Technology: Beware the Cyberattacker
by Ronald N. Weikers and Kevin P. Cronin
Winter 2003, Vol. 65, No. 4
Trespass and burglary used to involve purely physical acts, such as rattling doorknobs, lifting windows and leaving a home bare of valuables. Today, however, our increasingly networked world offers an entirely new landscape for these old crimes. The tools of crime, too, have changed: culprits now use "port sweeps," wireless "wardriving" and electronic "snooping" and "sniffing" to detect vulnerable computer systems over the Internet or through the airwaves, often leaving no clues.
Although data, the target of these intrusions, is intangible, the perceptible damage hackers can cause to security and privacy is of a magnitude unthinkable just a few years ago. To combat this problem, companies and, to a lesser degree, individuals have begun to use a variety of technical safeguards. Lawmakers, too, are concerned about security and privacy issues and have enacted several major data security and privacy laws and regulations in recent years.
Technology's Hidden Cost
Although "cybersecurity" can significantly hike the expense of installing and maintaining computer systems, the cost of ignoring security and privacy vulnerabilities may be much higher. Cyberattacks (often using "malware," malicious software, such as worms and viruses) cause billions of dollars in damage each year. U.S. businesses have spent an estimated $40 billion in remediating cyberattacks in just the past three years. Historically, government agencies were the most common targets of hacking, but today corporations are becoming more frequent victims. The following is a sampling of cyberattacks that have occurred during the past decade:
- 1994 New York: Russian computer expert, using a personal computer and stolen passwords and IDs, penetrated Citibank's cash management system and illegally transferred more than $10 million to bank accounts in California, Finland, Germany, the Netherlands, Switzerland and Israel.
- 1996 Connecticut: After being laid off, a former network administrator wrote six lines of software that destroyed his employer's manufacturing system programs. The event led to more than $10 million in losses and $2 million in reprogramming costs, and ultimately caused eighty layoffs.
- 1996 Nationwide: Hackers tapped into WebCom, a large Internet service provider, wiping out more than 3,000 sites for forty hours. Many of the sites were those of retailers trying to capitalize on the Christmas rush.
- 1999 Worldwide: The "Melissa" virus was the first virus to spread by e-mail through Outlook address books, causing an estimated $1.2 billion in damage.
- 2000 Nationwide: The first "Distributed Denial of Service" (DDoS) attacks were launched, shutting down major commercial Web sites, including Yahoo!, Amazon.com, CNN and e-Bay, and causing more than $1 billion in damage.
- 2000 Worldwide: The "Love Bug" worm spread faster than any worm in history, causing an estimated $8.7 billion in damage to forty million computers.
- 2001 Worldwide: The "Code Red" worm infected more than 250,000 servers within hours of its activation.
- 2002 Worldwide: The "Klez" and "Bug-bear" worms broke through anti-virus protections, gathering data from hard drives and logging users' keystrokes.
- 2002 Worldwide: In October, unknown hackers launched a massive DDoS attack against the Internet's thirteen domain name root servers, which are critical for directing data flow between other Internet servers, causing nine to crash and the Internet to slow down throughout the world.
These attacks may prophesy more numerous and more damaging attacks in the future. The federal government and all fifty states have enacted criminal and civil legislation prohibiting unauthorized access, malware distribution, DDoS attacks and other forms of hacking. These laws generally cast traditional legal concepts, such as trespass and conversion, in terms of modern technology. Also, a number of statutes and regulations require companies to implement preventive security and privacy measures, particularly in the financial and health care industries, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), which regulate personal data.
Federal Security Laws
The Computer Fraud and Abuse Act (CFAA) is the broadest tool for combating computer crime. The CFAA imposes criminal penalties on hackers who improperly access, improperly attempt to access, or damage computers. The 1996 amendments expanded the scope of the CFAA to cover "protected computers" used in interstate commerce, which include virtually any computer connected to the Internet. Fines may be levied against violators, and the 2001 amendments under the USA Patriot Act impose prison sentences of up to twenty years.
