Over the last week, details have become available to explain how an attack against a well-known domain name service (DNS) provider occurred. What about the potential legal risks? We will attempt to provide insights into mitigating the legal risks for the various companies involved, including the companies that may have unwittingly provided the mechanism through which the attacks were conducted.
The Mechanics of The Recent Distributed Denial of Service Attacks
Recently, Dyn, a Manchester, New Hampshire-based provider of domain name services, experienced service outages as a result of what appeared to be well coordinated attack. Dyn provides domain name services used to direct users to a website after typing in a human readable domain name, for example, google.com. On October 21st, 2016, many websites including: Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times, were reported inaccessible by users. Dyn was attacked using a vector that is often referred to as a Distributed Denial of Service (DDoS) attack. A DDoS attack essentially involves sending a resource, such as a publically facing website too many communication requests at one time such that the service is denied to legitimate would-be users of the resource.
The term distributed comes from the nature in which the attack is usually conducted. An attacker does not usually possess a single resource with the necessary bandwidth or communication “pipe” to overwhelm providers such as Dyn. Instead, the attacker creates a network of smaller resources, distributed throughout a network such as the Internet, and directs the network of devices to attack the chosen target. In the recent attack, the perpetrators appear to have used, at least in part, a network of consumer devices from the Internet of Things (IoT), a term used to describe so-called “smart” devices that can communicate with each other. Attackers exploited an open vector within these devices such that they were able to control them and utilize them as part of a DDoS attack network to direct unwanted traffic to Dyn.
Identification of Cyber Security Attack Risk
A given cyber security attack will have different effects on the ability of an entity to function based on the aspects of the infrastructure being targeted. Identifying cyber security risk involves two parts. First, the entity needs to understand how the various components that make up its information technology infrastructure function in relation to each other to provide services to the entity itself and other external actors. Second, an evaluation of the exposed aspects of the components needs to be conducted, keeping in mind how the components function as a whole.
For example, with Dyn, a certain portion of the architecture that played a role in providing domain name services was likely exposed in a publically facing manner. A known risk of such public facing exposure is a DDoS attack.
The devices that were harnessed to provide the malicious DDoS traffic, appear to have contained components that were publically addressable via an identified mechanism through the Internet. Furthermore, the devices were susceptible to accepting malicious instructions causing undesired operation, in this case, their unwitting use as part of a bot net for a DDoS attack on Dyn.
For the various websites affected, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times, most likely components of their information architecture that dealt with processing DNS information were rendered unable to function, probably at least in part because their DNS provider ceased to operate.
Proactive Mitigation of Cyber Security Risk
Effective mitigation of cyber security risk will involve understanding how the obligations of the entity to others, such as its customers, as well as the obligations of those that provide services to the entity, interact with the cyber security risks identified via the previous section’s methods. This process is greatly facilitated by experienced counsel that have dealt with these issues before.
For example, Dyn faced a risk of being unable to provide effective DNS services to its customers, which if identified in advance could have been accounted for via a provision in the Service Level Agreement (SLA) terms in the relevant agreement. Upon agreeing to these terms, potential customers could either choose to accept the business risk of downtime, perhaps mitigating the risk via insurance, or have sought a suitable agreement with another vendor, whereby the vendor would provide a failover mechanism should the primary vendor, here Dyn, became unavailable.
Companies with other business models such as those that sold the Internet of Things devices that were harnessed as part of the DDoS attack against Dyn face their own risks, including complying with regulations and using ordinary care in the creation, testing, and selling, of these devices. In some situations, it may be possible for such device manufactures to transfer the risk to their customers via a contractual provision. In many cases, insurance is likely to also play a major risk mitigation role. Future litigation will likely give us greater insight to the standard of case such device manufactures owe their customers as well as third parties.