8.2. Laws That May Apply to DDoS Attacks

On the criminal side, the primary federal law that applies to most DDoS-related attacks is the Computer Fraud and Abuse Act, or 18 U.S.C. §1030.^[2]

^[2] United States Code, abbreviated as U.S.C., is the complete body of constantly revised laws defined at the federal level in the United States. It is divided into titles, then subdivided further into sections/subsections. 10 U.S.C means Title 10 of the United States Code. The symbol § stands for section/subsection. Titles and sections/subsections also have common names that identify them based on the legislation that created or amended them. So the complete reference to the Computer Fraud and Abuse Act, which is Title 10, Section 1030, would be 10 U.S.C. §1030. Subsections are further identified by subordinate letters and numbers in parentheses, so subsection a and sub-subsection 3 would be identified as 10 U.S.C. §1030(a)(3). For more information on United States Code, see http://www.law.cornell.edu/uscode/.

An example of this law being applied to DoS attacks is the case of United States v. Dennis in the District of Alaska in 2001 [ws]. In 2001, a former computer systems administrator in Alaska pled guilty to one misdemeanor count for launching three e-mail based DoS attacks against a server at the U.S. District Court in New York. He was charged under 18 U.S.C. §1030(a)(5) with "interfering with a government-owned communications system."

Other DDoS-related attacks mentioned elsewhere in this book, such as the extortion attempts against online gambling sites and online business, may fall under 18 U.S.C. §1030(a)(7), which covers extortionate threats. Analysis of a Congressional Research Service report [fra] suggests such attacks may also violate

• 18 U.S.C. §1951 (extortion that affects commerce)

• 18 U.S.C. §875 (threats transmitted in interstate commerce)

• 18 U.S.C. §876 (mailing threatening communications)

• 18 U.S.C. §877 (mailing threatening communication from a foreign country)

• 18 U.S.C. §880 (receipt of the proceeds of extortion)

The act of breaking into hundreds or thousands of computers to install DDoS handlers and agents may violate 18 U.S.C. §1030(a)(3) (trespassing in a government computer). If a sniffer is used to obtain passwords as part of this activity, the attacker may have violated 18 U.S.C. §1030(a)(6) (trafficking in passwords for a government owned computer) or 18 U.S.C. §2510 (wiretap statute).

Even an attempt to violate any of the sections of 18 U.S.C. §1030 listed above is itself a violation of 18 U.S.C. §1030(b).

On the civil side, 18 U.S.C. §1030(g) creates a civil cause of action for violation of subsection (a)(5)(B), which includes any of the following:

1. Loss to one or more persons during any one-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting one or more other protected computers) aggregating at least $5,000 in value.

2. The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.

3. Physical injury to any person.

4. A threat to public health or safety.

5. Damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.

Damages include only economic damages, and the civil action must be brought within two years of the act or when the damage was discovered.

Another civil action surrounding a DDoS attack against a business, which prevents customers from engaging in business with the victim and thus damages its business, would be "Tortious Interference with Business Relationship or Expectancy." To prove this, the plaintiff (the DDoS victim) would have to show several things, including such elements as knowledge of the business relationship between the victim and its customers, knowledge that the action (the DDoS attack) would disrupt this relationship, knowledge that the result would cause damage to the victim, proof that the defendant caused such disruption and damage, and proof that the victim has suffered a loss. (Here is where careful evidence collection and realistic incident cost estimation become very important.)

The Department of Justice Cybercrime Web site [fra] also lists these laws as applying to computer intrusion cases:

• 18 U.S.C. §1029 (fraud and related activity in connection with access devices)

• 18 U.S.C. §1362 (communication lines, stations, or systems)

• 18 U.S.C. §2510 et seq. (wire and electronic communications interception and interception of oral communications)

• 18 U.S.C. §2701 et seq. (stored wire and electronic communications and transactional records access)

• 18 U.S.C. §3121 et seq. (recording of dialing, routing, addressing, and signaling information)

This is a representative, yet not exhaustive, list of laws that may apply. Readers are urged to consult with an attorney and local/federal law enforcement agencies in their jurisdiction in order to learn more about what legal options exist in the event of a DDoS attack, and how to prepare to exercise these options when and if a DDoS attack occurs. It is also important to understand your responsibilities and potential liabilities in the event that your own systems are taken over and used to attack someone else, in which case you may be the defendant, not the plaintiff, in a civil suit.