the government, a victim should report suspected crimes to the appropriate authorities[1] and provide them with sufficient evidence of the alleged acts and the harm caused by those acts. Such evidence will allow the government's attorney to determine applicable laws and whether or not to proceed with prosecution. In order to assess the likelihood of obtaining a successful prosecution, the authorities need to know things such as the location of the victim, the type and monetary amount of damage suffered, etc.

[1] We will not attempt to provide guidelines for when to contact legal authorities, which authorities to contact, what to present to them, etc. Readers are encouraged to have someone from their organization's incident response and/or legal teams reach out to both their state and federal law enforcement agencies and discuss the process with them, well in advance of needing to contact them in the event of a DDoS attack. This not only establishes a relationship, but also helps the organization understand the process and expectations in the event that law enforcement must become involved. In fact, some corporations find it useful to understand precisely the preferred facts, report formats, methods of transmitting/receiving digital data, standards for digital evidence collection and preservation, etc., so as to bring nearly "readymade" case materials to law enforcement, significantly speeding up the legal process. References provided throughout this chapter will also assist in developing your incident response capabilities to mesh better with the needs of the legal system.

It also helps to have evidence that can lead to the identity of a suspect. This is important for two reasons.

First, victims should be prepared to at least gather some samples of network attack traffic and other log information that confirms that an attack is actually taking place. It is not uncommon for a victim who suspects he is under attack, and may even believe he "knows who is attacking and why," to later learn from a consultant that the problem is actually a bug in a Web application, insufficient resources on a server, or a misconfiguration of hardware or software. It is advisable to first perform some level of capture and analysis of network traffic and server logs before contacting the authorities.

Second, both civil and criminal actions require that an individual, or group, be identified and brought into the legal process. You cannot sue, and the police cannot jail, an unknown entity. In the case of many DDoS attacks, the complexity of the "crime scene" may prevent a direct identification of a suspect. Even if a suspect can be identified, he may reside in another country, and it may be difficult, if not impossible, to bring him before the presiding judicial authority. Extradition may be an option in certain criminal cases, but not for civil actions. Furthermore, the United States does not have an extradition treaty with every foreign government. Thus, this option may not be available in every case in which the culprit is a citizen or resident of a foreign country.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
EAN: 2147483647
Year: 2003
Pages: 126
