Security in Cyberspace: Combatting Distributed Denial of Service Attacks
32 Pages. Posted: 28 Sep 2004
The poor state of cyber security is now attracting broad attention outside the community of computer security experts. This is a welcome development, since it is clear that cyber attacks impose heavy costs and that the rate of attack is increasing. There are reasons to believe that society devotes insufficient resources to ensuring cyber security, among them the existence of positive externalities associated with investments in cyber security.
This paper selects one cyber security problem for close analysis, namely that of distributed denial of service attacks ("DDOS"). It focuses on DDOS attacks because they are quite interesting from the legal perspective. The positive externality problem of cyber security investment is posed fairly clearly in this context, and the many types of parties implicated in some way in a DDOS attack offer numerous possible objects of legal or regulatory pressure. Most commentary on DDOS attacks focuses on the roles of software developers who release insecure code, the weaknesses of which are later exploited to launch DDOS attacks, and of computer users who fail to take basic steps to secure their machines. Having reviewed the reasons for this state of affairs and explored the possibility of applying legal pressure to the various types of parties involved in a DDOS attack, the paper concludes that it is likely most efficient to address the problem by focusing on software insecurity.
One way in which to encourage improvement in software security is to impose liability in negligence for software that falls below a reasonable standard of security. The victim of a DDOS attack would be a good plaintiff in such an action. The victim may suffer the kind of concentrated loss that provides a sufficient incentive to sue. Furthermore, the victim of a DDOS attack is not open to charges of contributory negligence in the way that an end-user who failed to install patches would be.
A negligence claim brought by the victim of a DDOS attack against the manufacturer of insecure software that is later exploited to launch an attack is a complex one that raises important issues of policy at various stages of the negligence inquiry: duty of care, standard of care and proximate cause. The proposed tort claim must address the traditional reluctance of courts to award damages in negligence for pure economic loss. It must also establish that there is a sufficiently close relationship between software manufacturer and DDOS victim that will justify a finding of a duty to protect the plaintiff against the deliberate harmful conduct of third parties - a ground of negligence that is recognized, inter alia, within the landlord-tenant relationship. The inquiry into whether a duty of care should exist in this context offers the opportunity to raise the current debate over whether the metaphor of physical space is an appropriate one for legal reasoning about cyberspace. Is a quasi-monopolist vendor of key Internet-related software an "architect" or "landlord" in cyberspace?
Keywords: Cyberspace, security, software, product liability, negligence, denial of service, Internet