Author: Urcuyo, Michael S.
  I. INTRODUCTION
  II. BACKGROUND
    A. What is a DDoS attack?
    B. Why is this important to consumers and businesses?
    C. What is the difference between a virus or worm and a DDoS attack? What do hackers aim to accomplish?
  III. THE COMPUTER FRAUD AND ABUSE ACT
    A. What is the CFAA?
    B. Why is the current CFAA insufficient for DDoS Attacks?
    C. How does the DOJ prosecute a DDoS attack under the CFAA?
      1. What is Transmission or Access?
      2. How is damage proven?
      3. What Harms are required for a violation to occur?
        a. $5,000 loss
        b. Medical Care
        c. Physical Injury
        d. Threat to Public Health and Safety
        e. Justice, National Defense, or National Security
        f. Damage to ten or more protected computers
    D. Who can prosecute a DDoS attack?
    E. What are the Current Penalties?
      1. What is considered a Misdemeanor?
      2. What is considered a felony?
      3. What happens when death or serious bodily injury occur?
    F. How are juvenile offenders prosecuted?
      1. Definition of a Juvenile
      2. Federal Jurisdiction
    G. What is the current statute of limitations on the CFAA?
  IV. BACKLASH AGAINST THE COMPUTER FRAUD AND ABUSE ACT
    A. The Aaron Swartz Controversy
    B. Addressing the Criticism
  V. PROPOSING A NEW STATUTE TO AMEND THE CFAA: THE FEDERAL INTERNET PROTECTION ACT ("FIPA" OR "ACT")
  VI. CONCLUSION

  I. INTRODUCTION

    Imagine that you are about to pay the mortgage or electric bill, but first you need to access your bank account either electronically or in person. You have until the end of the day to pay the bills, so you try to access your money early in the day, and then again in the afternoon. You are having issues accessing the money because the bank, where your money is deposited, is having issues with its system. Now the deadline has come and gone, and you did not pay your bills and expect to be assessed late fees. Unbeknownst to you, the reason you could not access your bank account is that a hacker somewhere in a different state or country decided to take down the bank's servers throughout the day.

    This hacker did not even have to breach the bank's security system as all he had to do was flood the servers with an endless wave of fake access requests to a server--also known as a distributed denial of service--and overload the servers until the bank was unable to function. Now, you have been harmed because you were unable to access your money and face the unwelcome potential of being assessed late fees on your bills. Looking at the bigger picture, small and large businesses were not able to transact through the bank, while the bank had suffered economic harm and harm to its reputation. Thus, the flow of interstate and foreign commerce was halted.

    The Internet is plagued with cyber-attacks that target financial institutions, small businesses, large conglomerates, and the average consumer. (1) Most attacks are performed with the expectation that a breach of the network will occur, which will provide the hacker with financial information. (2) However, a breach of the network is not the only vulnerability that exists, and other methods like Distributed-Denial-of-Service attacks (hereinafter "DDoS attack") are employed. A DDoS attack occurs when a hacker or group of hackers creates artificial traffic to overload a server, thereby preventing other users from accessing the server or website. (3) DDoS attacks are also now targeted at financial institutions. (4) DDoS attacks are employed for varying reasons: some are performed for fun, and others are performed with the expectation of making a financial gain. (5)

    While the Computer Fraud and Abuse Act ("CFAA") can be used to combat DDoS attacks, it does not provide enough deterrence for this destructive behavior. (6) This Note will seek to address this issue by proposing amendments to the CFAA that will increase deterrence. Specifically, the proposed amendment would create a registry of convicted hackers, who will be monitored for additional violations. Part II of this Note will define and distinguish a DDoS attack from other cyber-attacks, and discuss the importance of these differences. Part III will discuss the current system for convicting a hacker for DDoS attacks under the CFAA. Part IV will discuss the Aaron Swartz controversy and address the issue of prosecutorial discretion. In Part V, the amendments will be proposed with explanations for each provision.


