It happens. Every day, everywhere, to home users, businesses, and public bodies alike. Servers, hosted CMS installations, PCs, smartphones, printers, IoT, or other networked devices are infected by malware. Sometimes to extort money (or bitcoins) from the user of the device, and sometimes to use the device to attack someone else and – again – extort money.
From a legal point of view, there is usually no doubt that the originators of such attacks would be liable under criminal law. If they were ever caught, that is. The question that is by far more relevant to users and businesses in countries with an effective legal system and the capabilities to combat cyber crime is whether those users and businesses could themselves be held liable for their “contribution” to a cyber-attack on someone else. Sounds far-fetched? Not as much as you might think!
Fifty countries across all continents have ratified the Council of Europe “Convention on Cybercrime” to date, as a result of which they are obliged to enact domestic law making attacks using data and digital devices criminal offences (Articles 2 to 10). But this international treaty goes further, also covering the aiding or abetting of such attacks (Article 11) as well as the establishment of corporate liability (Article 12) under criminal, civil, and administrative law.
As one of those fifty countries, Germany also enacted such laws, which not only outlaw the cybercrimes themselves, but also influence corporate compliance requirements regarding IT security. At the moment, Germany even seems to be spearheading efforts to push IT security as an economic and political goal in its own right, no longer a mere adjunct to data protection. So let’s take a closer look…
When faced with important files encrypted by ransomware, or threatened with large-scale denial-of-service attacks, some businesses regard paying the ransom as the lesser evil compared with implementing effective countermeasures. However, such assessments often overlook the fact that the payment itself generally constitutes a criminal offence under German criminal law. It is classified as supporting a criminal organization, punishable by imprisonment of up to five years or a fine. Given that most attacks are carried out by organized groups rather than single individuals, and that no life or limb is threatened by the cyber-attack, a business’s sole defense in a court of law would be that the financial contribution was too small to be significant. However, this determination is placed entirely within the discretion of the court, with only very limited grounds for appeal. Therefore, ransom payments of more than a few hundred Euros may have rather unforeseen consequences.
Zombies for denial-of-service attacks
Business IT is neither always perfect nor fully secure. But that fact would not necessarily suffice as a viable defense against criminal, administrative, or civil liability if devices in the company network were found to be in use as zombies in a DDoS attack. First of all, as soon as the company (IT department) becomes aware of zombies within its network, such devices must be rendered harmless immediately to avoid liability: both criminal liability for aiding in computer sabotage and civil liability if the injured party were to claim damages.
But secondly, and this is where it gets really interesting, businesses may be liable even without knowing that any of their devices are being used in a cyber-attack. Even setting aside the “critical infrastructures” in the European NIS Directive and the rare cases of a possible criminal liability of the CIO for criminal omission of security measures, there is room for administrative and civil liability, especially now that the German IT Security Act is in force. If the compromised system is intended for use by the public, e.g. a web server, businesses must take all commercially reasonable measures to prevent any unauthorized access in order to avoid administrative fines of up to 50,000 Euros.
Countermeasures against attack required
As if this were not enough, the German IT Security Act also prescribes that all IT-based services intended for use by the public, down to a simple website, must be protected against disruptions, including external attacks, using commercially reasonable measures. And even though failure to take such measures would not trigger administrative fines, there may still be consequences for businesses that have actually been attacked. Given that the IT Security Act is still young, it has not yet been the subject of any reported court decisions, but it will be interesting to see whether the courts are inclined to regard such statutory IT-compliance rules as market conduct rules. Such a classification by the courts would permit both competitors and consumer protection agencies to enforce the implementation of necessary IT-security measures with injunctions and court orders against businesses whose website has fallen prey to attack because no or insufficient defensive measures against such an attack were taken.
Businesses to ensure IT-security compliance
This brief overview shows that IT security is becoming a more and more serious aspect of overall compliance. Businesses can no longer rely on sole responsibility being assigned to some anonymous criminals far away. Businesses whose systems are compromised are not anonymous, and therefore may be the easiest target for legislators who intend to advance the overall security of IT systems and networks.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author's own and do not reflect the view of the publisher, eco – Association of the Internet Industry.