Master's Thesis: Your toaster as a threat to critical infrastructure: A multidisciplinary study on DDoS attacks in the EU IoT ecosystem

LL.M Law & Technology Master Thesis
Tilburg Law School
Tilburg Institute of Law, Technology and Society (TILT)
Tilburg University
September 2018

Sebastian-Dan Naste, SNR: 2005377

Supervisors: Dr. C. Cuijpers, Dr. A. K. Martin

‘Where there is a will, there is a way. If there is a chance in a million to do something, anything, to keep what you want from ending, do it. Pry the door open or, if need be, wedge your foot in that door and keep it open’.1

PREFACE

The writing of this thesis has been the toughest challenge that I have faced during my academic journey. Through many days of research and reflection I have gained valuable knowledge of the EU legal framework dealing with large-scale DDoS attacks launched by insecure IoT devices against EU critical infrastructure.

I would like to thank my Master thesis supervisor, Dr. Colette Cuijpers, for her continuous support and help throughout this programme and for her inspiring guidance during the writing of this thesis. I would also like to thank Dr. A. K. Martin for his advice in finalising this dissertation.

I especially thank my partner for her endless help and support when I needed it most. Lastly, I would like to thank my sister, mother and father, who supported me throughout my entire law studies, each in their own way.

I hope you enjoy your reading.

Vienna,
7 September 2018

1 Pauline Kael Quotes (Brainy Quote) <https://www.brainyquote.com/citation/quotes/pauline_kael> accessed 7 September 2018.

Table of Contents

Chapter 1
1.1 Background
1.2 Problem statement
1.3 Research question
1.4 Significance of this study
1.5 Limitations
1.6 Approach and methodology
1.7 Structure

Chapter 2
2.1 Chapter Outline
2.2 ‘Cybercrime’ in progress
2.3 An insight into DDoS, Internet of Things and Critical Infrastructure
2.3.1 Distributed-Denial-of-Service attacks
2.3.1.1 Introduction
2.3.1.2 Types of DDoS attacks
2.3.1.3 Brief history of DDoS attacks
2.3.1.4 What makes DDoS attacks possible?
2.3.2 Internet of Things - IoT
2.3.2.1 Introduction
2.3.2.2 Shaping IoT
2.3.2.2.1 Security considerations and challenges
2.3.2.2.2 Reasons why IoT devices became botnet ‘friendly’
2.3.2.3 ‘Mirai’ – ‘The future’ is already here
2.3.3 Critical Infrastructure
2.3.3.1 Introduction
2.3.3.2 Why Critical Infrastructure became a tempting target for DDoS attacks?
2.4 Conclusions

Chapter 3
3.1 Chapter Outline
3.2 European legal framework
3.2.1 The Council of Europe – Budapest Convention
3.2.2 The European Union
3.2.2.1 The ‘Botnet’ Directive
3.2.2.1.1 The Attack Chain of a DDoS attack
3.2.2.1.1.1 Step 1 – Reconnaissance
3.2.2.1.1.2 Step 2 – Delivery/Getting access
3.2.2.1.1.3 Step 3 – Compromising and control
3.2.2.1.1.4 Step 4 – Action on Objectives
3.2.2.1.1.5 Step 5 – Weaponisation
3.2.2.1.2 Sanctions
3.2.2.1.3 Conclusions
3.2.2.2 Overview of the ‘NIS’ Directive
3.2.2.2.1 Scope and applicability
3.2.2.2.2 Obligations and security requirements
3.2.2.2.3 Conclusions

Chapter 4
4.1 Conclusions
4.2 Recommendations

Abbreviations
Bibliography

Chapter 1

INTRODUCTION

‘Technology…is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other’.2

1.1 Background

During a heavy winter in 2019, the power distribution across Eastern Europe suddenly went off, and fear spread among 290 million Eastern Europeans. Soon, for lack of electricity, airports shut down their traffic, banks stopped their financial operations, hospitals could no longer admit patients, and in the darkest night in Europe's history, all systems went offline. What triggered this hypothetical disaster? The answer is simple: a massive Distributed-Denial-of-Service attack (from now on DDoS attack) targeting the critical infrastructure (e.g. power grid, airports, banking or financial systems) of a major part of Europe, launched by a group of unidentified hackers.3

Even if this outage is, for the moment, just a ‘worst-case scenario’, it exposes ‘the ubiquity of digital technology in modern life’4 and the energy dependence of our smart society. Computer systems have increasingly become part of our lives. The technology revolution has changed our world, and we now live in an ‘information society’,5 which has come with its disadvantages. Such a globalised, interconnected digital life has created many crime opportunities across countries.6 An essential theory of criminology indicates that crime will always follow opportunity, and unfortunately, ‘opportunities abound in today's computer reliant world’.7 Moreover, a smart grid embodies more data and Internet-connected control systems than ever, a fact that has opened the door to countless new risks and cyber attacks.8 Countries have become more and more reliant on ICT networks to provide vital services such as communications, energy and transport.9 In brief, because people are becoming notably dependent on computers and smart devices, technology itself has become a fascinating target for cybercriminals.

For example, in November 2016, attackers hit a smart building system in Finland, disrupting heat distribution, hot water and ventilation. A DDoS attack overwhelmed the network and blocked the administrators' remote access, forcing the devices to restart every few minutes. The problem was fixed only when a technician went to the properties and took the hardware offline manually until the attack was over. Fortunately, in this case the DDoS attack broke down ‘just the heating’ of two houses during a heavy Finnish winter, but this might be just the beginning, as the same smart heating systems are used in some hospitals across Finland.10

Unfortunately, DDoS attacks targeting critical infrastructure are likely to have a more significant impact than in the Finnish case. Making critical infrastructure unavailable, even for a few hours, may have a massive economic impact, affecting the day-to-day running of society and leading towards direct physical damage, possibly including loss of life.11 Moreover, because EU critical infrastructure is interconnected and interdependent, a failure in one country could easily lead to a chain reaction in other countries, posing a threat to the European Union's security.12

Even if many successful technical research studies have introduced new guidance for increasing the overall cyber security and cyber resilience of critical infrastructures, what has been missing until now is a legal framework that the Member States could rely on to impose mandatory cyber security measures on the providers of essential services.13 This thesis aims to investigate in which manner a DDoS attack would be able to inflict damage on critical infrastructure, and whether there are any gaps in the related legal framework.

2 A. Lewis, quoting C.P. Snow, New York Times, 15 March 1971, p. 37 <https://timesmachine.nytimes.com/timesmachine/1971/03/15/issue.html> accessed 11 December 2016.
3 L. A. Maglaras et al., ‘NIS directive: The case of Greece’ (2018) EAI Endorsed Transactions on Security and Safety, Volume 4, Issue 14 <http://eudl.eu/doi/10.4108/eai.15-5-2018.154769> accessed 12 July 2018.
4 Jonathan Clough, Principles of Cybercrime (2nd Edition, Cambridge University Press, 2015) p. 3.
5 A. D. Elyakov, ‘The Nature of the Modern Information Society’ (2010) Scientific and Technical Information Processing p. 60 <https://link.springer.com/content/pdf/10.3103%2FS0147688210010090.pdf> accessed 13 August 2018.
6 David S. Wall, The Transformation of Crime in the Information Age (first published 2007, Polity Press) p. 37.
7 Lucian Vasiu, Ioana Vasiu, ‘Dissecting Computer Fraud: From Definitional Issues to a Taxonomy’ (2004) <http://ieeexplore.ieee.org/document/1265413/> accessed 11 January 2017.
8 Maglaras et al. (n 3).
9 L. A. Maglaras et al., ‘Cyber security of critical infrastructures’ (2018) ICT Express, Volume 4, The Korean Institute of Communications and Information Sciences, p. 42-45 <https://www.sciencedirect.com/science/article/pii/S2405959517303880> accessed 10 June 2018.
10 Paul, ‘Update: Let's Get Cyberphysical: Internet Attack shuts off the Heat in Finland’ (The Security Ledger, 8 November 2016) <https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland> accessed 19 September 2017.
11 Maglaras et al. (n 9).
12 Maglaras et al. (n 3).
13 Ibid.

1.2 Problem statement

The Distributed-Denial-of-Service attack is one of the most significant concerns for cyber security experts because such attacks are ‘explicit attempts to disrupt legitimate users' access to services’.14 David S. Wall describes this type of attack as a ‘cyber-barrage’, which affects computer or network availability with the aim to ‘prevent legitimate users from gaining access to networks and computer systems by bombarding’ them with data.15 The outcome of a DDoS attack is easier to understand through the example of a person who uses automated means to call the 911 emergency services over and over again, just for fun. The calls will eventually block and prevent legitimate calls from persons who need help.

It is not adequately documented when the first Distributed-Denial-of-Service attack took place. The earliest apparent attack, as such, came to light in 2000, when websites like Yahoo, Amazon and eBay went down, leading to revenue losses of up to 1.2 billion U.S. dollars, not taking into account the impact on public trust and reputation.16

Seventeen years after that incident, DDoS attacks remain in sight, more harmful and sophisticated than ever as a result of today's outbreak of online connectivity. Items like TVs, refrigerators, bathroom heaters and so on, which until recently were traditionally offline, have now incorporated Internet connectivity and are called the ‘internet of things’ (from now on IoT). Because they have an unlimited Internet connection, users rarely switch these devices off, and for this reason smart devices can be transformed into the ultimate weapon for launching a massive DDoS attack: the IoT botnet.17

Unfortunately, in 2016, the most powerful DDoS attack in the history of the Internet, launched by such an IoT botnet (also known as the Mirai botnet), brought down major websites like the Guardian, Netflix, Twitter, Reddit, CNN and other sites from the US and Europe.18 The attack targeted the servers of Dyn, a company providing DNS and other infrastructure services for the public Internet. In this case, the attackers controlled and abused a network of vulnerable, poorly secured ‘things’ with an Internet connection, such as IP cameras and DVRs.

Thus, to launch a successful DDoS attack and to hinder, for example, the continuous flow of electricity from a power plant, the attacker does not even have to get access to the computer network of the target. One of the methods is to gain control of thousands of vulnerable IoT devices by infecting them with malware that allows the attacker to command them. Secondly, in a coordinated and distributed way, the DDoS attack is initiated, and the ‘network of remotely controlled, well organised, and widely scattered Zombies or Botnet19 computers’20 continuously sends, at the same time, a large volume of unwanted and illegitimate traffic, which floods the target with requests. The system responds too slowly and either becomes unavailable or crashes entirely.21 Consequently, with more and more vulnerable IoT devices present in our lives, a DDoS attack launched by an IoT botnet is so powerful that it can quickly reach traffic levels not seen so far.

Furthermore, a central issue of being part of an IoT botnet is the fact that the victims are in most cases unaware, because the infected devices may work completely normally, with no warning signs. However, if the device is compromised, the consequences could be severe: the attacker could steal the personal data of the victim, which can be used for other crimes like identity theft or blackmail, or the device could contribute to the next major DDoS against a nuclear power plant. Unfortunately, for the targeted computer system or network, it is almost impossible to know whether the tremendous number of requests are real, coming from legitimate users, or not, and sometimes the effects are not known until it is too late, making this type of attack challenging to counter.

14 S. T. Zargar, James Joshi, David Tipper, ‘A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks’ (2013) IEEE <https://ieeexplore.ieee.org/document/6489876/> accessed 24 January 2018.
15 Wall (n 6), p. 61.
16 Justin Stephen, ‘The Changing Face of Distributed Denial of Service Mitigation’ (2001) SANS Institute <https://www.sans.org/reading-room/whitepapers/threats/threat-intelligence-planning-direction-36857> accessed 28 November 2017.
17 Clough (n 4), p. 5.
18 Nicky Woolf, ‘DDoS attack that disrupted internet was largest of its kind in history, experts say’ (The Guardian, San Francisco, 26 October 2016) <https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet> accessed 7 December 2016.
19 An internet bot is a software application that runs automated tasks over the Internet. For more details see K. Dunham, J. Melnick, Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet (Auerbach Publications, Taylor & Francis Group, 2008) p. 1. The devices controlled by the attackers are named ‘bots’ or ‘robots’ because they act just like robots executing an automatic task.
20 Zargar et al. (n 14).
21 Jelena Mirkovic, Janice Martin and Peter Reiher, ‘A Taxonomy of DDoS Attacks and DDoS Mechanisms’ (2004) SIGCOMM Computer Communication Review vol. 34 <https://lasr.cs.ucla.edu/ddos/ucla_tech_report_020018.pdf> accessed 24 January 2018.
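To make the last two points concrete, the following example is added by the editor and is not part of the thesis. It runs two simple checks over a constructed request log in which 200 bots each send one request per second alongside five legitimate clients sending two per second. A per-source rate limit, the natural defence against a single abusive caller like the 911 prankster above, never triggers, because every bot individually looks like a quiet legitimate user; only the aggregate rate measured against a baseline reveals the flood, and even then it cannot say which of the requests should be dropped. The log format, the addresses and the thresholds are assumptions chosen for the illustration.

```python
"""Per-source versus aggregate detection of a distributed flood.

Added illustration (not from the thesis). The log format, the addresses and
the thresholds are assumptions chosen for the example; the traffic below is
constructed, not captured.
"""
import re
from collections import Counter, defaultdict

# Hypothetical access-log format: <source-ip> <second> "<request>" <status>
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<ts>\d+) "(?P<req>[^"]*)" (?P<status>\d{3})$')

LEGIT_CLIENTS = 5    # each sends 2 requests per second
BOTS = 200           # each sends 1 request per second (looks like a quiet user)
WINDOW_SECONDS = 10


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "ts": int(m["ts"]), "req": m["req"], "status": int(m["status"])}


def build_sample_log():
    """Constructed traffic: a 10-second window with legitimate users and a botnet."""
    lines = []
    for ts in range(WINDOW_SECONDS):
        for c in range(LEGIT_CLIENTS):
            for _ in range(2):
                lines.append(f'10.0.0.{c + 1} {ts} "GET /login HTTP/1.1" 200')
        for b in range(BOTS):  # 198.51.100.0/24 is a documentation range (RFC 5737)
            lines.append(f'198.51.100.{b + 1} {ts} "GET /login HTTP/1.1" 200')
    return lines


def per_source_offenders(records, max_rps):
    """Sources that exceed max_rps in any single second (classic per-client rate limit)."""
    per_second = defaultdict(Counter)        # src -> Counter(ts -> hits)
    for r in records:
        per_second[r["src"]][r["ts"]] += 1
    return {src for src, hits in per_second.items() if max(hits.values()) > max_rps}


def aggregate_rps(records):
    """Total requests per second across all sources."""
    return Counter(r["ts"] for r in records)


def flood_detected(records, baseline_rps, factor):
    """True if any second carries more than factor x the normal aggregate rate."""
    rates = aggregate_rps(records)
    return bool(rates) and max(rates.values()) > baseline_rps * factor


def summarise(lines):
    """Run both checks over raw log lines; malformed lines are skipped."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return {
        "per_source_offenders": per_source_offenders(records, max_rps=5),
        "peak_rps": max(aggregate_rps(records).values()),
        "flood_detected": flood_detected(records, baseline_rps=10, factor=5),
    }


if __name__ == "__main__":
    result = summarise(build_sample_log())
    print("per-source offenders:", result["per_source_offenders"] or "none")
    print("peak aggregate rps:", result["peak_rps"])
    print("flood detected:", result["flood_detected"])
```

Run with plain Python 3. The per-source limit is what a single automated caller would trip; the botnet above stays under every individual threshold while pushing the aggregate from 10 to 210 requests per second, which is exactly why the targeted system cannot tell the bots' requests from legitimate ones without additional context.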

DDoS attacks targeting the various critical infrastructures in the EU are among the most commonly reported; therefore, they have become a top priority for EU law enforcement. Unfortunately, law enforcement agencies have noticed an increasing number of these attacks in the last couple of years. The most affected sector is aviation, with more than 1000 DDoS attacks each month.22 It is expected that, following the success of the Mirai botnet, there will be an increasing number of massive DDoS attacks originating from vulnerable IoT, causing severe disruptions to critical infrastructure.23 In order to prevent such disruption attempts and to increase the level of security of critical infrastructure,24 the EU legislator has adopted various legal tools.25

To summarise, there is a current and delicate point in question, concerning no longer just the cyber safety but the physical safety of Europeans. Thus, a profoundly relevant question follows from these findings: are the EU countries prepared, from a legal point of view, to prevent and stop a DDoS attack launched by an IoT botnet on critical infrastructure, and to find the attackers?

1.3 Research question

This thesis aims to determine whether the legal framework of the EU Member States is sufficient to protect their citizens against the vast implications of DDoS attacks, more powerful and sophisticated than ever, launched with the help of unsecured IoT against critical infrastructure. Therefore, the central research question of this thesis reads:

‘Do EU Member States have enough legal bases to protect their citizens from massive DDoS attacks originating from a variety of unsecured IoT devices and targeting critical infrastructure?’

The following sub-questions have to be addressed to reach an answer to the central research question:

1) What are Distributed-Denial-of-Service attacks and what makes them possible?
2) What is the Internet of Things and why did this category of devices become a ‘new environment’ for the proliferation of massive DDoS attacks? What can be learnt from the Mirai botnet?
3) What are the main characteristics of critical infrastructure and why has it become a tempting target for DDoS attacks?
4) What is the relevant EU legal framework regarding the fight against attacks on critical infrastructure? How are the steps for building a botnet and launching a DDoS attack regulated under the Botnet and NIS Directives?
5) Are there any gaps in the current EU legal framework with respect to DDoS attacks launched by IoT botnets against critical infrastructure?

22 EUROPOL, IOCTA 2017, Internet Organised Crime Threat Assessment, Europol, EC3 European Cybercrime Centre, 2017 <https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017> accessed 25 January 2018.
23 Ibid.
24 Maglaras et al. (n 3).
25 Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, COM (2013) 48 final, 2013/0027 (COD).

1.4 Significance of this study

This thesis will provide an extensive legal analysis, from an EU point of view, of the characteristics and frameworks that deal with DDoS attacks targeting critical infrastructure. Moreover, the author will assess and discuss the possible gaps in the legal framework and what could be improved. Unfortunately, even if the topic is of tremendous interest, legal scholars have not yet discussed the phenomenon connecting all three central concepts of this thesis: DDoS, IoT botnets and critical infrastructure. However, some technical experts and political scientists have assessed these topics to a certain extent and shown that the EU is now struggling with such new challenges in cyber security.26 Thus, without much legal literature to draw on, the author will address the main characteristics of each concept. There is a lack of research on how building an IoT botnet and launching a DDoS attack are regulated and criminalised, but also on what the operators of critical infrastructure should do in the aftermath of such an attack. The thesis will also touch on a more debatable topic, namely how the IoT is reshaping the magnitude and the effects of a DDoS attack. Therefore, the thesis will not only address some almost unexplored topics, but will also go beyond the legal analysis of each concept towards connecting all of them and addressing them differently, under the Botnet and NIS Directives. It is true that a few legal scholars have referred to the Internet of Things and critical infrastructure in their work. However, their focus was only on the IoT devices embedded in critical infrastructure, and on the effects and legal implications of taking control of such devices. On the contrary, this thesis focuses on all IoT devices that are insecure and susceptible to becoming part of a botnet.

In conclusion, the author hopes that this research will help the Member States, the EU legislator, the law enforcement agencies and all interested parties to identify the gaps in the legal framework, to do more research on these matters and to set up the groundwork for further discussions and cooperation.

26 Maglaras et al. (n 3).

1.5 Limitations

Due to the limited length of this thesis, the author will not demonstrate how resilient critical infrastructure is against a DDoS attack, or what effects such attacks could have on society. According to technical scholars, at the moment this is difficult to say or predict, and more research on the matter is needed.27 Moreover, no distinction will be made between the various types of DDoS attack because, from a legal point of view, all of them have the same result: overloading the network of the critical infrastructure by sending vast volumes of network traffic.28 There are many ways of launching a DDoS attack, but only the use of an IoT botnet is assessed, because of the large traffic volume it makes easy to acquire. In addition, given the limited scope of the thesis, the focus will not be on state-sponsored cyber attacks targeting vulnerabilities in industrial control systems (ICS), or on attacks aiming to take control of the supervisory control and data acquisition (SCADA) systems that assure the correct working of, for instance, a power plant. Such attacks are certainly real, but they fall within the territory of national security and may never be reported to law enforcement.29 The attention will be concentrated on more common attacks, which do not even require access to such an isolated computer network.30 However, even if using a botnet like Mirai to launch a DDoS attack against any critical European infrastructure is a real and direct threat, such an attack may not be as powerful as taking the smart grid offline, but it could still produce severe disruption in the targeted country and surrounding countries.31

Furthermore, due to the limited technical background of the author, only a brief description of the characteristics of the three central concepts will be provided, in order to pinpoint why the IoT became a new and essential element for attackers launching a DDoS attack.

Lastly, because in the cyber world attribution, namely the ability to discover who is behind a cyber attack, is almost non-existent and not as robust as in the physical world,32 and because of the novelty of the attacks and matters presented in this thesis, relevant case law is scarce or non-existent.

27 William Hurst, Nathan Shone, Quentin Monnet, ‘Predicting the Effects of DDoS Attacks on a Network of Critical Infrastructures’ (2015) Thirteenth IEEE International Conference on DASC'15, Liverpool <https://pdfs.semanticscholar.org/cf6c/41715347b703f4bd964425160010035ab957.pdf> accessed 25 January 2017.
28 Ibid.
29 EUROPOL, IOCTA 2017 (n 22).
30 Ibid.
31 Ibid.

1.6 Approach and methodology

The thesis aims to analyse the current EU legal framework in respect of the matters mentioned above, using the methodology of doctrinal legal research. The primary focus is on EU law because the European Union has tried to tackle the problem of cybercrime by having common legal frameworks which regulate ‘similar conduct’,33 whereas other countries do not share the same view on cyber attacks. Therefore, in order to reach an answer to the central research question, a number of relevant primary sources have to be analysed, including, but not limited to, Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (hereinafter the NIS Directive), Directive 2013/40/EU on attacks against information systems (hereinafter the Botnet Directive) and the Council of Europe Convention on Cybercrime, CETS No. 185 (hereinafter the Budapest Convention). Secondary sources will also be consulted, such as opinions and recommendations of the Article 29 Data Protection Working Party, which in May 2018 became the European Data Protection Board or EDPB (from now on WP29),34 academic papers including technical and legal research, other articles and websites, EU law enforcement reports, legal and technical books, case studies, reports and news journals. Firstly, all these sources will be explored to substantiate the unique characteristics of the implications of IoT botnets in DDoS attacks on critical infrastructure. The second step, providing an answer to the central research question, calls for a critical analysis of the legal literature that governs all three central concepts. Finally, all the sources identified and listed in this research will be assessed to provide the basis for the conclusions, final remarks and recommendations of this thesis.

32 David D. Clark, Susan Landau, ‘The Problem isn't Attribution; It's Multi-Stage Attacks’ (2010) ACM ReArch <https://groups.csail.mit.edu/ana/ANA%20PUBLICATIONS/The_Problem_isnt_Attribution.pdf> accessed 28 November 2017.
33 Artur Appazov, ‘Legal Aspects of Cybersecurity’ (University of Copenhagen 2014).
34 The WP29 is an independent European advisory body on privacy and data protection and was established by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. As of May 2018 the WP29 was replaced by the European Data Protection Board (EDPB), an independent European body that contributes to the consistent application of data protection rules in the European Union and promotes cooperation between the EU's data protection authorities. See ‘Article 29 Working Party’ (European Commission, 22 November 2016) <http://ec.europa.eu/newsroom/just/item> accessed 18 October 2017 and <https://edpb.europa.eu/about-edpb/about-edpb_en> accessed 10 September 2018.

1.7 Structure

In order to provide concrete results and to answer the central research question and its sub-questions, the thesis is composed of four chapters.

Chapter 1 presents the background of the problem examined in the thesis. It introduces the research questions, the significance of the research and its limitations.

Chapter 2 introduces the unique characteristics of the concepts relevant to this paper: Distributed-Denial-of-Service attacks, the Internet of Things and critical infrastructure. This chapter further explores what makes DDoS attacks possible and which steps are needed to launch a successful attack. Moreover, it reveals why the IoT became a new vehicle for the proliferation of DDoS attacks and further analyses the security challenges and the Mirai botnet. The last part identifies whether such attacks are a real threat to critical infrastructure and why the latter became a tempting target for attackers.

Chapter 3 focuses only on the EU legal framework, including the Budapest Convention and the NIS and Botnet Directives. The first part of this chapter provides a brief introduction to the Convention, mostly the part dealing with every step that an attacker needs to take in order to launch such attacks. The research then continues by examining the European Union's response to these emerging cyber threats against information systems. It then passes to analysing how each phase of the DDoS attack kill chain is criminalised under the Botnet Directive. It finally identifies the obligations and security requirements of critical infrastructure operators under the NIS Directive and pinpoints possible gaps or imprecisions in the EU legal framework.

Chapter 4 summarises the findings and the conclusions of the legal research done in this thesis and attempts to issue some recommendations that could help the EU Member States to win the cyber crime ‘war’, in which no one can be protected 100% against every cyber attack.

10

Chapter 2

DDoS ATTACKS, INTERNET OF THINGS AND CRITICAL INFRASTRUCTURE

‘Technology is moving so rapidly that from a security perspective, it is difficult to keep up. Consider the evolution of cyber crime in just the past decade.’35

2.1 Chapter Outline

Before starting the legal analysis of DDoS attacks, IoT and critical infrastructure, it is indispensable to have a better overview of the links between these concepts. Firstly, the notion of ‘cybercrime’ is briefly introduced. Secondly, the focus moves to an in-depth analysis of some essential notions and characteristics of the abovementioned concepts.

2.2 ‘Cybercrime’ in progress

Today, computer technology provides means of communication that enable people to talk to each other at their convenience and sometimes even for free. With the progress of technology, cybercrime also evolved, turning the computer itself into a target. The third generation of cybercrimes, as classified by David S. Wall,36 is rising in number as a result of the generative pattern of the Internet.37

Crime and technology have always gone hand in hand,38 and just as well-intentioned persons develop advanced technology, individuals with malicious intentions search for new ways of causing harm. Advanced forms of cybercrime, from hacking and cracking to cyber terrorism and information warfare, are considered threats affecting not only citizens but also economies, geopolitical relations and democracies.39

35 Robert S. Mueller III, Director, Federal Bureau of Investigation, ‘Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies’ (RSA Cyber Security Conference, San Francisco, 1 March 2012) <https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies> accessed 18 November 2017.

36 Wall (n 6), p. 3.

37 According to Jonathan L. Zittrain, this typical feature of the Internet means that any person can contribute to the Internet (e.g. an individual could create a new way for people to communicate, such as instant messaging) without knowing exactly what the resulting change will be. See Jonathan L. Zittrain, The Future of the Internet – And How to Stop It (Yale University Press & Penguin UK 2008) p. 70 <https://dash.harvard.edu/bitstream/handle/1/4455262/Zittrain_Future%20of%20the%20Internet.pdf?sequence=1> accessed 28 July 2018. For example, a computer virus might infect and destroy several computers; this is a bad output of a generative system. In the same manner, several persons can simply plug in and install various software thanks to installers created for this purpose.

38 Wall (n 6), p. 2.

Moreover, crimes in cyberspace create new challenges for lawmakers and law enforcers, because traditional law is no longer sufficient to deter such criminal conduct. The high likelihood of being convicted and sentenced to prison for a bank robbery discourages many persons from committing one. Cyberspace, however, allows criminals to carry out attacks remotely and anonymously, which reduces the chance of being identified or captured. The deterrent effect of the law is therefore weakened and, as a result, cyber crimes keep increasing in severity and power, to the point where they could jeopardise the stability of countries.40

While this thesis was being written, the Council of the European Union41 adopted various measures to strengthen European cybersecurity. The EU Council reaffirmed that cyber threats could undermine national security and critical infrastructures, stressing the need for a common response in combating this phenomenon.42

2.3 An insight into DDoS, Internet of Things and Critical Infrastructure

2.3.1 Distributed-Denial-of-Service attacks

2.3.1.1 Introduction

Perhaps one of the biggest threats to computer and network availability,43 and certainly the ‘greatest security fear for IT managers’,44 Distributed Denial-of-Service attacks are a highly effective method of overwhelming a network or a computer’s resources.

39 Dimitris Avramopoulos, EU Commissioner for Migration, Home Affairs and Citizenship, quoted in the Europol press release ‘2017, The Year When Cybercrime Hit Close to Home’ <https://www.europol.europa.eu/newsroom/news/2017-year-when-cybercrime-hit-close-to-home> accessed 22 November 2017.

40 S.W. Brenner, Cybercrime and the Law: Challenges, Issues and Outcomes (Northeastern University Press 2012), p. 1.

41 The Council of the European Union is the institution where national ministers from each EU country meet to discuss, adopt and coordinate policies for the entire Union.

42 General Secretariat of the Council, ‘EU to beef up cybersecurity’ (Press release, 20 November 2017) <http://www.consilium.europa.eu/en/press/press-releases/2017/11/20/eu-to-beef-up-cybersecurity/#> accessed 22 November 2017.

43 DDoS attacks can seriously affect backbone availability and detach a network from the Internet; such attacks can therefore disrupt the availability of a computer system or of a whole network. See also Thomas Dubendorfer, Arno Wagner, ‘Past and Future Internet Disasters: DDoS attacks’ (2003) Security Protocols and Applications seminar <http://www.insecure.in/papers/ddos_disasters.pdf> accessed 10 September 2018.

44 Usman Tariq, ManPyo Hong, Kyung-suk Lhee, ‘A Comprehensive Categorization of DDoS Attack and DDoS Defense Techniques’ (2006) LNAI 4093, pp. 1025-1036 <https://link.springer.com/chapter/10.1007/11811305_112> accessed 24 January 2018.

From a technical point of view, DDoS attacks ‘[conquer] the target by exhausting its resources, that can be anything related to network computing and service performance, such as link bandwidth, TCP connection buffers, application/service buffer, CPU cycles, etc.’.45

In other words, by launching a DDoS attack the wrongdoer tries to prevent legitimate users from accessing a computer system and/or its services. The attacker thus blocks a person from using functions such as e-mail, websites, online accounts and any other operations that depend on the affected computer systems. When targeting the computer network of a smart grid, a DDoS attack could prevent the flow of energy from being measured by the smart meter aggregators, which could affect the availability of electric power and the demand placed on the power plants.46

Susan Brenner draws an analogy between air strikes in time of war and DDoS attacks, because both destroy the defensive or offensive mechanisms of a system or a country and create damage without ‘entering the target of the attack’.47 Under Brenner’s interpretation, DDoS attacks would be a threat only in a non-physical environment, but it can be argued that DDoS attacks are also able to inflict harm in the physical world. As an illustration, in a hypothetical scenario a DDoS attack could disrupt the continuous flow of energy from a power plant, which would directly affect the telecommunication system.48 Hence, a person calling 911 for help would be in imminent danger due to the unavailability of this system.

Because it is easier for attackers to exhaust the target’s bandwidth from many computers rather than from a single one, the latest DDoS attacks were launched and orchestrated from a considerable number of unsecured connected devices. Thousands of infected devices disrupt services by crowding out the legitimate traffic of a network, sometimes causing the system to crash entirely,49 hence the ‘denial’ character of the attack.50

45 Q. Gu, P. Liu, ‘Denial of Service Attacks’ (2007) in Hossein Bidgoli et al. (eds), The Handbook of Computer Networks (John Wiley & Sons, under second round revision) <https://onlinelibrary.wiley.com/doi/abs/10.1002/9781118256107.ch29#references-section> accessed 15 August 2017.

46 Hurst et al. (n 27).

47 Brenner (n 40) p. 35.

48 Ibid.

49 ‘In a DDoS attack, because the aggregation of the attacking traffic can be tremendous compared to the victim’s resource, the attack can force the victim to significantly downgrade its service performance or even stop delivering any service’, hence the ‘denial’ character of the attack. See Gu, Liu (n 45).

50 Zargar et al. (n 14).

2.3.1.2 Types of DDoS attacks

Some federal agencies51 in the USA consider that the most common type of DDoS attack is the ‘flooding attack’, in which the perpetrator ‘floods’ a network with requests.52 The defence mechanisms designed to protect networks and computers against such attacks are often unable to tell legitimate requests from illegitimate ones, and thus become ineffective.53

There are many variants of DDoS attacks, but three basic flood techniques illustrate how a network can be overloaded with huge volumes of traffic: SYN Flood attacks, UDP Flood attacks and ICMP Flood attacks. Each technique abuses the way computers connect, communicate and exchange information over the Internet.54

51 Brenner (n 40) p. 36.

52 For example, when a person wants to access a web page, a request is sent to its server. The server can process only a limited number of requests per second; therefore, in the case of a DDoS attack the server can collapse under the multitude of requests, creating the ‘denial of service’ effect.

53 Usman Tariq, Yasir Malik, Bessam Abdulrrazak and M. Hong, ‘Collaborative Peer to Peer Defense Mechanism for DDoS attacks’ (2011) Procedia Computer Science 157-165 <https://www.sciencedirect.com/science/article/pii> accessed 24 January 2018.

54 A brief introduction to the TCP/IP Internet protocols is therefore needed to understand how connected devices communicate with each other and to differentiate between the attack techniques. Computers and the Internet operate on a ‘de facto’ standard: the Transmission Control Protocol/Internet Protocol (hereinafter TCP/IP). TCP/IP is therefore a language that the Internet and all connected computers understand: a ‘lingua franca’. This protocol suite allows a computer system to communicate with another over the Internet by splitting data into packets and delivering them to the correct location. How does the transfer of data actually work? Notably, two computers have to establish a connection before any data is exchanged. For this reason the ‘client’ (the computer requesting information from another) sends a message to the ‘server’ (the computer receiving the request) containing the information needed to identify it, known as a ‘SYN’ request (the name comes from the ‘SYN’ packet, an abbreviation of ‘synchronise’; the ‘SYN’ packet originates from the ‘source host’, i.e. the party initiating the communication). Secondly, the ‘server’ replies to the ‘client’ with its own sequence number and an acknowledgement (‘SYN-ACK’), signalling that the ‘server’ is ‘awake’ and running. Finally, the ‘client’ sends back an acknowledgement (‘ACK’) that it is ready to receive data; hence the transfer can take place. This three-way handshake may seem redundant, but the connection must be set up before the two computers can exchange data. TCP/IP is described here as two layers. The upper one, TCP, is responsible for splitting the data (a photo, e-mail, message, etc.) into small packets and sending them to the ‘client’, along with the instructions on how to reassemble that data correctly; some experts see TCP as a ‘digital shipping and receiving department’. The lower layer, IP, carries the source and destination addresses of the data packets. Thus, ‘TCP is the data. IP is the Internet location GPS’. For more details see Eric J. Sinrod and William P. Reilly, ‘Cyber-Crimes: A Practical Approach to the Application of Federal Computer Crime Laws’ (2000) 16 Santa Clara High Tech. L.J. 177, pp. 189-191 <http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1258&context=chtlj> accessed 24 November 2018; Brian Foote, Don Roberts, ‘Lingua Franca’ (1998) Fifth Conference on Pattern Languages of Programs, PLoP ’98 <http://laputan.org/pub/foote/lingua.pdf> accessed 10 July 2018; Roberto Sanchez, ‘What is TCP/IP and How Does It Make the Internet Work?’ (HostingAdvice.com, 17 November 2015) <https://www.hostingadvice.com/blog/tcpip-make-internet-work> accessed 9 August 2018.

The first type is the SYN Flood attack. A computer or server can keep track of only a limited number of pending ‘SYN’ requests. Attackers exploit this weakness by sending more SYN requests than the TCP implementation can handle, usually from spoofed source addresses, so that the connections are never completed with the final acknowledgement. Faced with the multitude of requests, TCP holds each half-open connection in a queue (the backlog) while waiting for the handshake to finish. However, the space in this queue is limited, and once it reaches capacity new ‘SYN’ requests, including those of legitimate users, are simply ‘turned back’, generating the denial of service effect.55
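The three-way handshake of footnote 54 and the backlog exhaustion just described, modelled in Python as an added example; this is not code from the thesis or from the works it cites. The backlog size, the addresses (taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) and the cookie secret are constructed values. The model also includes SYN cookies, the standard countermeasure, in which the server encodes its state in the sequence number it returns instead of storing a half-open entry, so there is no queue to fill:

```python
"""Model of the TCP three-way handshake and of SYN backlog exhaustion.

Added illustration, not code from the thesis or its sources. Backlog size,
addresses and the cookie secret are constructed values. Real kernels also
expire half-open entries after several SYN-ACK retransmissions; that timer is
left out so the queue effect is visible on its own.
"""
import hashlib
from dataclasses import dataclass, field

COOKIE_SECRET = b"constructed-demo-secret"  # per-host secret; constructed value


def syn_cookie(src: tuple) -> int:
    """Server ISN derived from the client's (ip, port) and a secret rather than
    from stored state: the idea behind SYN cookies."""
    digest = hashlib.sha256(COOKIE_SECRET + repr(src).encode()).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass
class Listener:
    backlog_size: int
    use_syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)  # (ip, port) -> server ISN
    established: int = 0
    dropped_syns: int = 0
    next_isn: int = 1000

    def on_syn(self, src: tuple):
        """Client SYN arrives. Returns the SYN-ACK (server ISN) or None if dropped."""
        if self.use_syn_cookies:
            return ("SYN-ACK", syn_cookie(src))  # nothing stored: no slot to exhaust
        if src in self.half_open:  # retransmitted SYN: reuse the existing slot
            return ("SYN-ACK", self.half_open[src])
        if len(self.half_open) >= self.backlog_size:
            self.dropped_syns += 1  # backlog full: the SYN is silently discarded
            return None
        isn, self.next_isn = self.next_isn, self.next_isn + 1
        self.half_open[src] = isn  # state SYN_RECEIVED, waiting for the final ACK
        return ("SYN-ACK", isn)

    def on_ack(self, src: tuple, ack: int) -> bool:
        """Final ACK of the handshake; it must acknowledge the server ISN + 1."""
        if self.use_syn_cookies:
            ok = ack == syn_cookie(src) + 1
        else:
            ok = src in self.half_open and ack == self.half_open[src] + 1
            if ok:
                del self.half_open[src]  # slot released, connection ESTABLISHED
        if ok:
            self.established += 1
        return ok


def simulate(backlog_size: int, spoofed_syns: int, use_syn_cookies: bool = False) -> dict:
    """Spoofed SYNs never complete the handshake (the SYN-ACK goes to an address
    that never asked for it); afterwards one legitimate client tries to connect."""
    srv = Listener(backlog_size, use_syn_cookies)
    for i in range(spoofed_syns):
        srv.on_syn((f"198.51.100.{i % 250}", 40000 + i))  # constructed spoofed sources
    client = ("203.0.113.7", 51515)  # constructed legitimate client
    reply = srv.on_syn(client)
    connected = False
    if reply is not None:
        _, server_isn = reply
        connected = srv.on_ack(client, server_isn + 1)
    return {
        "legit_connected": connected,
        "half_open": len(srv.half_open),
        "dropped": srv.dropped_syns,
        "established": srv.established,
    }


if __name__ == "__main__":
    print("no cookies :", simulate(128, 1000))
    print("SYN cookies:", simulate(128, 1000, use_syn_cookies=True))
```

With a backlog of 128 and 1000 spoofed SYNs the legitimate client is turned back and 128 half-open entries remain, which is the effect described in the paragraph above; with SYN cookies nothing is stored, so the legitimate handshake completes regardless of the flood. On Linux the behaviour is controlled by the sysctl net.ipv4.tcp_syncookies.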

The second type is the UDP Flood attack, which is similar to the previous one. The User Datagram Protocol (hereinafter UDP) is connectionless: a server receiving a UDP datagram on a given port checks whether an application is listening there and, if so, processes the request (for small diagnostic services such as echo or the time-of-day service this means answering with information about itself); if nothing is listening, it replies with an ICMP ‘destination unreachable’ message. When a huge number of such datagrams arrives, often on random ports and with spoofed source addresses, this work consumes the server’s resources and bandwidth, blocking the other persons who are trying to reach the server under attack.56

Finally, the third type, the ICMP Flood attack, is similar to the attacks above. It abuses the Internet Control Message Protocol (hereinafter ICMP): the culprit floods the server with a large number of bogus ICMP Echo Request (‘ping’) packets, each of which the server normally answers with an Echo Reply. Such ping requests are legitimately used to identify errors in a computer network and to check for data transport problems.57
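The three flood types described above share a detectable pattern in traffic records: SYNs that are never followed by ACKs, UDP datagrams scattered over many ports, and a burst of Echo Requests. The following Python classifier runs that logic over a constructed one-second capture; it is an added example, not code from the thesis or its sources, and the packet records and thresholds are constructed for illustration (on a real network the thresholds come from a baseline of the link’s normal traffic):

```python
"""Classify flood traffic per destination from packet records.

Added example, not code from the thesis or its sources. Packet records and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float            # seconds
    src: str
    dst: str
    proto: str           # "tcp" | "udp" | "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    icmp_type: int = -1  # 8 = Echo Request


# Constructed thresholds for a one-second window.
SYN_PPS = 200            # connection attempts per second a small host cannot absorb
SYN_RATIO = 0.8          # share of SYNs among SYN+ACK segments: handshakes never finish
UDP_PPS = 200
UDP_DISTINCT_PORTS = 50  # random destination ports, typical of UDP floods
ICMP_PPS = 200


def classify(packets, window: float = 1.0) -> dict:
    """Return {destination: flood type} for every destination over a threshold."""
    per_dst = defaultdict(lambda: {"syn": 0, "ack": 0, "udp": 0,
                                   "udp_ports": set(), "echo": 0})
    for p in packets:
        s = per_dst[p.dst]
        if p.proto == "tcp":
            if "SYN" in p.flags and "ACK" not in p.flags:
                s["syn"] += 1
            elif "ACK" in p.flags:
                s["ack"] += 1
        elif p.proto == "udp":
            s["udp"] += 1
            s["udp_ports"].add(p.dport)
        elif p.proto == "icmp" and p.icmp_type == 8:
            s["echo"] += 1

    verdicts = {}
    for dst, s in per_dst.items():
        syn_ratio = s["syn"] / max(1, s["syn"] + s["ack"])
        if s["syn"] / window >= SYN_PPS and syn_ratio >= SYN_RATIO:
            verdicts[dst] = "syn_flood"
        elif s["udp"] / window >= UDP_PPS and len(s["udp_ports"]) >= UDP_DISTINCT_PORTS:
            verdicts[dst] = "udp_flood"
        elif s["echo"] / window >= ICMP_PPS:
            verdicts[dst] = "icmp_flood"
    return verdicts


def constructed_capture():
    """One second of constructed traffic: a normal web server plus three floods."""
    pk = []
    # benign: 20 clients complete the handshake with 10.0.0.1 and send data
    for i in range(20):
        c = f"203.0.113.{i}"
        pk.append(Packet(i / 20, c, "10.0.0.1", "tcp", 443, frozenset({"SYN"})))
        pk.append(Packet(i / 20, c, "10.0.0.1", "tcp", 443, frozenset({"ACK"})))
        pk.append(Packet(i / 20, c, "10.0.0.1", "tcp", 443, frozenset({"ACK", "PSH"})))
    # SYN flood: 600 SYNs from spoofed sources, no ACK ever follows
    for i in range(600):
        pk.append(Packet(i / 600, f"198.51.100.{i % 200}", "10.0.0.5", "tcp", 80,
                         frozenset({"SYN"})))
    # UDP flood: 400 datagrams to random-looking destination ports
    for i in range(400):
        pk.append(Packet(i / 400, f"198.51.100.{i % 200}", "10.0.0.6", "udp",
                         1024 + (i * 7919) % 60000))
    # ICMP flood: 300 Echo Requests
    for i in range(300):
        pk.append(Packet(i / 300, f"198.51.100.{i % 200}", "10.0.0.7", "icmp", icmp_type=8))
    return pk


if __name__ == "__main__":
    for dst, kind in sorted(classify(constructed_capture()).items()):
        print(dst, kind)
```

The benign server 10.0.0.1 is not flagged because its SYNs are matched by ACKs and their rate is low; the three attacked hosts each receive the verdict matching the flood type described above. The SYN ratio test is what separates a busy but healthy server from one under a SYN flood, which a raw packet count alone cannot do.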

In the light of the above, the aftermath of a DDoS attack can be understood more easily through the following example: a medium-sized supermarket is visited by 1000 persons who buy nothing but overwhelm the staff with questions about the products. The genuine customers form a queue and wait until they can enter the shop, blocking other persons from coming in.58 Likewise, in the end, a server or computer system targeted by a DDoS attack receives too many requests and stops working. A DDoS attack creates very much the same effect as the scenario above, but on purpose, and it may target the critical infrastructure of a country.59

55 Sinrod, Reilly (n 54), p. 192.

56 Ibid.

57 Ibid.

58 Clough (n 4), p. 44.

59 Ibid, p. 43.

2.3.1.3 Brief history of DDoS attacks

It is open to question when DDoS attacks arose. Some experts claim that the first denial-of-service attack took place in 1974.60 According to a DDoS attack tool timeline,61 the tools for launching such attacks were developed ‘in the underground of the Internet’ during the summer of 1998, and the first reported DDoS attack took place in 1999.

It is certain, however, that the public and governments became aware of such attacks only in 2000, specifically on 7 February. On that day a ‘15-year-old high school student from a posh Montreal suburb’,62 known as ‘Mafiaboy’, launched a massive DDoS attack on Yahoo’s servers, blocking more than half of its users from logging into their accounts. In the same way, other major websites such as CNN, eBay, Amazon and Dell were paralysed within moments, and it turned into a game for the young ‘hacker’, who asked for new possible targets in IRC chat rooms.63 Many experts, including US President Bill Clinton, considered this attack ‘an electronic Pearl Harbour’ which served ‘as a wake-up call to the fast-paced Internet industry’.64

2.3.1.4 What makes DDoS attacks possible?

As indicated above, Distributed Denial-of-Service attacks are a powerful way to cause significant damage to any target, without warning signs, by taking advantage of the intrinsic nature of the Internet.65 The Internet was built and designed to offer fast and cheap means of communication, with no security in mind. Although the Internet is very successful in

60 The first DoS attack, at the University of Illinois, is attributed to Dave Dennis, a thirteen-year-old who wanted to take control of some terminals and used this method as an exploit against the channel operator. See Brian, ‘Perhaps the first Denial-Of-Service Attack?’ (PLATO History, 11 February 2010) <http://www.platohistory.org/blog/2010/02/perhaps-the-first-denial-of-service-attack.html> accessed 16 February 2017.

61 Dave Dittrich, ‘DDoS attack tool timeline’ (USENIX, 22 July 2000) <https://www.usenix.org/legacy/publications/library/proceedings/sec2000/invitedtalks/dittrich_html/timeline.html> accessed 29 April 2018.

62 Tu Thanh Ha, Barrie McKenna, ‘The hacker who talked too much’ (The Globe and Mail, 20 April 2000) <https://www.theglobeandmail.com/news/national/the-hacker-who-talked-too-much> accessed 29 April 2018.

63 Michael Calce, Craig Silverman, Mafiaboy: How I Cracked the Internet and Why It’s Still Broken (1st edn, Viking 2008) p. 112.

64 Brian Blomquist, ‘Prez holds summit to stop cyberhacks’ (New York Post, 16 February 2000) <https://nypost.com/2000/02/16/prez-holds-summit-to-stop-cyberhacks/> accessed 29 April 2018.

65 Michele De Donno, Nicola Dragoni, Alberto Giaretta, Angelo Spognardi, ‘Analysis of DDoS-Capable IoT Malwares’ (2017) Proceedings of the Federated Conference on Computer Science and Information Systems, pp. 807-816 <https://annals-csis.org/Volume_11/drp/pdf/288.pdf> accessed 24 January 2018.

reaching this goal, plenty of security weaknesses provide the favourable circumstances for deploying DDoS attacks:66

- Internet security is deeply interdependent: however well the attacked system itself is secured, whether it is vulnerable to a DDoS attack depends on the security of the rest of the Internet;

- Each Internet host has limited resources: no Internet host, network or service has unlimited resources, so every entity’s resources can be depleted by a finite number of users;

- Many and long beat few and short: when attacks are launched in a coordinated and distributed way and the attackers’ aggregate resources exceed those of the victim, the attack succeeds in almost all cases.

According to Mirkovic et al., there are four essential phases in assembling a successful DDoS attack:67

1. Recruiting vulnerable agents: in order to have many resources, the attacker automatically scans the Internet for vulnerable or poorly secured computer systems to enslave; these systems will perform the DDoS attack and are not the final target;

2. Exploitation and infection: the attacker exploits the security holes and vulnerabilities found and plants the malware. There are various ways to infect a host. The attacker can use malicious software,68 such as viruses,69 bots,70 spyware71 or a Trojan.72 Moreover, independent, self-replicating worms can be used to spread the malware to more hosts while evading discovery, building a vast attack network of hundreds of thousands of computers.73 The ‘zombie army’ so created is also known as a ‘botnet’.74 At this stage the owners of the infected devices typically have no idea of the security breach or of the fact that they will take part in a DDoS attack. When the attack happens, it uses only a small amount of each device’s resources, so the owners of the devices in the botnet notice at most a slight change in their normal performance;75

3. Communication: the attacker sends instructions through the command and control network to the handlers, to identify which agents are online, to schedule the moment of an attack, or to upgrade the running agents;76

4. Attack phase: the final step, in which the attacker orders the start of the attack77 and specifies the target, total duration, methods for avoiding detection and any other parameters needed for a successful attack.78

Moreover, four main actors (Fig. 1)79 take part in a DDoS attack:

66 Christos Douligeris, Aikaterini Mitrokotsa, ‘DDoS attacks and defense mechanisms: classification and state-of-the-art’ (2003) Department of Informatics, Greece <http://citeseerx.ist.psu.edu/viewdoc/download> accessed 24 January 2018.

67 Mirkovic et al. (n 21).

68 Malicious software or ‘malware’ is software that can be used for malicious purposes such as gathering personal information in order to commit fraud, discovering computer vulnerabilities that might be exploited, or accessing confidential information. The main categories of malware are viruses, worms, Trojans, bots and spyware. See Clough (n 4), pp. 38-39.

69 Viruses and worms are not the same from a technical point of view, but both infect a computer by copying themselves and then performing a programmed function such as deleting or modifying data or installing other malware. The main difference is that a virus needs to infect another program in order to affect the system, whereas a worm is self-replicating and does not need to infect another application. See Clough (n 4), p. 40.

70 A bot is a type of malware that infects a system and allows the attacker to control it remotely. Infected computers or systems are also known as ‘slaves’ or ‘zombies’, and a network of them under common control is a ‘botnet’. See Clough (n 4), p. 41.

71 Spyware is a program that monitors how the victim uses the computer or system. This type of malware can report to the attacker which websites the victim visits, or intercept the passwords used on those websites. It runs in the background without the victim being aware and can send the attacker personal and financial information that can be used for further cybercrimes. See Clough (n 4), p. 42.

72 This type of malware is named after the legendary Trojan horse because it looks innocent at first sight but contains hidden functions and purposes. Trojans can be enclosed in software, e-mail attachments, websites, etc. Some Trojans install a ‘back door’ that allows the attacker to control the infected device remotely. Such malicious software can intercept and send SMS messages, forward incoming calls, steal information from mobile devices, disable a computer’s anti-virus, etc. See Clough (n 4), pp. 40-41.

73 Q. Gu, P. Liu (n 45).

74 A botnet is a conglomerate of advanced malicious software that uses different methods and techniques (viruses, worms, Trojan horses or rootkits) to distribute itself, penetrate a computer system, take control of it and hand supreme authority over it to the attacker. See European Network and Information Security Agency (ENISA), Botnets: Detection, Measurement, Disinfection & Defence (2011) p. 14 <https://www.enisa.europa.eu/publications/botnets-measurement-detection-disinfection-and-defence/at_download/fullReport> accessed 10 June 2018. According to a Memorandum of the European Commission, ‘botnet’ indicates a network of computers that have been infected by malicious software (a computer virus). Such a network of compromised computers or ‘zombies’ may be activated to perform specific actions, such as attacks against information systems. These ‘zombies’ can be controlled by another computer without the knowledge of the users of the compromised computers. See <http://europa.eu/rapid/press-release_MEMO-13-661_en.htm> accessed 19 May 2018.

75 Douligeris, Mitrokotsa (n 66).

76 De Donno et al. (n 65).

77 There are various ways to deploy a DDoS attack. For example, the attacker can send thousands of e-mails or requests to overwhelm and block a system. Other DDoS attacks may use the IP protocol to overcome the victim’s system. A server can handle a specific number of requests, and when requests arrive simultaneously the system forms a queue. Because of the high number of requests there is no room for all of them, so no further requests can be received. Legitimate requests can no longer be accepted by the system, as it is busy dealing with the bogus enquiries. See Clough (n 4), p. 44.

78 Ibid.

- The real attacker or botmaster;

- The handlers: ‘zombies’ infected with a special malware, capable of organising and controlling the agents;

- The agents: ‘zombies’ infected with a particular malware, responsible for launching the DDoS attack by sending packets of data towards the victim; these devices are not part of the attacker’s own network, so as to avoid the possibility of being caught;

- The victim.

Thus, involving several steps in building an IoT botnet (computer A gains control of computer B) and then launching the DDoS attack (computer B attacks computer C), such a cyber attack is ‘multi-step’ and ‘multi-stage’ in design, which is the most challenging and complex kind to deter from a technical point of view.80 Furthermore, DDoS attackers almost always escape identification, because the source of the attack is hidden. The botmaster removes any data from the infected devices that launch the DDoS attack. By doing so, the attacker avoids attribution, so that any traceback by law enforcement becomes very difficult. In the next chapter, all four essential phases of a DDoS attack are analysed from a legal perspective.81

79 Douligeris, Mitrokotsa (n 66).

80 Clark, Landau (n 32).

81 Ibid.

Figure 1 – Actors of a DDoS attack

DDoS attacks can be classified in various ways: by architecture model,82 by exploited vulnerability,83 by the protocol level used during the attack,84 and by other parameters.85 Attackers, as identified by Wall,86 have various motivations for launching a DDoS attack, such as easy unlawful commercial gain,87 criminal gain,88 the need to earn the respect of other cyber criminals, revenge,89 or political motivation.90 The 2017 Internet Organised Crime Threat Assessment (IOCTA)91 reveals that the motive behind over one-third of DDoS attacks is extortion of the victim. However, the absence of communication between some attackers and

82 Four types of network architecture are used: the Agent-Handler Model, Reflector Model, IRC-Based Model and Web-Based Model. See De Donno et al. (n 65).

83 DDoS attacks can exploit various vulnerabilities and, based on the strategy used to obtain the denial-of-service effect, can be classified in two categories: Bandwidth Depletion (or Brute-Force) and Resource Depletion. In Bandwidth Depletion a great amount of apparently legitimate packets is sent to the victim in order to clog up its communication resources (e.g. network bandwidth) and also its computational ones (e.g. CPU time, memory, etc.), preventing them from being reached by legitimate traffic. These attacks can be further divided into Flood and Amplification attacks. In Flood attacks, as shown in the previous paragraph, the botnet directly sends a large volume of IP traffic to the victim machine to congest its network resources and prevent access by legitimate users. In Amplification attacks the agents use intermediaries (‘reflectors’): they send requests carrying the spoofed source address of the victim, historically by exploiting the broadcast IP address feature of a network so that every host on it replies, and the reflectors’ responses, typically much larger than the requests, are delivered to the victim. Resource Depletion attacks aim to prevent the victim from processing legitimate requests by exhausting its resources. See De Donno et al. (n 65).
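The reflection step of footnote 83, modelled in Python as an added example; this is not code from the thesis or from De Donno et al. Requests carry the victim’s spoofed source address, each reflector answers to that address with a larger response, and a BCP 38 (RFC 2827) style ingress filter at the attacker’s access network shows why source address validation defeats the technique. The reflector addresses and the request/response sizes are constructed for illustration and are not measured amplification factors of real services:

```python
"""Reflection/amplification model with a BCP 38 ingress filter.

Added example, not code from the thesis or from De Donno et al. Reflector
addresses and request/response sizes are constructed, not measured.
"""
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    size: int  # bytes on the wire


# Constructed reflectors: address -> (service, request bytes, response bytes)
REFLECTORS = {
    "192.0.2.53": ("dns", 64, 3200),
    "192.0.2.123": ("ntp", 64, 6400),
}

ATTACKER_NET = ipaddress.ip_network("198.51.100.0/24")  # attacker's access network
ATTACKER_IP = "198.51.100.7"                            # attacker's real address
VICTIM_IP = "203.0.113.10"                              # address being spoofed


def reflect(req: Packet):
    """A reflector answers whatever source address the request carried."""
    service = REFLECTORS.get(req.dst)
    if service is None:
        return None
    _, _, resp_size = service
    return Packet(src=req.dst, dst=req.src, size=resp_size)


def ingress_filter(packets, network):
    """BCP 38: the access network forwards only packets whose source address
    belongs to it. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if ipaddress.ip_address(p.src) in network else dropped).append(p)
    return forwarded, dropped


def run_attack(requests_per_reflector: int, filtered: bool) -> dict:
    """Attacker sends requests with the victim's spoofed source address, plus one
    genuine query of its own; measures what reaches the victim."""
    spoofed = [Packet(VICTIM_IP, r, REFLECTORS[r][1])
               for r in REFLECTORS for _ in range(requests_per_reflector)]
    genuine = [Packet(ATTACKER_IP, "192.0.2.53", 64)]  # attacker's own DNS query
    outbound = spoofed + genuine
    dropped = []
    if filtered:
        outbound, dropped = ingress_filter(outbound, ATTACKER_NET)
    replies = [r for r in map(reflect, outbound) if r is not None]
    attacker_bytes = sum(p.size for p in spoofed)  # bytes the attacker put on its link
    victim_bytes = sum(p.size for p in replies if p.dst == VICTIM_IP)
    return {
        "attacker_bytes": attacker_bytes,
        "victim_bytes": victim_bytes,
        "amplification": victim_bytes / attacker_bytes if attacker_bytes else 0.0,
        "dropped_at_ingress": len(dropped),
        "genuine_reply_delivered": any(p.dst == ATTACKER_IP for p in replies),
    }


if __name__ == "__main__":
    print("no filter :", run_attack(100, filtered=False))
    print("BCP 38    :", run_attack(100, filtered=True))
```

Without the filter the victim receives 75 times the traffic the attacker sent; with source address validation at the attacker’s access network the spoofed requests never leave it, while the attacker’s genuine query (a source address inside 198.51.100.0/24) still passes. The filter must sit at the edge where the traffic originates, which is why the check is an obligation on every access network rather than something the victim can deploy.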

84 Examples of Network Level attacks are SYN Flood, UDP Flood and TCP Flood attacks. In Network Level DDoS attacks, either Network or Transport layer protocols are used to carry out the attack, while in Application Level DDoS attacks the victim’s resources (e.g. CPU, memory, disk/database, etc.) are exhausted by targeting Application layer protocols. See Douligeris, Mitrokotsa (n 66).

85 De Donno et al. (n 65).

86 Wall (n 6) pp. 62-65.

87 For example, some persons trade on the reputation of known or even non-existent criminal groups, launch small DDoS attacks and threaten the victims with a larger attack unless a ransom is paid. Even though such attacks may cause minor service disruption, it is unlikely that a subsequent attack will follow. Preying on this fear, attackers can hire DDoS services or use DDoS tools for as little as 5 USD to launch an attack on a business, causing far higher economic and reputational damage. See EUROPOL, IOCTA 2017 (n 22).

88 In 2010, as part of ‘Operation Payback’, hackers launched DDoS attacks on the websites of Visa, MasterCard and PayPal, making their services unavailable by flooding the networks with a huge number of access requests. Initially, ‘Operation Payback’ targeted several companies and persons active in the anti-piracy field, but the hackers shifted their attention as soon as the affected companies announced that they would no longer process payments or donations to WikiLeaks. See Lauren Turner, ‘Anonymous hackers jailed for DDoS attacks on Visa, MasterCard and PayPal’ (Independent, 24 January 2013) <http://www.independent.co.uk/news/uk/crime/anonymous-hackers-jailed-for-ddos-attacks-on-visa-mastercard-and-paypal> accessed 28 November 2017 and Usman Tariq, Yasir Malik, Bessam Abdulrrazak, ‘Defense and Monitoring Model for Distributed Denial of Service Attacks’ (2012) Procedia Computer Science 1052-1056 <http://www.sciencedirect.com/science/article/pii> accessed 28 November 2017.

89 In November 2010, DDoS attacks by unknown attackers took Myanmar offline for ten days. The massive flood of data affected the country’s infrastructure; the attacks came just before general elections in the Southeast Asian country, and the two are presumed to be linked. See Brenner (n 40) p. 37 and Dan Goodin, ‘DDoS attacks take out Asian nation’ (The Register, 3 November 2010) <https://www.theregister.co.uk/2010/11/03/myanmar_ddos_attacks/> accessed 30 April 2018.

90 In 2008, DDoS attacks suspected to originate from Russia overwhelmed Georgian government sites and forced them to shut down. Websites such as those of the Georgian President and the National Bank of Georgia were inoperable for 24 hours. See EUROPOL, IOCTA 2017 (n 22).

91 EUROPOL, IOCTA 2017 (n 22).

their victims could indicate that many DDoS attacks have an ideological or political nature. This category, together with purely malicious attacks, accounts for the motivations behind almost half of the total number of DDoS attacks reported in 2016.

In conclusion, in light of the above particularities of DDoS attacks, it can be argued that in the last couple of years massive denial of service attacks have increased in number and power, affecting the Internet as a whole.92 Moreover, a whole ‘malware ecosystem’ has been built to sustain DDoS attacks launched by botnets.93 For example, an attacker can easily create and maintain a botnet for launching DDoS attacks just by using the tools and infrastructure available in this ‘malware ecosystem’: ‘it’s botnets which unite all the disparate elements of cybercrime into an integrated system, and make it possible to transfer funds from those who make a profit from mass mailings and credit card thefts to malware writers and those who supply cybercriminal activities’.94 Furthermore, it should not be surprising that in 2008 15% of online computers were part of a botnet, and a report predicted that the number of botnets would grow in the following years.95 In the same year Wenke Lee, a leading botnet researcher, said that ‘compared with viruses and spam, botnets are growing at a faster rate’.96 After almost 10 years, the key findings

92 In 2014, a group of teenagers launched a DDoS attack against Sony PlayStation Network and Microsoft Xbox Live. With the help of a botnet spread worldwide and composed of a large number of unsecured routers, the attackers took down the two well-known gaming networks. Moreover, the routers used to launch the DDoS attack were not only home systems but also infected routers belonging to commercial companies and even universities around the world, because the botnet scanned for any new unprotected hosts it could find. For more details see Dan Goodin, ‘DDoS service targeting PSN and Xbox powered by home Internet routers’ (arsTechnica, 1 September 2015) <https://arstechnica.com/security/2015/01/ddos-service-targeting-psn-and-xbox-powered-by-home-internet-routers/> accessed 6 May 2017. Furthermore, in the same year a researcher discovered a botnet with approximately 450,000 unique IP addresses of infected devices, of which more than 25% were hacked IoT devices such as Wi-Fi routers, VoIP phones, home security systems, PlayStations, DVRs, televisions, refrigerators and other multimedia sets. The IoT devices were configured to send hundreds of thousands of emails as part of a massive malicious email campaign. See ‘Your fridge is full of spam: Proof of an IoT-Driven Attack’ (proofpoint, January 2014) <https://www.proofpoint.com/us/threat-insight/post/Your-Fridge-is-Full-of-SPAM> accessed 5 May 2017. Finally, in 2016 a massive DDoS attack was launched against a jewellery website, making it inaccessible to online buyers. The attack came from a botnet of more than 25,000 CCTV cameras located in 105 countries. Security analysts speculated that the attackers had infected the devices through a vulnerability allowing remote control of the recorders. See Dan Goodin, ‘Large botnet of CCTV devices knock the snot out of jewelry website’ (arsTechnica, 28 June 2016) <https://arstechnica.com/security/2016/06/large-botnet-of-cctv-devices-knock-the-snot-out-of-jewelry-website/> accessed 6 May 2017.

93 Nart Villeneuve, ‘Inside a Crimeware Network’ (Infowar Monitor, 2010) <http://www.nartv.org/mirror/koobface.pdf> accessed 30 April 2018.

94 Vitaly Kamluk, ‘Inside the Massive Gumblar Attack’ (Viewing InfoSec from the Trenches, 2009) <http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar> accessed 19 May 2018.

95 Emerging Cyber Threats Report for 2009, Georgia Tech Information Security Center (2008), p. 2.

96 Ibid.


of Europol's report presented the same picture:97 sophisticated cyber attacks such as large-scale DDoS attacks launched from IoT botnets are a real threat to European critical infrastructure, and in the future we will see new and even more powerful variants of such botnets, owing to the diversity of IoT devices.

2.3.2 Internet of Things (IoT)

2.3.2.1 Introduction

In recent years interest in the IoT has grown, and many experts speak of a revolution in our lives, with new benefits for both the civil and the military world.98 In the first place, what exactly is the Internet of Things? According to the Oxford English Dictionary, which officially added ‘Internet of Things’ to its list of words in 2013,99 it is ‘the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data’.100

The WP29 defines the Internet of Things, or IoT, as:

An infrastructure in which billions of sensors embedded in common, everyday devices – ‘things’ as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities. As the IoT relies on the principle of the extensive processing of data through these sensors that are designed to communicate unobtrusively and exchange data in a seamless way, it is closely linked to the notions of ‘pervasive’ and ‘ubiquitous’ computing.101

In other words, the ‘emerging concept’ of the IoT can be described as an expanding, worldwide ‘ecosystem’ of instrumented and interconnected ‘IoT services and IoT devices’, such as sensors, smart home objects, health devices, cars or industrial items,102 which will merge

97 EUROPOL, IOCTA 2017 (n 22).

98 Nicola Dragoni, Alberto Giaretta and Manuel Mazzara, ‘The Internet of Hackable Things’ (2016) Proceedings of the 5th International Conference in Software Engineering for Defense Applications, SEDA16.

99 Jennifer Chen, ‘Internet of Things added to hall of fame for words, i.e., the Oxford English Dictionary’ (Microsoft Blog, 9 September 2013) <https://blogs.microsoft.com/firehose/2013/09/09/internet-of-things-added-to-hall-of-fame-for-words-i-e-the-oxford-english-dictionary/> accessed 10 May 2018.

100 English Oxford Living Dictionaries <https://en.oxforddictionaries.com/definition/Internet_of_things> accessed 10 May 2018.

101 Article 29 Data Protection Working Party, ‘Opinion 8/2014 on the Recent Developments on the Internet of Things’, adopted on 16 September 2014, 14/EN/WP 223.

102 ENISA, Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures, November 2017 <https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot> accessed 19 February 2018.


physical and virtual worlds, creating a smart environment.103 This ‘ecosystem’ is closely bound to ‘cyber-physical’ systems, which will enable smart cities, smart infrastructures and smart grids in order to offer better quality and functionality to society.104 Hence, the IoT is reaching into all aspects of the world by building ‘intelligence’ into everyday items, increasing their effectiveness and providing automation for the majority of critical and non-critical industry sectors.105

At this moment, according to Ericsson, the number of IoT devices is growing steadily.106 In 2015 there were 15 billion connected devices (Fig. 2),107 while the projection for 2020 is 28 billion connected devices,108 merging the physical and virtual worlds into a smart setting. This evolution of IoT devices is already having a massive impact on market and industry, changing the way we live as a society.109 Whether the full vision is yet feasible is uncertain, but smart objects are already communicating with our home and work environments. According to a recent study by ENISA,110 the speed at which IoT devices are developed and spread through our lives allows the automated use of data and creates unique ways of sharing data and making it available, which leads to remarkable innovation in the economic sector. At the same time, the same study acknowledges various ‘safety and security challenges’ that have to be addressed ‘for IoT to reach its full potential’.111

In like manner, the WP29 stressed in its opinion that even if the IoT provides significant benefits for society, the manufacturers of IoT devices still need to address numerous security and privacy challenges.112 Unfortunately, IoT devices are often shipped with insufficient built-in security, creating many risks that can affect both the development of the IoT and users' fundamental rights such as privacy, safety and security. According to the same opinion, stakeholders in the IoT market should take into consideration, when launching new models of

103 Jan Neutze, ‘Cybersecurity Policy for the Internet of Things’ (2017) the 8th Annual Internet of Things European Summit, Brussels.

104 ENISA (n 102).

105 Ibid.

106 Ericsson Mobility Report, On the Pulse of the Networked Society (2015) p. 10 <https://www.ericsson.com/en/mobility-report> accessed 10 May 2018.

107 Admir Tuzovic, ‘The Internet of Your Things: Microsoft's Vision for IoT’ (2015).

108 Ericsson Mobility Report (n 106).

109 ENISA (n 102).

110 Ibid.

111 Ibid.

112 Article 29 Data Protection Working Party, ‘Opinion 8/2014 on the Recent Developments on the Internet of Things’, adopted on 16 September 2014, 14/EN/WP 223.


IoT devices, that there are risks such as data breaches, infection with various types of malware, illegal access to a computer system without right, misuse of devices, etc. Moreover, ENISA has pointed out that the IoT creates new legal disputes. Unfortunately, policymakers have so far been unable to address and fully understand the security challenges around the IoT, leaving companies to work out the security framework of such ‘smart things’ on their own.

2.3.2.2 Shaping IoT

Before delving into the security considerations, some defining characteristics of the IoT are set out. Despite the diversification and spread of the IoT, the devices share the same elements and characteristics in their architecture:113

- The need for a physical or virtual ‘thing’: it is essential for the device to have embedded objects capable of communicating, exchanging, capturing, storing and processing data;

- Smart decision making: IoT devices need to analyse information by extracting the essential data;

- Sensors, the critical building blocks of the IoT ecosystem: their role is crucial because through them various indicators are monitored and information is collected about networks and applications;

113 Article 29 Data Protection Working Party, ‘Opinion 8/2014 on the Recent Developments on the Internet of Things’, adopted on 16 September 2014, 14/EN/WP 223.

Figure 2 – IoT Devices


- Communications: it is crucial for the IoT device to send and receive data. Multiple communication protocols can be used, such as Bluetooth, Wi-Fi, USB, 3G/4G, etc.; thus it is not necessary for an IoT device to have an active Internet connection in order to transfer information. However, the focus of this thesis is only on devices with an Internet connection.

2.3.2.2.1 Security considerations and challenges

Unfortunately, the majority of IoT devices on the market lack basic security measures such as strong passwords, encryption of traffic and communications, and protected firmware. Thus, cybercriminals are targeting the Internet of Things with attacks that can have dangerous implications for privacy and data protection, and can even threaten public safety (e.g. malicious interference with the control of a car, a power plant or a pacemaker).114 In the early stages of the ‘IoT tsunami’,115 researchers had already highlighted such problems and set out what should be achieved from a technical perspective to better protect our privacy and to secure IoT devices.116 Unfortunately, it is clear that the majority of IoT manufacturers did not listen to and implement their recommendations, and that there is still a lot left to do in terms of achieving security in the IoT.

Following two of the EU Commission's Staff Working Documents, the author considers that the main reasons why IoT manufacturers have not done more to achieve better security for the IoT ecosystem are the following: the many potential parties involved in building and selling an IoT device, all of which could share liability, including the final user; the fact that it is still unclear how liability could be shared in the absence of a specific requirement (i.e. there has been no obligation on IoT manufacturers to ensure data protection or a specific level of cyber resilience for IoT devices); the issue of contractual liability, which does not apply because the IoT manufacturer is not obliged to provide any cyber resilience to the user; and the fact that many IoT software vendors try to exclude or minimise their civil liability by inserting disclaimers and limitations of liability in respect of the service provided.117

114 WIND, Security in the Internet of Things: Lessons from the Past for the Connected Future, 2015 <https://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf> accessed 19 February 2018.

115 Dragoni et al. (n 98).

116 R. Roman, P. Najera and J. Lopez, ‘Securing the Internet of Things’ (2011) IEEE Computer vol. 44 p. 51-58 <https://www.computer.org/csdl/mags/co/2011/09/mco2011090051.html> accessed 15 May 2018.

117 Dragoni et al. (n 98).


As an illustration, an HP study from 2014 revealed the shocking fact that more than 70% of IoT devices are vulnerable to cyber attack.118 Moreover, the study found that these devices had on average 25 vulnerabilities each, which could be exploited by attackers at any time. The report showed that some simple security issues could be addressed quickly by the manufacturer, including:119

- Privacy concerns: 90% of IoT devices were collecting personal data of the user such as name, email address, home address, credit card details, etc.;

- Insufficient authorisation: 80% of devices accepted passwords such as ‘1234’ or ‘admin’, failing to require complex passwords;

- Lack of encryption: 70% of the tested IoT devices did not use any encryption for communications over the Internet, local networks or the cloud;

It is interesting to see why IoT manufacturers have not done more to achieve security for this ecosystem. Firstly, the IoT is highly complex and has created sophisticated interdependencies between product and service producers; moreover, many actors are involved, from product manufacturers, sensor manufacturers and software producers to final users, all of whom could have a share of liability. There is uncertainty over who should be responsible for guaranteeing the safety of a product, who should be responsible for ensuring security over the full life cycle of a product, and how liabilities should be shared between the above actors when a product does not work correctly and causes damage. Secondly, under the current EU legal framework products and services are not treated in the same manner: supplying data through an IoT device is treated as a service and therefore falls outside the scope of product liability and safety frameworks. Thus, where damage or harm is inflicted by the provision of erroneous data or by a failure to provide any data, liability becomes unclear and any claims will be difficult to enforce. Thirdly, the majority of IoT devices are open to software updates and patches after they are released on the market. Such updates may change the behaviour and functionality of an IoT device, because a third party has produced some parts of the IoT system; it is true that security patches close entry points for attackers, but they could also affect some features of the device. Finally, for a software provider to be liable, it has to have failed to comply with contractual obligations such as supplying security updates or applications for a certain period. Such liability could be limited where the users do not install the latest available updates. Unfortunately, a contractual relationship between the user and the IoT manufacturer, covering cyber security resilience or updates for the devices, is almost always absent. However, the courts could tend to impose tort liability on IoT vendors for damage or harm caused to third parties in case of a cyber attack. Furthermore, it is difficult to apply product liability rules to cyber attacks because notions such as ‘defect’, the ‘level of security’ that users expect, or the ‘impact of patches’ are difficult to define. For more details, see Commission Staff Working Document, Advancing the Internet of Things in Europe, accompanying the document Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – Digitising European Industry: Reaping the full benefits of a Digital Single Market, COM(2016) 180 final, Brussels 2016, and Commission Staff Working Document, Liability for emerging digital technologies, accompanying the document Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – Artificial intelligence for Europe, COM(2018) 137 final, Brussels 2018.

118 ‘HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack’ (Hewlett-Packard Development Company, 2014) <http://www8.hp.com/ca/en/hp-news/press-release.html?id=1744676> accessed 10 May 2018.

119 Ibid.


- Insecure interface: 60% of IoT devices used no encryption or other protection even when downloading patches or software updates, making such transmissions possible to intercept and modify.

According to another report, the majority of manufacturers do not build the IoT with security in mind; moreover, cyber security is not their primary focus when developing such devices.120 With this in mind, it is clear that IoT manufacturers have adopted practices oriented towards profit rather than cyber security, an opinion shared also by Dragoni et al.,121 a critical situation that will lead to even more dangerous cyber attacks with the help of IoT botnets.

2.3.2.2.2 Reasons why IoT devices became botnet ‘friendly’

In the light of the above, why are IoT devices the ideal way to build a botnet? To answer this question, Kolias et al. provide five particular reasons why the IoT became a new environment for the proliferation of the latest major DDoS attacks:122

- High availability of IoT devices: unlike computer systems, which are sometimes turned off and thus disconnected from the Internet, the majority of IoT devices (e.g. routers and webcams) are online 24/7;123

120 The report highlighted some striking findings:

a) only 49% of organisations update their products remotely and regularly;

b) only 48% of manufacturers focus on security by design (i.e. securing their devices from the beginning of the development phase);

c) only 36% of companies are trying to adopt a security-by-design process;

d) only 28% of companies hire hackers to identify vulnerabilities in the IoT;

e) only 20% of manufacturers hire IoT experts to improve their security skills.

For more details see ‘Securing the Internet of Things Opportunity: Putting Cybersecurity at the Heart of the IoT’ (Capgemini Consulting, 2015) <https://www.capgemini.com/consulting/resources/security-in-the-internet-of-things/> accessed 10 May 2018.

121 Dragoni et al. (n 98). For example, some experts have pointed out that various issues with the liability of manufacturers could quickly be addressed by identifying and introducing policies imposing adequate mandatory checks by IoT vendors on the safety and performance of IoT devices. Moreover, IoT manufacturers could easily reach users and provide valuable information on the safety and security of the IoT device, including a step-by-step guide to correct installation and setup, reminders regarding secure use, updates and security patches, etc. The challenge now lies with policymakers: how to ensure that such safety practices are flexible enough to lead the way towards enhanced IoT security. Until that milestone is reached, the security challenges could be addressed by adopting a ‘Trusted IoT label’ that informs buyers about the levels of security and privacy of IoT devices. See OECD, ‘Consumer Product Safety in the Internet of Things’ (2018) OECD Digital Economy Paper <https://www.oecd-ilibrary.org/science-and-technology/consumer-product-safety-in-the-internet-of-things_7c45fa66-en> accessed 9 September 2018.

122 Constantinos Kolias, Georgios Kambourakis, Angelos Stavrou, Jeffrey Voas, ‘DDoS in the IoT: Mirai and Other Botnets’ (2017) IEEE Computer <https://www.researchgate.net/publication/318288727_DDoS_in_the_IoT_Mirai_and_other_botnets> accessed 15 February 2018.


- Ineffective security: when rushing to deliver IoT devices, manufacturers often disregard the security of the devices in favour of a more user-friendly interface; the WP29 noted that the IoT brings security risks that are in permanent tension with the efficiency of such devices.124 As mentioned above, most IoT devices do not use encrypted communications because manufacturers decided that such secured transmission of data would drain the low-powered batteries built into IoT devices.125 Therefore, IoT producers fail to balance the protection of the core principles protected by cybercrime law, namely confidentiality, integrity and availability of data, against the optimisation of the functionality of smart devices;

- Poor support and maintenance: smart devices do not receive enough firmware updates, because there is no consistent security framework on the market; similarly, users and network administrators do not check the configuration of the devices unless they stop working correctly;

- Large attack traffic: the traffic that such IoT devices can generate is comparable to that of computer systems;

- Minimal user interaction: unlike computer systems, which have an interactive user interface, with IoT devices it is much harder to notice a malware infection; thus, even when the user knows about the infection, the easiest and quickest way of dealing with it is to replace the device.

- Same default passwords: the author would add one more, and perhaps the most crucial, reason why IoT devices became ideal for launching DDoS attacks: manufacturers' re-use of the same default passwords and credentials across entire categories of IoT devices. Even if some researchers would place this reason under ‘ineffective security’, its importance justifies treating it separately;126

As the chart below shows, IoT DDoS-capable botnets are growing in popularity: four new IoT botnet families appeared in 2016 alone, whereas up to 2008 there were barely two

123 De Donno et al. (n 65).

124 Article 29 Data Protection Working Party, ‘Opinion 8/2014 on the Recent Developments on the Internet of Things’, adopted on 16 September 2014, 14/EN/WP 223.

125 Ibid.

126 For more details see <arbornetworks.com/stakes> accessed 12 August 2018.

[Chart: IoT DDoS capable botnets, year progression. X-axis: years 2008 to 2016; y-axis: number of botnet families, 0 to 5]

categories of such IoT malware, and before that year they did not exist at all.127 Thus, the IoT ‘ecosystem’ has created new opportunities for cybercriminals to build massive IoT botnets and to launch DDoS attacks with short but high impact on critical infrastructure. For these reasons, any unprotected IoT device runs a high risk of becoming part of a botnet capable of launching a massive DDoS attack, as Europol predicted in previous years.128

2.3.2.3 ‘Mirai’ – ‘The future’ is already here

‘The Mirai botnet and its variants and imitators are a wake-up call to the industry to better secure Internet of Things devices or risk exposing the Internet infrastructure to increasingly disruptive distributed denial-of-service attacks.’129

The ‘Mirai’ botnet (Japanese for ‘the future’) came to light in August 2016 and was used to launch the most powerful DDoS attacks seen until then.130 In September 2016, the largest cyber attack registered on the Internet up to that point, with over 620 gigabits per second of traffic, hit the blog of security researcher Brian Krebs and took it offline. At around the same time, the French cloud computing company OVH was hit by an even bigger DDoS attack launched by the Mirai botnet, reaching 1.1 Tbps.131 Furthermore, the creator of the Mirai

127 De Donno et al. (n 65).

128 EUROPOL, IOCTA 2017 (n 22).

129 Kolias et al. (n 122).

130 Ibid.

131 Dan Goodin, ‘Record-breaking DDoS reportedly delivered by >145k hacked cameras’ (arsTechnica, 29 September 2016) <https://arstechnica.com/information-technology/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/> accessed 1 May 2018.


botnet released its source code on the Internet,132 and subsequently a group of hackers started renting out a massive Mirai botnet of more than 400,000 infected devices.133

Unfortunately, one month later, unknown attackers using the same kind of botnet ‘bombarded’ Dyn (a DNS service provider)134 with DDoS attacks that reportedly generated 1.2 Tbps135 136 of traffic.137 The attacks took many popular websites completely offline for around two hours,138 including Twitter, Airbnb, GitHub, Pinterest, Reddit, PayPal, Spotify, SoundCloud, The Guardian, Amazon, CNN, Yelp, Netflix and many more from the US and Europe.139 These attacks were atypical not only because of the magnitude of the traffic, but also because the traffic came directly from a vast number of compromised devices rather than from reflection or amplification techniques.140 The enormous traffic was generated by ‘a vast army’141 of hacked devices from all over the world, including IoT devices such as IP cameras, routers and DVRs. The Mirai botnet targeted such IoT devices because they were protected only by default usernames and passwords.

The Mirai attack process was very straightforward, as shown in Fig. 3.142 The botnet first scanned IP addresses across the Internet, mainly trying to locate and identify those belonging to IoT devices. Secondly, the botnet launched a brute force attack (an attack in which the attacker, or the botnet itself, tries to guess the credentials of the target) against the IoT

132 GitHub, ‘Leaked Mirai Source Code for Research/IoC Development Purposes’ (GitHub) <https://github.com/jgamblin/Mirai-Source-Code> accessed 1 May 2018.

133 Catalin Cimpanu, ‘You can now rent a Mirai Botnet of 400,000 bots’ (BLEEPINGCOMPUTER, 24 November 2016) <https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/> accessed 1 May 2018.

134 Dyn is an important part of the Internet infrastructure: when a person visits a website that uses Dyn's DNS servers, Dyn helps the person's browser or app find the system to connect to. When Dyn is offline, the software cannot find the website the person is looking for. For more details, see <https://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/> accessed 1 May 2018.

135 1 terabit per second (Tbps) = 1,000 gigabits per second (Gbps).

136 Vincent Weafer and others, ‘McAfee Labs Threats Report April 2017’ (Intel Security McAfee Labs, April 2017) <https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2017.pdf> accessed 6 May 2017.

137 By way of comparison, 1.2 Tbps corresponds to the traffic generated every second by 172 tweets, 17 Instagram photo uploads, 30 Tumblr posts, 60 Skype calls, 1,400 Google searches, 1,560 YouTube video views and 60,000 emails sent (including spam). In general, Internet traffic is around 44 terabytes per second. See Internet Live Stats, as discussed at <https://news.ycombinator.com/item?id=12769751>.

138 EUROPOL, IOCTA 2017 (n 22).

139 Libby Plummer, ‘Was massive hack that floored Amazon, Twitter and Reddit practice for election day? Wikileaks supporters and hackers say attack was revenge for shutting down Assange – but many fear it's just a warm-up’ (DailyMail Online, 24 October 2016) <http://www.dailymail.co.uk/sciencetech/article-3859500/Widespread-internet-havoc-major-attack-takes-websites-offline-Spotify-Twitter-sites-suffer-outages.html> accessed 6 May 2017.

140 Brian Krebs, ‘KrebsOnSecurity Hit With Record DDoS’ (KrebsOnSecurity, 21 September 2016) <https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/> accessed 6 May 2017.

141 Chris Williams, ‘Today the web was broken by countless hacked devices – your 60-second summary’ (The Register, 21 October 2016) <https://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/> accessed 1 May 2018.

142 Weafer (n 136).


devices, using a list of common factory usernames and passwords, in order to identify poorly secured IoT devices.143 After successfully hijacking an IoT device, the bot sent the device's IP address and the working default credentials to the control server (or alternatively to a scanning receiver). The loading server then downloaded the Mirai bot onto the IoT device. Once a compromised device was infected with the malware, the process repeated: each infected IoT device started searching for other vulnerable devices, turning them into a massive ‘zombie’ IoT army. The Mirai malware could even kill other, smaller bots already present on the device and close the service ports through which it had entered, giving the attacker exclusive control.
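The process just described leaves two artefacts a defender can act on: a burst of failed telnet logins from one source followed by a success (the moment the bot reports a working credential pair), and devices whose factory credentials still match the dictionary quoted in footnote 143, which is also the ‘same default passwords’ reason given in the previous subsection. The following script is an added example written for this section; it is not code from the thesis or from the leaked Mirai source. The syslog line format, the pairing of the quoted passwords with the usernames root, admin and user, the sample log lines and the device inventory are all constructed assumptions.

```python
"""Mirai-style telnet brute-force detection and default-credential audit.

Added example for this section, not code from the thesis or from Mirai.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Passwords quoted in footnote 143 of the thesis. "(none)" is the empty
# password and "0" the literal string "0". Pairing them with the usernames
# root/admin/user is an assumption for this example, not Mirai's own table.
DEFAULT_PASSWORDS = ["admin", "root", "888888", "admin1234", "", "111111",
                     "1234", "12345", "54321", "123456", "user", "0",
                     "system", "pass", "1111"]
DEFAULT_USERS = ["root", "admin", "user"]
DEFAULT_CREDENTIALS = {(u, p) for u in DEFAULT_USERS for p in DEFAULT_PASSWORDS}

# Constructed syslog-style telnet log; the telnetd message wording is assumed.
# 203.0.113.7 behaves like a Mirai scanner: a dictionary burst, then a hit.
SAMPLE_LOG = """\
Oct 21 12:00:01 dvr-7 telnetd[412]: login failed for 'root' from 203.0.113.7
Oct 21 12:00:01 dvr-7 telnetd[412]: login failed for 'root' from 203.0.113.7
Oct 21 12:00:02 dvr-7 telnetd[412]: login failed for 'admin' from 203.0.113.7
Oct 21 12:00:02 dvr-7 telnetd[412]: login failed for 'admin' from 203.0.113.7
Oct 21 12:00:03 dvr-7 telnetd[412]: login failed for 'root' from 203.0.113.7
Oct 21 12:00:03 dvr-7 telnetd[412]: login succeeded for 'root' from 203.0.113.7
Oct 21 12:00:10 dvr-7 telnetd[412]: login failed for 'admin' from 198.51.100.20
Oct 21 12:05:00 dvr-7 telnetd[412]: login succeeded for 'admin' from 198.51.100.20
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)


def parse_line(line, year=2016):
    """Parse one telnetd line into a dict, or return None if it does not match.
    Syslog lines carry no year, so the caller supplies one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs that produce `threshold` failed logins inside `window`.

    Returns {ip: "brute-force"} for a dictionary burst, or {ip: "compromised"}
    when a successful login from the same source follows the burst, which is
    the point at which a Mirai bot reports the device to its control server.
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["result"] == "failed"]
        burst_end = None
        # Sliding window over the sorted failure timestamps.
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] <= window:
                burst_end = failures[i + threshold - 1]
                break
        if burst_end is None:
            continue
        hit = any(e["result"] == "succeeded" and e["ts"] >= burst_end for e in evs)
        verdicts[ip] = "compromised" if hit else "brute-force"
    return verdicts


def audit_credentials(inventory):
    """Return (device, user) pairs whose credentials are in the default
    dictionary, i.e. devices a Mirai-style scanner would log into at once."""
    return [(dev, user) for dev, user, pw in inventory
            if (user, pw) in DEFAULT_CREDENTIALS]


# Constructed device inventory: two devices still on factory credentials.
SAMPLE_INVENTORY = [
    ("cam-1", "root", "123456"),
    ("cam-2", "admin", ""),
    ("router-3", "admin", "Tq9!vL2#mXe8"),
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
    print(audit_credentials(SAMPLE_INVENTORY))
```

On the sample log the detector reports 203.0.113.7 as ‘compromised’ (five failures in two seconds followed by a success) and ignores 198.51.100.20, whose single failure is ordinary user error; the audit flags cam-1 and cam-2. The threshold and window are deliberately parameters, because a scanner working through a short dictionary produces a much tighter burst than a human typing, and a site should tune them against its own baseline before alerting on them.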

Furthermore, after the release of Mirai's code and after so many devices had been affected, the general expectation was that the main actors would develop effective defence and detection mechanisms. However, precisely the opposite happened: a tremendous number of Mirai variants continue to spread online, using the same methods and inflicting damage even two

143 The following default usernames and passwords were among the combinations used in the brute-force credential attack: admin, root, 888888, admin1234, (none), 111111, 1234, 12345, 54321, 123456, user, 0, system, pass, 1111, etc.

Figure 3 – Mirai Botnet Attack Process


years after the initial attack. Surprisingly, IoT manufacturers are still not paying enough attention to applying even general security guidelines for protecting the IoT environment.144 Such guidelines will be discussed later, after the analysis of the legal literature.

Under those circumstances, in February 2017 a new Mirai variant launched a 54-hour DDoS attack against a US college.145 Another botnet, called ‘Hajime’, is currently scanning the Internet for unsecured IoT devices, but instead of delivering malware it protects the IoT devices from botnets like Mirai by closing off the sources of vulnerability. For this reason, researchers speculate that such atypical behaviour of a botnet is the work of a ‘white hat’146 hacker.147

2.3.3 Critical Infrastructure

2.3.3.1 Introduction

In the light of the above, it seems that sophisticated distributed denial-of-service attacks are a real threat. Thus, they remain a top priority for EU law enforcement, with more and more critical infrastructure being vulnerable to such DDoS attacks. Moreover, due to the wide availability of the Mirai code, Europol expects a growth in large-scale DDoS attacks directed at critical infrastructure.148

Firstly, what exactly does ‘critical infrastructure’ mean? Unfortunately, there is no commonly accepted definition.149 However, the author will try to define ‘critical infrastructure’ by following the definitions used in the EU legal framework and the legal literature. The Council Directive on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection stipulates that ‘critical infrastructure’ is:

‘an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or

144

Kolias et al. (n 122). 145

Dima Bekerman, „New Mirai Variant Launches 54 Hour DDoS Attack against US College‟ (ImpervaIncapsula

Blog, 29 March 2017) <https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html> accessed 1 May

2018. 146

A „whitehat‟ or ethical hacker, is a person with very high specialization and with a belief in the ethics of freedom

of access to public information. These hackers are testing systems and improving the security of the computer

systems. See for example, Wall (n 6), p. 55. 147

Phil Muncaster, „Mirai-Busting Hajime Worm Could be Work of White Hat‟ (infosecurity, 20 April 2017)

<https://www.infosecurity-magazine.com/news/mirai-busting-hajime-worm-could/> accessed 1 May 2018. 148

EUROPOL, IOCTA 2017 (n 22). 149

Luca Montanari, Leonardo Querzoni „Critical Infrastructure Protection: Threats, Attacks and Countermeasures‟

(TENACE Project, Universita degli Studi di Roma “La Sapienza”, 2014), p.5

<http://www.dis.uniroma1.it/~tenace/download/deliverable/Report_tenace.pdf> accessed 10 June 2018.

32

social well-being of people, and the disruption or destruction of which would

have a significant impact in a Member State as a result of the failure to maintain

those functions.‟150

According to the same Directive, ‘European critical infrastructure’ means:

‘Critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure.’151

To put it differently, identifying a European critical infrastructure is a complicated process, which depends on the possible damage that could be triggered by the failure of that infrastructure.152 However, Montanari and Querzoni followed the Directive's approach and established three cross-sectoral evaluation criteria for identifying any critical infrastructure:

- the likely number of victims in case of an attack (i.e. fatalities or injuries);
- the probable economic effects in case of an attack (i.e. financial losses, damage to products and services, which could also affect the environment);
- the possible consequences for the population in case of an attack (i.e. physical damage creating turmoil in society, impact on public confidence, loss of vital public services).

Unfortunately, the above-mentioned Directive focuses only on the energy and transport sectors, without including other sectors such as information and communication technology.153 The Directive provides, as guidance for the Member States, a list of critical infrastructure sectors and sub-sectors: energy (electricity, oil, gas) and transport (road transport, rail transport, air transport, inland waterways transport, ocean and short-sea shipping and ports). However, before this Directive was adopted, an EU proposal also included other critical infrastructure sectors such as information and communication technologies (ICT), water, food, health, finance, the chemical industry, space and research facilities.154 The author believes that the Directive should also cover these sectors and that this needs no further motivation.155

Nonetheless, the EU legislator follows the definition of critical infrastructure from the previously mentioned Directive and makes the Botnet Directive more explicit by including in its definition examples of critical infrastructure such as ‘power plants, transport networks or government networks’.156 Furthermore, the head of the European Reference Network for Critical Infrastructure Protection defines critical infrastructures as ‘infrastructures which in our society depends on in daily life. So it is not only transport and only energy, it is also IT and there are many other sectors which could be included in that’.157 The author shares this approach, because nowadays the backbone of our society rests on a secure Internet and, moreover, on secure information systems. The disruption or improper functioning of such critical infrastructure would have direct consequences for all EU citizens and, moreover, for the many organisations which provide goods and services to the population.158

Moreover, as part of the EU Cybersecurity Strategy,159 in 2016 the European Parliament and the Council adopted the NIS Directive. The author suggests that the NIS Directive is the first step towards EU-wide cybersecurity legislation and an improvement of the EU legal framework, because it mandates the Member States to supervise the cybersecurity of operators of essential services in sectors such as:160 energy (electricity, oil, gas), transport (air transport, rail transport, water transport, road transport), banking, financial market infrastructures, health (healthcare providers including hospitals and private clinics), water (drinking water supply and distribution) and digital infrastructure (IXPs,161 DNS162 service providers and TLD163 name registries). In Article 5 the NIS Directive gives the Member States guidance for identifying the operators of essential services by applying three criteria:164

(1) the entity provides a service which is essential for the maintenance of critical societal and/or economic activities;

(2) the provision of that service depends on network and information systems;

(3) an incident would have significant disruptive effects on the provision of that service.

Thus, by reading the criteria mentioned above together with Article 2(a) of Council Directive 2008/114/EC of 8 December 2008, it follows that critical infrastructure is similar to the essential services (from now on CIs) and that the operators of such services are the operators of critical infrastructure. Moreover, Article 1(4) of the NIS Directive stipulates that the latter applies ‘without prejudice’ to Council Directive 2008/114/EC.

In other words, the author believes that critical infrastructure is that infrastructure whose improper working, even for a short period, may negatively affect the economy and the well-being of society, leading to economic losses and exposing individual persons, groups or things as such to safety and security risks, and whose provision of service depends on network and information systems,165 an opinion also strengthened by the NIS Directive.

150 Article 2(a) of Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection [2008] OJ L345/75.

151 Article 2(b) of Council Directive 2008/114/EC.

152 Montanari, Querzoni (n 149), p. 6.

153 Recital 5 of Council Directive 2008/114/EC.

154 Proposal for a Directive of the Council on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, COM/2006/0787.

155 For example, abusing the financial system of a country would lead to a considerable danger for the entire society, because banking and financial services are the core of any economy in the modern world; the water and food sectors go hand in hand and are strategically connected: if there is not enough water for watering the fields, then food production may suffer; the energy sector is also critical, sometimes relying on the water sector. For more details also see Montanari, Querzoni (n 149), p. 7.

156 Recital 4 of the Botnet Directive.

157 Ben Deighton, ‘Critical infrastructures under daily attack – ERNCIP head Georg Peter’ (Horizon: The EU Research & Innovation Magazine, 20 March 2017) <https://horizon-magazine.eu/article/critical-infrastructures-under-daily-attack-erncip-head-georg-peter_en.html> accessed 19 May 2018.

158 ENISA, Stocktaking, Analysis and Recommendations on the Protection of CIIs (2016) <https://www.enisa.europa.eu/publications/stocktaking-analysis-and-recommendations-on-the-protection-of-ciis/at_download/fullReport> accessed 12 May 2018.

159 European Commission, ‘EU Cybersecurity plan to protect open internet and online freedom and opportunity’ (European Commission Press Release, 7 February 2013) <http://europa.eu/rapid/press-release_IP-13-94_en.htm> accessed 12 May 2018.

160 Annex II of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L194/1, hereinafter the NIS Directive.

161 Article 4(13) of the NIS Directive provides that an internet exchange point or IXP means a network facility which enables the interconnection of more than two independent autonomous systems, primarily for the purpose of facilitating the exchange of internet traffic.

2.3.3.2 Why has Critical Infrastructure become a tempting target for DDoS attacks?

The operators of essential services in many EU countries had to adapt to society's increasing demand for all kinds of services. Thus, they had to implement infrastructure technology166 and made the CIs increasingly electronically managed, relying on ICT networks to provide their products and services.167

Moreover, in the past years, in order to improve their performance, the operators of essential services integrated Internet-based monitoring and control systems168 into their networks, based on advanced technologies such as wireless components,169 leading to an increasing number of access points into critical networks which so far had been closed and not accessible from the Internet.170 Furthermore, given their far-reaching geographic spread and reliance on computerisation, the operators of CIs had to use remote access, which requires an Internet connection.171 Thereupon, several critical infrastructure sectors became physically interconnected and cyber-interdependent, using physical links among them to communicate and exchange information.172 For example, a formerly offline power plant is now connected to the smart grid, which allows the distribution of the service to be controlled; and the emergency services rely on the telecommunications network infrastructure to transmit and receive information.

162 Article 4(14) of the NIS Directive provides that domain name system or DNS means a hierarchical distributed naming system in a network which refers queries for domain names; i.e. the DNS serves like a phone book which translates hostnames into IP addresses.

163 Article 4(16) of the NIS Directive provides that top-level domain name registry or TLD name registry means an entity which administers and operates the registration of internet domain names under a specific top-level domain.

164 Article 5 of the NIS Directive.

165 Montanari, Querzoni (n 149), p. 5.

166 Hurst et al. (n 27).

167 Montanari, Querzoni (n 149), p. 23.

Consequently, the reliance on computer systems and the Internet in almost all critical infrastructure sectors has opened the door for cybercriminals and for new digital threats alongside traditional ones. According to Georg Peter, banks,173 railway networks,174 power plants and telephone networks175 are under daily attack by cybercriminals, and the number of such attacks is expected to increase in the coming period.176 Thus, due to interconnectivity and interdependency, a powerful DDoS attack could create a domino outage with a severe impact on the well-being of society.

2.4 Conclusions

This chapter revealed that the IoT brings not only tremendous advantages for society, but also vulnerabilities which, combined with its unique characteristics, lead to the proliferation of new large-scale DDoS attacks that can endanger critical infrastructure and in some cases cause physical harm. Furthermore, because society ignored the warnings raised by researchers on these matters, in 2016 the Internet was hit by the most significant DDoS attack in history, launched by the Mirai botnet. The latter, representing the synergy between DDoS and IoT, comprised more than 400,000 IoT devices, infected by malware that guessed their default credentials. The analysis of these issues revealed that such huge botnets are just the beginning and that there is a high probability of even more powerful DDoS attacks against critical infrastructure than ever before. Therefore, a further assessment of the EU legal framework is needed in order to appreciate how each step of building an IoT botnet and then launching DDoS attacks is criminalised. For this purpose, Chapter 3 will explore which EU legal framework deals with DDoS attacks, which cybersecurity requirements apply to the operators of critical infrastructure in the event of a cyber attack, and whether there are any regulatory gaps.

168 Ibid.

169 Hurst et al. (n 27).

170 Ibid.

171 Ibid.

172 Montanari, Querzoni (n 149), p. 24.

173 In January 2018, the most important Dutch banks, ABN Amro, ING and Rabobank, and the Dutch Tax Authority were hit by a coordinated DDoS attack. The attack on the banks blocked customers from accessing and using mobile or online banking for several hours, while the attack on the Tax Authority prevented taxpayers from completing tax-related documents. Moreover, the website of ABN Amro was offline for a long period, causing accessibility problems for its customers. The Dutch Ministry of Justice said that it is known in Europe that Dutch banks have improved their cybersecurity in the past years, but that such advanced attacks could still create massive outages. See J.P. Buntinx, ‘Major DDoS Attack Against ABN Amro Causes Major Outage’ (Fintechist, 17 January 2018) <http://www.fintechist.com/new-cyberattack-cripples-services-abn-amro/> accessed 19 May 2018; Pierluigi Paganini, ‘Three Dutch banks and Tax Agency under DDoS attacks…is it a Russian job?’ (Security Affairs, 30 January 2018) <https://securityaffairs.co/wordpress/68428/hacking/dutch-banks-ddos.html> accessed 19 May 2018; and Janene Pieters, ‘Russian Servers Linked to DDoS Attack on Netherlands Financial Network: Report’ (NL Times, 29 January 2018) <https://nltimes.nl/2018/01/29/russian-servers-linked-ddos-attack-netherlands-financial-network-report> accessed 19 May 2018.

174 One of the most recent attacks occurred on 15 May 2018, when a massive DDoS attack hit the Danish state rail operator DSB. In their attempt to bring DSB's systems entirely down, the attackers were able to block the ticketing system and prevent customers from buying tickets. To create more damage, the attackers also took the telephone infrastructure and the internal email system offline, so that the company was able to communicate with passengers only through social media. For more details see Pierluigi Paganini, ‘Massive DDoS attack hit the Danish state rail operator DSB’ (Security Affairs, 15 May 2018) <https://securityaffairs.co/wordpress/72530/hacking/rail-operator-dsb-ddos.html> accessed 19 May 2018.

175 In 2016, a DDoS attack with more than 500 Gbps of traffic was launched against the Internet infrastructure of Liberia. However, only one of the four main telecom providers in Liberia was affected, and it managed to mitigate the attack successfully. Some experts held that this attack was launched against the telecommunications infrastructure of Liberia because the Internet cable between Africa and Europe, which was supposed to be the initial target, provides Internet to more than nine African countries. Also see James Scott, Drew Spaniel, Rise of the Machines – The Dyn attack was just a practice run (Institute for Critical Infrastructure Technology, 2016), p. 19.

176 Deighton (n 157).

Chapter 3

The relevant EU legal framework: is there something missing?

‘Security flaws in these things could mean people dying and property being destroyed.’177

3.1 Chapter Outline

In a constant, never-ending back-and-forth dance, the adage ‘codes we live by, laws we follow, and computers that move too fast to care’178 perfectly describes the regulatory gap created on a global level by new technologies and ecosystems, including the IoT. When talking about massive DDoS attacks launched by huge IoT botnets, it is interesting to study whether such gaps exist in the legal literature. Legislation should counter these constantly growing risks whether or not technology advances.179 Fighting against cybercrime, and thus against DDoS attacks, needs globally coordinated action from the EU institutions in the form of harmonised conventions, guidelines and recommendations.180 As some of these instruments are already in place in the EU, this chapter focuses on outlining the European Union's legal framework regarding the fight against attacks on critical infrastructure.

3.2 European legal framework

3.2.1 The Council of Europe – Budapest Convention

Before analysing the most recent legal developments in the fight against DDoS attacks from the EU's perspective, the author will briefly introduce the Budapest Convention.181 After many years of preparatory work, the Council of Europe adopted the Convention to cope with the jurisdictional issues caused by the evolution of the Internet.182 This international instrument was opened for signature on 23 November 2001 and entered into force on 1 July 2004.183 This is a historic achievement, because the Convention represents the first binding multilateral instrument in the fight against cybercrime. The agreement was initially signed by 30 countries, including non-members of the Council of Europe such as Canada, Japan, South Africa and the US.184 At the time of writing this thesis, just two Member States of the EU had not yet ratified the Convention, Sweden and Ireland, whereas Greece ratified it in 2017. The European Union has recognised the importance of this international instrument several times, encouraging all Member States and third countries which have not ratified the Convention to do so.185

Thus, the Convention was the first step towards a ‘common criminal policy’ against computer-related crime, by aligning national legislation, increasing law enforcement capabilities and supporting international cooperation.186 To this end, the Convention lists nine crimes grouped in four categories of computer-related offences, as follows:187

- offences against the confidentiality, integrity and availability of computer data and systems: illegal access, illegal interception, data interference, system interference and misuse of devices;
- computer-related offences: computer-related forgery and computer-related fraud;
- content-related offences: offences related to child pornography;
- offences related to infringements of copyright and related rights.

177 Bruce Schneier, ‘Regulation of the Internet of Things’ (Schneier on Security, 10 November 2016) <https://www.schneier.com/blog/archives/2016/11/regulation_of_t.html> accessed 22 May 2018.

178 Vivek Wadhwa, ‘Laws and Ethics Can't Keep Pace with Technology’ (MIT Technology Review, 15 April 2014) <https://www.technologyreview.com/s/526401/laws-and-ethics-cant-keep-pace-with-technology/> accessed 13 June 2018.

179 Laviero Buono, ‘Gearing up the fight against Cybercrime in the European Union: a new set of rules and the establishment of the European Cybercrime Centre (EC3)’ (2012) New Journal of European Criminal Law, Vol. 3 <https://www.europol.europa.eu/sites/default/files/documents/njecl-2012-buono.pdf> accessed 20 June 2018.

180 Stein Schjolberg, ‘The History of Global Harmonization on Cybercrime Legislation – The Road to Geneva’ (2008) Cybercrime Law <http://www.cybercrimelaw.net/documents/cybercrime_history.pdf> accessed 20 May 2018.

181 Convention on Cybercrime, ETS No. 185, hereinafter the Budapest Convention. See <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185>.

182 Amalie M. Weber, ‘The Council of Europe's Convention on Cybercrime’ (2003) Berkeley Technology Law Journal, Volume 18 <https://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1416&context=btlj> accessed 19 May 2018.

183 Art 36 of the Budapest Convention.

184 Budapest Convention, chart of signatures and ratifications, see <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=2BXHZHFQ> accessed 12 August 2018.

185 Communication from the Commission to the European Parliament, the Council and the Committee of the Regions - Towards a general policy on the fight against cyber crime, COM(2007) 267 final, Brussels 2007.

186 Kristin Archick, ‘Cybercrime: The Council of Europe Convention’ (2002) CRS Report for Congress, Congressional Research Service, The Library of Congress <https://digital.library.unt.edu/ark%3A/67531/metacrs2394/> accessed 10 June 2018.

187 Explanatory Report to the Budapest Convention.

The Budapest Convention grants ‘great latitude with respect to the legislative approach’ to its signatories.188 In other words, by outlining all the above-mentioned criminal offences, the Convention helps the states involved to adopt the laws and procedures needed to fight cybercrime more effectively.189 The Convention introduces procedural law provisions which require the states to ‘establish domestic procedures for detecting, investigating, and prosecuting computer crimes, and collecting electronic evidence of any criminal offense’.190 Such legislative measures include the expedited preservation of stored computer data and traffic data, the search and seizure of computer systems or computer-stored data, and the real-time collection or interception of computer data.191 Furthermore, the Budapest Convention provides new principles for adequate and swift international cooperation, laying down conditions for extradition and mutual assistance between the parties. Under these principles, the law enforcement agency of one country can collect computer data evidence from another country,192 or could receive such data without a prior request.193 To make such transborder cooperation and assistance possible, Article 35 requires the parties to create a ‘24/7 Network’ by designating ‘a point of contact available on a twenty-four hour, seven-day-a-week basis’.194

Moreover, this Convention ‘uses technology-neutral language so that substantive criminal law offences may be applied to both current and future technologies involved’.195 Therefore, this instrument is capable of adapting to new forms of criminal activity, including botnets and DDoS attacks. Nevertheless, some authors argue that the Convention does not cover all forms of cybercrime, such as identity theft, sexual ‘grooming’, spam or cyberterrorism.196 However, the focus of this thesis is on DDoS attacks launched by IoT botnets against critical infrastructure, i.e. offences against the confidentiality, integrity and availability of computer data and systems, which are covered by Title 1 under the relevant articles of the Convention.197

188 Nicole M., Eun A. Jo, Soesanto S., ‘Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses’ (2015) European Parliament, p. 52 <http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536470/IPOL_STU(2015)536470_EN.pdf> accessed 10 May 2018.

189 Ibid.

190 Archick (n 186).

191 Articles 16-21 of the Budapest Convention.

192 Archick (n 186).

193 Nicole et al. (n 188).

194 Article 35 of the Budapest Convention.

195 Explanatory Report to the Budapest Convention.

196 Jonathan Clough, ‘A World of Difference: The Budapest Convention on Cybercrime and the Challenges of Harmonisation’ (2014) Monash U. L. Rev. 698 <https://www.monash.edu/__data/assets/pdf_file/0019/232525/clough.pdf> accessed 11 June 2018.

As presented in the previous chapter, a DDoS attack is launched by a multitude of unprotected IoT devices with the aim of making a computer system unavailable to its users by overloading the target computer or network with requests and thereby denying the users access. Because such behaviour requires going through various steps before a successful DDoS attack is launched, the Cybercrime Convention Committee (T-CY) issued several Guidance Notes to facilitate the use and implementation of the Convention in respect of these matters.198 Therefore, DDoS attacks launched by IoT botnets and directed at critical infrastructure can be criminalised under the following articles of the Budapest Convention:199

- Article 2, Illegal access: as shown in Chapter 2, building an IoT botnet requires the attacker to exploit the vulnerabilities of the devices in order to plant malware. Afterwards, the botnet can be used to infect and illegally access further IoT devices;200
- Article 4, Data interference: when creating a botnet, the data on an infected device is always damaged, deleted, deteriorated or suppressed, because the attacker sends the attack instructions to the ‘enslaved’ IoT devices. Moreover, the data in the information systems of the critical infrastructure is damaged as well;201
- Article 5, System interference: the aim of any DDoS attack is precisely to seriously hinder the functioning of a computer system belonging to critical infrastructure;
- Article 6, Misuse of devices: the definition in this article covers all botnets, because they are created in such a way as to commit the offences mentioned above. Furthermore, any software used to create such botnets also falls under this article. Moreover, it prohibits the production, sale, procurement for use, import, distribution or otherwise making available, as well as the possession, of botnets or programmes used for their creation or functioning;202
- Article 13, Sanctions: DDoS attacks can have serious implications in many ways for individuals and public sector institutions, specifically when targeting critical infrastructures such as banking, airports or hospitals. Governments should treat such attacks as causing serious harm; therefore, in accordance with Article 13 of the Convention, the Parties should ensure that such offences ‘are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty’.203 Under the same article, the Parties could consider aggravating circumstances, for example when a botnet affects a high number of IoT devices and when DDoS attacks cause ‘considerable damage, including deaths or physical injuries, or damage to critical infrastructure’.204

197 Article 2 of the Budapest Convention defines illegal access as ‘…the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.’ Article 4, Data interference: ‘…the damaging, deletion, deterioration, alteration or suppression of computer data without right. A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.’ Article 5, System interference: ‘…the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.’ Article 6, Misuse of devices: ‘…the production, sale, procurement for use, import, distribution, or otherwise making available of: i. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5; ii. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.’

198 Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)10E Rev.

199 Ibid.

200 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.

3.2.2 The European Union

To prevent such borderless attacks, new instruments that can ensure mutual legal assistance need to be implemented by the EU Member States.205 In the early 2000s the European Union already comprised 15 countries, but it had refrained from coming up with its own solutions addressing cybercrime. However, in January 2001 the Commission issued a Communication to the Council and the European Parliament on ‘creating a safer information society by improving the security of information infrastructures and combating computer-related crime’.206 In this first ‘soft law’ instrument aimed specifically at tackling cybercrime,207 the EU acknowledges the existence of vulnerabilities in information infrastructures that could lead to cybercriminal activities, including denial-of-service attacks. Moreover, the Commission indicates that an approximation of laws and sanctions across the Member States is needed for an effective fight against cybercrime, and notes that there is a demand for complementing the EU legal framework with substantive criminal law on computer-related crime.208

201 Cybercrime Convention Committee, T-CY Guidance Note #6 Critical information infrastructure attacks, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)11E Rev.

202 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.

203 Article 13 of the Budapest Convention.

204 Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)10E Rev.

205 Laviero Buono, ‘Fighting cybercrime between legal challenges and practical difficulties: EU and national approaches’ (2016) Academy of European Law <https://link.springer.com/article/10.1007/s12027-016-0432-5> accessed 10 July 2018.

In 2002, after the waiting for the CoE negotiations to end, the Commission proposed a

Framework Decision on Attacks Against Information Systems with the aim to harmonize the

Member States‟ criminal legislation regarding cybercrime, to improve the cooperation between

judicial and other competent authorities (the police and other LEAs)209

and to cover the

significant regulatory gaps in respect to these matters.210

The Decision entered into force in 2005

and was closely following the Budapest Convention, but its applicability was not so broad as the

latter.211

For example, the Decision was applicable just to the EU Member States, and it did not

touch any of the rules regarding investigative measures.212

However, with this Decision, the EU

complemented the work of the CoE, by supporting a common legal approach throughout the

EU.213

Unfortunately, within this decision, the Commission has not taken into consideration

botnets and large-scale attacks against critical infrastructure. Only, in 2007, the EU started to

move its attention to such issues, just right after the Estonian cyber attack occurred in the same

206 Communication from the Commission to The Council, The European Parliament, The Economic and Social Committee and The Committee of the Regions: Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-Related Crime, COM (2000) 890, Brussels 2001.

207 Buono (n 205).

208 COM (2000) 890 (n 206).

209 Erik Wennerstrom, ‘EU-legislation and Cybercrime: A Decade of European Legal Developments’ (2010) Stockholm Institute for Scandinavian Law <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2733634> accessed 11 December 2017.

210 Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, [2005] OJ L 69/67.

211 Wennerstrom (n 209).

212 Hans Graux, ‘New Directive on Attacks against Information Systems’ (time.lex, 16 October 2013) <http://timelex.eu/en/blog/detail/new-directive-on-attacks-against-information-systems> accessed 30 June 2018.

213 Stein (n 180).


year.214 This attack made clear that without an effective fight against cybercrime, including adequate protection of critical infrastructure, the Member States could not avoid the disruptions that cyber attacks, including DDoS, may cause. Thus, fighting cybercrime became a top priority on the EU security agenda.215 Moreover, because cyber crime started to be treated as a serious crime,216 it was included in 2009 in Article 83(1) of the Treaty on the Functioning of the European Union (TFEU),217 in the same category of ‘serious crimes with a cross-border dimension’ as other top crimes: terrorism, human trafficking, sexual exploitation, organised crime, corruption, illicit arms trafficking, etc.218 Furthermore, in 2010 the European Commission built on the previously mentioned provision, and one of its five main objectives was to ‘raise levels of security for citizens and businesses in cyberspace’.219 Finally, the culminating moment of all these legal and policy initiatives was the setting up of the European Cybercrime Centre, also known as EC3, in 2012.220

214 In 2007, Estonia took a decision to remove a Soviet-era memorial, and soon street riots had broken out in the centre of Tallinn. The decision met with enormous opposition from the Russian Government and from many Russian and international media. The memorial was a life-size bronze statue of a soldier. Unfortunately, although the statue was a place for commemorating the losses of the Soviet era, it soon became a gathering point for national extremists, who were provocative and hostile towards the Estonian state. The riots moved from the offline world into cyberspace, where unidentified attackers ‘took down’ various web pages of the Estonian government’s institutions and private sector businesses, in attacks that lasted until the end of May 2007. The first phase of the attack was a relatively ‘emotional response’ to the situation, because the attackers were launching coordinated ping commands at the targets. The Estonian authorities quickly and easily mitigated these attacks. However, in the second phase, more sophisticated attacks affected the Estonian information infrastructure. The hackers launched sophisticated and coordinated DDoS attacks using a huge botnet, making banking and government services unavailable. For additional information about this case see Enek T., Kadri K., Liss V., ‘International Cyber Incidents: Legal Considerations’ (2010) Cooperative Cyber Defence Centre of Excellence CCDCOE <https://ccdcoe.org/publications/books/legalconsiderations.pdf> accessed 22 August 2017.

215 Laviero Buono, ‘The Key Features of the EU Cybercrime Directive 2013: The newly adopted European framework for legislative measures on attacks against information systems’ (2013) Computer Law Review International <https://www.researchgate.net/publication/314498695_The_Key_Features_of_the_EU_Cybercrime_Directive_2013_The_newly_adopted_European_framework_for_legislative_measures_on_attacks_against_information_systems> accessed 17 May 2018.

216 Ibid.

217 Consolidated version of the Treaty on European Union and the Treaty on the Functioning of the European Union, [2010] OJ C 83/1.

218 Buono (n 215).

219 COM (2010) 0673, Communication from the Commission to the European Parliament and the Council, The EU Internal Security Strategy in Action: Five Steps towards a more secure Europe.

220 Buono (n 215). The European Cybercrime Centre (EC3) is established within Europol in The Hague and represents the European Union’s focal point in the fight against cybercrime. The EC3 focuses on major categories of cybercrime, such as fighting online fraud, online child sexual abuse and cyber-attacks affecting critical infrastructure and information systems in the EU. For more details, see Buono (n 179).


3.2.2.1 The ‘Botnet’ Directive

Finally, even if over the past fifteen years the EU legislator has made significant steps towards an adequate legal framework to address the challenges posed by cybercrime,221 it was in July 2013 that, for a better response to these emerging cyber threats against information systems, the European Union adopted the Directive on attacks against information systems (hereinafter the Botnet Directive), replacing the previous Council Framework Decision.222 The primary purpose of this Directive was to harmonize the criminal law in the EU in respect of cyber attacks, by establishing minimum rules on how to define the criminal offences and how to set relevant sanctions, to improve cooperation between the primary stakeholders including LEAs, police and other EU bodies and agencies, and to create an effective prevention mechanism.223

Various elements of the Framework Decision were kept in the Botnet Directive by the legislator, without any significant additions. In other words, the primary definitions of the cybercrimes included in the Framework Decision (illegal access to information systems, illegal system interference and illegal data interference),224 the rules about jurisdiction, the liability of legal persons and the exchange of information through the 24 hours/7 days network are maintained in the Directive. Moreover, the Directive follows the Budapest Convention as ‘the main legal framework of reference for combating cybercrime’ and builds on this legal instrument.225 For this reason, the Directive criminalises the illegal interception of computer data and outlaws the tools used for committing such offences.226 These are new elements in the EU legal framework, but most Member States had already implemented such provisions from the Convention in their national frameworks.227

221 Buono (n 215).

222 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA [2013] OJ L218/8, hereinafter Botnet Directive.

223 Recitals 1 and 2 of Botnet Directive.

224 No longer in force, Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems [2005] OJ L 69/67.

225 Recital 15 of Botnet Directive.

226 European Commission Memo, ‘Questions and Answers: Directive on attacks against information systems’ (European Commission Press Release Database, 4 July 2013) <http://europa.eu/rapid/press-release_MEMO-13-661_en.htm> accessed 30 June 2018.

227 Hans Graux, ‘New Directive on Attacks against Information Systems’ (time.lex, 16 October 2013) <http://timelex.eu/en/blog/detail/new-directive-on-attacks-against-information-systems> accessed 30 June 2018.


Important as well, some parts of the Botnet Directive are entirely new. The Directive takes into consideration new methods and tools for committing cybercrimes,228 like the creation and the use of botnets to launch a ‘large-scale cyber attack’.229 Furthermore, the Directive introduces aggravating circumstances and more severe penalties where:

‘A cyber attack is conducted on a large scale, affecting a significant number of information systems, including where it is intended to create a botnet, or where a cyber attack causes serious damage, including where it is carried out through a botnet. It is also appropriate to provide for more severe penalties where an attack is conducted against a critical infrastructure of the Member States or of the Union.’230

On the negative side, there are some challenges for the Member States in implementing these new elements of the Directive. For example, it is questionable how the Member States will categorise a cyber attack as a large-scale attack, or how they will understand what a ‘significant number of information systems’ and ‘serious damage’ in attacks against critical infrastructure are.231 However, the explanatory memorandum of the proposal mentions that large-scale attacks could be launched either by using various tools that affect a significant number of computers, or by attacks that produce extensive losses in respect of personal data, financial costs or disrupted computers. The same document acknowledges that it is difficult to say what a ‘big botnet’ is in terms of size, but until 2010, when the proposal was drafted, the biggest botnet had between 40,000 and 100,000 infected devices over 24 hours.232 However, as noted in the previous chapter, the latest major IoT botnet, ‘Mirai’, infected and controlled more than 400,000 compromised devices.233 In the coming years, jurisprudence and more research on these points should offer some real guidance in this respect.234

228 Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA, COM (2010) 517 final, 2010/0263 (COD), hereafter Proposal for Botnet Directive.

229 Recital 5 of Botnet Directive.

230 Recital 13 of Botnet Directive.

231 Article 9 of Botnet Directive.

232 Proposal for Botnet Directive.

233 Catalin Cimpanu, ‘You can now rent a Mirai Botnet of 400,000 bots’ (BLEEPINGCOMPUTER, 24 November 2016) <https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/> accessed 1 May 2018.

234 Hans Graux, ‘New Directive on Attacks against Information Systems’ (time.lex, 16 October 2013) <http://timelex.eu/en/blog/detail/new-directive-on-attacks-against-information-systems> accessed 30 June 2018.


On the positive side, the Directive aims to enhance the cooperation and the efforts of the Member States in the fight against large-scale cyber attacks, which could be a potential threat to society, and it provides the States with new legal ‘weapons’ to stand against this phenomenon.

In conclusion, the Botnet Directive takes into account large-scale attacks against the critical infrastructures of a country, attacks that could create significant disruption and destruction. The increasing number of such attacks is linked with the development of new sophisticated tools for committing cybercrimes, such as the creation and the use of ‘botnets’. In the next paragraph the author will further analyse how the creation of an IoT botnet, followed by launching a DDoS attack against a critical infrastructure, covers various stages of a criminal act, where each act alone could be a threat, and how the Botnet Directive criminalises these acts.235

3.2.2.1.1 The Attack Chain of a DDoS attack

As shown in the previous chapter, there are four essential phases taking place while assembling a successful DDoS attack.236 Expanding on these phases, the ‘intrusion kill chain’ proposed in the Lockheed Martin paper237 is used to describe a process for cyber intrusions, where ‘an adversary engages a specific target to further malicious intent’.238 The kill chain steps are depicted in fig. 4,239 and the methodology is also shared by ENISA, in the Threat Landscape Report for 2018, and by other experts.240 However, according to

235 Recital 5 of Botnet Directive.

236 Mirkovic et al. (n 21).

237 Eric M. Hutchins et al., ‘Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains’ (2011) Proceedings of the 6th International Conference on Information Warfare and Security, Washington D.C. <https://lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf> accessed 19 July 2018.

238 Bryan Harris, Eli Konikoff, Phillip Peterson, ‘Breaking the DDoS Attack Chain’ (2013) Institute for Software Research, Carnegie Mellon University <https://www.cmu.edu/mits/files/breaking-the-ddos-attack-chain.pdf> accessed 18 July 2018.

239 ENISA, Threat Landscape Report 2017, 15 Top Cyber-Threats and Trends, January 2018 <https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017/at_download/fullReport> accessed 4 July 2018.

Figure 4 – The attack chain of a DDoS attack


the author of this thesis, a complete legal analysis of a DDoS attack launched by an IoT botnet can be based upon five main steps, as follows: reconnaissance, delivery (getting access), compromising and control, action on objectives and weaponisation.

3.2.2.1.1.1 Step 1 - Reconnaissance

The main characteristic of a DDoS attack is its distributed aspect, which requires access to and control of a large number of devices.241 Therefore, an attacker will have to build an IoT botnet, starting by scanning for vulnerable or poorly secured IoT devices. At this step, the attacker uses various ways to scan random public IP addresses for the future botnet victims. Sometimes the scanning phase is done directly by the bots, as in the Mirai botnet, or the attacker uses a special search engine (Shodan or Censys)242 to find potentially vulnerable IoT devices.243 However, because these activities are deployed all over the public Internet, it could be technically difficult for the owner of an IoT device to detect or even limit such actions.244 Moreover, these actions are legal because the attacker is gathering information from an open source, and this search is often seen as legitimate ‘web-based research’.245 Therefore, the Botnet Directive does not criminalise this very first process, and unfortunately there is little the victim can do.

3.2.2.1.1.2 Step 2 – Delivery/Getting access

In general, most IoT devices come out of the factory’s doors with their telnet246 and web interfaces protected just by default passwords, to allow the buyers to access their devices.

240 Irving Lachow, ‘Active Cyber Defense: A Framework for Policymakers’ (2013) Center for a New American Security <https://www.cnas.org/publications/reports/active-cyber-defense-a-framework-for-policymakers> accessed 15 July 2018.

241 Harris et al. (n 238).

242 Just as Google allows a person to search online for specific data in huge amounts, Shodan does the same for the Internet of Things. The search engine helps the person to search for specific types of IoT devices, like webcams, routers and servers with an active online connection to the Internet. The search results contain information about the device, like the IP address, information about the software, what options the service supports and sometimes the default username and password of the user. See also <https://www.shodan.io> accessed 5 July 2018.

243 Kishore Angrishi, ‘Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT Botnets’ (2017) arXiv <https://arxiv.org/pdf/1702.03681.pdf> accessed 18 December 2017.

244 Agnes Kasper, ‘Legal Aspects of CyberSecurity in Emerging Technologies: Smart Grids and Big Data, European Answers to Security Breaches and “Common” Cyber crime’ in T. Kerikmae (ed.), Regulating eTechnologies in the European Union (Springer, 2014), p. 202.

245 Lachow (n 240).

246 If the IP (Internet Protocol) makes it possible to connect all the computer systems, the TELNET protocol makes it possible to use them. This protocol offers the user the possibility to connect and log on from his computer to any other host that is online in the user’s network. This protocol gives the user a remote log-on capability.


Unfortunately, the users forget to change the passwords and ‘leave the door and the windows open’ for IoT malware.247 Even if there are many possibilities to compromise the security of an IoT device, the author of the thesis will focus on brute-force password guessing attacks. It seems that, until now, this method has been the best for getting access to a large number of IoT devices.248

Compromising a device in this uncomplicated way is very simple and does not require much knowledge. The hacker or the botnet itself tries to guess a valid combination of username, password or any other protective measure.249 Even if the system is fully patched, a weak password is usually identified as the ‘Achilles heel’.250 Moreover, a weak password is the first point of access for attackers.251

On top of that, an attacker, or the bot itself, after scanning for vulnerable IoT devices, could also find details regarding the default password of a smart ‘thing’, as in fig. 5, even without a brute-force attack.252 Likewise, the attackers could easily obtain valuable information

See more in T. Harjunen, A. Sarkka, ‘Classic TCP/IP applications: TELNET, FTP, SMTP, NNTP and SNMP’ (1998) <https://www.netlab.tkk.fi/opetus/s38130/s98/tcpapp/TCP_appl.pdf> accessed 10 July 2018.

247 Al-Alami, Haneen & Hadi, Ali & Al-Bahadili, H., ‘Vulnerability Scanning of IoT Devices in Jordan Using Shodan’ (Information Technology Renewable Energy Processes and Systems (2017) IT-DREPS, University of Petra) <https://www.researchgate.net/publication/321588682_Vulnerability_Scanning_of_IoT_Devices_in_Jordan_using_Shodan> accessed 10 July 2018.

248 A brute-force password guessing attack is an automated way of obtaining user credentials (such as username, password, PIN, etc.). In other words, computational power is used to crack a password and to guess the username. Such programs try all the possible combinations for an account in order to unlock it. Research from 2012 showed that any eight-character Windows password could be cracked in less than six hours. See also Dan Goodin, ‘25-GPU cluster cracks every standard Windows password in <6 hours’ (arsTECHNICA, 12 October 2012) <https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/> accessed 9 July 2018. There are various types of brute-force attacks, like hybrid (dictionary attack), reverse or credential stuffing. In building the Mirai botnet, the attackers used the so-called ‘Dictionary Attack’, which is sometimes faster than the normal brute-force attack. This attack involves using a common list of usernames and passwords to gain access to a particular device or network. The dictionary attack tries to match the most common passwords with the most frequent usernames, like admin, root, 888888, admin1234, (none), 111111, 1234, 12345, 54321, 123456, user, 0, system, pass, 1111. See also Aimee O’Driscoll, ‘What a brute force attack is (with examples) and how you can protect against one’ (comparitech, 9 May 2018) <https://www.comparitech.com/blog/information-security/brute-force-attack/#gref> accessed 9 July 2018 and M. Raza, M. Iqbal, M. Sharif and W. Haider, ‘A Survey of Password Attacks and Comparative Analysis on Methods for Secure Authentication’ (2012) Comsats Institute of Information Technology <https://www.researchgate.net/profile/Mudassar_Raza2/> accessed 10 July 2018.

249 Bryan Sullivan, ‘Preventing a Brute Force or Dictionary Attack: How to Keep the Brutes Away from Your Loot’ (2007) SPI Dynamics <https://www.researchgate.net/publication/2> accessed 8 July 2018.

250 Jim Owens, Jeanna Matthews, ‘A Study of Passwords and Methods Used in Brute-Force SSH Attacks’ (2008) Clarkson University <http://people.clarkson.edu/~owensjp/pubs/leet08.pdf> accessed 5 July 2018.

251 Angrishi (n 243).

252 After one legitimate search on Shodan.io the author was able to identify 68,519 IoT devices using a default password and username like the example provided. These results could be accessed by hackers in order to take control of the devices, or by researchers. See also <https://www.shodan.io/search?query=default+password> accessed 5 July 2017.


about default passwords and open ports of such products from their product manuals, which are often available online.253 After finding the correct credentials, the bot will log on to the newly found vulnerable IoT devices and will download the malware, as we will see in the next paragraph.254
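As an added, defender-side illustration of this step (example code written for this edit, not part of the thesis or of any tool it cites): the first function flags device credentials that fall within the default-credential dictionary the thesis quotes in note 248, and the second scans telnet authentication log lines for the burst of failed logins a dictionary attack produces, reporting whether a successful login followed it. The log line format, the IP addresses and the sample log are constructed for this example.

```python
"""Defender-side checks for the default-credential dictionary attack described
above. Added example: not code from the thesis or from any cited tool.

Constructed assumptions:
- A hypothetical telnet daemon audit line format:
    <ISO-8601 timestamp> telnetd auth <ok|fail> src=<ipv4> user=<username>
- DEFAULT_TOKENS holds only the usernames/passwords the thesis quotes as the
  most frequent dictionary entries (note 248); a real dictionary is larger.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tokens quoted in the thesis; "(none)" is represented by the empty string.
DEFAULT_TOKENS = {
    "admin", "root", "888888", "admin1234", "", "111111", "1234", "12345",
    "54321", "123456", "user", "0", "system", "pass", "1111",
}


def credential_is_default(username: str, password: str) -> bool:
    """True if either half of the credential is a dictionary token.

    A device still using one of these after deployment is exactly the
    'door left open' the text describes, so it should fail a provisioning check.
    """
    return username.lower() in DEFAULT_TOKENS or password in DEFAULT_TOKENS


LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd auth (?P<result>ok|fail) "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S*)$"
)


def parse_auth_line(line: str):
    """Parse one audit line into a dict, or return None for unrelated lines."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "ip": m["ip"],
        "user": m["user"],
    }


def detect_dictionary_attack(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= `threshold` failed logins inside `window`.

    Returns {ip: {"failures_in_window", "usernames", "success_after_burst"}}.
    `success_after_burst` is the case the text warns about: the guessing
    stopped because a credential worked, so the device should be treated as
    compromised (step 3) rather than merely probed.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev is not None:
            events[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "fail"]
        for i in range(len(fails)):
            # Grow a window starting at failure i until it exceeds `window`.
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]["ts"]
                findings[ip] = {
                    "failures_in_window": j - i,
                    "usernames": sorted({e["user"] for e in fails[i:j]}),
                    "success_after_burst": any(
                        e["result"] == "ok" and e["ts"] >= burst_end for e in evs
                    ),
                }
                break  # one finding per source is enough for an alert
    return findings


# Constructed sample: 203.0.113.7 cycles through dictionary usernames and
# then succeeds; 192.0.2.10 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2018-07-10T10:00:01 telnetd auth fail src=203.0.113.7 user=root
2018-07-10T10:00:02 telnetd auth fail src=203.0.113.7 user=admin
2018-07-10T10:00:02 telnetd auth fail src=203.0.113.7 user=root
2018-07-10T10:00:03 telnetd auth fail src=203.0.113.7 user=user
2018-07-10T10:00:04 telnetd auth fail src=203.0.113.7 user=admin
2018-07-10T10:00:05 telnetd auth fail src=203.0.113.7 user=root
2018-07-10T10:00:06 telnetd auth ok src=203.0.113.7 user=root
2018-07-10T10:30:00 telnetd auth fail src=192.0.2.10 user=admin
2018-07-10T10:30:20 telnetd auth ok src=192.0.2.10 user=admin
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_dictionary_attack(SAMPLE_LOG).items():
        print(ip, info)
    print(credential_is_default("admin", "admin1234"))
```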

Compromising an IoT device in this second step, by finding a way to access it and then control it, is covered by the Botnet Directive in Article 3 (illegal access to information systems). In other words, Article 3 of the Botnet Directive stipulates that illegal access to information systems is considered a criminal offence where committed by infringing a security measure, and is punishable by at least two years of imprisonment.255 The question that arises now is whether an IoT device is seen as an information or computer system as defined by Article 2 of the Directive:

‘A device or group of inter-connected or related devices, one or more of which, pursuant to a programme, automatically processes computer data, as well as computer data stored, processed, retrieved or transmitted by that device or group of devices for the purposes of its or their operation, use, protection and maintenance.’256

According to the CoE’s guidance note on the notion of ‘computer system’, corroborated by the explanatory report of the Budapest Convention, it is clear that an ‘information system’ should include any device which processes data automatically and

253 Al-Alami et al. (n 247).

254 The bot will send the default credentials, along with other device features including the IP address, to the reporting server. Next, the botmaster will deliver an infection command to the loader containing all the details of the victim. The loaders are used for the dissemination of executables targeting various platforms and communicate directly with the victims. In other words, a loader is the means used to log on to the vulnerable IoT device. The attackers use the loaders to log on to the newly found vulnerable IoT devices and to instruct them on how to download and install the malware. The communication between the IoT malware and the devices is established through the telnet connection. See also Angrishi (n 243).

255 Articles 3 and 9 of Botnet Directive.

256 Article 2(a) of Botnet Directive.

Figure 5 – Default Password Results from Shodan.io


consists of two essential parts: hardware and software.257 The author agrees that this definition also includes all IoT devices because, as shown in the previous chapter, for such a device to work it is crucial to have the capability of sending and receiving data.

Moreover, going back to Article 3 of the Botnet Directive, it states that the intrusion into the whole or just a part of an information system must be committed intentionally and without right, regardless of the communication method used.258 The legislator does not define what ‘access’ is. However, considering the explanatory report of the Budapest Convention, it could be seen as ‘entering of another computer system, where it is connected via a public telecommunication network, or to a computer system on the same network, such as a LAN (local area network) or Intranet within an organisation’.259 Equally important, ‘intentionally’ means that the attacker gained illegal access with criminal intent; therefore, the Directive is not applicable when the above-mentioned objective criteria are met but the person acted without any bad intent. The legislator has implemented this requirement because it is easier for a person to accidentally access a restricted area on a computer network than to access a restricted area of a building without the intent of trespassing.260

In the same way, the Directive takes into consideration as the threshold for criminalisation261 whether the access was ‘without right’, which is defined by the legislator as ‘access… not authorised by the owner or by another right holder of the system or of part of it, or not permitted under national law’.262 This prerequisite was introduced because the legislator wanted to exclude from criminal liability any person who got a mandate from the owner of an information system to test the strength of the security of such systems.263 It is only natural that such experts have to simulate DDoS attacks on the computer systems by using the same tools as cybercriminals. Therefore, this provision does not

257 Cybercrime Convention Committee, T-CY Guidance Note #1 On the notion of “computer system” adopted by the 8th Plenary of the T-CY (5 December 2012), T-CY (2012) 21.

258 Kasper (n 244).

259 Explanatory Report of the Budapest Convention.

260 Paul De Hert et al., ‘Fighting cybercrime in the two Europes. The added value of the EU framework decision and the Council of Europe Convention’ (2006) Revue internationale de droit pénal <https://www.researchgate.net/publication/251058766_Fighting_cybercrime_in_the_two_Europes_The_added_value_of_the_EU_framework_decision_and_the_Council_of_Europe_convention> accessed 27 June 2018.

261 Paul De Hert et al. (n 260).

262 Article 2(d) of Botnet Directive.

263 Recital 17 of Botnet Directive.


cover access by authorised users, and the attacker needs to have a malicious intention to gain illegal access.264

Also, Article 3 excludes all the offences of illegal access to an information system which are minor cases. Recital 11 of the Directive provides some guidance for the Member States on when a case could be considered minor:

‘A case may be considered minor, for example, where the damage caused by the offence and/or the risk to public or private interests, such as to the integrity of a computer system or to computer data, or to the integrity, rights or other interests of a person, is insignificant or is of such a nature that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary.’265

Finally, a person would be punishable for illegal access to a computer only if that person has infringed the security measures of the device. Unfortunately, the Directive does not define what ‘security measures’ means, even though this qualifying element constitutes an essential prerequisite for criminalising such behaviour.266 It is questionable whether some active defence techniques, which are not per se considered security measures but are used to prevent and detect the reconnaissance phase of the DDoS attack,267 are seen as security measures within the meaning of Article 3.268

In conclusion, in creating a botnet the attacker will always need illegal access to computer systems.269 Therefore, at this step, the behaviour of the attacker when compromising an IoT device is considered unlawful under Article 3 of the Botnet Directive and punishable with imprisonment of at least two years.270 In doing so, the attacker has the intention to pass the security measure, which in this case is the password of the IoT device, and access is obtained without right. Therefore all the elements of illegal access to information systems are met.

264 Pedro Miguel F. Freitas and Nuno Goncalves, ‘Illegal access to information systems and the Directive 2013/40/EU’ (2015) International Review of Law, Computers & Technology <https://dl.acm.org/citation.cfm?id=2767890> accessed 10 June 2018.

265 Recital 11 of Botnet Directive.

266 Miguel et al. (n 264).

267 Kasper (n 244).

268 For example, ‘honey pots’ are computer systems which are set up by the ‘good guys’ in order to attract attackers to penetrate the system, so as to study their attack methods and the tools used, or to send them fake data. See more in Kasper (n 244).

269 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.

270 Article 9 of Botnet Directive.


3.2.2.1.1.3 Step 3 – Compromising and control

After getting access to the IoT devices, the attacker needs to control them somehow in order to launch the DDoS attack. Therefore, to transform the IoT devices into a ‘zombie’ network, the attacker instructs them to download malware from a distribution server. Right after downloading and installing the malware, the IoT device is reconfigured to come under control and to communicate with the command and control server.271 Furthermore, the bot malware fixes the vulnerabilities of the IoT devices, making sure that no other malware could use the same method to compromise the devices. At this moment, the malware remains in a latent condition,272 and for this reason the owner of the infected IoT device does not know about the malware infection.273

Under those circumstances, this step is considered as altering the integrity of the computer data,274 behaviour that is directly linked to the ‘illegal data interference’ covered by Article 5 of the Botnet Directive, which reads:

‘Member States shall take the necessary measures to ensure that deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.’275

The Directive aims to provide IoT data, and any other computer data, the same level of protection against intentionally inflicted damage as material objects have.276 The definition maintains the key elements of ‘intention’, ‘information system’, ‘without right’ and ‘minor cases’ presented above. However, some keywords are not addressed at all by the Directive, and the author suggests that the interpretation of the missing expressions might be done by following the Explanatory Report of the Budapest Convention. For this reason, while ‘deteriorating’ and ‘damaging’ the data are linked to the alteration of the integrity element, ‘deletion’ could be seen as identical to destroying and making something indistinguishable.277 ‘Suppressing’ computer data means ‘any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored’

271 Angrishi (n 243).

272 Ibid.

273 Douligeris, Mitrokotsa (n 66).

274 Kasper (n 244).

275 Article 5 of Botnet Directive.

276 Explanatory Report to the Budapest Convention.

277 Clough (n 4) p. 123.


whereas ‘altering’ means modifying the existing data.278 Therefore, it is clear that executing any malware on the IoT device will lead to an alteration of the integrity of the data.279

In conclusion, by taking control of IoT devices to build a botnet, the botmaster will always alter the data and may delete, damage, deteriorate or suppress the IoT data. For this behaviour, the attacker could face imprisonment of at least two years.280 Moreover, botnets themselves delete, damage, deteriorate, alter, suppress, or render IoT data inaccessible.281 The author needs to mention that DDoS attacks per se, when launched against critical infrastructure, also have the power to alter the integrity of the data of the affected computer system.282

3.2.2.1.1.4 Step 4 – Action on Objectives

This is the final step, where the attacker launches the DDoS attack by simply instructing, through the command and control server, all the IoT bots to start an attack against critical infrastructure.283 As the author has shown before, the main objective of a DDoS attack is to seriously hinder the functioning and availability of the targeted computer system,284 which might have a significant effect on the operator of the critical infrastructure.285 Article 4 of the Botnet Directive declares that making a computer system unavailable is unlawful and obliges the Member States to:

‘Take the necessary measures to ensure that seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.’286

This Article aims to protect the interest of the users who are lawfully using the computer systems against an intentional ‘hindering’ that could affect their proper

278

Explanatory Report to the Convention on Cybercrime, ETS No. 185. 279

Clough, (n 4), p. 112. 280

Article 9 of Botnet Directive. 281

Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering

botnets adopted by the 9th

Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev. 282

Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks adopted by the 9th

Plenary of the T-

CY (4-5 June 2013), T-CY (2013)10E Rev. 283

Kolias et al. (n 122). 284

Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks adopted by the 9th

Plenary of the T-

CY (4-5 June 2013), T-CY (2013)10E Rev 285

Kasper (n 244). 286

Article 4 of Botnet Directive.


functioning.[287] Unfortunately, the legislator has not mentioned what ‘illegal interference’ is. However, some authors argue that such interference is also known as ‘tampering’ or ‘computer sabotage’,[288] and is broad enough to encompass the ‘disruption of information systems’ caused by DDoS attacks, where access to the computer system is restricted.[289] Following the Explanatory Report of the Budapest Convention, ‘hindering’ means any action that interferes with the proper functioning of a computer system. The ‘hindering’ needs to be ‘serious’ and must take place by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data. It is not clear where the threshold for ‘serious’ stands. However, sending so much data to a target that it significantly hampers the owner or the operator in using that system, or blocks its ability to communicate with other systems, qualifies as serious illegal system interference.[290]

Accordingly, in the opinion of the author, a DDoS attack launched by an IoT botnet will qualify ‘easily’ as serious, and such conduct would be punishable under Article 4 of the Directive. On the other hand, the botnet per se may hinder the functioning of the infected IoT, but not necessarily,[291] because when taking part in a DDoS attack, each IoT device uses just a fraction of its available resources; thus, users may experience only a limited change in performance.[292] In this case, we cannot talk about system interference as defined by the Article mentioned above.

3.2.2.1.1.5 Step 5 – Weaponisation

Aside from the offences of illegal access and illegal system and data interference, the Botnet Directive also outlaws the weaponisation step of a DDoS attack.[293] Because the commission of such offences frequently requires the possession of some means of attack (in our case, without a large botnet a DDoS attack could not have the expected impact), the legislator provides a separate and independent legal basis to outlaw the availability on the black market of such ‘hacker tools’.[294] For this reason, the ‘production, sale, procurement for use, import, distribution

[287] Explanatory Report to the Convention on Cybercrime, ETS No. 185.
[288] Ibid.
[289] De Hert et al. (n 260).
[290] Explanatory Report to the Convention on Cybercrime, ETS No. 185.
[291] Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
[292] Douligeris, Mitrokotsa (n 66).
[293] Kasper (n 244).
[294] Explanatory Report to the Budapest Convention.


or otherwise making available’ of any devices or tools such as computer programs, passwords or access codes, which are specially designed or adapted for committing the crimes mentioned above, are criminalised by Article 7 of the Directive.[295]

In this case, ‘distribution’ means forwarding the data to others, whereas ‘making available’ refers to placing the devices online for the availability and use of others. When talking about ‘computer program’ or ‘tools’, the legislator took into consideration any programs particularly designed for illegal access and illegal system and data interference.[296] However, the terms are not defined, but in J. Clough’s opinion the term includes both software and hardware.[297] In particular, such ‘tools’ could encompass malicious software or virus programs, including those able to create botnets.[298] For clarity purposes, in the future the legislator could specify exactly what kind of tools fall under the definition of Article 7 and what a ‘computer program’ is, in order to avoid ambiguity.[299] In this case, according to the CoE, all botnets are considered tools as defined in Article 7 because they are created, designed and used for committing various offences. Furthermore, any program that is used by the attacker for creating and operating a botnet falls under the definition.[300]

Because the Directive refers just to devices designed exclusively for committing the above cybercrimes, in practice there are some challenges.[301] For example, there is friction between a DDoS attack launched by a botnet created for the legitimate purpose of testing the capacity of a computer system, and the illegitimate use of that botnet.[302] As a result, it is not enough to demonstrate that such a tool may be used for committing offences; it is important to show the intention and the design behind the device used for illegal purposes. To sum up, under the Botnet Directive the mere possession of an IoT botnet is not an offence if the criminal intent element is lacking.[303] However, selling an IoT botnet or making it available online for the use of other persons is punishable as a criminal offence.

[295] Article 7 of Botnet Directive.
[296] Explanatory Report to the Budapest Convention.
[297] Clough (n 4) p. 134.
[298] Recital 16 of Botnet Directive.
[299] Clough (n 4) p. 135.
[300] Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
[301] Explanatory Report to the Budapest Convention.
[302] Clough (n 4) p. 135.
[303] Ibid.


3.2.2.1.2 Sanctions

As we have seen, botnets might serve the criminal purpose of launching a DDoS attack against critical infrastructure, which could have a serious impact on society. With this in mind, the behaviour just mentioned should be punishable by ‘effective, proportionate and dissuasive criminal penalties’.[304] As a rule, Article 9 requires, for illegal access, illegal system and data interference and making available the tools for committing these offences, a punishment of imprisonment of at least two years.[305] Also, incitement, aiding and abetting for all the offences, and attempt to commit illegal system and data interference, are punishable as criminal offences.[306]

The EU legislator introduced penalties for some aggravating circumstances. In other words, reading Article 9 together with Recital 13 of the Directive results in a penalty of ‘at least three years’ of imprisonment in the case of a cyber attack conducted on a ‘large scale’ and which ‘is affecting a significant number of computer systems’, including where it is ‘intended to create a botnet’. The same Article mentions a maximum punishment of ‘at least five years’ of imprisonment when a ‘cyber attack is causing serious damage’, including when it ‘is carried through a botnet’ or ‘against a critical infrastructure’.[307]

3.2.2.1.3 Conclusions

As the author presented above, all the steps and phases of a DDoS attack against critical infrastructure could fall within the scope of the Botnet Directive.[308] Moreover, such behaviour is sanctioned with severe penalties, but large DDoS attacks are still possible because the botmaster sometimes cannot be identified. The measures proposed by the Botnet Directive are preventive or responsive, and other phases of a cyber incident like detection, assessment, recovery or communication are not covered at all.[309] For example, the assessment phase of cyber incident management is not supported by any legal or technical means. This was also the case with the communication phase of a DDoS attack until the NIS Directive was adopted. By carrying out a security risk assessment, the operator of critical infrastructure would become aware of the

[304] Article 9 of Botnet Directive.
[305] Ibid.
[306] Article 8 of Botnet Directive.
[307] Article 9 of Botnet Directive.
[308] Kasper (n 244).
[309] Ibid.


‘strengths, weaknesses and vulnerabilities’[310] of critical infrastructure.[311] For this reason, even the best security measures protecting the critical infrastructure could not be effective against a DDoS attack.[312]

In conclusion, by introducing some minimum security requirements for critical infrastructure, the communication of the most dangerous cyber attacks that occurred could be achieved. Therefore, the author will continue the legal analysis with the implications of the NIS Directive on critical infrastructure.

3.2.2.2 Overview of the ‘NIS’ Directive

As the author has shown in the previous chapter, the NIS Directive entered into force in August 2016 and was adopted by the EU Parliament to strengthen the EU Cybersecurity strategy.[313] The main aim of the Directive is to achieve a ‘high common level of security of network and information systems’ in the EU.[314] It could be argued that, by the time of the adoption of the NIS Directive, there were already enough research studies in place on new methods or frameworks which could improve and increase the cybersecurity level of CIs. However, one important element was missing before 2016, and that is the legal tool through which the Member States could extend required security measures to a broader set of private entities, including the operators of CIs,[315] and make the notification of any security incident mandatory.[316] The legislator also shares this view in Recital 4 of the Directive, which urges that the Member States should ‘have minimum capabilities and a strategy ensuring a high level of security of network and information system in their territory’. Also, the Directive intends to promote a European culture of risk management and to ensure that the most serious cyber incidents suffered by the operators of essential services and digital service providers are reported to the relevant authority. In other words, the NIS Directive builds on the EU’s readiness for cyber

[310] For example, Sun Tzu, a Chinese general and philosopher, said that ‘If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle’.
[311] Kasper (n 244).
[312] Ibid.
[313] European Commission, ‘EU Cybersecurity plan to protect open internet and online freedom and opportunity’ (European Commission Press Release, 7 February 2013) <http://europa.eu/rapid/press-release_IP-13-94_en.htm> accessed 12 May 2018.
[314] Article 1 of NIS Directive.
[315] Janine S. Hiller, Roberta S. Russell, ‘The challenge and imperative of private sector cybersecurity: An international comparison’ (2013) Virginia Tech, Computer Law & Security Review 29, 236-245 <https://www.sciencedirect.com/science/article/pii/S0267364913000575> accessed 19 July 2018.
[316] Maglaras et al. (n 3).


attacks, being aware that the safety and security of essential services are indispensable for society.[317]

3.2.2.2.1 Scope and applicability

The Directive was not applicable immediately after coming into force; the Member States had 21 months to implement the NIS Directive into national law.[318] Seven main milestones have to be adopted or implemented by the Member States:[319]

1. To adopt a national strategy on the security of network and information systems;[320]
2. To designate one or more national competent authorities on NIS; to designate a single national point of contact on NIS;[321] to designate one or more CSIRTs (Computer security incident response teams);[322]
3. To create a cooperation group to support and facilitate strategic cooperation among the Member States and to exchange information;[323]
4. To create a Computer security incident response teams network to contribute to the development of confidence and promote swift and effective cooperation;[324]
5. To establish security requirements and incident notification for operators of essential services;[325]
6. To establish security requirements and incident notification for digital service providers;[326]
7. To identify by 9 November 2018 all the operators of essential services which are located on their territory.[327]

The Directive became applicable on 10 May 2018,[328] and it covers ‘operators of essential services’ and ‘digital service providers’.[329] The NIS Directive does not apply to sectors

[317] Richard Piggin, ‘NIS Directive and the Security of Critical Services’ (2018) ITNOW 60, 44. 10.1093 <https://academic.oup.com/itnow/article-abstract/60/1/44/4858516?redirectedFrom=fulltext> accessed 10 May 2018.
[318] M.-T. Holzleitner, J. Reichl, ‘European provisions for cyber security in the smart grid – an overview of the NIS-directive’ (2017) Elektrotechnik & Informationstechnik 134/1: 14–18. DOI 10.1007/s00502-017-0473-7 <https://link.springer.com/article/10.1007%2Fs00502-017-0473-7> accessed 10 July 2018.
[319] Ibid.
[320] Article 7(1) of NIS Directive.
[321] Article 8(1) and (3) of NIS Directive.
[322] Article 9(1) of NIS Directive.
[323] Article 11(1) of NIS Directive.
[324] Article 12(1) of NIS Directive.
[325] Article 14 of NIS Directive.
[326] Article 16 of NIS Directive.
[327] Article 5(1) of NIS Directive.


that are regulated by other legal tools with minimum equivalent provisions to those in the Directive.[330] As mentioned before, the focus of the thesis is on ‘operators of essential services’, similar to ‘operators of critical infrastructure’, which includes sectors like energy, healthcare, water, transport and key digital services.[331] The author will not insist on what an operator of essential services is, because this matter was already discussed in the previous chapter. However, the author needs to mention that, to avoid any disproportionate financial and administrative burden, the legislator excluded the micro and small enterprises (hereafter: SMEs) which provide a digital service as indicated by the NIS Directive.[332] In the author’s view, such exclusion is not the best decision, because, for example, some SMEs could in the future be part of a ‘smart grid’ without having to align with the security protocols of the NIS provisions. Therefore, attackers could find an easy way into the systems of CIs if the national authorities do not implement some minimum security features that each legal person, irrespective of its size, has to follow in order to be connected to a grid.[333]

Thus, network and information systems play an essential role in the functioning of any critical infrastructure, and their reliability and security are necessary for assuring it.[334] According to Article 4(1) of the NIS Directive, ‘network and information system’ is defined as ‘an electronic communications network’. ‘Network and information system’ also means ‘any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for their operation, use, protection and maintenance’.[335] Such systems could be affected by a DDoS attack, stopping their proper functioning and negatively affecting society. Henceforth, concerning all the possible

[328] Article 25 of NIS Directive.
[329] Article 1(2)(d) of NIS Directive.
[330] Holzleitner, Reichl (n 318). It could be argued that maybe the legislator is preparing to update some regulations for other specific critical sectors like the Energy sector, which is the second most affected by the NIS Directive requirements, after the banking and finance sector. Or, for example, in the UK the financial and civil nuclear sectors are already regulated by tools which provide at least the same provisions as those in the NIS Directive. See also Piggin (n 317).
[331] Piggin (n 317).
[332] Recital 53 and Article 16(11) of NIS Directive.
[333] Holzleitner, Reichl (n 318).
[334] Ibid.
[335] Article 4(1) of NIS Directive.


threats, it is mandatory for the operators of critical infrastructures to adopt proper security measures to secure network and information systems.[336]

3.2.2.2.2 Obligations and security requirements

One of the main elements of the NIS Directive is the security requirements and the compulsory notification of cyber incidents.[337] Articles 14 and 16 of the Directive deal with these matters, covering both types of entities, operators of essential services and digital service providers, but with less strict provisions for the latter.[338] As the focus of this thesis is on critical infrastructure, the author will further consider just Article 14 of the NIS Directive.[339]

Thus, under this article, the operators of essential services will have to:

- Take security measures, including technical and organisational ones, which are appropriate and proportionate to ‘manage the risks posed to the security of network and information systems which they use in their operation’[340] and to ‘guarantee a level of security appropriate to the risk’;[341]
- Take ‘appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems… with a view to ensuring the continuity of those services’;[342]
- Notify the competent authorities when an incident that could have a ‘significant impact on the continuity of the essential services they provide’ has occurred;[343]
- Provide information upon request of the competent authorities about network and information system security policies;[344]
- Undergo a security audit by the competent authority or a qualified third-party auditor, and share the results with the competent authority.[345]

Some terms used by the legislator require further attention for clarity purposes. Article 4 of the NIS Directive defines ‘risk’ as ‘any reasonably identifiable circumstance or event having a

[336] Holzleitner, Reichl (n 318).
[337] Ibid.
[338] Ibid.
[339] Ibid.
[340] Article 14(1) of NIS Directive.
[341] Hiller, Russell (n 315).
[342] Article 14(2) of NIS Directive.
[343] Article 14(3) of NIS Directive.
[344] Article 15(2)(a) of NIS Directive.
[345] Article 15(2)(b) of NIS Directive.


potential adverse effect on the security of network and information systems’.[346] Unfortunately, the legislator has not defined what ‘appropriate and proportionate technical and organisational measures’ means. By reading Article 14(1) together with Recital 49, the author interprets ‘appropriate, proportionate technical and organisational’ measures as security measures that, ‘having regard to the state of the art’ of existing technology, would ‘ensure a level of security commensurate with the degree of risk posed to the security of the digital services they provide’.[347] Further, the Directive guides the Member States in determining the ‘significance’ of the possible impact of an incident, and the following criteria are given:[348]

a) the number of users affected by the disruption of the essential service;
b) the duration of the incident;
c) the geographical spread of the area affected by the incident.

To continue, in the case of a significant impact of an incident, the competent authority or CSIRT shall inform all the affected Member States and ‘preserve the security and commercial interests of the operator of essential services, as well as the confidentiality of the information provided in its notification’.[349] As the author explained above, the competent authorities from the involved Member States will have to cooperate and exchange information regarding the incident. In some circumstances, for public awareness and for preventing such incidents from happening again, the competent authority or the CSIRT would have to inform the public about the incident.[350]

Finally, under the NIS Directive, Member States are required to lay down rules on penalties and to ensure that such penalties are applied to the operators of CIs which fail to comply with the provisions of the Directive.[351]

3.2.2.2.3 Conclusions

By securing the critical infrastructures of each EU country, the NIS Directive aims to build an overall level of cybersecurity throughout the European Union.[352] However, even if the NIS Directive brings new provisions for an improved level of harmonisation across the Member

[346] Article 4(9) of NIS Directive.
[347] Article 14(1) and Recital 49 of NIS Directive.
[348] Article 14(4) of NIS Directive.
[349] Article 14(5) of NIS Directive.
[350] Article 14(6) of NIS Directive.
[351] Article 21 of NIS Directive.
[352] Maglaras et al. (n 3).


States in respect of the security of network and information systems, it is still questionable how the Member States will implement such provisions. For example, further research will need to answer the following important questions: How will each country decide what a significant impact is for a smart grid? What is the threshold for the significant impact of an incident, and when is it justified to inform the public – in the case of a major DDoS attack, a blackout or a technical failure? Is there any difference between the ‘significant impact’ required for an incident in the case of operators of essential services and the ‘substantial impact’ required in the case of digital service providers? Moreover, what will happen in the case of a DDoS attack which has a significant impact on a smart grid, affecting the continuity of essential services of another country? How could ‘state of the art of technology’ be achieved by the operators of CIs? And, finally, what is the role of public awareness and when is it necessary to avoid an incident?[353]

For the future, the Member States should introduce new provisions dealing particularly with the provisions of the NIS Directive and should adopt new national cyber security laws covering large cyber attacks against CIs and addressing all the problems discussed above.[354]

[353] Holzleitner, Reichl (n 318).
[354] Ibid.


Chapter 4

Conclusions and future work

‘So now, when we face a choice between adding features and resolving security issues, we need to choose security.’[355]

4.1 Conclusions

Chapter 2 revealed that there are various types of DDoS with the same aim: flooding the target with requests until it becomes unresponsive. The distributed power of the DDoS attack is one of its main characteristics. Thus, the attacker needs to have many devices under control. However, it is challenging for law enforcement agencies to deter or investigate such ‘multi-step’ and ‘multi-stage’ attacks, which have increased in number and power during the last years.

Furthermore, on the positive side,[356] the Internet of Things is the latest Internet revolution, with the primary mission to interconnect an entire variety of ‘traditionally dumb devices’.[357] All the data processed by these ‘things’ brings new remarkable solutions for smart cities, smart health and smart monitoring to deal with significant societal issues, improving our daily life.[358]

On the negative side, because the majority of the IoT devices are developed with no security in mind, in the last years many ‘poorly designed and badly protected’ IoT devices were launched on the market.[359] The lack of any basic cyber security attention triggered new security challenges for critical infrastructure and society in general. The IoT ‘ecosystem’ became ideal for launching new large-scale DDoS attacks for a couple of reasons: the majority of the devices have unlimited access to the Internet; when launching a new model of an IoT device, security is not the primary concern of the manufacturers; the IoT devices do not receive any firmware updates that could increase their security, or do not even have this feature; and finally, the IoT devices are protected with default credentials set up by the manufacturers for entire categories of devices.

[355] Bill Gates, ‘Bill Gates: Trustworthy Computing’ (Wired, 17 January 2002) <https://www.wired.com/2002/01/bill-gates-trustworthy-computing/> accessed 12 September 2018.
[356] Dragoni et al. (n 98).
[357] Ibid.
[358] Elisa Bertino, Kim-Kwang Raymond Choo, Dimitrios Georgakopoulos and Surya Nepal, ‘Internet of Things (IoT): Smart and Secure Service Delivery’ (2016) ACM Trans. Internet Technol. 16 <https://dl.acm.org/citation.cfm?id=3013520> accessed 16 July 2018.
[359] De Donno et al. (n 65).


Thus, the IoT created the means and the possibilities for the proliferation of powerful and sophisticated DDoS attacks. Moreover, the IoT not only ‘encouraged’ the deployment of such attacks, but also accelerated the evolution and diversity of DDoS attacks.[360] Similarly, Europol mentioned that the European critical infrastructure is more vulnerable than ever to such sophisticated DDoS attacks launched by IoT botnets.[361] However, the defining moment occurred in 2016, when the Mirai botnet, representing the outstanding synergy between DDoS attacks and the IoT, blasted the Internet with the most powerful DDoS attack ever seen. A surprising fact is how Mirai set up and controlled such a vast network of unsecured ‘things’. The botnet was able to infect the IoT devices by using a small dictionary of default usernames and passwords, relying on the ‘non-security behaviour’ of the IoT users and vendors (i.e. the attackers expected that users would still use the default credentials of the devices provided by the IoT vendors).

The analysis of these issues revealed that, unfortunately, Mirai is the first chapter of a long story that has just begun. The risks IoT devices bring to the Internet were highlighted by the impact of DDoS attacks launched by the Mirai botnet.[362] It is generally accepted that this cyber threat problem is growing and that the future will bring new security risks for critical infrastructure, with the possibility of harming human life.[363] Furthermore, as shown in the previous chapters, CIs rely on computer systems and Internet connections in almost all sectors to provide their services. Therefore, critical infrastructure suffers from the same attack vectors as traditional IT systems,[364] because such online connectivity created a large number of access points in the network.

Therefore, in order to appreciate how each step in the DDoS ‘kill chain’ is criminalised, an assessment of the EU legal framework is needed. For this purpose, Chapter 3 assessed what the relevant European legal framework dealing with massive DDoS attacks is, what the cyber security requirements for the operators of critical infrastructure in the aftermath of a DDoS attack are, and whether there are any regulatory gaps. This chapter has unveiled that the European Union started in 2001 to come up with legal solutions based on the Budapest Convention, including both ‘soft’ and ‘hard’ law in respect of cybercrimes. Therefore, the European Commission proposed the Framework Decision on Attacks against Information Systems,

[360] Bertino et al. (n 184).
[361] EUROPOL, IOCTA 2017 (n 22).
[362] Kolias et al. (n 122).
[363] Bertino et al. (n 184).
[364] Maglaras et al. (n 3).


which entered into force in 2005. However, this legal tool excluded botnets and large-scale attacks against critical infrastructure. Triggered by the Estonian cyber attack, the fight against cyber crime became a top priority for the EU. Thus, among various policy and legal steps to win this battle, the Botnet Directive replaced the Framework Decision, and it finally made explicit reference to large-scale attacks against critical infrastructure.[365] The Botnet Directive set minimum rules in all Member States and raised the level of penalties.[366] Equally important, this Directive outlaws the creation and use of botnets when launching massive cyber attacks, and it has introduced aggravating circumstances for such behaviour. Although the Botnet Directive brought new, easy-to-implement elements for the Member States, there are still some challenges regarding what a large-scale cyber attack is and what severe damage represents.

Moving on to the legal implications of the ‘intrusion kill chain’, this chapter presented that there are five main steps taking place while building an IoT botnet and then launching a DDoS attack, as follows: reconnaissance, delivery (getting access), compromising and control, action on objectives and weaponisation. All the steps, except reconnaissance, are criminalised under the Botnet Directive with various penalties.

Thus, from a legal point of view, the Member States have enough basis to deter such behaviour. However, when dealing with DDoS attacks, the main aspect should be prevention and mitigation.[367] Furthermore, these attacks succeed because the attacker takes various cautionary measures to hide each step in the ‘kill chain’, and without attribution, the tools used by the police to trace back these ‘multi-stage’ attacks are limited in their effectiveness.[368] Therefore, further research is needed on attribution when considering ‘multi-step’ and ‘multi-stage’ attacks.[369]

To continue the fight against cyber crime and to boost the overall level of cybersecurity in Europe, the EU legislator has adopted the NIS Directive, which imposes new obligations on the operators of critical infrastructure, requirements that were missing from the Botnet Directive.[370] It is very well received that such operators will have to undergo cybersecurity tests to discover any risks posed to the security of the network and information systems which they

[365] Buono (n 215).
[366] Ibid.
[367] Clark, Landau (n 32).
[368] Ibid.
[369] Ibid.
[370] Maglaras et al. (n 3).


use.371

In other words, by implementing „appropriate and proportionate technical and

organisational measures‟, the operators of CIs could not only simulate a DDoS attack and find

out the outcome of such attack but could also address any vulnerabilities found in the network

and information systems. However, policy and technical tools influence the regulation of

detection of malicious activity in critical infrastructures. For instance, considering the banking or

financial market infrastructures as defined by the NIS Directive, it could be seen that the

legislator has implemented „supportive and complementary legal measures‟ such as money

laundering or terrorist financing prevention regulation. Concerning other sectors, the Smart Grid

Coordination Group was mandated by the EU Commission to address various standards for the

smart grids and provided some guidance on how such standards could have an important role for

active cyber defence measures like the use of „honeypots‟ or other techniques for understanding

the attacker`s behaviour.372

However, it is true that the Member States need to adopt appropriate

legal tools for various sectors and establish cross-sector-based competent institutions,373

for the

protection of confidentiality, integrity and availability of the data. Thus, it is not clear yet how

they will implement the provisions from the NIS Directive into national laws. However, the NIS

Directive introduced new provisions for achieving an improved level of harmonisation across

Europe in respect to security of network and information systems,374

but in reality, we are far

away from completely „shielding Europe from external threats‟.375

To sum up, one of the main visible features of the fight against DDoS attacks is the prevention of such attacks and the mitigation of the risks and danger when they occur.376 The operators of CIs could achieve this by complying with the NIS requirements. Significantly, much of the responsibility for the deployment of DDoS attacks remains with the owners of the unprotected IoT devices, who fail to follow some basic security guidelines.377 However, the responsibility should also be shared with the IoT manufacturers who deployed IoT devices with weak security. Moreover, the manufacturers are in the position of issuing patch updates that would easily fix these issues.378 More research is needed from a legal point of view on how responsibility for DDoS attacks could be shared between the various stakeholders, and how any liability limitations inserted in the terms of service of IoT and software vendors would be upheld in case of possible litigation.379 Without much prevention and attribution, future DDoS attacks will only succeed. All in all, such major DDoS attacks could still affect any type of critical infrastructure in the future which is not protected enough, because in today’s cyber crime ‘game’ no one can be 100% protected against any cyber attack.

371 Article 14 of NIS Directive.

372 Kasper (n 244).

373 Holzleitner, Reichl (n 318).

374 Holzleitner, Reichl (n 318).

375 Maglaras et al. (n 3).

376 Clark, Landau (n 32).

377 Kolias et al. (n 122).

378 Ibid.

4.2 Recommendations

Therefore, what are the recommendations that the EU Member States or the EU legislator should follow? How can we mitigate the impact of massive DDoS attacks? How could we solve this security and privacy disaster?380 In order to answer these questions, the first step is to assess the nature of the problem. Therefore, the next question is whether this situation is technological: are we missing the much needed technology to protect the IoT devices? The author shares the opinion of other scholars that, regarding the issue of massive IoT botnets, we do not need new security solutions or technological innovation.381

Firstly, the priority in this case should be ‘cyber’ education, because what is missing is a developed and effective security ‘mind-set’, a culture of awareness and understanding of the cyber risks in our daily life.382 Sometimes we should not rely just on a computer algorithm; people should also intervene. For example, all the described vulnerabilities of the IoT devices are possible only because of their manufacturers’ and users’ approach. In other words, some IoT users do not even know that their devices, like a computer, have configurable interfaces regarding security.383 Thus, by following some basic security practices, it would have been possible to protect the IoT devices against the Mirai botnet. Unfortunately, the main issue in this case was not the lack of technological innovation.384 The world already has the technology that could fix most security vulnerabilities, but the lack of a basic security culture is stronger.385

379 The European Commission made a case study analysis of the case where IoT devices are targeted with cyber attacks. For example, taking the Mirai botnet, because there are many actors involved, the liability should be shared between various parties: the attackers’ group who programmed the malware; the users who failed to change the default password of the devices; the software vendor, which launched the IoT devices with an unprotected interface. Moreover, it is clear that the attacker should be liable in the first instance, but as shown above, such DDoS attacks are often anonymous and it is sometimes impossible for the victim to identify the botmaster behind them and obtain any legal compensation from him. However, it is questionable if such liability limitations would stand in front of the Court, thus much research is still needed on this topic. See more details in Commission Staff Working Document Liability for emerging digital technologies, accompanying the document Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – Artificial intelligence for Europe, COM(2018) 137 final, Brussels 2018.

380 Dragoni et al. (n 98).

381 Ibid.

382 Ibid.

383 Schneier (n 177).

Secondly, the EU should ‘regulate responsibly’ and fix the market failure by helping the IoT manufacturers with enough economic incentives, sufficient to prioritise security ‘by design’ and ‘by default’ for the IoT devices.386 According to some scholars, the EU could enforce minimum security standards for the IoT manufacturers and vendors, even in the cases where the users do not care about cyber security.387 For example, the legislator could impose a ‘trusted IoT label’,388 an idea already discussed by the EU Commission.389 Such a ‘trusted IoT label’ would provide high standards for the protection of privacy, personal data and security, aimed at the IoT users by granting clear information about the levels of privacy and security of an IoT device and demonstrating compliance with the EU’s legal requirements.390 Such an idea would also improve innovation and competitiveness on the IoT market.391

384 Dragoni et al. (n 98).

385 Ibid.

386 In other words, the technical reason why the IoT devices are still insecure is complicated. The IoT devices are developed at low cost, without many teams with security knowledge. The IoT manufacturers are not willing to pay the additional costs that security ‘by design’ or ‘by default’ would require. Unfortunately, neither the IoT vendor nor the buyer cares about resolving the vulnerabilities. See also Schneier (n 177).

387 Schneier (n 177). For example, the EU Commission could implement technical recommendations in respect of privacy and cyber security, including a set of guidelines for the IoT software developers so that any newly launched software will be compliant with the privacy regulations, and guidance for the same developers to implement privacy ‘by design’. See also Achilleas Kemos, ‘Everything connected: security and privacy in the Internet of Things’ (European Commission – DG Connect) <https://docbox.etsi.org/Workshop/2016/201605_EuropeanApproachDigitalMarket/S02_POLICY_SESSION/KEMOS_DG%20Connect.pdf> accessed 13 September 2018.

388 A valuable starting point could be the IoT Trust Framework released by the Online Trust Alliance. Such a framework has four key areas, including security principles, user access and credentials, privacy, disclosure and transparency, notifications and related best practices. For example, the security principles could be applicable to any IoT device or sensor. Furthermore, the IoT manufacturers could be obliged to encrypt all the passwords and user names and to integrate mechanisms to prevent brute-force attacks. For more details see Test-Achats, ‘Which generic security and privacy principles to ensure a Trusted IoT environment? The consumer view’ (Competence Center Products & Services) <https://ec.europa.eu/information_society/newsroom/image/document/2017-11/generic_security_and_privacy_principles_to_ensure_a_trusted_iot_environment_the_consumer_view_by_test-aankooptest-achats_0B8C19DD-E2B3-A0B3-4234275F9238BC24_43661.pdf> accessed 13 September 2018.

389 Arthur van der Wees, ‘In IoT We Trust: Technology, Interoperability, Security, Privacy & Usability in the Hyper-Connected World’ (EU Commission, 16 August 2016) <https://ec.europa.eu/digital-single-market/en/blog/iot-we-trust-technology-interoperability-security-privacy-usability-hyper-connected-world> accessed 13 September 2018.

390 European Commission, ‘Digital Single Market – Digitising European Industry Questions & Answers’ (European Commission Press Release, 19 April 2016) <http://europa.eu/rapid/press-release_MEMO-16-1409_en.htm> accessed 13 September 2018.

391 Van der Wees (n 388).

69

Thirdly, the EU should find a way to hold the IoT manufacturers accountable. However, even if for now it is not certain whether a regulatory intervention is appropriate and necessary in this respect,392 other solutions could be taken into consideration. For example, a first step from the EU might be to refuse to engage any more with any IoT manufacturers, IoT software vendors or other involved actors which cannot demonstrate that they are following the principles of security ‘by design’ and ‘by default’. The media could also play an important role, by informing the population about the IoT threats and about simplified cyber-hygiene and cyber-resilience advice.393

Finally, in addressing the security weaknesses, the IoT manufacturers should launch a detailed risk analysis following the best security practices, to identify the cyber threats to their products. Moreover, the manufacturers should apply the principle of ‘security by design’ right from the initial phase of designing any IoT device. Following ENISA’s methodology, some technical measures for the main stakeholders involved are provided:394

- to sign the code of the IoT device to ensure its security and the fact that it has not been tampered with by malicious software;

- to implement run-time protection and monitoring to be sure that malicious attacks are unable to overwrite the code;

- to control the installation of software on the IoT devices and to prevent any unauthenticated software or files from being loaded onto them;

- to enable security by default by deactivating any unused or insecure functionalities and by enabling all the security features by default;

- to have passwords that are hard to crack for all the IoT devices;

- to check that the default passwords and usernames are changed during the initial installation;

- to ensure that only the necessary ports are open and running;

- to implement regular monitoring to check the device behaviour and to detect any malware.

392 Commission Staff Working Document Liability for emerging digital technologies, accompanying the document Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – Artificial intelligence for Europe, COM(2018) 137 final, Brussels 2018.

393 James Scott, Drew Spaniel, Rise of the Machines – The Dyn attack was just a practice run (Institute for Critical Infrastructure Technology, 2016) p. 52.

394 IoT experts, software developers and manufacturers, IT/Security solutions architects, etc. For more details see ENISA, Threat Landscape Report 2017, 15 Top Cyber-Threats and Trends, January 2018 <https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017/at_download/fullReport> accessed 4 July 2018.
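As an added illustration (not part of the thesis or of ENISA's own text), the following Go program shows how a manufacturer could implement several of the listed measures in one place: Ed25519 code signing of the firmware image, so that a tampered or unsigned image is rejected before installation, and an audit of the shipped configuration for unchanged factory credentials, weak passwords, unnecessary open ports and insecure features left on by default. The device configuration fields, the factory-default credential list and the set of required ports are constructed assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// DeviceConfig is a constructed, simplified view of an IoT device's shipped
// configuration; the field names are assumptions for this example.
type DeviceConfig struct {
	Username      string
	Password      string
	OpenPorts     []int
	TelnetEnabled bool
	DebugEnabled  bool
}

// Constructed list of factory credentials the device ships with. A real
// product would compare against the defaults it actually shipped.
var factoryDefaults = map[string]string{
	"admin": "admin",
	"root":  "12345",
}

// Ports the device needs for its function (assumption: HTTPS management
// and MQTT over TLS). Anything else open is a finding.
var requiredPorts = map[int]bool{443: true, 8883: true}

// SignFirmware is the vendor-side step of the "sign the code" measure: it
// runs in the build pipeline, never on the device, and signs the SHA-256
// digest of the image with the vendor's Ed25519 private key.
func SignFirmware(vendorPriv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(vendorPriv, digest[:])
}

// VerifyFirmware is the device-side step: the image is accepted for
// installation only if the detached signature verifies under the vendor
// public key burned into the device. A single flipped byte fails the check.
func VerifyFirmware(vendorPub ed25519.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ed25519.Verify(vendorPub, digest[:], sig)
}

// AuditConfig checks the configuration-side measures (defaults changed,
// hard-to-crack password, only needed ports open, insecure features off)
// and returns one finding per violated measure, sorted for stable output.
// An empty slice means the configuration passes.
func AuditConfig(cfg DeviceConfig) []string {
	var findings []string
	if def, ok := factoryDefaults[cfg.Username]; ok && def == cfg.Password {
		findings = append(findings, "factory default credentials still in use")
	}
	if len(cfg.Password) < 12 {
		findings = append(findings, "password shorter than 12 characters")
	}
	for _, p := range cfg.OpenPorts {
		if !requiredPorts[p] {
			findings = append(findings, fmt.Sprintf("unnecessary port %d open", p))
		}
	}
	if cfg.TelnetEnabled {
		findings = append(findings, "cleartext telnet service enabled")
	}
	if cfg.DebugEnabled {
		findings = append(findings, "debug interface enabled by default")
	}
	sort.Strings(findings)
	return findings
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v1.2")
	sig := SignFirmware(priv, image)
	fmt.Println("genuine image accepted:", VerifyFirmware(pub, image, sig))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // simulate a modified image
	fmt.Println("tampered image accepted:", VerifyFirmware(pub, tampered, sig))

	// Constructed "as shipped" configuration that violates several measures.
	shipped := DeviceConfig{Username: "admin", Password: "admin",
		OpenPorts: []int{23, 443, 8883}, TelnetEnabled: true, DebugEnabled: true}
	fmt.Println("findings:\n  " + strings.Join(AuditConfig(shipped), "\n  "))
}
```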


Abbreviations

CIs Critical Infrastructures

CoE the Council of Europe

CPU central processing unit

CSIRT Computer Security Incident Response Team

DDoS distributed denial of service (attack)

DNS Domain Name System

DVR digital video recorder

EC3 European Cybercrime Centre

EDPB European Data Protection Board

EU European Union

Gbps gigabits per second

GPS global positioning system

ICMP Internet Control Message Protocol

ICS industrial control systems

ICT information and communications technology

IoT Internet of Things

IP Internet Protocol

IRC Internet Relay Chat

IXP Internet Exchange Point

LEA Law Enforcement Agency

NIS network and information systems

OECD Organisation for Economic Co-operation and Development

SCADA supervisory control and data acquisition

SME Small and Medium Enterprises

SYN synchronise

Tbps terabits per second

TCP Transmission Control Protocol

TFEU Treaty on the Functioning of the European Union

TLD Top Level Domain

UDP User Datagram Protocol

WP29 Article 29 Data Protection Working Party


Bibliography

Books

Agnes Kasper, ‘Legal Aspects of CyberSecurity in Emerging Technologies: Smart Grids and Big Data, European Answers to Security Breaches and “Common” Cyber crime’ in T. Kerikmae (ed.), Regulating eTechnologies in the European Union (Springer, 2014).

David S. Wall, The Transformation of Crime in the Information Age (first published 2007, Polity Press).

James Scott, Drew Spaniel, Rise of the Machines – The Dyn attack was just a practice run (Institute for Critical Infrastructure Technology, 2016).

Jonathan Clough, Principles of Cybercrime (2nd Edition, Cambridge University Press, 2015).

K. Dunham, J. Melnick, Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet (Auerbach Publications, Taylor & Francis Group, 2008).

Michael Calce, Craig Silverman, Mafiaboy: how I cracked the Internet and why it’s still broken (1st Edition, Viking, 2008).

S.W. Brenner, Cybercrime and the Law: Challenges, issues and outcomes (Northeastern University Press, 2012).

E-books and PDFs

A. D. Elyakov, ‘The Nature of the Modern Information Society’ (2010) Scientific and Technical Information Processing <https://link.springer.com/content/pdf/10.3103%2FS0147688210010090.pdf> accessed 13 August 2018.

Online Journals

Amalie M. Weber, ‘The Council of Europe’s Convention on Cybercrime’ (2003) Berkeley Technology Law Journal, Volume 18 <https://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1416&context=btlj> accessed 19 May 2018.

Archick Kristin, ‘Cybercrime: The Council of Europe Convention’ (2002) CRS Report for Congress, Congressional Research Service, The Library of Congress <https://digital.library.unt.edu/ark%3A/67531/metacrs2394/> accessed 10 June 2018.

Bryan Harris, Eli Konikoff, Phillip Peterson, ‘Breaking the DDoS Attack Chain’ (2013) Institute for Software Research, Carnegie Mellon University <https://www.cmu.edu/mits/files/breaking-the-ddos-attack-chain.pdf> accessed 18 July 2018.

Christos Douligeris, Aikaterini Mitrokotsa, ‘DDoS attacks and defense mechanisms: classification and state-of-the-art’ (2003) Department of Informatics, Greece <http://citeseerx.ist.psu.edu/viewdoc/download> accessed 24 January 2018.

David D. Clark, Susan Landau, ‘The Problem isn’t Attribution; It’s Multi-Stage Attacks’ (2010) ACM ReArch <https://groups.csail.mit.edu/ana/ANA%20PUBLICATIONS/The_Problem_isnt_Attribution.pdf> accessed 28 November 2017.

Enek T., Kadri K., Liss V., ‘International Cyber Incidents Legal Considerations’ (2010) Cooperative Cyber Defence Centre of Excellence CCDCOE <https://ccdcoe.org/publications/books/legalconsiderations.pdf> accessed 22 August 2017.

Eric J. Sinrod and William P. Reilly, ‘Cyber-Crimes: A Practical Approach to the Application of Federal Computer Crime Laws’ (2000) 16 Santa Clara High Tech. L.J. 177, p. 189-191 <http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1258&context=chtlj> accessed 24 November 2018.

Irving Lachow, ‘Active Cyber Defense: A Framework for Policymakers’ (2013) Center for a New American Security <https://www.cnas.org/publications/reports/active-cyber-defense-a-framework-for-policymakers> accessed 15 July 2018.

Jelena Mirkovic, Janice Martin and Peter Reiher, ‘A Taxonomy of DDoS Attacks and DDoS Mechanisms’ (2004) SIGCOMM Computer Communication Review vol. 34 <https://lasr.cs.ucla.edu/ddos/ucla_tech_report_020018.pdf>.

Jonathan Clough, ‘A World of Difference: The Budapest Convention on Cybercrime and the Challenges of Harmonisation’ (2014) Monash U. L. Rev 698 <https://www.monash.edu/__data/assets/pdf_file/0019/232525/clough.pdf> accessed 11 June 2018.

Jonathan L. Zittrain, The Future of the Internet – And How to Stop It (Yale University Press & Penguin UK 2008) <https://dash.harvard.edu/bitstream/handle/1/4455262/Zittrain_Future%20of%20the%20Internet.pdf?sequence=1> accessed 28 July 2018.

Justin Stephen, ‘The Changing Face of Distributed Denial of Service Mitigation’ (2001) SANS Institute <https://www.sans.org/reading-room/whitepapers/threats/threat-intelligence-planning-direction-36857> accessed 28 November 2017.

Kishore Angrishi, ‘Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT Botnets’ (2017) arXiv <https://arxiv.org/pdf/1702.03681.pdf> accessed 18 December 2017.

L. A. Maglaras et al., ‘Cyber security of critical infrastructures’ (2018) Volume 4 ICT Express, The Korean Institute of Communications and Information Sciences, p. 42-45 <https://www.sciencedirect.com/science/article/pii/S2405959517303880> accessed 10 June 2018.

L. A. Maglaras et al., ‘NIS directive: The case of Greece’ (2018) EAI Endorsed Transactions on Security and Safety, Volume 4, Issue 14 <http://eudl.eu/doi/10.4108/eai.15-5-2018.154769> accessed 12 July 2018.

Laviero Buono, ‘Fighting cybercrime between legal challenges and practical difficulties: EU and national approaches’ (2016) Academy of European Law <https://link.springer.com/article/10.1007/s12027-016-0432-5> accessed 10 July 2018.

Laviero Buono, ‘Gearing up the fight against Cybercrime in the European Union: a new set of rules and the establishment of the European Cybercrime Centre (EC3)’ (2012) New Journal of European Criminal Law, Vol. 3 <https://www.europol.europa.eu/sites/default/files/documents/njecl-2012-buono.pdf> accessed 20 June 2018.

Laviero Buono, ‘The Key Features of the EU Cybercrime Directive 2013; The newly adopted European framework for legislative measures on attacks against information systems’ (2013) Computer Law Review International <https://www.researchgate.net/publication/314498695_The_Key_Features_of_the_EU_Cybercrime_Directive_2013_The_newly_adopted_European_framework_for_legislative_measures_on_attacks_against_information_systems> accessed 17 May 2018.

M. Raza, M. Iqbal, M. Sharif and W. Haider, ‘A Survey of Password Attacks and Comparative Analysis on Methods for Secure Authentication’ (2012) Comsats Institute of Information Technology <https://www.researchgate.net/profile/Mudassar_Raza2/> accessed 10 July 2018.

M.-T. Holzleitner, J. Reichl, ‘European provisions for cyber security in the smart grid – an overview of the NIS-directive’ (2017) Elektrotechnik & Informationstechnik, 134/1: 14–18, DOI 10.1007/s00502-017-0473-7 <https://link.springer.com/article/10.1007%2Fs00502-017-0473-7> accessed 10 July 2018.

Paul De Hert et al., ‘Fighting cybercrime in the two Europes. The added value of the EU framework decision and the Council of Europe Convention’ (2006) Revue internationale de droit pénal <https://www.researchgate.net/publication/251058766_Fighting_cybercrime_in_the_two_Europes_The_added_value_of_the_EU_framework_decision_and_the_Council_of_Europe_convention> accessed 27 June 2018.

Richard Piggin, ‘NIS Directive and the Security of Critical Services’ (2018) ITNOW, 60, 44-44. 10.1093 <https://academic.oup.com/itnow/article-abstract/60/1/44/4858516?redirectedFrom=fulltext> accessed 10 May 2018.

T. Harjunen, A. Sarkka, ‘Classic TCP/IP applications: TELNET, FTP, SMTP, NNTP and SNMP’ (1998) <https://www.netlab.tkk.fi/opetus/s38130/s98/tcpapp/TCP_appl.pdf> accessed 10 July 2018.

Usman Tariq, Yasir Malik, Bessam Abdulrrazak and M. Hong, ‘Collaborative Peer to Peer Defense Mechanism for DDoS attacks’ (2011) Procedia Computer Science p. 157-165 <https://www.sciencedirect.com/science/article/pii> accessed 24 January 2018.

Usman Tariq, Yasir Malik, Bessam Abdulrrazak, ‘Defense and Monitoring Model for Distributed Denial of Service Attacks’ (2012) Procedia Computer Science 1052-1056 <http://www.sciencedirect.com/science/article/pii> accessed 28 November 2017.

Theses

Artur Appazov, „Legal Aspects of Cybersecurity‟ (University of Copenhagen 2014).

Legislation, Communications and other legal documents

Article 29 Data Protection Working Party, ‘Opinion 8/2014 on the Recent Developments on the Internet of Things’ adopted on 16 September 2016, 14/EN/WP 223.

Commission Staff Working Document Advancing the Internet of Things in Europe, accompanying the document Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – Digitising European Industry Reaping the full benefits of a Digital Single Market, COM(2016) 180 final, Brussels 2016.

Commission Staff Working Document Liability for emerging digital technologies, accompanying the document Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – Artificial intelligence for Europe, COM(2018) 137 final, Brussels 2018.

Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions: Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-Related Crime, COM (2000) 890, Brussels 2001.

Communication from the Commission to the European Parliament and the Council, The EU Internal Security Strategy in Action: Five Steps towards a more secure Europe, COM (2010) 0673 final, Brussels 2010.

Communication from the Commission to the European Parliament, the Council and the Committee of the Regions – Towards a general policy on the fight against cyber crime, COM(2007) 267 final, Brussels 2007.

Consolidated version of the Treaty on European Union and the Treaty on the Functioning of the European Union, [2010] OJ C 83/1.

Convention on Cybercrime, ETS No. 185.

Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection [2008] OJ L345/75.

Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems [2005] OJ L 69/67.

Cybercrime Convention Committee, T-CY Guidance Note #1 On the notion of “computer system” adopted by the 8th Plenary of the T-CY (5 December 2012), T-CY (2012) 21.

Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.

Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)10E Rev.

Cybercrime Convention Committee, T-CY Guidance Note #6 Critical information infrastructure attacks adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)11E Rev.

Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L194/1.

Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA [2013] OJ L218/8.

Explanatory Report to the Budapest Convention.

Proposal for a Directive of the Council on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection COM/2006/0787.

Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union COM (2013) 48 final, 2013/0027 (COD).

Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA, COM (2010) 517 final, 2010/0263 (COD).

Websites and blogs

‘Article 29 Working Party’ (European Commission, 22 November 2016) <http://ec.europa.eu/newsroom/just/item> accessed 18 October 2017.

‘Your fridge is full of spam: Proof of an IoT-Driven Attack’ (Proofpoint, January 2014) <https://www.proofpoint.com/us/threat-insight/post/Your-Fridge-is-Full-of-SPAM> accessed 5 May 2017.

<https://edpb.europa.eu/about-edpb/about-edpb_en> accessed 10 September 2018.

Achilleas Kemos, ‘Everything connected: security and privacy in the Internet of Things’ (European Commission – DG Connect) <https://docbox.etsi.org/Workshop/2016/201605_EuropeanApproachDigitalMarket/S02_POLICY_SESSION/KEMOS_DG%20Connect.pdf> accessed 13 September 2018.

Aimee O’Driscoll, ‘What a brute force attack is (with examples) and how you can protect against one’ (Comparitech, 9 May 2018) <https://www.comparitech.com/blog/information-security/brute-force-attack/#gref> accessed 9 July 2018.

Arbor Networks <arbornetworks.com/stakes> accessed 12 August 2018.

Arthur van der Wees, ‘In IoT We Trust: Technology, Interoperability, Security, Privacy & Usability in the Hyper-Connected World’ (EU Commission, 16 August 2016) <https://ec.europa.eu/digital-single-market/en/blog/iot-we-trust-technology-interoperability-security-privacy-usability-hyper-connected-world> accessed 13 September 2018.

Ben Deighton, ‘Critical infrastructures under daily attack – ERNCIP head Georg Peter’ (Horizon The EU Research & Innovation Magazine, 20 March 2017) <https://horizon-magazine.eu/article/critical-infrastructures-under-daily-attack-erncip-head-georg-peter_en.html> accessed 19 May 2018.

Bill Gates, ‘Bill Gates: Trustworthy Computing’ (Wired, 17 January 2002) <https://www.wired.com/2002/01/bill-gates-trustworthy-computing/> accessed 12 September 2018.

Brian Blomquist, ‘Prez holds summit to stop cyberhacks’ (New York Post, 16 February 2000) <https://nypost.com/2000/02/16/prez-holds-summit-to-stop-cyberhacks/> accessed 29 April 2018.

Brian Krebs, ‘KrebsOnSecurity Hit With Record DDoS’ (KrebsOnSecurity, 21 September 2016) <https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/> accessed 6 May 2017.

Brian, ‘Perhaps the first Denial-Of-Service Attack?’ (Plato History, 11 February 2010) <http://www.platohistory.org/blog/2010/02/perhaps-the-first-denial-of-service-attack.html> accessed 16 February 2017.

Bruce Schneier, ‘Regulation of the Internet of Things’ (Schneier on Security, 10 November 2016) <https://www.schneier.com/blog/archives/2016/11/regulation_of_t.html> accessed 22 May 2018.

Catalin Cimpanu, ‘You can now rent a Mirai Botnet of 400,000 bots’ (BleepingComputer, 24 November 2016) <https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/> accessed 1 May 2018.

Chris Williams, ‘Today the web was broken by countless hacked devices – your 60-second summary’ (The Register, 21 October 2016) <https://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/> accessed 1 May 2018.

Dan Goodin, ‘25-GPU cluster cracks every standard Windows password in <6 hours’ (Ars Technica, 12 October 2012) <https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/> accessed 9 July 2018.

Dan Goodin, ‘DDoS attacks take out Asian nation’ (The Register, 3 November 2010) <https://www.theregister.co.uk/2010/11/03/myanmar_ddos_attacks/> accessed 30 April 2018.

Dan Goodin, ‘DDoS service targeting PSN and Xbox powered by home Internet routers’ (Ars Technica, 1 September 2015) <https://arstechnica.com/security/2015/01/ddos-service-targeting-psn-and-xbox-powered-by-home-internet-routers/> accessed 6 May 2017.

Dan Goodin, ‘Large botnet of CCTV devices knock the snot out of jewelry website’ (Ars Technica, 28 June 2016) <https://arstechnica.com/security/2016/06/large-botnet-of-cctv-devices-knock-the-snot-out-of-jewelry-website/> accessed 6 May 2017.

Dan Goodin, ‘Record-breaking DDoS reportedly delivered by >145k hacked cameras’ (Ars Technica, 29 September 2016) <https://arstechnica.com/information-technology/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/> accessed 1 May 2018.

Dave Dittrich, ‘DDoS attack tool timeline’ (USENIX, 22 July 2000) <https://www.usenix.org/legacy/publications/library/proceedings/sec2000/invitedtalks/dittrich_html/timeline.html> accessed 29 April 2018.

Dima Bekerman, ‘New Mirai Variant Launches 54 Hour DDoS Attack against US College’ (Imperva Incapsula Blog, 29 March 2017) <https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html> accessed 1 May 2018.

English Oxford Living Dictionaries <https://en.oxforddictionaries.com/definition/Internet_of_things> accessed 10 May 2018.

European Commission Memo, ‘Digital Single Market – Digitising European Industry Questions & Answers’ (European Commission Press Release, 19 April 2016) <http://europa.eu/rapid/press-release_MEMO-16-1409_en.htm> accessed 13 September 2018.

European Commission Memo, ‘Questions and Answers: Directive on attacks against information systems’ (European Commission Press Release Database, 4 July 2013) <http://europa.eu/rapid/press-release_MEMO-13-661_en.htm> accessed 30 June 2018.

European Commission, ‘EU Cybersecurity plan to protect open internet and online freedom and opportunity’ (European Commission Press Release, 7 February 2013) <http://europa.eu/rapid/press-release_IP-13-94_en.htm> accessed 12 May 2018.

GitHub, ‘Leaked Mirai Source Code for Research/IoC Development Purposes’ (GitHub) <https://github.com/jgamblin/Mirai-Source-Code> accessed 1 May 2018.

Hans Graux, ‘New Directive on Attacks against Information Systems’ (time.lex, 16 October 2013) <http://timelex.eu/en/blog/detail/new-directive-on-attacks-against-information-systems> accessed 30 June 2018.

Internet Live Stats <https://news.ycombinator.com/item?id=12769751> accessed 1 May 2017.

J.P. Buntinx, ‘Major DDoS Attack Against ABN Amro Causes Major Outage’ (Fintechist, 17 January 2018) <http://www.fintechist.com/new-cyberattack-cripples-services-abn-amro/> accessed 19 May 2018.

Janene Pieters, ‘Russian Servers Linked to DDoS Attack on Netherlands Financial Network: Report’ (NL Times, 29 January 2018) <https://nltimes.nl/2018/01/29/russian-servers-linked-ddos-attack-netherlands-financial-network-report> accessed 19 May 2018.

Jennifer Chen, ‘Internet of Things added to hall of fame for words, i.e., the Oxford English Dictionary’ (Microsoft Blog, 9 September 2013) <https://blogs.microsoft.com/firehose/2013/09/09/internet-of-things-added-to-hall-of-fame-for-words-i-e-the-oxford-english-dictionary/> accessed 10 May 2018.

Libby Plummer, ‘Was massive hack that floored Amazon, Twitter and Reddit practice for election day? Wikileaks supporters and hackers say attack was revenge for shutting down Assange – but many fear it’s just a warm-up’ (DailyMail Online, 24 October 2016) <http://www.dailymail.co.uk/sciencetech/article-3859500/Widespread-internet-havoc-major-attack-takes-websites-offline-Spotify-Twitter-sites-suffer-outages.html> accessed 6 May 2017.

Nart Villeneuve, ‘Inside a Crimeware Network’ (Infowar Monitor, 2010) <http://www.nartv.org/mirror/koobface.pdf> accessed 30 April 2018.

Nicky Woolf, ‘DDoS attack that disrupted internet was largest of its kind in history, experts say’ (The Guardian, San Francisco, 26 October 2016) <https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet> accessed 7 December 2016.

Paul, ‘Update: Let’s Get Cyberphysical: Internet Attack shuts off the Heat in Finland’ (The Security Ledger, 8 November 2016) <https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland> accessed 19 September 2017.

Pauline Kael Quotes (Brainy Quote) <https://www.brainyquote.com/citation/quotes/pauline_kael> accessed 7 September 2018.

Phil Muncaster, ‘Mirai-Busting Hajime Worm Could be Work of White Hat’ (Infosecurity, 20 April 2017) <https://www.infosecurity-magazine.com/news/mirai-busting-hajime-worm-could/> accessed 1 May 2018.

Pierluigi Paganini, ‘Massive DDoS attack hit the Danish state rail operator DSB’ (Security Affairs, 15 May 2018) <https://securityaffairs.co/wordpress/72530/hacking/rail-operator-dsb-ddos.html> accessed 19 May 2018.

Pierluigi Paganini, ‘Three Dutch banks and Tax Agency under DDoS attacks…is it a Russian job?’ (Security Affairs, 30 January 2018) <https://securityaffairs.co/wordpress/68428/hacking/dutch-banks-ddos.html> accessed 19 May 2018.

Press Release of Europol, ‘2017, The Year When Cybercrime Hit Close to Home’ (Press release, 27 September

2017) <https://www.europol.europa.eu/newsroom/news/2017-year-when-cybercrime-hit-close-to-home> accessed

22 November 2017.

Robert S. Mueller III, Director Federal Bureau of Investigation (RSA Cyber Security Conference, San Francisco, 01

March, 2001) <https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-

terrorists-hackers-and-spies> accessed 18 November 2017.

Roberto Sanchez, „What is TCP/IP and How Does It Make the Internet Work?‟ (HostingAdvice.com, 17 November

2015) <https://www.hostingadvice.com/blog/tcpip-make-internet-work> accessed 9 August 2018.

Shodan <https://www.shodan.io> accessed 5 July 2018.

The General Secretariat of the Council, „EU to beef up cybersecurity‟ (Press release, 20 November 2017)

<http://www.consilium.europa.eu/en/press/press-releases/2017/11/20/eu-to-beef-up-cybersecurity/#> accessed 22

November 2017.

Tu Thanh Ha, Barrie Mckenna, „The hacker who talked too much‟ (The Globe and Mail, 20 April 2000)

<https://www.theglobeandmail.com/news/national/the-hacker-who-talked-too-much> accessed 29 April 2018.

79

Vitaly Kamluk, „Inside the Massive Gumblar Attack‟ (Viewing InfoSec from the Trenches, 2009)

<http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-

gumblar> accessed 19 May 2018.

Vivek Wadhwa „Laws and Ethics Can`t Keep Pace with Technology‟ (MIT Technology Review, 15 April 2014)

<https://www.technologyreview.com/s/526401/laws-and-ethics-cant-keep-pace-with-technology/> accessed 13 June

2018.

Working papers, reports, conference proceedings and other sources

„HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable of Attack‟ (Hewlett-Packard Development

Company, 2014) <http://www8.hp.com/ca/en/hp-news/press-release.html?id=1744676> accessed 10 May 2018.

„Securing the Internet of Things Opportunity: Putting Cybersecurity at the Heart of the IoT‟ (Capgemini Consulting,

2015) <https://www.capgemini.com/consulting/resources/security-in-the-internet-of-things/> accessed 10 May

2018.

A. Lewis, quoting C.P. Snow, New York Times, 15 March 1971, p.37

<https://timesmachine.nytimes.com/timesmachine/1971/03/15/issue.html> accessed 11 December 2016.

Admir Tuzovic, „The Internet of Your Things Microsoft`s Vision for IoT‟ (2015).

Al-Alami, Haneen & Hadi, Ali & Al-Bahadili, H., „Vulnerability Scanning of IoT Devices in Jordan Using Shodan‟

(Information Technology Renewable Energy Processes and Systems (2017) IT-DREPS, University of Petra

<https://www.researchgate.net/publication/321588682_Vulnerability_Scanning_of_IoT_Devices_in_Jordan_using_

Shodan> accessed 10 July 2018.

Brian Foote, Don Roberts, „Lingua Franca‟, (1998) Fifth Conference on Patterns Languages and Programs PLoP

‟98 <http://laputan.org/pub/foote/lingua.pdf > accessed 10 July 2018.

Bryan Sullivan, „Preventing a Brute Force or Dictionary Attack: How to Keep the Brutes Away from Your Loot‟

(2007) SPI Dynamics <https://www.researchgate.net/publication/2> accessed 8 July 2018.

Constantinos Kolias, Georgios Kambourakis, Angelos Stavrou, Jeffrey Voas „DDoS in the IoT: Mirai and Other

Botnets‟ (2017) IEEE Computer Society

<https://www.researchgate.net/publication/318288727_DDoS_in_the_IoT_Mirai_and_other_botnets> accessed 15

February 2018.

Elisa Bertino, Kim-Kwang Raymond Choo, Dimitirios Georgakopolous and Surya Nepal „Internet of Things (IoT):

Smart and Secure Service Delivery‟ (2016) ACM Trans. Internet Technol. 16

<https://dl.acm.org/citation.cfm?id=3013520> accessed 16 July 2018.

Emerging Cyber Threats Report for 2009, Georgia Tech Information Security Center, (2008). Available at

https://smartech.gatech.edu/bitstream/handle/1853/26301/CyberThreatsReport2009.pdf.

ENISA, Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures,

November 2017 <https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot> accessed

19 February 2018

ENISA, Stocktaking, Analysis and Recommendations on the Protection of CIIs, 2016

<https://www.enisa.europa.eu/publications/stocktaking-analysis-and-recommendations-on-the-protection-of-

ciis/at_download/fullReport> accessed 12 May 2018.

80

ENISA, Threat Landscape Report 2017, 15 Top Cyber-Threats and Trends, January 2018

<https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017/at_download/fullReport> accessed 4

July 2018.

Eric M. Hutchnis et al., „Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary

Campaigns and Intrusion Kill Chains‟ (2011) Proceeding of the 6th

International Conference on Information Warfare

and Security, Washington D.C <https://lockheedmartin.com/content/dam/lockheed-

martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf> accessed 19 July 2018.

Ericsson Mobility Report, On the Pulse of the Networked Society, (2015) <https://www.ericsson.com/en/mobility-

report> accessed 10 May 2018.

Erik Wennerstrom, „EU-legislation and Cybercrime A Decade of European Legal Developments‟ (2010) Stockholm

Institute for Scandinavian Law <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2733634> accessed 11

December 2017.

European Network and Information Security Agency (ENISA), Botnets: Detection, Measurement, Disinfection &

Defence, (2011) <https://www.enisa.europa.eu/publications/botnets-measurement-detection-disinfection-and-

defence/at_download/fullReport> accessed 10 June 2018.

EUROPOL, IOCTA 2017, Internet Organised Crime Threat Assessment, Europol, EC3 European Cybercrime

Centre, 2017 <https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-

assessment-iocta-2017> accessed 25 January 2018

Jan Neutze, „Cybersecurity Policy for the Internet of Things‟ (2017) the 8th

Annual Internet of Things European

Summit, Brussels.

Janine S. Hiller, Roberta S. Russell, „The challenge and imperative of private sector cybersecurity: An international

comparison‟ (2013) Virginia Tech, Computer Law & Security Review 29 236-245

<https://www.sciencedirect.com/science/article/pii/S0267364913000575> accessed 19 July 2018.

Jim Owens, Jeanna Matthews, „A Study of Passwords and Methods Used in Brute-Force SSH Attacks‟ (2008)

Clarkson University <http://people.clarkson.edu/~owensjp/pubs/leet08.pdf> accessed 5 July 2018.

Lauren Turner, „Anonymous hackers jailed for DDoS attacks on Visa, MasterCard and PayPal‟ (Independent, 24

January 2013) <http://www.independent.co.uk/news/uk/crime/anonymous-hackers-jailed-for-ddos-attacks-on-visa-

mastercard-and-paypal> accessed 28 November 2017.

Luca Montanari, Leonardo Querzoni „Critical Infrastructure Protection: Threats, Attacks and Countermeasures‟

(TENACE Project, Universita degli Studi di Roma “La Sapienza”, 2014), p.5

<http://www.dis.uniroma1.it/~tenace/download/deliverable/Report_tenace.pdf> accessed 10 June 2018.

Lucian Vasiu, Ioana Vasiu, „Dissecting Computer Fraud: From Definitional Issues to a Taxonomy‟ (2004),

<http://ieeexplore.ieee.org/document/1265413/> accessed 11 January 2017.

Memorandum from the European Commission <http://europa.eu/rapid/press-release_MEMO-13-661_en.htm>

accessed 19 May 2018.

Michele De Donno, Nicola Dragoni, Alberto Giaretta, Angela Spognard, „Analysis of DDoS-Capable IoT

Malwares‟ (2018) Proceeding of the Federated Conference on Computer Science and Information Systems pp. 807-

816 <https://annals-csis.org/Volume_11/drp/pdf/288.pdf> accessed on 24 January 2018.

Nicola Dragoni, Alberto Giaretta and Manuel Mazzara, „The Internet of Hackable Things‟ (2016) Proceedings of the

5th

International Conference in Software Engineering for Defense Applications, SEDA16.

81

Nicole M., Eun A. Jo, Soesanto S., „Cybersecurity in the European Union and Beyond: Exploring the Threats and

Policy Responses‟ (2015) European Parliament,

<http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536470/IPOL_STU(2015)536470_EN.pdf> accessed

10 May 2018.

OECD publishing, „Consumer Product Safety in the Internet of Things‟ (2018) OECD Digital Economy Paper

<https://www.oecd-ilibrary.org/science-and-technology/consumer-product-safety-in-the-internet-of-

things_7c45fa66-en> accessed 9 September 2018.

Pedro Miguel F. Freitas and Nuno Goncalves, „Illegal access to information systems and the Directive 2013/40/EU‟

(2015) International Review of Law, Computers & Technology <https://dl.acm.org/citation.cfm?id=2767890>

accessed 10 June 2018.

Q. Gu, P. Liu, „Denial of Service Attacks‟, (2007) in The Handbook of Computer Networks, Hossein Bidgoli et al.

(eds.), John Wiley & Sons, under second round revision

<https://onlinelibrary.wiley.com/doi/abs/10.1002/9781118256107.ch29#references-section> accessed 15 August

2017.

R. Roman, P. Najera and J. Lopez, „Securing the Internet of Things‟ (2011) IEEE Computer vol. 44 p. 51-58

<https://www.computer.org/csdl/mags/co/2011/09/mco2011090051.html> accessed 15 May 2018.

S. T. Zargar, James Joshi, David Tipper, „A Survey of Defense Mechanisms Against Distributed Denial of Service

(DDoS) Flooding Attacks‟ (2013) IEEE <https://ieeexplore.ieee.org/document/6489876/> accessed 24 January

2018.

Stein Schjolberg, „The History of Global Harmonization on Cybercrime Legislation – The Road to Geneva‟ (2008)

Cybercrime Law <http://www.cybercrimelaw.net/documents/cybercrime_history.pdf> accessed 20 May 2018.

Test-Achats, „Which generic security and privacy principles to ensure a Trusted IoT environment? The consumer

view‟ (Competence Center Products & Services)

<https://ec.europa.eu/information_society/newsroom/image/document/2017-

11/generic_security_and_privacy_principles_to_ensure_a_trusted_iot_environment_the_consumer_view_by_test-

aankooptest-achats_0B8C19DD-E2B3-A0B3-4234275F9238BC24_43661.pdf> accessed 13 September 2018.

Thomas Dubendorfer, Arno Wagner, „Past and Future Internet Disasters: DDoS attacks‟ (2003) Security Protocols

and Applications seminar <http://www.insecure.in/papers/ddos_disasters.pdf> accessed 10 September 2018.

Usman Tariq, ManPyo Hong, Kyunk-suk Lhee, „A Comprehensive Categorization of DDoS Attack and DDoS

Defense Techniques‟ (2006) LNAI 4093 p.1025-1036 <https://link.springer.com/chapter/10.1007/11811305_112>

accessed 24 January 2018.

Vincent Weafer and the others, „McAfee Labs Threats Report April 2017‟ (Intel Security McAfee Labs, April 2017)

<https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2017.pdf> accessed 6 May 2017.

Wiliam Hurst, Nathan Shone, Quentin Monnet, „Predicting the Effects of DDoS Attacks on a Network of Critical

Infrastructures‟ (2015) Thirteenth IEEE International Conference on DASC`15, Liverpool

<https://pdfs.semanticscholar.org/cf6c/41715347b703f4bd964425160010035ab957.pdf> accessed 25 January 2017.

WIND, Security in the Internet of Things Lessons from the Past for the Connected Future, 2015,

<https://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf

> accessed 19 February 2018.