    1. What is a DDoS attack?

      A DDoS attack occurs where a hacker or group of hackers employs malicious programs to infect a series of networks or individual computers, which are known as bots, and uses the bots to overload a server. (7) Essentially, the hacker is creating artificial traffic to flood the targeted server so that it crashes and denies access to other users. (8) In layman's terms, the server is a highway tollbooth and a computer accessing the server is a car passing through the tollbooth. When the hacker gathers enough cars, they can continually block access to all tollbooths by constantly barraging the tollbooths with incoming cars, or, in the case of servers, several thousand computers.

    2. Why is this important to consumers and businesses?

      DDoS attacks present a potential danger to the financial structure of America. Whether a hacker attacks a small or large website is irrelevant because disrupting the function of a website creates a costly burden for any website operator. (9) The financial losses vary on a case-by-case basis, and can affect a business in the long-term. (10) The long-term repercussions include loss of future profits because customers switch to competitors when they cannot access a website, and damage to the business's reputation. (11) Additionally, legal issues arise where the consumer is unable to access a website, which is serious in the stock market and securities industry. (12) For example, investors sued a major stock exchange in 2011 for inability to access the normal services. (13) When a website is attacked consumers cannot purchase, sell, or trade without a necessary platform in today's economy, which is costly to both consumers and businesses. (14) Therefore, the United States needs to take measures to prevent hackers from employing DDoS attacks, which have an adverse effect on interstate commerce.

      Performing a DDoS attack is relatively easy. (15) In the Russian black market, anyone can orchestrate a DDoS attack for a $1,200.00 per month fee. (16) Thus, an average layman can launch a DDoS attack with relative ease for a small fee. (17) Furthermore, defending against a DDoS attack is very hard as few safeguards exist. (18) The safeguards that do exist require a domain owner to either write specific coding that filters DDoS attacks or purchase more bandwidth for server requests to mitigate the attack. (19) Hence, because defending against DDoS attacks as they occur is so difficult, deterrence of DDoS attacks should be a great priority.

    3. What is the difference between a virus or worm and a DDoS attack? What do hackers aim to accomplish?

      A computer virus is a "small software program[] that [is] designed to spread from one computer to another and to interfere with computer operation." (20) A hacker will attach a virus to another program, such as emails or documents. (21) Email viruses replicate and attach themselves to emails, and send those emails from an infected computer's email address book. (22)

      In contrast, a worm is a software program "that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well." (23) A worm can replicate hundreds of thousands of times, and interfere with a computer's normal function. (24) Worms are different from viruses because a worm does not need a hacker's guidance or need to attach itself to another program to spread. (25)

      On one hand, a virus or a worm must breach a network, or as the CFAA defines, "intentionally access[] a computer without authorization," (26) in order to spread its malicious content. (27) On the other hand, DDoS attacks do not breach a network, (28) which is why viruses and worms receive greater public attention than a DDoS attack. (29) In 2010, the media was infatuated with the Stuxnet virus, which was a worm that spread through USB sticks. (30) The Stuxnet virus targeted an Iranian nuclear plant, but was harmless for the most part. (31) Stuxnet caused minimal damage, causing centrifuges to spin fast enough to tear themselves apart. (32) Thus, worms and viruses receive more attention because of the potential data breaches and consequences.

      However, with greater proliferation of DDoS attacks, there is a greater need to defend against those attacks. (33) DDoS attacks are occurring with greater frequency for several reasons. One reason is that a DDoS attack serves to disrupt a server's function and interfere with an online service, thus allowing a hacker to hold a website or service hostage with the threat of a continuous DDoS attack. (34) On June 17th, 2014, a concentrated DDoS attack was orchestrated against an Internet firm, Code Spaces, in order to extract a ransom from the firm. (35) The hacker was able to delete most of the business's content and in the process shut down the business. (36) Unfortunately for Code Spaces, the resulting loss of data and time created a financial situation in which the company could not recover and was forced to shut down permanently. (37)

      Another reason a hacker uses a DDoS attack is that a hacker wants to make a political or social opinion known. (38) Recently, Sony's PlayStation service was subjected to a DDoS attack. (39) LizardSquad, one of the two hacker groups that claimed the DDoS attack was performed on their part, claimed to have orchestrated the attack with the intention of stopping U.S. bombings...
