DDoS and the law.
A distributed denial of service (DDoS) attack is one in which a computer cannot function correctly because an intentional act has incapacitated the channels (ports, in IT parlance) on which it depends to communicate with the outside world. The mens rea and the actus reus are thus summed up. A DDoS usually comprises a number of infected computers (a botnet) acting in concert against the target, overwhelming any attempt to block the offending IP addresses. A physical-world analogy would be being unable to leave one's house because someone is using a tennis-ball machine to hurl objects at the doors and windows, trapping the occupant and preventing anyone else from entering. That would clearly be illegal in the analogue world, so how is it dealt with in the digital one, and why does it occur?
The good news is that a DDoS is unlikely to be targeted at a single user. There are other, easier ways to target an individual, and genuine IT issues (mis-blocked ports, firewall settings and so on) are more likely to be the problem. However, to paraphrase the Sutton rule on illicit money, commercial enterprises are vulnerable to this type of attack. Not only is there a need under normal circumstances to be in operation 24/7; in seasonal sales periods such as Christmas there is additional pressure to respond to any outage. If a business is unable to respond to user requests, that sales opportunity is likely gone. Thus even where there is no associated damage or corruption of data, as could occur in a virus- or Trojan-based attack, the loss of goodwill and customers could cripple a business. What, then, are the means to deal with this under law and enforcement?
The police have some measure of discretion in the enforcement of legal matters. There would be a difference between a minor matter affecting only one person and, at the other extreme, a serious issue affecting a group. However, while the police have become more tech-savvy, with an increasing online presence (Anderson's "The Internet Police"), the potentially global nature of any DDoS attack means they are unlikely to be of immediate assistance during an attack. An IT department that has planned and drilled for this kind of outage is therefore a key requirement for handling such attacks.
Once the immediate DDoS is over, what are the legal avenues to explore? In statute, because of the evolving nature of IT, the various acts dealing with computer crime are written as broadly as possible so as not to become obsolete, with the common law filling any lacunae. Since the key effect of a DDoS is to deny the user proper use of his computer, a Criminal Damage Act, which covers actually impairing, threatening to impair, or controlling items in a way that damages property, would be relevant. More specific offences are found in the UK's Computer Misuse Act, under the sections dealing with degradation of the target's computer functionality. All of these fall within the steps required to be taken under the Council of Europe's Cybercrime Convention; section 5 of that Convention provides the push to enact laws that can deal with DDoS:
"Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offenses under its domestic law, when committed intentionally, the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data."
An example of a court case involving DDoS is the UK's DPP v Lennon. Here the defendant was convicted of email-bombing (a type of DDoS attack) his former employees, blocking their IT system. Finally, any extortion element of such an attack could be pursued in civil or criminal actions.