Undoing DDoS damage: could civil suits against attackers become common?

Posted on Sep 5 2018 - 9:21am by Editor

It’s hard to put a price tag on the damage a DDoS attack can do. When all is said and done – the downtime is over, emergency mitigation services are no longer needed, the backup systems are put to rest, employees are beginning to resume their regular duties, and customers are being informed that the security event has ended – the consequences of a successful attack are only beginning to be felt. The money that has already flown out the door only accounts for the direct mitigation and backup costs. There isn’t yet any accounting of the lost revenue that will stem from customer frustration and reputational damage. In short, a DDoS attack can be devastating.

It only makes sense that businesses impacted by these cyber assaults would look for any possible avenue for undoing the damage done to them. With monetary losses so easily demonstrable, and computer crimes being taken more seriously than ever, are we about to embark on an era of civil lawsuits in response to DDoS attacks?

Basic DDoS details

When it comes to the question of what DDoS is, there’s a long answer and a short answer. The long answer is that a distributed denial of service attack is a cyberattack that seeks to overwhelm targeted websites or services with junk data or malicious requests generated by a network of hijacked devices, typically tens of thousands or hundreds of thousands strong, in order to render the target website or service unavailable to its users.

The short answer is that a distributed denial of service attack is a crime. It’s an offense under the Computer Fraud and Abuse Act, which creates a civil cause of action for violations of several of its subsections.

The legal possibilities

Paraphrasing the Computer Fraud and Abuse Act (CFAA), a DDoS act is a criminal offense because it falls into the category of a program, transmission, code or command that causes damage to protected computers, where damage is defined as the impairment of the integrity or availability of information, data, programs or systems.

The CFAA also makes DDoS attacks a civil offense if they result in any of the following: loss aggregating at least $5000 to one or more persons during a one-year period; the potential or actual modification or impairment of medical examination, diagnosis, care or treatment of one or more individuals; physical injury to any individual; a threat to safety or public health; or damage to a computer system used either by or for a government entity dealing with the administration of justice, national security or national defense.

A DDoS attack against a business can easily accrue over $5000 in damages, and civil DDoS offenses would be even easier to prove against medical institutions and government entities. All of this begs the question: where are the DDoS lawsuits?

The practical improbabilities

Not only do DDoS attacks typically cause over $5000 in damages, they cause well over $5000 in damages. Capable of racking up expenses topping $20,000 per hour, total mitigation and remediation costs more typically land in the six or seven-figure ballpark.

This is a good starting point for damages sought in a lawsuit. Factor in revenue losses and reputational damage and a business could theoretically be looking at millions awarded in a court of law. However, the issue then becomes actually collecting that money – figures that even the most prolific for-profit DDoS attackers in history can’t boast. Adam Mudd, the teen behind over 1.7 million attacks, made just over $500,000 USD, while the duo behind the infamous for-hire service vDOS made a little over $600,000 USD. A nice little jackpot for the young entrepreneurs who earned it, but it wouldn’t stretch far in restitution for the victims.

It’s also worth considering that because of the reputational damage caused by the perceived cybersecurity failure that allows a distributed denial of service attack to succeed, most organizations might prefer the memory of the attack simply fade rather than have it trotted out in a courtroom and in the media.

The verdict

As the ability to catch and convict DDoS attackers improves, it is likely we will see some increase in the number of lawsuits being filed against perpetrators. However, these lawsuits will likely have to be punitive in nature with an end goal of making DDoS attacks and DDoS for hire services a less lucrative business. This is a worthwhile endeavor, of course, but as of now there is little chance a targeted organization could recoup the damages caused by a successful attack, and a lawsuit may only lead to further public relations problems. There are currently no after-the-fact actions that can come close to undoing the devastation of DDoS, and so it remains that leading cloud-based mitigation is a better investment than even the best attorney.