Beware of business system attacks - 2nd November 2006

The explosion of internet traffic has caused an increasingly prevalent problem, namely denial of service (DoS) attacks, when a deliberate attempt is made to stop a computer from performing, by creating a large volume of spurious traffic. These attacks are reckoned to number 4,000 plus each week and are many and varied.

At the lower end of the scale, their effect may be imperceptible. At the upper end, networks can be disabled for long periods. One recent case involved an attack on the Port of Houston’s computer system, resulting in widespread disruption to the port’s activities.

In the UK, DoS attacks are an offence under the Computer Misuse Act 1990. The CMA applies to anyone based overseas who attacks UK-based machines and also those in the UK who target foreign machines. Devices covered include mobile phones, PDAs and palm tops, and network devices such as routers.

You may have read of a recent computer misuse case where a disgruntled ex-employee bombarded the insurer Domestic and General Group with around 5 million hoax e-mails. This caused servers at the company’s UK and overseas offices to crash. The former employee was traced, successfully prosecuted and received a two-month curfew together with an electronic tag (he was only 16 at the time of the offence).

This was the first successful prosecution of a DoS offence under the CMA. It followed a successful appeal by the prosecution, following an earlier ruling of “no case to answer” on the basis that the insurer’s systems were automatically set up to receive e-mails. But the Court clearly felt the volume of e-mails sent was more than could ever constitute an acceptable level of (innocuous) traffic accessing the site.

This successful prosecution shows the 1990 Computer Misuse Act has stood the test of time since it was first drafted. Obviously for most businesses, prevention against a DoS attack should be the first priority but there may be some comfort in knowing that a successful criminal prosecution, followed by a possible case for civil damages may be the answer in the ongoing fight against cyber crime.