The Electronic Communications Privacy Act (ECPA) expands coverage of the Federal Wiretap Statutes by prohibiting interception of wire and electronic communications, and prohibiting unauthorized alteration or access, or preventing access, to wire or electronic communications while in electronic storage. One of the primary purposes of the ECPA was to extend to electronic communications the same protection against unauthorized interceptions that wiretap laws had been providing for oral and wire communications via common carrier transmissions. In addition to criminal sanctions, the ECPA provides a private cause of action, with minimum statutory damages of $1,000 per violation. A variety of other federal laws prohibit behavior related to hacking. These statutes include the Federal Wire Fraud Statutes, the No Electronic Theft Act, the National Stolen Property Act, the Economic Espionage Act, the Computer Security Act, the Copyright Act, the Lanham Act and the Digital Millennium Copyright Act.
State Security Laws
Reflecting this federal push for increased security legislation, all fifty states have enacted some form of legislation that prohibits unauthorized access or interruption of a computer system, as well as theft, destruction, copying, examination, use or misuse of data. Depending on the damage caused, the degree of mens rea and the means utilized in committing the crime, penalties may include fines of tens of thousands of dollars and decades of imprisonment.
In Pennsylvania, hackers face up to seven years' imprisonment and $15,000 in fines for intentionally spreading viruses or unlawfully accessing or damaging computer systems or data. New Jersey, New York and Delaware hackers face similarly harsh penalties. Because technical measures are not perfectly effective against cyberattacks, it is likely that criminal penalties will begin to have a deterrent effect once prosecutions become publicized.
Hackers typically act independently of any organization that authorizes, or can afford to compensate victims of, their conduct. There have been several documented instances of institutional hacking, but those are rare exceptions to the rule. Thus, if hackers can be found, they are usually judgment proof.
As such, in the future it is highly likely that victims of cyberattacks will seek compensation from corporations that are lax in their security measures, enabling hackers to launch attacks from their vulnerable systems, even if the defendants are victims themselves. Plaintiffs will proceed under traditional negligence concepts, arguing that companies have a duty to protect themselves and others from hacking, given that security technology is prevalent and inexpensive relative to the damage that can result. In other words, "upstream" victims have a duty to protect "downstream" victims based on a reasonableness standard, or based on standards set by new security and privacy rules and regulations, such as GLBA and HIPAA. Plaintiffs may also assert various contract theories where the parties are engaged in business together. They may also allege that owners of servers connected to the Internet implicitly agree to provide a certain level of security.
At least one such complaint has already been filed. Apparently, one Web hosting company's negligent security enabled a hacker to use its server as a platform to launch a DDoS attack against another Web hosting company, taking 90,000 Web sites offline in the process. The case settled prior to trial.
If a deep pocket cannot be found, victims will seek first-party coverage from insurers for damage to their own systems. Upstream victims may also seek coverage under their third-party liability policies for damage to downstream victims.
Current property policies generally exclude damage to computer systems and data losses. Where cyberattacks are not specifically excluded, courts have almost uniformly held that losses of data and software are not covered by property policies, because they are not "tangible" losses. A number of insurers do offer e-commerce or Internet insurance for precisely these types of claims. Premiums, however, have recently skyrocketed, and insurers are becoming so savvy that they are charging even higher premiums for those types of systems that they deem to be more vulnerable, based on statistical analyses of intrusions.
While cyberattacks and digital privacy intrusions can be analogized to more traditional civil and criminal law violations, the technology they employ is totally new, making their perpetrators more elusive, and the damage they cause often more widespread. As we become more dependent upon data and networks to operate our businesses, government, national defense and other critical functions, the risks posed by hacking, malware and cyberattacks escalate. As such, practitioners must inform themselves about data security and privacy compliance, and about remedies for cyberattacks.