For several days this summer beginning July 4, international hackers targeted and disabled a variety of Web sites in the U.S. and South Korea. The Web sites belonged to the Department of Homeland Security, Federal Aviation Administration, Federal Trade Commission, The Washington Post, New York Stock Exchange and the office of South Korea’s president, among others. Some South Korean reports named North Korea as a suspect. Whoever it was, the culprit apparently carried out the attacks using a simple technique called distributed denial of service (DDoS).
“Cyber-attacks like [the one in July] are being recognized as yet another means available to governments to cause harm to opponents,” says Michael Overly, a partner in Foley & Lardner’s IT privacy, security and information management practice. But more often, independent hackers launch these types of DDoS attacks just to cause chaos. And corporations are common victims.
DDoS attacks occur when hackers infect thousands of computers across the world–often within business networks–with a virus that turns those networks into “zombies.” The zombies send many simple requests to a targeted Web site, overloading server capacities and causing the Web site to shut down. It’s an expanded version of denial-of-service attacks, which spawn from a more limited number of computers. Neither technology is complicated, but DDoS attacks can be extremely difficult to trace back to an original source. And they’re happening more often.
In one recent example, Gawker Media, an online blog network, was brought down by DDoS for a weekend in early August.
And in late July, a Texas grand jury indicted a 25-year-old security guard for breaking into the HVAC system and planning a DDoS attack at the Dallas orthopedic health clinic where he worked. The man solicited help for the DDoS from other hackers by posting videos online. His plan shows how easy the attacks can be, and how even smaller companies are at risk.
“If the stock exchange can be hacked, if the government of South Korea can be hacked and if the Department of Defense can be hacked–no company can be absolutely secure,” Overly says.
Moreover, cyber-attacks can be quite simple to carry out, and they create several layers of risk for companies with an online presence. Those that engage in e-commerce, buying or selling products online, face the most glaring problem. Jim Butterworth, director of cybersecurity at Guidance Software, says companies with online storefronts, such as Amazon.com or eBay, are the most likely targets of DDoS attacks, and Guidance Vice President and Deputy General Counsel Patrick Zeller agrees.
“If your public-facing site is taken down, your business is going to stop,” Zeller says.
Simple but Dangerous
Beyond the loss of sales, companies that host content for their clients online–such as an e-discovery vendor or a simple Web site-hosting service–must be wary of DDoS because they likely have service agreements they must uphold. If their servers go down and consequently knock out their clients’ ability to function, Butterworth says these content hosts may face liability for breach of contract.
As bad as it might be to deal with a downed Web site, in the worst case scenario the DDoS might be an early warning sign of a bigger attack or more serious data breach. During a DDoS, the hacker bombards the company’s system with thousands upon thousands of useless pieces of information. In the midst of this, there’s the potential for a hidden motive: that the hacker is trying to slip malicious code past digital security while the system is overwhelmed with extraneous data. Such malware could lead to a data breach and stolen confidential data.
Victim and Villain
In addition to being targets of these attacks, companies also face legal liability as unwilling participants. If a company does not have adequate IT security measures, hackers can turn company computers into zombies to use in the attack. Then the company can get sued for negligence.
“It’s coming up more and more,” Zeller says. Trying to sue hackers rarely produces productive financial results, not only because they are hard to find, but also because they don’t have much money, he adds.
Consequently, attack victims look for financial liability not with the actual perpetrator but with deep-pocketed companies that inadvertently became part of the crime. Overly has seen a situation where someone stole thousands of Social Security numbers and hid them on an unsuspecting company’s network. At the very least, that type of incident would lead to some unpleasant public relations. Regardless of whether litigation ensues, disclosure of a company’s accidental complicity in an attack could impact a company’s business reputation and stock price.
Overly gives another example of a bank: Someone breaks into its network and doesn’t steal any personal consumer data. But the criminal uses that access to attack another company. In this situation, which could happen to any company with frequent customer interactions, there might be no actual damage to the bank’s customers, Overly explains, but there could be damage to its reputation.
Enemy at the Gates
However, companies can prevent hackers from using their networks in attacks. The defense starts with a concise policy that employees understand and follow and that management enforces.
“[Successful] companies boil this down to a few pages of very clearly written text,” Overly says. “Then [they] follow up on a quarterly basis by emphasizing a single point in the policy and giving examples of what the problem is and what the company is trying to address.”
Policies should bar employees from downloading applications at work, such as peer-to-peer software. The company should encourage workers to report any computer aberrations–such as a strangely slow computer or e-mails asking for personal information–to IT security immediately, even though most questions will probably end up being benign.
The legal department also should be an integral part of the cybersecurity process, especially after a company identifies an attack and law enforcement may become involved. On a more routine basis, Overly says counsel should ensure that contracts with third-party vendors guarantee appropriate security measures. Also, in-house attorneys should make sure independent validation of a company’s security setup is a priority, instead of only relying on internal IT staff.
Butterworth emphasizes that corporate executives cannot measure protecting the network in terms of merely complying with rules or checking items off a list.
Corporate cybersecurity is a never-ending process in a constantly changing environment, so in-house counsel should focus on awareness and education, as opposed to simply following minimum–and often static–standards.
“It’s about knowing what’s going on instead of trying to [do well on] some sort of report card using standards that are five to 10 years old,” Butterworth says.