DoS Attacks – Is there yet an Adequate Recourse?
November 14, 2008
Much has been said about the recent implementation of changes to the Computer Misuse Act 1990, with many blogging on the changes. See here for example.
Much of the attention has surrounded the need to implement legislation to plug the gap where Denial of Service (DoS) attacks were not adequately covered by the legislation. In short, a DoS attack is where a system is flooded with information requests to the point where the system cannot cope with the requests and is rendered unavailable. Read more here.
Under the old law, the question remained whether or not a DoS attack is “unauthorised access” within the definition of the Computer Misuse Act 1990. The changes to the law now define “doing anything without authorisation with intent to impair…the operation of a computer” in order to cover DoS attacks. The changes have increased the maximum jail sentence penalty to up to 10 years.
Whilst the changes are viewed as being long overdue, there are inherent practical problems in enforcing the legislation – which the reforms fail to address.
An aggrieved party will have to consider:
- Firstly, whether or not the suspected attacker is in the relevant jurisdiction.
- Secondly, how to locate a police force willing to devote the necessary impetus and resources to pursue a prosecution.
- Thirdly, proving the identity of the suspect – proving beyond reasonable doubt that the particular IP address and the offence itself can be linked to the suspect. Was the offender’s computer system in fact compromised by a third party?
- Fourthly, dealing with the potential adverse publicity generated in revealing that your organisation’s computer systems are vulnerable to attack.
- Fifthly, and as a consequence of the publicity of the vulnerability of an organisation’s computer system, the potential scrutiny by the Information Commissioner’s Office for failure to maintain adequate security measures in line with the 7th principle of the Data Protection Directive.