8.13. Current Trends in International Cyber Law


A recent subject of discussion regarding liability of owners of the hosts that are compromised and used for DDoS attack is a pair of laws in Italy regarding civil and criminal negligence. To see how they apply, a hypothetical scenario will be used.

Let us say that A is the victim of a DDoS attack, and this attack can be traced to one or more computers owned by B. If a post-mortem analysis of B's computer is performed, and it shows that B has not applied the "minimum security measures," then A has a civil cause of action against B and can bring suit in Italian civil court for an article called "damage refund" under the Italian civil code. (This is similar to what was discussed in Section 8.9.)

What is more, there is a law in Italy (196/2003) called the "Privacy Law." This law requires that the appropriate/minimum security measures for information security are mandatory if an information system stores sensitive, personal, and judiciary-related data. If an incident occurs, and the owner of the information system is found not to be compliant with the law, they may be levied a penalty of 50,000 euros and three years in jail. This means that if A is attacked using a compromised host owned by B, and B's compromised machine contains sensitive data, and a post-mortem analysis (even conducted by the police) demonstrates that the minimum security measures were not applied, then B may be brought in front of the court for violation of both laws.

This privacy law is new, so as of publication of this book there was no case law to cite. Italian Web sites that store personal information will have a privacy statement mentioning law 196/2003.

As discussed in Section 8.2, the primary law in the United States that may apply to DDoS attacks is the Computer Fraud and Abuse Act. The example cited, United States v. Dennis, prosecuted a DoS attack under 18 U.S.C. §1030(a)(5), "interfering with a government-owned communications system." This law clearly applies to government-owned systems, and other "protected computers." A very good explanation of its application to date, and some proposed changes to the way that the terms unauthorized and access are interpreted, can be found in a 2003 New York University Law Review article by Orin S. Kerr [Ker03].

The United Kingdom's counterpart to the CFAA is the Computer Misuse Act (CMA). During the early part of 2004, a group called the All Party Internet Group (APIG)[8] held an inquiry into the CMA [api04]. Their inquiry notes the same cases of DDoS-related extortion attempts cited in Chapter 3, and the efforts of the British High Tech Crimes Unit to investigate them. They also cite the same case of a DoS attack involving the Port of Houston. Further, they point out the same issue of the two phases of DDoS attacks, stating:

[8] APIG is made up of parliamentarians from the House of Commons and House of Lords, and provides a discussion forum for Internet-related issues for the purpose of informing debate in Parliament.

In general, where a DDoS attack takes place then an offense will have been committed because many machines will have been taken over by the attacker and special software installed to implement the attack. Even when a system is attacked by a single machine, an offense will sometimes be committed because the contents of the system will be altered.

Their recommendation is the creation of a new offense of "impairing access to data."

An even more interesting recommendation made by APIG is founded on the same evidence discussed earlier in this chapter: limited resources on the part of law enforcement, and the impression of some victims that no effective law enforcement response option is available to them in all but the largest cases. In APIG's opinion, laws that are on the books but provide no realistic deterrent, because prosecution rates are very low, end up having a negative value. Their recommendation is to build on an ancient right, preserved under s6(1) of the Prosecution of Offences Act 1985, for individuals to bring private prosecutions. They explain that the first step is for the individual making the claim to "lay an information" before a magistrate, who then decides whether or not to issue a summons. If the magistrate does so, a criminal trial will ensue.

To implement this recommendation, they suggest following the recommendations of another group, EURIM (the European Information Society Group). A EURIM/IPPR e-crime study working paper titled "Working Paper 4: Roles and Procedures for Investigation" [eur04] recommends several things:

  • Creation of joint private industry/law enforcement crime units, and establishment of guidelines for the creation, governance, and operation of such units.

  • Develop guidelines with industry for handling requests from private investigation teams for supporting services for which only law enforcement are authorized.

  • Develop a scheme for the exchange of investigative and forensics experience, best practices, and tools within communities.

  • Investigate with representatives of law enforcement, industry, and other interested parties the possibility of investigators and others in industry with appropriate skills and experience being accredited to work to the same legal and operational standards and guidelines as law enforcement when involved in e-crime investigations.

The effect of these two bodies of recommendations would be to (1) make criminal the act of denying access to data and information systems; (2) create a cadre of trained computer security professionals in private industry who have special, but limited, authority to investigate these crimes (perhaps working closely with law enforcement); and (3) permit these private security service companies to bring private prosecutions under the CMA (with the right reserved by the Director of Public Prosecutions to take over the case, decline to provide evidence, or withdraw the case).

Relating the APIG proposal back to the United States, it includes components similar to those put forward there in a 1998 law review article by Stevan D. Mitchell and Elizabeth A. Banker entitled "Private Intrusion Response" [MB98]. That paper came out of work during the Clinton administration by the President's Commission on Critical Infrastructure Protection (PCCIP), in the Critical Infrastructure Assurance Office (CIAO) [pcc97, itCD97].

It will likely take some time, and much needed debate, before the issues raised in these proposals are resolved. Similarly, it will take time before there is enough case law under new statutes to determine whether they have had a positive effect on reducing cybercrime in general, or the use of DDoS as a means of engaging in other criminal activities.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126