Master's Thesis:
Your toaster as a threat to critical infrastructure: A multidisciplinary study on DDoS attacks in the EU IoT ecosystem
LL.M Law & Technology Master Thesis
Tilburg Law School
Tilburg Institute of Law, Technology and Society (TILT)
Tilburg University
September 2018
Sebastian-Dan Naste
SNR: 2005377
Supervisors: Dr. C. Cuijpers, Dr. A. K. Martin
‘Where there is a will, there is a way. If there is a chance in a million to do something, anything, to keep what you want from ending, do it. Pry the door open or, if need be, wedge your foot in that door and keep it open’.1
PREFACE
The writing of this thesis has been the toughest challenge that I faced during my academic
journey. Through many days of research and reflection I have achieved valuable knowledge of
the EU legal framework dealing with large-scale DDoS attacks launched by insecure IoT devices
against the EU critical infrastructure.
I would like to thank my Master thesis supervisor, Dr. Colette Cuijpers for her continuous
support and help throughout this programme and for her inspiring guidance during the writing
period of this thesis. I would also like to thank Dr. A. K. Martin for his advice in finalising this
dissertation.
I especially thank my partner for her endless help and support when I most needed it. Lastly, I would like to thank my sister, mother and father, who supported me throughout the entire Law University, each in their own way.
I hope you enjoy your reading.
Vienna,
7 September 2018
1 Pauline Kael Quotes (Brainy Quote) <https://www.brainyquote.com/citation/quotes/pauline_kael> accessed 7 September 2018.
Table of Contents
Chapter 1 ....................................................................................................................................... 1
1.1 Background ............................................................................................................................. 1
1.2 Problem statement ................................................................................................................... 3
1.3 Research question ................................................................................................................... 5
1.4 Significance of this study ........................................................................................................ 6
1.5 Limitations .............................................................................................................................. 7
1.6 Approach and methodology .................................................................................................... 8
1.7 Structure .................................................................................................................................. 9
Chapter 2 ..................................................................................................................................... 10
2.1 Chapter Outline ..................................................................................................................... 10
2.2 ‘Cybercrime’ in progress ...................................................................................................... 10
2.3 An insight into DDoS, Internet of Things and Critical Infrastructure .................................. 11
2.3.1 Distributed-Denial-of-Service attacks ............................................................................. 11
2.3.1.1 Introduction ................................................................................................................. 11
2.3.1.2 Types of DDoS attacks ............................................................................................... 13
2.3.1.3 Brief history of DDoS attacks ..................................................................................... 15
2.3.1.4 What makes DDoS attacks possible? .......................................................................... 15
2.3.2 Internet of Things - IoT ..................................................................................................... 21
2.3.2.1 Introduction ................................................................................................................. 21
2.3.2.2 Shaping IoT ................................................................................................................. 23
2.3.2.2.1 Security considerations and challenges ................................................................. 24
2.3.2.2.2 Reasons why IoT devices became botnet ‘friendly’ .............................................. 26
2.3.2.3 ‘Mirai’ – ‘The future’ is already here ......................................................................... 28
2.3.3 Critical Infrastructure ....................................................................................................... 31
2.3.3.1 Introduction ................................................................................................................. 31
2.3.3.2 Why Critical Infrastructure became a tempting target for DDoS attacks? ................. 34
2.4 Conclusions ........................................................................................................................... 36
Chapter 3 ..................................................................................................................................... 36
3.1 Chapter Outline ..................................................................................................................... 37
3.2 European legal framework .................................................................................................... 37
3.2.1 The Council of Europe – Budapest Convention .............................................................. 37
3.2.2 The European Union ........................................................................................................ 41
3.2.2.1 The ‘Botnet’ Directive ................................................................................................ 44
3.2.2.1.1 The Attack Chain of a DDoS attack ...................................................................... 46
3.2.2.1.1.1 Step 1 - Reconnaissance.................................................................................... 47
3.2.2.1.1.2 Step 2 – Delivery/Getting access ...................................................................... 47
3.2.2.1.1.3 Step 3 – Compromising and control ................................................................. 52
3.2.2.1.1.4 Step 4 – Action on Objectives .......................................................................... 53
3.2.2.1.1.5 Step 5 – Weaponisation .................................................................................... 54
3.2.2.1.2 Sanctions ................................................................................................................ 56
3.2.2.1.3 Conclusions ............................................................................................................ 56
3.2.2.2 Overview of the ‘NIS’ Directive ................................................................................. 57
3.2.2.2.1 Scope and applicability .......................................................................................... 58
3.2.2.2.2 Obligations and security requirements................................................................... 60
3.2.2.2.3 Conclusions ............................................................................................................ 61
Chapter 4 ..................................................................................................................................... 63
4.1 Conclusions ........................................................................................................................... 63
4.2 Recommendations ................................................................................................................. 67
Abbreviations .............................................................................................................................. 71
Bibliography ................................................................................................................................ 72
Chapter 1
INTRODUCTION
‘Technology…is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other’.2
1.1 Background
During a heavy winter in 2019, the power distribution across Eastern Europe suddenly went off, and fear spread among 290 million Eastern Europeans. Soon, due to lack of electricity, airports shut down their traffic, banks stopped their financial operations, hospitals could no longer receive any more patients, and in the darkest night in Europe's history, all systems went offline. But what triggered this hypothetical disaster? The answer is simple: a massive Distributed-Denial-of-Service attack (from now on DDoS attack) targeting the critical infrastructure (e.g. power grid, airports, banking or financial systems) of a major part of Europe, launched by a group of unidentified hackers.3
Even if this outage is at the moment just a ‘worst-case scenario’, it exposes ‘the ubiquity of digital technology in modern life’4 and the energy dependence of our smart society. Computer systems have increasingly become part of our lives. The technology revolution has changed our world, and now we are living in an ‘information society’,5 which has come with its disadvantages. Such a globalised, interconnected digital life has created many crime opportunities across countries.6 An essential theory of criminology indicates that crime will always follow an opportunity, and unfortunately, ‘opportunities abound in today's computer reliant world’.7 Moreover, a smart grid embodies more data and Internet controlling systems than ever, a fact that has opened the door for countless new risks and cyber attacks.8 Countries have become more and more reliant on ICT networks to provide vital services such as communications, energy, transport, etc.9 In brief, because people are becoming notably dependent on computers and smart devices, technology itself has become a fascinating target for cybercriminals.
2 A. Lewis, quoting C.P. Snow, New York Times, 15 March 1971, p. 37 <https://timesmachine.nytimes.com/timesmachine/1971/03/15/issue.html> accessed 11 December 2016.
3 L. A. Maglaras et al., ‘NIS directive: The case of Greece’ (2018) EAI Endorsed Transactions on Security and Safety, Volume 4, Issue 14 <http://eudl.eu/doi/10.4108/eai.15-5-2018.154769> accessed 12 July 2018.
4 Jonathan Clough, Principles of Cybercrime (2nd Edition, Cambridge University Press, 2015) p. 3.
5 A. D. Elyakov, ‘The Nature of the Modern Information Society’ (2010), Scientific and Technical Information Processing p. 60 <https://link.springer.com/content/pdf/10.3103%2FS0147688210010090.pdf> accessed 13 August 2018.
6 David S. Wall, The Transformation of Crime in the Information Age (first published 2007, Polity Press), p. 37.
7 Lucian Vasiu, Ioana Vasiu, ‘Dissecting Computer Fraud: From Definitional Issues to a Taxonomy’ (2004) <http://ieeexplore.ieee.org/document/1265413/> accessed 11 January 2017.
For example, in November 2016, hackers attacked a smart building system in Finland,
resulting in the malfunction of heat distribution, hot water and ventilation. A DDoS attack
overwhelmed the network and blocked the remote access of the administrators, forcing the
devices to restart every few minutes. The problem was fixed when a technician went to the
properties and put the hardware offline manually until the attack was over. Fortunately, in this
case, the DDoS attack broke down ‘just the heating’ of two houses during a heavy Finnish
winter, but this might be just the beginning as the same smart heating systems are used in some
hospitals all over Finland.10
Unfortunately, DDoS attacks targeting critical infrastructure are likely to have a more significant impact than in the Finnish case. Making critical infrastructure unavailable, even for a few hours, may have a massive economic impact, affecting the day-to-day running of society and leading towards direct and physical damage, possibly including loss of life.11 Moreover, because the EU critical infrastructure is interconnected and interdependent, a failure in one country could easily lead to a chain reaction in other countries, being a threat to the European Union's security.12
Even if many successful technical research studies have introduced new guidance for increasing the overall cyber security and cyber resilience of critical infrastructures, what has been missing until now is a legal framework on which the Member States could rely to impose mandatory cyber security measures on the providers of essential services.13 This thesis aims to investigate in which manner a DDoS attack would be able to inflict damage on critical infrastructure, and whether there are any potential gaps in the related legal framework.
8 Maglaras et al. (n 3).
9 L. A. Maglaras et al., ‘Cyber security of critical infrastructures’ (2018) Volume 4 ICT Express, The Korean Institute of Communications and Information Sciences, p. 42-45 <https://www.sciencedirect.com/science/article/pii/S2405959517303880> accessed 10 June 2018.
10 Paul, ‘Update: Let's Get Cyberphysical: Internet Attack shuts off the Heat in Finland’ (The Security Ledger, 8 November 2016) <https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland> accessed 19 September 2017.
11 Maglaras et al. (n 9).
12 Maglaras et al. (n 3).
13 Ibid.
1.2 Problem statement
The Distributed-Denial-of-Service attack is one of the most significant concerns for cyber security experts because these attacks are ‘explicit attempts to disrupt legitimate users' access to services’.14 David S. Wall defines this type of attack as ‘cyber-barrages’, which affect the availability of a computer or network with the aim to ‘prevent legitimate users from gaining access to networks and computer systems by bombarding’ them with large amounts of data.15 The outcome of a DDoS attack can be more easily understood through the following example: a person uses automated means to call the 911 services over and over again, just for fun. The calls will eventually block and prevent other legitimate calls from persons who need help.
It is not adequately documented when the first Distributed-Denial-of-Service attack took
place. The earliest apparent attack, as such, came to light in 2000 when websites like Yahoo,
Amazon and eBay were down, leading to revenue losses of up to $1.2 Billion U.S. Dollars, not
taking into account the impact on public trust and reputation.16
Seventeen years after that incident, DDoS attacks remain in sight, much more harmful and sophisticated than ever as a result of today's outbreak of online connectivity. Items like TVs, refrigerators, bathroom heaters, and so on, which until recently were traditionally offline, have now incorporated internet connectivity and are called the ‘internet of things’ (from now on IoT). Because their internet connection is unlimited, users rarely switch these devices offline, and for this reason smart devices could be transformed into the ultimate weapon for launching a massive DDoS attack: the IoT botnet.17
Unfortunately, in 2016, the most powerful DDoS attack in the history of the Internet, launched by such an IoT botnet (also known as the Mirai botnet), brought down major websites like the Guardian, Netflix, Twitter, Reddit, CNN and other sites from the US and Europe.18 The cyber attack targeted the servers of a cloud-based Internet company that provides resources for the cloud and the public Internet. In this case, the attackers controlled and abused a network of poorly secured, Internet-connected ‘things’ like cameras, DVRs and refrigerators.
14 S. T. Zargar, James Joshi, David Tipper, ‘A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks’ (2013) IEEE <https://ieeexplore.ieee.org/document/6489876/> accessed 24 January 2018.
15 Wall (n 6), p. 61.
16 Justin Stephen, ‘The Changing Face of Distributed Denial of Service Mitigation’ (2001) Sans Institute <https://www.sans.org/reading-room/whitepapers/threats/threat-intelligence-planning-direction-36857> accessed 28 November 2017.
17 Clough (n 4), p. 5.
Thus, to launch a successful DDoS attack and to hinder, for example, the continuous flow of electricity from a power plant, the attacker does not even have to get access to the computer network of the target. First, one of the methods is to gain control of thousands of vulnerable IoT devices by infecting them with malware that allows the attacker to command them. Second, the DDoS attack is initiated in a coordinated and distributed way, and the ‘network of remotely controlled, well organised, and widely scattered Zombies or Botnet19 computers’20 continuously sends, at the same time, a large volume of unwanted and illegitimate traffic, which floods the target with requests. The system will respond too slowly and will either become unavailable or crash entirely.21 Consequently, with more and more vulnerable IoT devices present in our lives, a DDoS attack launched by an IoT botnet is so powerful that it could quickly reach substantial traffic levels not seen so far.
Furthermore, a central issue of being part of an IoT botnet is the fact that the victims are in most cases unaware, because the infected devices may work completely normally, with no warning signs. However, if the device is compromised, the consequences could be severe: the attacker could steal the personal data of the victim, which can be used for other crimes like identity theft or blackmail, or the device could contribute to the next major DDoS attack against a nuclear power plant. Unfortunately, for the targeted computer system or network, it is almost impossible to know whether the tremendous number of requests are real, coming from legitimate users, or not, and sometimes the effects are not known until it is too late, making this type of attack challenging to counter.
18 Nicky Woolf, ‘DDoS attack that disrupted internet was largest of its kind in history, experts say’ (The Guardian, San Francisco, 26 October 2016) <https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet> accessed 7 December 2016.
19 An internet bot is a software application that runs automated tasks over the Internet. For more details see K. Dunham, J. Melnick, Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet (Auerbach Publications, Taylor & Francis Group, 2008), p. 1. The devices controlled by the attackers are named ‘bots’ or ‘robots’ because they act just like robots executing an automatic task.
20 Zargar et al. (n 14).
21 Jelena Mirkovic, Janice Martin and Peter Reiher, ‘A Taxonomy of DDoS Attacks and DDoS Mechanisms’ (2004) SIGCOMM Computer Communication Review vol. 34 <https://lasr.cs.ucla.edu/ddos/ucla_tech_report_020018.pdf> accessed 24 January 2018.
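As an added illustration (this code is not from the thesis), the following Python script builds constructed request logs for the two scenarios the text contrasts, a single automated caller and a botnet of thousands of devices each sending a little traffic, and shows why the per-source rate limit that stops the first is blind to the second, while an aggregate view of total volume and distinct sources still raises an alarm. The thresholds, addresses and function names are assumptions made for the demonstration.

```python
"""Added illustration, not part of the thesis: why a botnet-driven flood is
hard to separate from legitimate traffic with per-source limits alone, and
what an aggregate view adds.  Every request record below is constructed
synthetic data; thresholds and names are assumptions for the demo."""
from collections import Counter, defaultdict


def build_distributed_flood():
    """20 ordinary clients plus 3000 compromised devices; each bot sends
    only three requests in the minute, so no single source looks noisy."""
    reqs = []
    for c in range(20):                       # legitimate, ~10 req/min each
        for k in range(10):
            reqs.append((k * 6.0 + c * 0.1, f"10.0.0.{c + 1}"))
    for b in range(3000):                     # constructed bot addresses
        ip = f"100.64.{b // 256}.{b % 256}"
        for k in range(3):
            reqs.append((k * 20.0 + (b % 200) * 0.1, ip))
    reqs.sort()
    return reqs


def build_single_source_flood():
    """The '911 caller' case: the same 20 clients plus one automated
    source dialling 500 times within the minute."""
    reqs = [(k * 6.0 + c * 0.1, f"10.0.0.{c + 1}")
            for c in range(20) for k in range(10)]
    reqs += [(k * 0.12, "10.0.0.99") for k in range(500)]
    reqs.sort()
    return reqs


def per_source_limiter(reqs, max_per_window=30):
    """Classic per-IP rate limit: return the sources that exceed the cap
    over the whole sample (one minute of constructed traffic)."""
    counts = Counter(ip for _, ip in reqs)
    return {ip for ip, n in counts.items() if n > max_per_window}


def aggregate_alarm(reqs, bucket=10.0, baseline_rps=5.0,
                    baseline_sources=50, factor=5):
    """Flag 10 s buckets whose total request rate or distinct-source count
    is more than `factor` times an assumed normal baseline.  Returns a
    list of (bucket_start, requests_per_second, distinct_sources)."""
    volume, sources = Counter(), defaultdict(set)
    for t, ip in reqs:
        b = int(t // bucket)
        volume[b] += 1
        sources[b].add(ip)
    alarms = []
    for b in sorted(volume):
        rps = volume[b] / bucket
        if rps > factor * baseline_rps or len(sources[b]) > factor * baseline_sources:
            alarms.append((b * bucket, rps, len(sources[b])))
    return alarms


if __name__ == "__main__":
    single = build_single_source_flood()
    print("single source blocked by per-IP limit:", per_source_limiter(single))
    dist = build_distributed_flood()
    print("bots blocked by per-IP limit:", per_source_limiter(dist) or "none")
    for start, rps, n in aggregate_alarm(dist):
        print(f"t={start:4.0f}s  {rps:6.1f} req/s from {n} sources -> alarm")
```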
DDoS attacks targeting the various critical infrastructures in the EU are the most commonly reported; therefore, they have become a top priority for EU law enforcement. Unfortunately, law enforcement agencies have noticed an increasing number of these attacks in the last couple of years. The most affected sector is aviation, with more than 1000 DDoS attacks each month.22 It is expected that, following the success of the Mirai botnet, there will be an increasing number of massive DDoS attacks originating from vulnerable IoT devices, causing severe disruptions to critical infrastructure.23 However, to prevent such disruption attempts and to increase the level of security of critical infrastructure,24 the EU legislator has adopted various legal tools.25
To summarise, the point in question is current and delicate, and it no longer concerns only the cyber safety but also the physical safety of Europeans. Thus, a profoundly relevant question follows from these findings: are the EU countries prepared, from a legal point of view, to prevent and stop a DDoS attack launched by an IoT botnet on critical infrastructure, and to find the attackers?
1.3 Research question
This thesis aims to determine whether the legal framework of the EU Member States is
sufficient to protect its citizens in front of the vast implications of more powerful and
sophisticated DDoS attacks than ever, launched with the help of unsecured IoT on critical
infrastructure. Therefore, the central research question of this thesis reads:
„Do EU Member States have enough legal bases to protect its citizens from massive
DDoS attacks originating from a variety of unsecured IoT devices and targeting critical
infrastructure?’
The following sub-questions have to be addressed to reach an answer to the central
research question:
22 EUROPOL, IOCTA 2017, Internet Organised Crime Threat Assessment, Europol, EC3 European Cybercrime Centre, 2017 <https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017> accessed 25 January 2018.
23 Ibid.
24 Maglaras et al. (n 3).
25 Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union COM (2013) 48 final, 2013/0027 (COD).
1) What are Distributed-Denial-of-Service attacks and what makes them possible?
2) What is the Internet of Things and why did this category of devices become a ‘new environment’ for the proliferation of massive DDoS attacks? What could be learnt from the Mirai botnet?
3) What are the main characteristics of critical infrastructure and why has it become a tempting target for DDoS attacks?
4) What is the relevant EU legal framework regarding the fight against attacks on critical infrastructure? How are the steps for building a botnet and launching a DDoS attack regulated under the Botnet and NIS Directives?
5) Are there any gaps in the current EU legal framework with respect to DDoS attacks launched by IoT botnets on critical infrastructure?
1.4 Significance of this study
This thesis will provide an extensive legal analysis, from an EU point of view, of the characteristics and frameworks that deal with DDoS attacks targeting critical infrastructure. Moreover, the author will assess and discuss the possible gaps in the legal framework and what could be improved. Unfortunately, even though such a topic is of tremendous interest, legal scholars have not yet discussed the phenomenon connecting all three central concepts of this thesis: DDoS, IoT botnets and critical infrastructure. However, some technical experts and political scientists have assessed these topics to a certain extent and have shown that the EU is now struggling with such new challenges in cyber security.26 Thus, in the absence of much legal literature, the author will address the main characteristics of each concept. There is a lack of research on how building an IoT botnet and launching a DDoS attack are regulated and criminalised, and also on what the operators of critical infrastructure should do in the aftermath of such an attack. The thesis will also touch on a more debatable topic, namely how the IoT is reshaping the magnitude and the effects of a DDoS attack. Therefore, the thesis will not only address some almost unexplored topics, but it will also go beyond the legal analysis of each concept towards connecting all of them and addressing them in a different way, under the Botnet and NIS Directives. It is true that a few legal scholars have referred to the Internet of Things and critical infrastructure in their work. However, their focus was only on the IoT devices embedded in critical infrastructure, and on the effects and legal implications of taking control of such devices. On the contrary, this thesis focuses on all IoT devices that are insecure and susceptible to becoming part of a botnet.
26 Maglaras et al. (n 3).
In conclusion, the author hopes that this research will help the Member States, the EU
legislator, the law enforcement agencies and all the interested parties to identify the gaps of the
legal framework, to do more research on these matters and to set up the groundwork for further
discussions and cooperation.
1.5 Limitations
Due to the limited length of this thesis, the author will not demonstrate how resilient critical infrastructure is against a DDoS attack, or what effects such attacks could have on society. According to technical scholars, at the moment this is difficult to say or predict, and more related research on this matter is needed.27 Moreover, no distinction will be made between the various types of DDoS attack because, from a legal point of view, all of them have the same result: overloading the network of critical infrastructure by sending vast volumes of network traffic.28 There are many modalities of launching a DDoS attack, but only the modality of using an IoT botnet is assessed, due to the large traffic volume that is easy to acquire. In addition, given the limited scope of the thesis, the focus will not be on state-sponsored cyber attacks targeting vulnerabilities in industrial control systems (ICS), or aiming to take control of the supervisory control and data acquisition (SCADA) systems that assure the correct working of a power plant, for instance. Such attacks are, for sure, real, but they fall under the territory of national security and may never be reported to law enforcement.29 The attention will be concentrated on more common attacks which do not even require access to such an isolated computer network.30 However, even if using a botnet like Mirai to launch a DDoS attack against any critical European infrastructure is a real and direct threat, such an attack may not be as powerful as taking the smart grid offline, but it could still produce severe disruption in the targeted country and the surrounding countries.31
27 William Hurst, Nathan Shone, Quentin Monnet, ‘Predicting the Effects of DDoS Attacks on a Network of Critical Infrastructures’ (2015) Thirteenth IEEE International Conference on DASC'15, Liverpool <https://pdfs.semanticscholar.org/cf6c/41715347b703f4bd964425160010035ab957.pdf> accessed 25 January 2017.
28 Ibid.
29 EUROPOL, IOCTA 2017 (n 22).
30 Ibid.
31 Ibid.
Furthermore, due to the limited technical background of the author, only a brief description of the characteristics of the three central concepts will be given, in order to pinpoint why the IoT became a new and essential element for attackers launching a DDoS attack.
Lastly, because in the cyber world attribution, namely the ability to discover who is behind a cyber attack, is almost non-existent and not as robust as in the real world,32 and because of the novel attacks and matters presented in this thesis, case law is largely irrelevant or even non-existent.
1.6 Approach and methodology
The thesis aims to analyse the current EU legal framework, with respect to the matters mentioned above, by using the methodology of doctrinal legal research. The primary focus is on EU law because the European Union has tried to tackle the problem of cybercrime by having the same legal frameworks which regulate ‘similar conduct’,33 whereas other countries do not share the same view on cyber attacks. Therefore, in order to reach an answer to the central research question, a number of relevant primary sources have to be analysed, including, but not limited to, Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (hereinafter the NIS Directive), Directive 2013/40/EU on attacks against information systems (hereinafter the Botnet Directive) and the Convention CETS 185 on Cybercrime (hereinafter the Budapest Convention). Secondary sources, such as opinions and recommendations of the Article 29 Data Protection Working Party, which in May 2018 became the European Data Protection Board or EDPB (from now on WP29),34 academic papers including technical and legal research, other articles and websites, EU law enforcement reports, legal and technical books, case studies, reports and news journals, will also be consulted. Firstly, all these sources will be explored to substantiate the unique characteristics of the implications of IoT botnets in DDoS attacks on critical infrastructure. The second step, providing an answer to the central research question, calls for a critical analysis of the legal literature that governs all three central concepts. Finally, all the sources identified and listed in this research will be assessed to provide the basis for the conclusions, final remarks and recommendations of this thesis.
32 David D. Clark, Susan Landau, ‘The Problem isn't Attribution; It's Multi-Stage Attacks’ (2010) ACM ReArch <https://groups.csail.mit.edu/ana/ANA%20PUBLICATIONS/The_Problem_isnt_Attribution.pdf> accessed 28 November 2017.
33 Artur Appazov, ‘Legal Aspects of Cybersecurity’ (University of Copenhagen 2014).
34 The WP29 is an independent European advisory body on privacy and data protection and was established by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. As of May 2018 the WP29 became the European Data Protection Board (EDPB), an independent European body that contributes to the consistent application of data protection rules in the European Union and promotes cooperation between the EU's data protection authorities. See more details in ‘Article 29 Working Party’ (European Commission, 22 November 2016) <http://ec.europa.eu/newsroom/just/item > accessed 18 October 2017 and <https://edpb.europa.eu/about-edpb/about-edpb_en> accessed 10 September 2018.
1.7 Structure
To provide concrete results and to answer the central research question and its sub-questions, the thesis is composed of four chapters.
Chapter 1 presents the background of the problem that is examined in the thesis. It introduces the research questions, the significance of the research and its limitations.
Chapter 2 introduces the unique characteristics of the concepts relevant to this paper, namely Distributed-Denial-of-Service attacks, the Internet of Things and critical infrastructure. This chapter further explores what makes DDoS attacks possible and which steps are needed to launch a successful attack. Moreover, it reveals why the IoT became a new way for the proliferation of DDoS attacks and further analyses the security challenges and the Mirai botnet. The last part identifies whether such attacks are a real threat to critical infrastructure and why the latter became a tempting target for attackers.
Chapter 3 focuses only on the EU legal framework, including the Budapest Convention and the NIS and Botnet Directives. The first part of this chapter provides a brief introduction to the Convention, mostly the part dealing with every step that an attacker needs to take in order to launch such attacks. The research then continues by examining the European Union's answer to these emerging cyber threats against information systems. It then analyses how each phase of the DDoS attack kill-chain is criminalised under the Botnet Directive. It finally identifies the obligations and security requirements of critical infrastructure operators under the NIS Directive and pinpoints possible gaps or imprecisions in the EU legal literature.
Chapter 4 acknowledges the findings and conclusions of the legal research done in this thesis and attempts to issue some recommendations that could help the EU Member States to win the cyber crime ‘war’, in which no one can be protected 100% against every cyber attack.
Chapter 2
DDoS ATTACKS, INTERNET OF THINGS AND CRITICAL
INFRASTRUCTURE
„Technology is moving so rapidly that from a security perspective, it is difficult to keep
up. Consider the evolution of cyber crime in just the past decade.‟35
2.1 Chapter Outline
Before starting the legal analysis of DDoS attacks, IoT and critical infrastructure, it is indispensable to gain a clear overview of the links between these concepts. Firstly, the notion of „cybercrime‟ is briefly introduced. Secondly, the focus moves to an in-depth analysis of some essential notions and characteristics of the abovementioned concepts.
2.2 ‘Cybercrime’ in progress
Today, computer technology provides means of communication that enable people to talk to each other at their convenience and sometimes even for free. With the progress of technology, cybercrime has also evolved, turning the computer itself into a target. The third generation of cybercrimes, as classified by David S. Wall,36 is rising in number as a result of the generative pattern of the Internet.37
Crime and technology have always been closely related,38 and just as well-meaning persons develop advanced technology, individuals with malicious intentions search for new ways of causing harm. Advanced forms of cybercrime, from hacking and cracking to cyber terrorism and information warfare, are considered threats which affect not only citizens but also economies, geopolitical relations and democracies.39
Moreover, crimes in cyberspace create new challenges for lawmakers and law enforcers, because traditional law is no longer sufficient to deter such criminal conduct. The high likelihood of being convicted and sentenced to prison for a bank robbery discourages many persons from committing one. Cyberspace, however, allows criminals to engage in attacks remotely and anonymously, which reduces the chance of being identified or even caught. The deterrent effect of the law is therefore weakened, and as a result cyber crimes are continually increasing in severity and power, to the point where they could jeopardise the stability of countries.40 While this thesis was being written, the Council of the European Union41 adopted various measures to strengthen European cybersecurity. The EU Council reaffirmed that cyber threats could undermine national security and critical infrastructures, stressing the need for a common response in combating this phenomenon.42
35 Robert S. Mueller III, Director Federal Bureau of Investigation (RSA Cyber Security Conference, San Francisco, 01 March, 2001) <https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies> accessed 18 November 2017.
36 Wall (n 6), p. 3.
37 According to Jonathan L. Zittrain, this typical feature of the Internet means that any person could contribute to the Internet (i.e. an individual could create a new way for people to communicate, like instant messaging) without knowing exactly what the resulting change could be. See more details in Jonathan L. Zittrain, The Future of the Internet – And How to Stop It (Yale University Press & Penguin UK 2008) p. 70 <https://dash.harvard.edu/bitstream/handle/1/4455262/Zittrain_Future%20of%20the%20Internet.pdf?sequence=1> accessed 28 July 2018. For example, a computer virus might affect and destroy several computers; this is a bad output of a generative system. In the same manner, several persons could simply plug in and install various software thanks to installer setups created for this purpose.
38 Wall (n 6), p. 2.
2.3 An insight into DDoS, Internet of Things and Critical
Infrastructure
2.3.1 Distributed-Denial-of-Service attacks
2.3.1.1 Introduction
Perhaps one of the biggest threats to computer and network availability,43 and certainly the „greatest security fear for IT managers‟,44 Distributed-Denial-of-Service attacks are a highly effective method of overwhelming a network or computer resources.
39 Dimitris Avramopoulos, EU Commissioner for Migration, Home Affairs and Citizenship, in the Europol press release „2017, The Year When Cybercrime Hit Close to Home‟. More details in <https://www.europol.europa.eu/newsroom/news/2017-year-when-cybercrime-hit-close-to-home> accessed 22 November 2017.
40 S.W. Brenner, Cybercrime and the Law: Challenges, issues and outcomes (Northeastern University Press, 2012), p. 1.
41 The Council of the European Union is the institution where national ministers from each EU country gather to discuss, adopt and coordinate various policies for the entire Union.
42 The General Secretariat of the Council, „EU to beef up cybersecurity‟ (Press release, 20 November 2017) <http://www.consilium.europa.eu/en/press/press-releases/2017/11/20/eu-to-beef-up-cybersecurity/#> accessed 22 November 2017.
43 DDoS attacks can seriously affect backbone availability and detach a network from the Internet; therefore such attacks can disrupt the availability of a computer system or of a network. For more details see also Thomas Dubendorfer, Arno Wagner, „Past and Future Internet Disasters: DDoS attacks‟ (2003) Security Protocols and Applications seminar <http://www.insecure.in/papers/ddos_disasters.pdf> accessed 10 September 2018.
44 Usman Tariq, ManPyo Hong, Kyunk-suk Lhee, „A Comprehensive Categorization of DDoS Attack and DDoS Defense Techniques‟ (2006) LNAI 4093 p. 1025-1036 <https://link.springer.com/chapter/10.1007/11811305_112> accessed 24 January 2018.
From a technical point of view, DDoS attacks are „[conquering] the target by exhausting its resources, that can be anything related to network computing and service performance, such as link bandwidth, TCP connection buffers, application/service buffer, CPU cycles, etc.‟.45
In other words, by launching a DDoS attack, the wrongdoer tries to prevent legitimate users from accessing a computer system and/or its services. Thus, the attacker blocks a person from accessing various functions such as e-mail, websites, online accounts and any other operations based on the affected computer systems. When targeting the computer network of a smart grid, a DDoS attack could block the flow of energy measured by the smart meter aggregators, which could affect the availability of electric power and the demand on the power plants.46 Susan Brenner draws an analogy between air strikes in time of war and DDoS attacks, because both destroy the defensive or offensive mechanisms of a system or a country, creating damage without „entering the target of the attack‟.47 Under Brenner's interpretation, DDoS attacks would be a threat only in a non-physical environment, but it could be argued that DDoS attacks are also able to inflict harm in a physical environment. As an illustration, in a hypothetical scenario, a DDoS attack could disrupt the continuous flow of energy from a power plant, which would directly affect the telecommunication system.48 Hence, a person in need of help calling 911 would be in imminent danger due to the unavailability of this system.
Because it is easier for attackers to exhaust the target's bandwidth from many computers rather than from a single one, the latest DDoS attacks were launched and orchestrated by a considerable number of unsecured connected devices. Thousands of infected devices therefore disrupt services by stopping and blocking legitimate traffic to a network, sometimes causing the system to crash entirely,49 hence the „denial‟ character of the attack.50
45 Q. Gu, P. Liu, „Denial of Service Attacks‟ (2007) in The Handbook of Computer Networks, Hossein Bidgoli et al. (eds.), John Wiley & Sons, under second round revision <https://onlinelibrary.wiley.com/doi/abs/10.1002/9781118256107.ch29#references-section> accessed 15 August 2017.
46 Hurst et al. (n 27).
47 Brenner (n 40) p. 35.
48 Ibid.
49 „In a DDoS attack, because the aggregation of the attacking traffic can be tremendous compared to the victim's resource, the attack can force the victim to significantly downgrade its service performance or even stop delivering any service‟, hence the „denial‟ character of the attack. See more details in Gu, Liu (n 45).
50 Zargar et al. (n 14).
2.3.1.2 Types of DDoS attacks
Some federal agencies51 in the USA consider that the most common type of DDoS attack is the „flooding attack‟, where the perpetrator „floods‟ a network with requests.52 The defence mechanisms designed to protect networks and computers against such attacks cannot correctly distinguish legitimate from illegitimate requests, and thus become inefficient.53
There are various types of DDoS attacks, but there are only three main techniques for exploiting a network and overloading it with huge volumes of traffic: SYN Flood attacks, UDP Flood attacks and ICMP Flood attacks. Each technique abuses the way computers connect, communicate and exchange information over the Internet.54
51 Brenner (n 40) p. 36.
52 For example, when a person wants to access a web page, a request is sent to its server. The server can process a limited number of requests per second; therefore, in case of a DDoS attack, the server could crash under the multitude of requests, creating the „denial of service‟ effect.
53 Usman Tariq, Yasir Malik, Bessam Abdulrrazak and M. Hong, „Collaborative Peer to Peer Defense Mechanism for DDoS attacks‟ (2011) Procedia Computer Science 157-165 <https://www.sciencedirect.com/science/article/pii > accessed 24 January 2018.
54 Therefore, a brief introduction to the TCP/IP Internet protocols is needed to understand how all connected devices communicate with each other and to differentiate between the attack techniques. Computers and the Internet can operate only by using a „de facto‟ standard: the Transmission Control Protocol/Internet Protocol (hereinafter TCP/IP). TCP/IP is therefore a language that the Internet and all connected computers can understand: „a lingua franca‟. This protocol allows a computer system to communicate with another computer through the Internet by putting together the bits of data and sending them to the correct location. So how does the transfer of data actually work? Notably, the computers have to establish a connection before any data is exchanged. For this reason, the „client‟ (the computer that asks for information from another one) sends a message to the „server‟ (the computer that receives the request) providing the latter with information on how to identify it, also known as a „SYN‟ request (a „SYN‟ request comes from a „SYN‟ packet, where SYN is an abbreviation for „synchronised – start‟; the „SYN‟ packet originates from the „source host‟, the party initiating the communication). Secondly, the „server‟ computer sends the „client‟ its own ID number and an acknowledgement containing a message that the „server‟ is „awake‟ and running. Finally, the „client‟ computer sends back an acknowledgement that it is ready to receive the data; hence, the transfer can take place. It might seem a redundant process, but it is imperative to first set up the connection between the two computers. In the same way, the TCP/IP protocol is based on two layers. The upper one, TCP, is responsible for transforming the data (a photo, email, message, etc.) into small packets and sending them to the „client‟, along with the instructions on how to rebuild that data correctly. Some experts see TCP as a „digital shipping and receiving department‟. The lower layer is IP, which contains the incoming and outgoing location of the data packets. Thus, „TCP is the data. IP is the Internet location GPS‟. For more details see Eric J. Sinrod and William P. Reilly, Cyber-Crimes: A Practical Approach to the Application of Federal Computer Crime Laws (16 Santa Clara High Tech. L.J. 177, 2000), p. 189-191 <http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1258&context=chtlj> accessed 24 November 2018, Brian Foote, Don Roberts, „Lingua Franca‟ (1998) Fifth Conference on Patterns Languages and Programs PLoP ‟98 <http://laputan.org/pub/foote/lingua.pdf> accessed 10 July 2018, Roberto Sanchez, „What is TCP/IP and How Does It Make the Internet Work?‟ (HostingAdvice.com, 17 November 2015) <https://www.hostingadvice.com/blog/tcpip-make-internet-work> accessed 9 August 2018.
The first type is the SYN Flood Attack. A computer or server can handle only a limited number of „SYN‟ requests. The attackers exploit this weakness by sending more requests to the TCP than it can handle. Faced with the multitude of requests, the TCP tries to queue the incoming requests. However, the queue also has limited space, and when it reaches its capacity the „SYN‟ requests are simply „turned back‟, generating the denial of service effect.55
The second type is the UDP Flood Attack, which is very similar to the one previously mentioned. When receiving a User Datagram Protocol (from now on UDP) request, the server provides information about itself, including local time, echo, etc. When receiving a huge number of such requests, the server becomes overwhelmed, consuming all its resources and blocking the other persons who are trying to access the server under attack.56
Finally, the third type of attack, the ICMP Flood Attack, is similar to the attacks above. ICMP stands for Internet Control Message Protocol, and by launching this attack the culprit floods the server with a large number of fake „ping‟ requests. Such ping requests are normally used to identify errors in a computer network and to check whether there are any data transport problems.57
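The handshake described in footnote 54 and the SYN Flood mechanism above can be made concrete with a small simulation. The following Python block is an added illustration, not code from the thesis or from any of the works it cites: it models a listening port's backlog of half-open connections as a plain Python object, shows why unanswered SYNs from spoofed sources leave no room for legitimate clients, and contrasts this with the stateless SYN cookie technique (a standard mitigation, simplified here). The class and function names, the backlog size of 4, the secret and the host labels are assumptions made for the example; no sockets are opened and no packets are sent.

```python
"""TCP handshake and SYN backlog simulation (added illustration, not the
thesis's own code). A Listener keeps one entry per half-open connection
until the client's final ACK arrives; spoofed SYNs never send that ACK.
Backlog size, secret and host labels are constructed assumptions."""
import hashlib
import hmac
import secrets


class Listener:
    """A listening TCP port with a fixed backlog of half-open connections."""

    def __init__(self, backlog=4, syn_cookies=False):
        self.backlog = backlog                 # max half-open entries (assumed)
        self.syn_cookies = syn_cookies         # stateless handshake when True
        self.secret = b"constructed-secret"    # constructed; real stacks rotate it
        self.half_open = {}                    # (client, port) -> server ISN
        self.established = set()
        self.dropped = 0                       # SYNs discarded: backlog was full

    def _cookie(self, client, port):
        # SYN cookie idea: derive the ISN from the connection identity and a
        # secret instead of storing state (simplified: no timestamp or MSS bits).
        tag = hmac.new(self.secret, f"{client}:{port}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, client, port):
        """Step 1: client SYN. Returns the server ISN for the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(client, port)          # nothing is stored
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                          # queue full: SYN 'turned back'
            return None
        isn = secrets.randbits(32)
        self.half_open[(client, port)] = isn
        return isn

    def on_ack(self, client, port, ack):
        """Step 3: client ACK of the server's ISN. Returns True once established."""
        if self.syn_cookies:
            ok = ack == self._cookie(client, port)     # recompute, no lookup needed
        else:
            ok = self.half_open.pop((client, port), None) == ack
        if ok:
            self.established.add((client, port))
        return ok


def simulate(spoofed_syns, legit_clients, syn_cookies=False, backlog=4):
    """Spoofed sources send SYN only (step 3 never arrives); legitimate clients
    then try to complete the handshake. Returns (completed, dropped)."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(spoofed_syns):
        srv.on_syn(f"spoofed-{i}", 40000 + i)          # constructed source identities
    completed = 0
    for i in range(legit_clients):
        client, port = "legit-client", 50000 + i
        synack = srv.on_syn(client, port)
        if synack is not None and srv.on_ack(client, port, synack):
            completed += 1
    return completed, srv.dropped


if __name__ == "__main__":
    print("plain backlog :", simulate(10, 3))                    # (0, 9)
    print("SYN cookies   :", simulate(10, 3, syn_cookies=True))  # (3, 0)
```

Running the file prints (0, 9) for the plain backlog, meaning that no legitimate client completed the handshake and nine SYNs were discarded, and (3, 0) with SYN cookies enabled. A real TCP stack also expires half-open entries once its SYN-ACK retransmissions time out, so in practice the starvation depends on the rate of incoming SYNs relative to that timeout; the simulation has no timer and therefore shows the worst case.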
In light of the above, the aftermath of a DDoS attack can be understood more easily through the following example: a medium-sized supermarket is visited by 1000 persons who do not buy any product but overwhelm the staff with questions about the products. The other buyers form a queue and wait until they can enter the shop, preventing other persons from coming in.58 Therefore, in the end, the server or computer system targeted by a DDoS attack will have too many requests and it will stop working. A DDoS attack creates an effect very much like the scenario above, but deliberately, and it may target the critical infrastructure of a country.59
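Seen from the server operator's side, the three flood types above differ in the protocol that is flooded, and the SYN variant additionally shows up as handshakes that are never completed. The following Python block is an added example, not part of the thesis, that turns those observations into a simple per-destination rate check over a constructed packet log: the log lines, the addresses (taken from the RFC 5737 documentation ranges), the one-second window, the threshold of 20 packets and the acknowledged-SYN ratio are all assumptions chosen for the illustration.

```python
"""Flood detection over a constructed packet log (added illustration, not code
from the thesis). Each line is 'timestamp protocol src dst flag'. The log,
the addresses and the thresholds are constructed for the example."""
from collections import defaultdict

THRESHOLD = 20          # packets per destination and protocol per window (assumed)
WINDOW_SECONDS = 1.0    # aggregation window (assumed)
MAX_ACK_RATIO = 0.2     # a SYN flood leaves most handshakes unacknowledged (assumed)


def build_sample_log():
    """Constructed traffic: one real handshake, 30 unanswered SYNs from 30 spoofed
    sources, two ordinary DNS queries and 25 ICMP echo requests, all within one second."""
    lines = [
        "1000.00 TCP 192.0.2.8 198.51.100.5 S",      # legitimate client: SYN
        "1000.05 TCP 198.51.100.5 192.0.2.8 SA",     # server: SYN-ACK
        "1000.10 TCP 192.0.2.8 198.51.100.5 A",      # legitimate client: final ACK
        "1000.15 UDP 192.0.2.9 198.51.100.53 -",     # ordinary DNS query
        "1000.16 UDP 192.0.2.10 198.51.100.53 -",
    ]
    for i in range(30):  # SYNs with no ACK ever following them
        lines.append(f"1000.{20 + i:02d} TCP 203.0.113.{i} 198.51.100.5 S")
    for i in range(25):  # echo requests from many sources to one host
        lines.append(f"1000.{50 + i:02d} ICMP 203.0.113.{100 + i} 198.51.100.7 echo")
    return "\n".join(lines)


def parse_line(line):
    ts, proto, src, dst, flag = line.split()
    return float(ts), proto, src, dst, flag


def detect_floods(log_text):
    """Return sorted (dst, kind, distinct_sources) alerts, one per window and protocol."""
    stats = defaultdict(lambda: {"pkts": 0, "syn": 0, "ack": 0, "srcs": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, flag = parse_line(line)
        key = (int(ts // WINDOW_SECONDS), dst, proto)
        s = stats[key]
        s["pkts"] += 1
        s["srcs"].add(src)
        if proto == "TCP" and flag == "S":
            s["syn"] += 1
        elif proto == "TCP" and flag == "A":
            s["ack"] += 1
    alerts = []
    for (_, dst, proto), s in stats.items():
        n_src = len(s["srcs"])
        if proto == "TCP":
            # Volume alone is not enough: a busy site gets many SYNs that are
            # all acknowledged; a flood is many SYNs that never complete.
            if s["syn"] >= THRESHOLD and s["ack"] < s["syn"] * MAX_ACK_RATIO:
                alerts.append((dst, "SYN flood", n_src))
        elif proto == "UDP" and s["pkts"] >= THRESHOLD:
            alerts.append((dst, "UDP flood", n_src))
        elif proto == "ICMP" and s["pkts"] >= THRESHOLD:
            alerts.append((dst, "ICMP flood", n_src))
    return sorted(alerts)


if __name__ == "__main__":
    for dst, kind, n_src in detect_floods(build_sample_log()):
        print(f"{dst}: {kind} from {n_src} distinct sources")
```

For the constructed log the detector reports a SYN flood against 198.51.100.5 from 31 distinct sources and an ICMP flood against 198.51.100.7, and stays silent on the two ordinary DNS queries. The acknowledgement ratio is what separates a SYN flood from a legitimate burst of new connections; a production detector would also baseline normal traffic per host rather than rely on one fixed threshold.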
55 Sinrod, Reilly (n 54), p. 192.
56 Ibid.
57 Ibid.
58 Clough (n 4), p. 44.
59 Ibid, p. 43.
2.3.1.3 Brief history of DDoS attacks
It is open to question when DDoS attacks first arose. Some experts claim that the first DDoS attack emerged in 1974.60 According to other accounts, from a DDoS attack timeline,61 it seems that the tools for launching such attacks were developed „in the underground of the Internet‟ during the summer of 1998 and the first reported DDoS attack took place in 1999.
However, it is certain that the public and governments became aware of such attacks only in 2000, specifically on 7 February. On this day, a „15-year-old high school student from a posh Montreal suburb‟,62 also known as „Mafia boy‟, launched a massive DDoS attack on Yahoo's servers, consequently blocking more than half of the users from logging into their accounts. In the same way, the activity of other important websites such as CNN, eBay, Amazon or Dell was paralysed within a few moments, so it started to become a game for the young „hacker‟, who was asking for new possible targets in IRC chat rooms.63 Many experts, including US President Bill Clinton, considered this attack „an electronic Pearl Harbour‟ which served „as a wakeup call to the fast-paced Internet industry‟.64
2.3.1.4 What makes DDoS attacks possible?
As indicated above, Distributed-Denial-of-Service attacks are a powerful way to cause significant damage to any target, without warning signs, by taking advantage of the intrinsic nature of the Internet.65 The Internet was built and designed to offer fast and cheap means of communication, with no security in mind. Although the Internet is very successful in reaching its goal, plenty of security weaknesses provide favourable circumstances for deploying DDoS attacks:66
- Internet security is deeply interdependent – even if the attacked system itself is well secured, whether it is vulnerable to a DDoS attack depends on the security of the rest of the Internet;
- Each Internet host has limited resources – no Internet host, network, service, etc. has unlimited resources. All entities have limited resources that can be depleted by a finite number of users;
- Long and many is better than short and few – when attacks are launched in a coordinated and distributed way, and the resources of the attackers exceed those of the victims, the attack succeeds in almost all cases.
60 The first DoS attack, at the University of Illinois, was claimed by Dave Dennis, a thirteen-year-old, who wanted to take control of some terminals by using this method as an exploit against the channel operator. See Brian, „Perhaps the first Denial-Of-Service Attack?‟ (Plato History, 11 February 2010) <http://www.platohistory.org/blog/2010/02/perhaps-the-first-denial-of-service-attack.html> accessed 16 February 2017.
61 Dave Dittrich, „DDoS attack tool timeline‟ (Usenix, 22 July 2000) <https://www.usenix.org/legacy/publications/library/proceedings/sec2000/invitedtalks/dittrich_html/timeline.html> accessed 29 April 2018.
62 Tu Thanh Ha, Barrie Mckenna, „The hacker who talked too much‟ (The Globe and Mail, 20 April 2000) <https://www.theglobeandmail.com/news/national/the-hacker-who-talked-too-much> accessed 29 April 2018.
63 Michael Calce, Craig Silverman, Mafiaboy: how I cracked the Internet and why it's still broken (1st Edition, Viking, 2008) p. 112.
64 Brian Blomquist, „Prez holds summit to stop cyberhacks‟ (New York Post, 16 February 2000) <https://nypost.com/2000/02/16/prez-holds-summit-to-stop-cyberhacks/> accessed 29 April 2018.
65 Michele De Donno, Nicola Dragoni, Alberto Giaretta, Angela Spognard, „Analysis of DDoS-Capable IoT Malwares‟ (2018) Proceedings of the Federated Conference on Computer Science and Information Systems pp. 807-816 <https://annals-csis.org/Volume_11/drp/pdf/288.pdf> accessed on 24 January 2018.
According to Mirkovic et al., there are four essential phases in assembling a successful DDoS attack:67
1. Enrolling vulnerable sources – to obtain many resources, the attacker automatically scans the Internet for vulnerable or poorly secured computer systems in order to enslave them; these systems will perform the DDoS attack and are not the final target;
2. Infection and exploitation – the attacker exploits the security holes and vulnerabilities, and the malware is planted. There are various ways to infect a host. The attacker can use malicious software,68 such as viruses,69 bots,70 spyware71 or a Trojan.72 Moreover, independent and self-multiplying worms can be used to protect the malware from being discovered and to infect more hosts, creating a vast attack network formed by hundreds of thousands of computers.73 The „zombie army‟ so created is also known as a „botnet‟.74 At this stage, the owners of the infected devices typically have no idea about the security breach or the fact that they will be part of a DDoS attack. When the DDoS attack happens it uses only a minimal amount of resources, but the victims that are part of the botnet might experience slight changes in the normal performance of their devices;75
3. Communication – the attacker sends, through the command and control network, instructions to the handlers to identify which agents are online, when to schedule an attack or how/when to upgrade the running agents;76
4. Attack phase – this is the final step, where the attacker commands the commencement of the attack,77 as well as the target, total duration, methods for avoiding detection and any other parameters needed for a successful attack.78
Moreover, there are four main actors (Fig. 1)79 who need to engage in the DDoS attack:
- The real attacker or botmaster;
- The handlers – „zombies‟ which are infected with a special malware capable of organising and controlling the agents;
- The agents – „zombies‟ which are infected with a particular malware and which are responsible for launching the DDoS attack by sending packets of data towards the victim; these devices are not part of the attacker's network, to avoid the possibility of being caught;
- The victim.
66 Christos Douligeris, Aikaterini Mitrokotsa, „DDoS attacks and defense mechanisms: classification and state-of-the-art‟ (2003) Department of Informatics, Greece <http://citeseerx.ist.psu.edu/viewdoc/download> accessed on 24 January 2018.
67 Mirkovic et al. (n 21).
68 Malicious software or „malware‟ is software which can be used for malicious purposes such as gathering personal information for committing fraud, discovering computer vulnerabilities that might be exploited, or accessing confidential information. The main categories of malware are viruses, worms, Trojans, bots and spyware. See Clough (n 4), p. 38-39.
69 Viruses and worms are not the same from a technical point of view, but both programs infect a computer by being copied and then performing a programmed function such as deletion or modification of data, or installation of other malware. The main difference between these two types of malware is that a virus needs to infect another program in order to affect the system, whereas a worm does not need to infect another application to become self-replicating. See Clough (n 4), p. 40.
70 A bot is a type of malware which infects a system and allows the attacker to control it remotely. These computers or systems are also known as „slaves‟, „zombies‟ or „botnets‟. See Clough (n 4), p. 41.
71 Spyware is a programme which monitors how the victim uses the computer or the system. This type of malware can send the attacker information about which websites the victim is accessing, or can intercept passwords used on those websites. It can run in the background without the victim being aware, and it can send the attacker personal and financial information that can be used for further cybercrimes. See Clough (n 4), p. 42.
72 This type of malware is named after the legendary Trojan horse because it looks innocent at first sight but contains hidden functions and purposes. Trojans can be enclosed in software, email attachments, websites, etc. Some Trojans can install a „back door‟ which allows the attacker to control the infected device remotely. This malicious software can intercept and send SMS messages, forward incoming calls, steal information from mobile devices, disable the anti-virus of a computer, etc. See Clough (n 4), p. 40-41.
73 Q. Gu, P. Liu (n 45).
74 A botnet is a conglomerate of advanced malicious software that uses different methods and techniques, including viruses, worms, Trojan horses or rootkits, to distribute itself, to penetrate a computer system, to take control of it and to give the attacker supreme authority over it. See European Network and Information Security Agency (ENISA), Botnets: Detection, Measurement, Disinfection & Defence (2011) p. 14 <https://www.enisa.europa.eu/publications/botnets-measurement-detection-disinfection-and-defence/at_download/fullReport> accessed 10 June 2018. According to a Memorandum from the European Commission, a botnet is a network of computers that have been infected by malicious software (a computer virus). Such a network of compromised computers or „zombies‟ may be activated to perform specific actions, such as attacks against information systems. These „zombies‟ can be controlled by another computer without the knowledge of the users of the compromised computers. See <http://europa.eu/rapid/press-release_MEMO-13-661_en.htm> accessed 19 May 2018.
75 Douligeris, Mitrokotsa (n 66).
76 De Donno et al. (n 65).
77 There are various ways to deploy a DDoS attack. For example, the attacker can send thousands of emails or requests to overwhelm and block a system. Other DDoS attacks may use the IP protocol to overcome the victim's system. A server network can handle a specific number of requests, and if there are simultaneous requests the system forms a queue. Because of the high number of requests there is no room for all of them, so no further requests can be received. The legitimate requests can no longer be accepted by the system, as it is busy dealing with the bogus enquiries. See Clough (n 4), p. 44.
78 Ibid.
Thus, since building an IoT botnet (computer A gains control of computer B) and then launching the DDoS attack (computer B attacks computer C) involve various steps, the design of such a cyber attack is „multi-step‟ and „multi-stage‟, which is the most challenging and complex kind to deter from a technical point of view.80 Furthermore, DDoS attacks succeed almost every time due to the hidden source of the attack. The botmaster removes any data from the infected devices that launch the DDoS attack. By doing so, the attacker avoids attribution, so that traceback by law enforcement becomes very difficult. In the next chapter, all four essential phases of a DDoS attack will be analysed from a legal perspective.81
79 Douligeris, Mitrokotsa (n 66).
80 Clark, Landau (n 32).
81 Ibid.
Figure 1 – Actors of a DDoS attack
DDoS attacks can be classified in various ways: by architecture model,82 by the exploited vulnerability,83 by the protocol level used during the attack,84 and by other parameters.85 The attackers, as identified by Wall,86 have various motivations for launching a DDoS attack, such as easy unlawful commercial gain,87 criminal gain,88 the need to be respected by other cyber criminals, revenge,89 or political motivation.90 The 2017 Internet Organised Crime Threat Assessment (IOCTA)91 reveals that extortion of the victim is the reason behind over one-third of DDoS attacks. However, the absence of communication between some attackers and their victims could indicate that various DDoS attacks have an ideological/political nature. The latter category, along with purely malicious attacks, represents the motivation behind almost half of the total reported number of DDoS attacks in 2016.
82 There are four types of network architecture in use: the Agent-Handler Model, the Reflector Model, the IRC-Based Model and the Web-Based Model. See De Donno et al. (n 65).
83 DDoS attacks can exploit various vulnerabilities, and based on the strategy used to achieve the denial-of-service effect it is possible to classify them in two categories: Bandwidth Depletion (or Brute-Force) and Resource Depletion. In Bandwidth Depletion, a great amount of apparently legitimate packets is sent to the victim in order to clog up its communication resources (e.g. network bandwidth) and also its computational ones (e.g. CPU time, memory, etc.), preventing them from being reached by legitimate traffic. These attacks can be further divided into Flood and Amplification attacks. In Flood attacks, as shown in the previous paragraph, the botnet directly sends a large volume of IP traffic to the victim machine to congest its network resources and prevent access by legitimate users, while in Amplification attacks the agents use intermediaries (reflectors), exploiting the broadcast IP address feature with the spoofed address of the victim. Resource Depletion attacks aim at preventing the victim from processing legitimate requests by exhausting its resources. See De Donno et al. (n 65).
84 Examples of Network Level attacks are SYN Flood, UDP Flood and TCP Flood attacks. In Network Level DDoS attacks, either Network or Transport layer protocols are used to carry out the attack, while in Application Level DDoS attacks the victim's resources (e.g. CPU, memory, disk/database, etc.) are exhausted by targeting Application layer protocols. See Douligeris, Mitrokotsa (n 66).
85 De Donno et al. (n 65).
86 Wall (n 6) p. 62-65.
87 For example, some persons rely on the reputation of non-existent criminal groups to launch small DDoS attacks and scare the victims with a more ample attack if a ransom payment is not made. However, even if such attacks can create minor service disruption, it is unlikely that a subsequent attack will follow. Because of this fear, attackers can hire DDoS services or use DDoS tools for as little as 5 USD to initiate an attack on a business, which could create higher damages from an economic and reputational point of view. See EUROPOL, IOCTA 2017 (n 22).
88 In 2010, as part of „Operation Payback‟, some hackers launched DDoS attacks on the websites of Visa, MasterCard and PayPal, making their services unavailable by flooding the network with a huge amount of online access requests. Initially, „Operation Payback‟ was targeting several companies and persons of interest in the anti-piracy field, but the hackers changed their attention right after the affected companies announced that they would not process any payments or donations towards WikiLeaks. See Lauren Turner, „Anonymous hackers jailed for DDoS attacks on Visa, MasterCard and PayPal‟ (Independent, 24 January 2013) <http://www.independent.co.uk/news/uk/crime/anonymous-hackers-jailed-for-ddos-attacks-on-visa-mastercard-and-paypal> accessed 28 November 2017 and Usman Tariq, Yasir Malik, Bessam Abdulrrazak, „Defense and Monitoring Model for Distributed Denial of Service Attacks‟ (2012) Procedia Computer Science 1052-1056 <http://www.sciencedirect.com/science/article/pii> accessed 28 November 2017.
89 In November 2010, DDoS attacks launched by unknown attackers took Myanmar offline for ten days. The massive flood of data affected the country's infrastructure, and it is presumed that the attacks came just before general elections in the Southeast Asian country. See Brenner (n 40) p. 37 and Dan Goodin, „DDoS attacks take out Asian nation‟ (The Register, 3 November 2010) <https://www.theregister.co.uk/2010/11/03/myanmar_ddos_attacks/> accessed 30 April 2018.
90 In 2008, DDoS attacks suspected to come from Russia overwhelmed the Georgian government sites, forcing them to shut down. Websites such as those of the Georgian President and the National Bank of Georgia became inoperable for 24 hours. See EUROPOL, IOCTA 2017 (n 22).
91 EUROPOL, IOCTA 2017 (n 22).
In conclusion, in light of the above particularities of DDoS attacks, it could be argued that in the last couple of years massive denial of service attacks have increased in number and power, affecting the Internet.92 Moreover, a whole „malware ecosystem‟ has been built to sustain DDoS attacks launched by botnets.93 For example, an attacker could easily create and maintain a botnet for launching DDoS attacks just by using the tools and infrastructure available in the „malware ecosystem‟: „it's botnets which unite all the disparate elements of cybercrime into an integrated system, and make it possible to transfer funds from those who make a profit from mass mailings and credit card thefts to malware writers and those who supply cybercriminal activities‟.94 Furthermore, it should not be surprising that in 2008, 15% of online computers were part of a botnet and that a report predicted the number of botnets would grow in the upcoming years.95 In the same year, Wenke Lee, a leading botnet researcher, said that „compared with viruses and spam, botnets are growing at a faster rate‟.96 After almost 10 years, the key findings
92 In 2014, a team of teenagers launched a DDoS attack against Sony PlayStation and Microsoft Xbox Live. With the help of a botnet spread worldwide, composed of a large number of unsecured routers, the attackers took down the two well-known gaming networks. Moreover, the routers used to initiate the DDoS attack were not just home systems but also infected routers linked to commercial companies or even universities around the world. The reason for using such infected devices was that the botnet was scanning for new potential unprotected hosts. For more details see Dan Goodin, 'DDoS service targeting PSN and Xbox powered by home Internet routers' (arsTechnica, 1 September 2015) <https://arstechnica.com/security/2015/01/ddos-service-targeting-psn-and-xbox-powered-by-home-internet-routers/> accessed 6 May 2017. Furthermore, in the same year, a researcher discovered a botnet with approximately 450.000 unique IP addresses of infected devices. In this case, more than 25% were hacked IoT sources such as Wi-Fi routers, VoIP phones, home security systems, PlayStations, DVRs, televisions, refrigerators and other multimedia sets. The IoT devices were configured to send hundreds of thousands of emails as part of a massive malicious email campaign. See more details in 'Your fridge is full of spam: Proof of an IoT-Driven Attack' (proofpoint, January 2014) <https://www.proofpoint.com/us/threat-insight/post/Your-Fridge-is-Full-of-SPAM> accessed 5 May 2017. Finally, in 2016, a massive DDoS attack was launched on a jewellery website, making it inaccessible to online buyers. A botnet comprised of more than 25.000 CCTV cameras located in 105 countries initiated the attack. Cyber security analysts speculated that the attackers infected the devices through a vulnerability that allows remote control of the recorders. See also Dan Goodin, 'Large botnet of CCTV devices knock the snot out of jewelry website' (arsTechnica, 28 June 2016) <https://arstechnica.com/security/2016/06/large-botnet-of-cctv-devices-knock-the-snot-out-of-jewelry-website/> accessed 6 May 2017.
93 Nart Villeneuve, 'Inside a Crimeware Network' (Infowar Monitor, 2010) <http://www.nartv.org/mirror/koobface.pdf> accessed 30 April 2018.
94 Vitaly Kamluk, 'Inside the Massive Gumblar Attack' (Viewing InfoSec from the Trenches, 2009) <http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar> accessed 19 May 2018.
95 Emerging Cyber Threats Report for 2009, Georgia Tech Information Security Center, (2008), p. 2.
96 Ibid.
of Europol's report were presenting the same picture:97 sophisticated cyber attacks such as large-scale DDoS attacks emerging from IoT botnets are a real threat to critical European infrastructure, and in the future we will see new, even more powerful variants of such botnets, due to the diversity of IoT devices.
2.3.2 Internet of Things - IoT
2.3.2.1 Introduction
In the past years, interest in the IoT has increased, and many experts are talking about a revolution in our lives, with new benefits for both the civil and the military world.98 In the first place, what exactly is the Internet of Things? According to the Oxford English Dictionary, which officially added 'Internet of Things' to its list of words in 2013,99 it is defined as 'the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data'.100
The WP29 defines the Internet of Things or IoT as:
An infrastructure in which billions of sensors embedded in common, everyday devices – 'things' as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities. As the IoT relies on the principle of the extensive processing of data through these sensors that are designed to communicate unobtrusively and exchange data in a seamless way, it is closely linked to the notions of 'pervasive' and 'ubiquitous' computing.101
In other words, the 'emerging concept' of IoT can be described as an expanded, global 'ecosystem' of instrumented and interconnected 'IoT services and IoT devices', such as sensors, smart home objects, health devices, cars or industrial items,102 which will merge
97 EUROPOL, IOCTA 2017 (n 22).
98 Nicola Dragoni, Alberto Giaretta and Manuel Mazzara, 'The Internet of Hackable Things' (2016) Proceedings of the 5th International Conference in Software Engineering for Defense Applications, SEDA16.
99 Jennifer Chen, 'Internet of Things added to hall of fame for words, i.e., the Oxford English Dictionary' (Microsoft Blog, 9 September 2013) <https://blogs.microsoft.com/firehose/2013/09/09/internet-of-things-added-to-hall-of-fame-for-words-i-e-the-oxford-english-dictionary/> accessed 10 May 2018.
100 English Oxford Living Dictionaries <https://en.oxforddictionaries.com/definition/Internet_of_things> accessed 10 May 2018.
101 Article 29 Data Protection Working Party, 'Opinion 8/2014 on the Recent Developments on the Internet of Things' adopted on 16 September 2016, 14/EN/WP 223.
102 ENISA, Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures, November 2017 <https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot> accessed 19 February 2018.
physical and virtual worlds, creating a smart environment.103 This 'ecosystem' is closely bound to 'cyber-physical' systems, which will enable smart cities, smart infrastructures and smart grids in order to offer better quality and functionality for society.104 Hence, the IoT is facilitating all aspects of the world by building 'intelligence' into everyday items, increasing their effectiveness and providing automation for the majority of the critical and non-critical industry sectors.105
At this moment, according to Ericsson, the number of IoT devices is growing steadily.106 In 2015 there were 15 billion connected devices (Fig. 2),107 while the projection for 2020 is 28 billion connected devices,108 which will merge physical and virtual worlds, creating a smart setting. The evolution of IoT devices is having a massive impact on market and industry, changing the way we live as a society.109 It is not yet certain whether this evolution is feasible, but smart objects are already communicating with our home and work environments. According to a recent study by ENISA,110 the high speed at which IoT devices are developed and spread into our lives allows the automated use of data and creates unique sharing and availability of data, which leads to remarkable novelty in the economic sector. On the other hand, the same study acknowledges various 'safety and security challenges' that have to be addressed 'for IoT to reach its full potential'.111
In like manner, the WP29 stressed in its opinion that even if the IoT provides significant benefits for society, the manufacturers of IoT devices still need to address numerous security and privacy challenges.112 Unfortunately, IoT devices are often distributed with insufficient built-in security, creating many possible risks that can affect both IoT developments and users' fundamental rights such as privacy, safety and security. According to the same opinion, stakeholders in the IoT market should take into consideration when launching new models of
103 Jan Neutze, 'Cybersecurity Policy for the Internet of Things' (2017) the 8th Annual Internet of Things European Summit, Brussels.
104 ENISA (n 102).
105 Ibid.
106 Ericsson Mobility Report, On the Pulse of the Networked Society, (2015) p. 10 <https://www.ericsson.com/en/mobility-report> accessed 10 May 2018.
107 Admir Tuzovic, 'The Internet of Your Things Microsoft's Vision for IoT' (2015).
108 Ericsson Mobility Report (n 106).
109 ENISA (n 102).
110 Ibid.
111 Ibid.
112 Article 29 Data Protection Working Party, 'Opinion 8/2014 on the Recent Developments on the Internet of Things' adopted on 16 September 2016, 14/EN/WP 223.
IoT devices, as there are risks such as data breaches, infection with various types of malware, illegal access to a computer system without right, misuse of devices, etc. Moreover, ENISA has pointed out that the IoT creates new legal disputes. Unfortunately, policymakers are unable to address and understand the security challenges around the IoT, leaving companies to work on the security framework of such 'smart things' on their own.
2.3.2.2 Shaping IoT
Before delving into the security considerations, some unique characteristics of the IoT are presented. Despite the diversification and spread of the IoT, the devices share the same elements and characteristics in their architecture:113
- The need for a physical or virtual 'thing' – it is essential for the device to have embedded objects, which are capable of communicating, exchanging, capturing, storing and processing the data;
- Smart decision making – per se, the IoT devices will need to analyse the information by extracting the essential data;
- Sensors, the critical building blocks of the IoT ecosystem – the role of the sensors is crucial because through them various indicators are monitored and information is collected about networks and applications;
113 Article 29 Data Protection Working Party, 'Opinion 8/2014 on the Recent Developments on the Internet of Things' adopted on 16 September 2016, 14/EN/WP 223.
Figure 2 – IoT Devices
- Communications – it is crucial for the IoT device to send and receive data. Therefore, multiple communication protocols could be used, such as Bluetooth, Wi-Fi, USB, 3G/4G, etc.; thus, it is not necessary for IoT devices to have an active Internet connection in order to transfer information. However, the focus of this thesis is only on devices with an Internet connection.
2.3.2.2.1 Security considerations and challenges
Unfortunately, the majority of the IoT devices on the market lack necessary security measures such as complex passwords, encryption of traffic or communication, and protected firmware. Thus, cybercriminals are targeting the Internet of Things with attacks that can have dangerous implications for privacy and data protection, and can even threaten public safety (e.g. malicious interference with the control of a car, a power plant or a pacemaker).114 In the early stages of the 'IoT tsunami',115 researchers already highlighted such problems and presented what should be achieved from a technical perspective to better protect our privacy and to secure IoT devices.116 Unfortunately, it is clear that the majority of IoT manufacturers did not listen to and implement their recommendations, and that there is still a lot left to do in terms of achieving security in the IoT.
Following two of the EU Commission's Working Documents, the author considers that the main reasons why IoT manufacturers have not done more to achieve better security for the IoT ecosystem are the following:
- the various parties potentially involved in the building and selling process of an IoT device, actors which could all share liability, including the final user;
- the fact that it is still unclear how liability could be shared in the absence of a specific requirement (i.e. there was no obligation on IoT manufacturers to ensure data protection or a specific level of cyber resilience for any IoT device);
- the issue of contractual liability, which is not applicable as the IoT manufacturer does not need to provide any cyber resilience for the user;
- the fact that many IoT software vendors are trying to exclude or minimise their civil liability by inserting disclaimers and limitations of liability in respect of providing the service.117
114 WIND, Security in the Internet of Things: Lessons from the Past for the Connected Future, 2015, <https://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf> accessed 19 February 2018.
115 Dragoni et al. (n 98).
116 R. Roman, P. Najera and J. Lopez, 'Securing the Internet of Things' (2011) IEEE Computer vol. 44 p. 51-58 <https://www.computer.org/csdl/mags/co/2011/09/mco2011090051.html> accessed 15 May 2018.
117 Dragoni et al. (n 98).
As an illustration, an HP study from 2014 revealed the shocking fact that more than 70% of IoT devices are vulnerable to a cyber attack.118 Moreover, the study found that these devices contain on average 25 vulnerabilities, which could be exploited at any time by attackers. The report showed that some simple security issues could be addressed quickly by the manufacturer, including:119
- Privacy concerns – 90% of IoT devices were collecting personal data of the user such as name, email address, home address, credit card, etc.;
- Insufficient authorisation – 80% of devices were using passwords such as '1234' or 'admin', failing to require complex passwords;
- Lack of encryption – 70% of the tested IoT devices did not use any encryption for communications over the Internet, local networks or the cloud;
117 (continued) It is interesting to see why IoT manufacturers have not done more to achieve security for this ecosystem. Firstly, the IoT is highly complex, and it has created sophisticated interdependencies between product and service producers; moreover, there are many actors involved, from product manufacturers, sensor manufacturers and software producers to final users, all of whom could have a share of liability. There is uncertainty over who should be responsible for guaranteeing the safety of a product, who should be responsible for ensuring security for the full life cycle of a product, and how liabilities should be shared between the above-mentioned actors when a product is not working correctly and causes damage. Secondly, under the current EU legal framework, products and services are not treated in the same manner. In other words, supplying data through an IoT device is treated as a service. Therefore it falls outside the scope of product liability and any safety frameworks. Thus, where damage or harm is inflicted by providing erroneous data or by failing to provide any data, liability becomes unclear, and any claims will be difficult to enforce. Thirdly, the majority of IoT devices are open to software updates and patches after they are released on the market. However, such updates could change the behaviour and functionality of an IoT device because a third party has produced some parts of the IoT system. It is true that such security patches will close entry points for hackers, but they could also affect some features of the IoT device. Finally, in order to be liable, a software provider has to fail to comply with contractual obligations such as supplying security updates or applications for a certain period. However, such liability could be limited in some cases where the users do not install the latest available updates. Unfortunately, such a contractual relationship between the user and the IoT manufacturer, to provide cyber security resilience or any updates for the devices, is almost always absent. However, the courts could tend to impose tort liability on IoT vendors for the damage or harm which could be caused to third parties in case of a cyber attack. Furthermore, it is difficult to apply the product liability rules in case of cyber attacks because notions such as 'defect', the 'level of security' that users are expecting to have, or the 'impact of patches' are difficult to define. For more details, see Commission Staff Working Document Advancing the Internet of Things in Europe, accompanying the document Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – Digitising European Industry Reaping the full benefits of a Digital Single Market, COM(2016) 180 final, Brussels 2016 and Commission Staff Working Document Liability for emerging digital technologies, accompanying the document Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – Artificial intelligence for Europe, COM(2018) 137 final, Brussels 2018.
118 'HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable of Attack' (Hewlett-Packard Development Company, 2014) <http://www8.hp.com/ca/en/hp-news/press-release.html?id=1744676> accessed 10 May 2018.
119 Ibid.
- Insecure interface – 60% of IoT devices did not use encryption or any other protection, not even when downloading patches or software updates, which made such data transmissions possible to intercept and modify.
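The four HP findings above map directly onto checks an operator can run against a device's configuration before it is deployed. The following is an added example, not code from the thesis or from the HP study: a small Python audit that flags each of the four weaknesses for a constructed device description. The DeviceConfig fields, the sample devices and the password thresholds are assumptions; the factory credential list is the one reproduced in footnote 143 of this thesis.

```python
"""Audit a constructed IoT device configuration against the weaknesses the HP
study lists: personal data collection, default or trivial credentials,
unencrypted transport, and an update channel that can be tampered with.
Added example; not from the thesis or the HP study."""
from dataclasses import dataclass, field

# Assumption: a minimal description of a device's settings, as an operator
# might export from a management console.  All values below are constructed.
@dataclass
class DeviceConfig:
    name: str
    username: str
    password: str
    admin_tls: bool            # web/API interface served over TLS?
    cloud_tls: bool            # telemetry to the cloud sent over TLS?
    update_https: bool         # firmware fetched over HTTPS?
    update_signed: bool        # firmware signature verified before install?
    data_fields: list = field(default_factory=list)  # personal data collected

# Factory credentials as listed in footnote 143 of the thesis.
DEFAULT_CREDENTIALS = {"admin", "root", "888888", "admin1234", "", "111111",
                       "1234", "12345", "54321", "123456", "user", "0",
                       "system", "pass", "1111"}

def password_is_weak(password: str) -> bool:
    """True for factory defaults and for short, low-variety passwords.
    The 12-character / 3-class threshold is an assumed local policy."""
    if password in DEFAULT_CREDENTIALS:
        return True
    if len(password) < 12:
        return True
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return classes < 3

def audit(cfg: DeviceConfig) -> list:
    """Return one finding per weakness, mirroring the four HP categories."""
    findings = []
    if cfg.data_fields:
        findings.append("PRIVACY: collects " + ", ".join(cfg.data_fields))
    if password_is_weak(cfg.password):
        findings.append("AUTHZ: weak or default password")
    if not (cfg.admin_tls and cfg.cloud_tls):
        findings.append("CRYPTO: unencrypted communications")
    if not (cfg.update_https and cfg.update_signed):
        findings.append("UPDATE: update channel can be intercepted or modified")
    return findings

def audit_fleet(devices) -> dict:
    """Map device name -> list of findings for a whole fleet."""
    return {d.name: audit(d) for d in devices}

# Constructed sample fleet: one device as shipped, one hardened.
SAMPLE_FLEET = [
    DeviceConfig("cam-01", "admin", "admin", False, False, False, False,
                 ["name", "email", "home address"]),
    DeviceConfig("cam-02", "ops", "Xk9#vbT2!qLm7", True, True, True, True, []),
]

if __name__ == "__main__":
    for name, result in audit_fleet(SAMPLE_FLEET).items():
        print(name, result or ["no findings"])
```

The update check deliberately requires both transport encryption and a verified signature: HTTPS alone protects the download in transit, but only signature verification stops a modified image that reaches the device by another route.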
According to another report, the majority of manufacturers do not build the IoT with security in mind; moreover, cyber security is not their primary focus when developing such devices.120 With this in mind, it is clear that IoT manufacturers have adopted practices oriented towards profit rather than cyber security, an opinion also shared by Dragoni et al.,121 a critical situation that will lead to even more dangerous cyber attacks with the help of IoT botnets.
2.3.2.2.2 Reasons why IoT devices became botnet 'friendly'
In the light of the above, why are IoT devices the ideal way to build a botnet? To answer this question, Kolias et al. provide five particular reasons why the IoT became a new environment for the proliferation of the latest major DDoS attacks:122
- High availability of the IoT devices – unlike computer systems, which are sometimes turned off and thus disconnected from the Internet, the majority of IoT devices (e.g. routers and webcams) are online 24/7;123
120 The report highlighted some shocking findings:
a) Only 49% of organisations update their products remotely and regularly;
b) Only 48% of manufacturers focus on security by design (i.e. securing their devices from the beginning of the development phase);
c) Only 36% of companies are trying to change and adopt a security by design process;
d) Only 28% of companies are hiring hackers to identify the vulnerabilities in IoT;
e) Only 20% of manufacturers are hiring IoT experts to improve their security skills.
For more details in this case see 'Securing the Internet of Things Opportunity: Putting Cybersecurity at the Heart of the IoT' (Capgemini Consulting, 2015) <https://www.capgemini.com/consulting/resources/security-in-the-internet-of-things/> accessed 10 May 2018.
121 Dragoni et al. (n 98). For example, some experts pointed out that various issues with the liability of the manufacturers could quickly be addressed by identifying and introducing policies dealing with adequate obligatory checks done by the IoT vendors over the safety and performance of the IoT devices. Moreover, IoT manufacturers could easily connect with the users and provide valuable information related to the safety and security of the IoT device. Such information could also include a step-by-step guide on the correct installation and setup of the IoT device, reminders regarding the secure use of such devices, updates and security patches, etc. The challenge now stands in the hands of policymakers: how to ensure that such safety practices are flexible enough to lead the way towards enhancing IoT security. However, until this milestone is reached, the security challenges could be addressed by adopting the 'Trusted IoT label', which gives information regarding the various levels of security and privacy of IoT devices. See more details in OECD publishing, 'Consumer Product Safety in the Internet of Things' (2018) OECD Digital Economy Paper <https://www.oecd-ilibrary.org/science-and-technology/consumer-product-safety-in-the-internet-of-things_7c45fa66-en> accessed 9 September 2018.
122 Constantinos Kolias, Georgios Kambourakis, Angelos Stavrou, Jeffrey Voas 'DDoS in the IoT: Mirai and Other Botnets' (2017) IEEE Computer Society <https://www.researchgate.net/publication/318288727_DDoS_in_the_IoT_Mirai_and_other_botnets> accessed 15 February 2018.
- Ineffective security – when rushing to deliver IoT devices, manufacturers often disregard the security of the devices in favour of a more user-friendly interface; the WP29 detailed that the IoT brings security risks which are in a permanent 'fight' with the efficiency of such devices.124 As mentioned above, most IoT devices do not use any encrypted communications, because the manufacturers decided that applying such a secured way of transmitting data would have an impact on the low-powered batteries incorporated in the IoT.125 Therefore, IoT producers cannot balance the protection of essential cyber security principles such as the confidentiality, integrity and availability of data with the optimisation of the functionality of the smart devices;
- Fair support and maintenance – the smart devices are not receiving enough firmware updates, because of the irregularity of the security framework on the market; similarly, users or network admins do not check the setup of the devices unless they stop working correctly;
- Large attack traffic – the traffic that such IoT devices generate is similar to that of computer systems;
- Minimal user interaction – unlike computer systems, where there is an interactive user interface, in the case of the IoT it is more complicated to find out about a malware infection; thus, even when the user knows about the malware, the easiest and shortest way of dealing with the infection is to replace the device;
- Same default passwords – the author would like to add one more, and maybe the most crucial, reason why IoT devices became ideal for launching DDoS attacks: the re-use of default passwords and credentials for entire categories of IoT devices by the manufacturers. Even if in the opinion of some researchers this reason would be part of 'ineffective security', because it is of utmost importance it could be considered per se.126
As we can see in the chart below, IoT DDoS-capable botnets are growing in popularity, as four new IoT botnet families were born in 2016 alone, whereas until 2008 we had nearly two
123 De Donno et al. (n 65).
124 Article 29 Data Protection Working Party, 'Opinion 8/2014 on the Recent Developments on the Internet of Things' adopted on 16 September 2016, 14/EN/WP 223.
125 Article 29 Data Protection Working Party, 'Opinion 8/2014 on the Recent Developments on the Internet of Things' adopted on 16 September 2016, 14/EN/WP 223.
126 For more details see <arbornetworks.com/stakes> accessed 12 August 2018.
[Chart: 'IoT DDoS capable botnets - Year Progression', number of new IoT botnet families per year from 2008 to 2016, vertical axis 0 to 5]
categories of such IoT malware, and before that year they did not even exist.127 Thus, the IoT 'ecosystem' has created new opportunities for cybercriminals to build massive IoT botnets and launch DDoS attacks with short but high impact on critical infrastructure. For these reasons, there is a high risk of any unprotected IoT device becoming part of a botnet which could launch a massive DDoS attack, as predicted by Europol in previous years.128
2.3.2.3 'Mirai' – 'The future' is already here
'The Mirai botnet and its variants and imitators are a wake-up call to the industry to better secure Internet of Things devices or risk exposing the Internet infrastructure to increasingly disruptive distributed denial-of-service attacks.'129
The 'Mirai' botnet, Japanese for 'the future', came to light in August 2016 and was used to launch the most powerful DDoS attacks in history.130 In September 2016, the most significant cyber attack ever seen or registered on the Internet until then, with over 620 gigabits of traffic per second, hit the blog of security researcher Brian Krebs and took it offline. Simultaneously, the French cloud computing company OVH was hit with an even bigger DDoS attack launched by the Mirai botnet, reaching 1.1 Tbps.131 Furthermore, the creator of the Mirai
127 De Donno et al. (n 65).
128 EUROPOL, IOCTA 2017 (n 22).
129 Kolias et al. (n 122).
130 Ibid.
131 Dan Goodin, 'Record-breaking DDoS reportedly delivered by >145k hacked cameras' (arsTECHNICA, 29 September 2016) <https://arstechnica.com/information-technology/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/> accessed 1 May 2018.
botnet uploaded its source code to the Internet,132 and subsequently a group of hackers started to rent out the massive botnet consisting of more than 400.000 infected devices.133
Unfortunately, one month later, unknown attackers using the same botnet 'bombarded' Dyn (a domain service provider)134 with DDoS attacks, which generated 1.2 Tbps135 136 of traffic.137 The attacks completely took offline for 2 hours many popular websites,138 such as Twitter, Airbnb, GitHub, Pinterest, Reddit, Paypal, Spotify, SoundCloud, The Guardian, Amazon, CNN, Yelp, Netflix and many more from the US and Europe.139 These attacks were atypical because of the magnitude of the traffic, but also because the traffic was coming from peer-to-peer connected devices.140 The enormous traffic was generated by 'a vast army'141 of hacked devices from all over the world, including IoT devices such as IP cameras, routers and DVRs. The Mirai botnet's focus was on such IoT devices because they were protected only by default usernames and passwords.
The Mirai attack process was very straightforward, as shown in Fig. 3.142 The botnet first scanned various IP addresses on the Internet, mainly trying to locate and detect which ones belong to an IoT device. Secondly, the botnet launched a brute force attack (an attack in which the hacker or the botnet itself tries to figure out the credentials of the target) on the IoT
132 GitHub, 'Leaked Mirai Source Code for Research/IoC Development Purposes' (GitHub) <https://github.com/jgamblin/Mirai-Source-Code> accessed 1 May 2018.
133 Catalin Cimpanu, 'You can now rent a Mirai Botnet of 400,000 bots' (BLEEPINGCOMPUTER, 24 November 2016) <https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/> accessed 1 May 2018.
134 Dyn is an important part of the Internet infrastructure, because when a person visits a website that uses Dyn's domain service provider servers, Dyn helps the person's browser or app find the system to connect to. When Dyn is offline and not working, the software cannot find the website that the person is looking for. For more details, see <https://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/> accessed 1 May 2018.
135 1 terabit per second (Tbps) = 1000 gigabits per second (Gbps).
136 Vincent Weafer and others, 'McAfee Labs Threats Report April 2017' (Intel Security McAfee Labs, April 2017) <https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2017.pdf> accessed 6 May 2017.
137 1.2 Tbps is the traffic generated every second by 172 Tweets, 17 Instagram photo uploads, 30 Tumblr posts, 60 Skype calls, 1400 Google searches, 1560 YouTube video views and 60.000 emails sent, including spam. In general, Internet traffic is around 44 terabytes per second. See more details at the Internet Live Stats <https://news.ycombinator.com/item?id=12769751>.
138 EUROPOL, IOCTA 2017 (n 22).
139 Libby Plummer, 'Was massive hack that floored Amazon, Twitter and Reddit practice for election day? Wikileaks supporters and hackers say attack was revenge for shutting down Assange – but many fear it's just a warm-up' (DailyMail Online, 24 October 2016) <http://www.dailymail.co.uk/sciencetech/article-3859500/Widespread-internet-havoc-major-attack-takes-websites-offline-Spotify-Twitter-sites-suffer-outages.html> accessed 6 May 2017.
140 Brian Krebs, 'KrebsOnSecurity Hit With Record DDoS' (KrebsonSecurity, 21 September 2016) <https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/> accessed 6 May 2017.
141 Chris Williams, 'Today the web was broken by countless hacked devices – your 60-second summary' (TheRegister, 21 October 2016) <https://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/> accessed 1 May 2018.
142 Weafer (n 136).
devices, using a list of common factory usernames and passwords, in order to identify the poorly secured IoT devices.143 After successfully hijacking the IoT devices, the botnet sent the IP address and default credentials to the control server and, alternatively, to a scanning receiver. Afterwards, the loading server downloaded the Mirai bot to the IoT device. Once the compromised IoT devices were successfully infected with this malware, the process was repeated. Thus, each infected IoT device started searching for other vulnerable devices, transforming them into a massive 'zombie' IoT army. The Mirai botnet was so powerful that it could even kill other small bots or terminate the communication between IoT devices and their ports, giving the attacker full and independent access.
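The process just described leaves a recognisable trace on the target side: a burst of failed logins from a single source cycling through several factory usernames within seconds, followed by a success. The following added example (not code from the thesis, from Kolias et al. or from the Mirai source) shows how a defender can detect that pattern in a device's login log. The log line format, the constructed sample lines and the thresholds are assumptions; a successful login after the burst is reported as a compromise indicator so the operator knows to isolate the device and change its credentials.

```python
"""Flag Mirai-style default-credential scanning in device login logs.
Added example, not from the thesis; the log format and thresholds are
assumptions, and the sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format of a device's telnet/SSH daemon log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+): login (?P<result>ok|failed) "
    r"user=(?P<user>\S*) from=(?P<src>[\d.]+)$")

# Constructed sample: one scanning source that cycles through factory
# usernames and then gets in, one legitimate typo, one slow single-user retry.
SAMPLE_LOG = """\
2016-09-20T03:14:01Z telnetd: login failed user=root from=203.0.113.5
2016-09-20T03:14:02Z telnetd: login failed user=admin from=203.0.113.5
2016-09-20T03:14:02Z telnetd: login failed user=support from=203.0.113.5
2016-09-20T03:14:03Z telnetd: login failed user=user from=203.0.113.5
2016-09-20T03:14:04Z telnetd: login failed user=service from=203.0.113.5
2016-09-20T03:14:05Z telnetd: login ok user=admin from=203.0.113.5
2016-09-20T03:20:10Z sshd: login failed user=alice from=192.0.2.7
2016-09-20T03:20:40Z sshd: login ok user=alice from=192.0.2.7
2016-09-20T04:00:00Z telnetd: login failed user=root from=198.51.100.9
2016-09-20T04:00:01Z telnetd: login failed user=root from=198.51.100.9
"""

def parse(log_text):
    """Return (timestamp, source, username, success) tuples; skip other lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return events

def detect_scanners(events, window=timedelta(seconds=60),
                    min_failures=4, min_users=3):
    """Return {source: (failures, distinct_users, succeeded_after)} for every
    source whose failed logins inside one `window` reach `min_failures` and
    span at least `min_users` different usernames.  The username spread is
    what separates credential scanning from a single user mistyping."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e[3]]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - first[0] <= window]
            users = {f[2] for f in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                last_fail = burst[-1][0]
                # A success at or after the burst means the device let the
                # scanner in: treat as a compromise indicator, not just noise.
                succeeded = any(e[3] and e[0] >= last_fail for e in evs)
                alerts[src] = (len(burst), len(users), succeeded)
                break
    return alerts

if __name__ == "__main__":
    for src, (n, users, got_in) in detect_scanners(parse(SAMPLE_LOG)).items():
        print(f"{src}: {n} failures, {users} usernames, "
              f"{'COMPROMISED' if got_in else 'blocked'}")
```

Tune the thresholds to the device: a camera that is never administered interactively can alert on far fewer failures than a gateway that staff log into daily. The slow single-user retry from the last source in the sample is deliberately not flagged, which is the edge case a naive "N failures" rule gets wrong.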
Furthermore, after the release of Mirai's code and after it had affected so many devices, the general expectation was that the main actors would develop effective defence and detection mechanisms. However, precisely the opposite happened: a tremendous number of Mirai variations continue to spread online using the same methods and inflicting damage even two
143 The following combinations of default username and password were used in the brute-force credential attack: admin, root, 888888, admin1234, (none), 111111, 1234, 12345, 54321, 123456, user, 0, system, pass, 1111, etc.
Figure 3 – Mirai Botnet Attack Process
years after the initial attack. Surprisingly, IoT manufacturers are not paying enough attention to applying at least some general security guidelines to protect the IoT environment.144 Such guidelines will be discussed later on, after analysing the legal literature.
Under those circumstances, in February 2017 a new Mirai botnet variant launched a 54-hour-long DDoS attack against a US college.145 Another botnet, called 'Hajime', is currently scanning the Internet for unsecured IoT devices, but this time, instead of planting malware, it is protecting the IoT devices from botnets like Mirai by dealing with the sources of vulnerability. For this reason, researchers speculate that such atypical behaviour of a botnet comes from a 'white hat'146 hacker.147
2.3.3 Critical Infrastructure
2.3.3.1 Introduction
In the light of the above paragraphs, it seems that sophisticated distributed denial-of-service attacks are a real threat. Thus, they remain a top priority for EU law enforcement, with more and more critical infrastructure being vulnerable to such DDoS attacks. Moreover, due to the high availability of the Mirai code, Europol is expecting a growth of large-scale DDoS attacks oriented towards critical infrastructure.148
Firstly, what exactly does 'critical infrastructure' mean? Unfortunately, there is no common and accepted definition.149 However, the author will try to define 'critical infrastructure' by following the definitions used by the EU legal framework and legal literature. Therefore, the Council Directive on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection stipulates that 'critical infrastructure' is:
'An asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or
144 Kolias et al. (n 122).
145 Dima Bekerman, 'New Mirai Variant Launches 54 Hour DDoS Attack against US College' (ImpervaIncapsula Blog, 29 March 2017) <https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html> accessed 1 May 2018.
146 A 'whitehat' or ethical hacker is a person with very high specialisation and a belief in the ethics of freedom of access to public information. These hackers test systems and improve the security of computer systems. See for example Wall (n 6), p. 55.
147 Phil Muncaster, 'Mirai-Busting Hajime Worm Could be Work of White Hat' (infosecurity, 20 April 2017) <https://www.infosecurity-magazine.com/news/mirai-busting-hajime-worm-could/> accessed 1 May 2018.
148 EUROPOL, IOCTA 2017 (n 22).
149 Luca Montanari, Leonardo Querzoni 'Critical Infrastructure Protection: Threats, Attacks and Countermeasures' (TENACE Project, Universita degli Studi di Roma "La Sapienza", 2014), p.5 <http://www.dis.uniroma1.it/~tenace/download/deliverable/Report_tenace.pdf> accessed 10 June 2018.
32
social well-being of people, and the disruption or destruction of which would
have a significant impact in a Member State as a result of the failure to maintain
those functions.‟150
According to the same Directive, ‘European critical infrastructure’ means:
‘Critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure.’151
In other words, identifying a European critical infrastructure is a complex process that hinges on the damage which its failure could cause.152 Montanari and Querzoni followed the Directive's approach and set out three cross-sectoral criteria for identifying any critical infrastructure:
the likely number of casualties in case of an attack (i.e. fatalities or injuries);
the probable economic effects in case of an attack (i.e. financial losses and damage to products and services, which could also affect the environment);
the possible consequences for the population in case of an attack (i.e. physical damage creating turmoil in society, impact on public confidence, loss of vital public services).
Unfortunately, the Directive itself focuses only on the energy and transport sectors and does not include others, such as the information and communication technology sector.153
The Directive provides, as guidance for the Member States, a list of critical infrastructure sectors and sub-sectors: energy (electricity, oil, gas) and transport (road transport, rail transport, air transport, inland waterways transport, ocean and short-sea shipping and ports). However, before this Directive was adopted, the Commission's proposal had also included other critical infrastructure sectors: information and communication technologies (ICT), water, food, health, the financial sector, the chemical industry, space and research facilities.154 The author believes that the Directive should cover these sectors too; the reasons hardly need spelling out.155
Nonetheless, the EU legislator follows the definition of critical infrastructure from the previously mentioned Directive and makes the Botnet Directive more explicit by including in its definition examples of critical infrastructure such as ‘power plants, transport networks or government networks’.156 Furthermore, the head of the European Reference Network for Critical Infrastructure Protection (ERNCIP) defines critical infrastructure as ‘infrastructures which our society depends on in daily life. So it is not only transport and only energy, it is also IT and there are many other sectors which could be included in that’.157 The author shares this approach, because nowadays the backbone of our society rests on a secure Internet and, moreover, on secure information systems. The disruption or improper functioning of such critical infrastructure would have direct consequences for all EU citizens and for the many organisations which provide goods and services to the population.158
Moreover, as part of the EU Cybersecurity Strategy,159 in 2016 the European Parliament and the Council adopted the NIS Directive. The author suggests that the NIS Directive is the first step towards EU-wide cybersecurity legislation and an improvement of the EU legal framework, because it mandates the Member States to supervise the cybersecurity of critical infrastructure operators in the following sectors:160 energy (electricity, oil, gas), transport (air, rail, water and road transport), banking, financial market infrastructures, health (healthcare providers including hospitals and private clinics), drinking water supply and distribution, and digital infrastructure (IXPs,161 DNS162 service providers and TLD name registries163). Article 5 of the NIS Directive guides the Member States in identifying the operators of essential services by applying three criteria:164

150 Article 2(a) of Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection [2008] OJ L345/75.
151 Article 2(b) of Council Directive 2008/114/EC.
152 Montanari, Querzoni (n 149), p. 6.
153 Recital 5 of Council Directive 2008/114/EC.
154 Proposal for a Directive of the Council on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, COM/2006/0787.
155 For example, abusing the financial system of a country would endanger the entire society, because banking and financial services are the core of any modern economy; the water and food sectors go hand in hand and are strategically connected, since if there is not enough water for irrigating the fields, food production may suffer; the energy sector is also critical, and sometimes relies on the water sector. For more details also see Montanari, Querzoni (n 149), p. 7.
156 Recital 4 of the Botnet Directive.
157 Ben Deighton, ‘Critical infrastructures under daily attack – ERNCIP head Georg Peter’ (Horizon: The EU Research & Innovation Magazine, 20 March 2017) <https://horizon-magazine.eu/article/critical-infrastructures-under-daily-attack-erncip-head-georg-peter_en.html> accessed 19 May 2018.
158 ENISA, Stocktaking, Analysis and Recommendations on the Protection of CIIs (2016) <https://www.enisa.europa.eu/publications/stocktaking-analysis-and-recommendations-on-the-protection-of-ciis/at_download/fullReport> accessed 12 May 2018.
159 European Commission, ‘EU Cybersecurity plan to protect open internet and online freedom and opportunity’ (European Commission Press Release, 7 February 2013) <http://europa.eu/rapid/press-release_IP-13-94_en.htm> accessed 12 May 2018.
160 Annex II of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union [2016] OJ L194/1, hereinafter the NIS Directive.
161 Article 4(13) of the NIS Directive provides that an internet exchange point or IXP means a network facility which enables the interconnection of more than two independent autonomous systems, primarily for the purpose of facilitating the exchange of internet traffic.
(1) The entity provides a service which is essential for the maintenance of critical
societal/economic activities;
(2) The provision of that service depends on network and information systems;
(3) An incident would have significant disruptive effects on the provision of that service.
Thus, reading these criteria together with Article 2(a) of Council Directive 2008/114/EC of 8 December 2008, it follows that critical infrastructure corresponds closely to the essential services (hereinafter CIs) and that the operators of such services are the operators of critical infrastructure. Moreover, Article 1(4) of the NIS Directive stipulates that the latter applies ‘without prejudice’ to Council Directive 2008/114/EC.
In other words, the author understands critical infrastructure as infrastructure whose malfunction, even for a short period, may negatively affect the economy and the well-being of society, leading to economic losses and exposing individuals, groups or assets to safety and security risks, and whose service depends on network and information systems,165 a view also supported by the NIS Directive.
2.3.3.2 Why Did Critical Infrastructure Become a Tempting Target for DDoS Attacks?
Operators of essential services in many EU countries have had to adapt to society's growing demand for all kinds of services. They therefore deployed infrastructure technology166 which made the CIs increasingly managed electronically, relying on ICT networks to deliver their products and services.167
Moreover, in recent years, in order to improve performance, operators of essential services integrated Internet-based monitoring and control systems168 into their networks, based on advanced technologies such as wireless components,169 which added a growing number of access points to critical networks that until then had been closed and not reachable from the Internet.170 Furthermore, given their wide geographic spread and reliance on computerisation, CI operators had to use remote access, which requires an Internet connection.171 As a result, several critical infrastructure sectors became physically interconnected and cyber-interdependent, using physical links between them to communicate and exchange information.172 For example, a formerly offline power plant is now connected to the smart grid, which allows the smart distribution of the service to be controlled; and emergency services rely on the telecommunications network infrastructure to transmit and receive information.

162 Article 4(14) of the NIS Directive provides that domain name system or DNS means a hierarchical distributed naming system in a network which refers queries for domain names; i.e. the DNS serves like a phone book which translates hostnames into IP addresses.
163 Article 4(16) of the NIS Directive provides that ‘top-level domain name registry’ (TLD name registry) means an entity which administers and operates the registration of internet domain names under a specific top-level domain.
164 Article 5 of the NIS Directive.
165 Montanari, Querzoni (n 149), p. 5.
166 Hurst et al. (n 27).
167 Montanari, Querzoni (n 149), p. 23.
Consequently, reliance on computer systems and the Internet in almost all critical infrastructure sectors has opened the door to cybercriminals and to new digital threats alongside the traditional ones. According to Georg Peter, banks,173 railway networks,174 power plants and telephone networks175 are under daily attack by cybercriminals, and the number of such attacks is expected to increase in the coming period.176 Thus, due to interconnectivity and interdependency, a powerful DDoS attack could cause a cascading outage with a severe impact on the well-being of society.

168 Ibid.
169 Hurst et al. (n 27).
170 Ibid.
171 Ibid.
172 Montanari, Querzoni (n 149), p. 24.
173 In January 2018, the largest Dutch banks, ABN Amro, ING and Rabobank, and the Dutch Tax Authority were hit by a coordinated DDoS attack. The attack on the banks prevented customers from accessing and using mobile or online banking for several hours, while the attack on the Tax Authority prevented taxpayers from completing their tax filings. Moreover, the website of ABN Amro was offline for a long period, causing accessibility problems for its customers. The Dutch Ministry of Justice noted that Dutch banks are known in Europe for having improved their cybersecurity in recent years, but that such advanced attacks could still cause massive outages. See J.P. Buntinx, ‘Major DDoS Attack Against ABN Amro Causes Major Outage’ (Fintechist, 17 January 2018) <http://www.fintechist.com/new-cyberattack-cripples-services-abn-amro/> accessed 19 May 2018; Pierluigi Paganini, ‘Three Dutch banks and Tax Agency under DDoS attacks…is it a Russian job?’ (Security Affairs, 30 January 2018) <https://securityaffairs.co/wordpress/68428/hacking/dutch-banks-ddos.html> accessed 19 May 2018; and Janene Pieters, ‘Russian Servers Linked to DDoS Attack on Netherlands Financial Network: Report’ (NL Times, 29 January 2018) <https://nltimes.nl/2018/01/29/russian-servers-linked-ddos-attack-netherlands-financial-network-report> accessed 19 May 2018.
174 One of the most recent attacks occurred on 15 May 2018, when a massive DDoS attack hit the Danish state rail operator DSB. In their attempt to bring DSB's systems down entirely, the attackers managed to block the ticketing system and prevent customers from buying tickets. To cause more damage, they also took the telephone infrastructure and the internal email system offline, so that the company could only communicate with passengers through social media. For more details see Pierluigi Paganini, ‘Massive DDoS attack hit the Danish state rail operator DSB’ (Security Affairs, 15 May 2018) <https://securityaffairs.co/wordpress/72530/hacking/rail-operator-dsb-ddos.html> accessed 19 May 2018.
175 In 2016, a DDoS attack of more than 500 Gbps was launched against the Internet infrastructure of Liberia. However, only one of the four main telecom providers in Liberia was affected, and it managed to mitigate the attack successfully. Some experts held that the attack targeted Liberia's telecommunication infrastructure because the Internet cable between Africa and Europe, presumed to be the real target, provides Internet for more than nine African countries. Also see James Scott, Drew Spaniel, Rise of the Machines – The Dyn attack was just a practice run (Institute for Critical Infrastructure Technology, 2016) p. 19.
176 Ben Deighton, ‘Critical infrastructures under daily attack – ERNCIP head Georg Peter’ (Horizon: The EU Research & Innovation Magazine, 20 March 2017) <https://horizon-magazine.eu/article/critical-infrastructures-under-daily-attack-erncip-head-georg-peter_en.html> accessed 19 May 2018.

2.4 Conclusions
This chapter revealed that the IoT brings not only great advantages for society: the vulnerabilities of IoT devices, combined with their unique characteristics, have led to the proliferation of new large-scale DDoS attacks which endanger critical infrastructure and in some cases can cause physical harm. Furthermore, because society ignored the warnings raised by researchers on these matters, in 2016 the Internet was hit by the most significant DDoS attack in its history, launched by the Mirai botnet. Mirai, representing the synergy between DDoS and IoT, consisted of more than 400,000 IoT devices infected by malware that guessed their default credentials. The analysis of these issues revealed that such huge botnets are just the beginning, and that there is a high probability of even more powerful DDoS attacks against critical infrastructure than ever before. Therefore, further assessment of the EU legal framework is needed, to determine how each step of building an IoT botnet and then launching DDoS attacks is criminalised. For this purpose, Chapter 3 explores the relevant EU legal framework dealing with DDoS attacks, the cybersecurity requirements imposed on operators of critical infrastructure in the event of cyber attacks, and whether there are any regulatory gaps.
Chapter 3
The relevant EU legal framework; is there something missing?
‘Security flaws in these things could mean people dying and property being destroyed.’177
3.1 Chapter Outline
In a constant back-and-forth dance, the adage ‘codes we live by, laws we follow, and computers that move too fast to care’178 aptly describes the regulatory gap that new technologies and ecosystems, including the IoT, open up at a global level. When it comes to massive DDoS attacks launched by huge IoT botnets, it is worth examining whether such gaps exist in the legal framework. Legislation should counter these constantly growing risks regardless of how fast technology advances.179 Fighting cybercrime, and thus DDoS attacks, requires globally coordinated action by EU bodies in the form of harmonised conventions, guidelines and recommendations.180 As some of these instruments are already in place in the EU, this chapter outlines the European Union's legal framework for the fight against attacks on critical infrastructure.
3.2 European legal framework
3.2.1 The Council of Europe – Budapest Convention
Before analysing the most recent legal developments in the fight against DDoS attacks from the EU's perspective, the author will briefly introduce the Budapest Convention.181 After many years of preparatory work, the Council of Europe adopted the Convention to cope with the jurisdictional issues caused by the evolution of the Internet.182 This international instrument was opened for signature on 23 November 2001 and entered into force on 1 July 2004.183 This was a historic achievement, because the Convention is the first binding multilateral instrument in the fight against cybercrime. The agreement was initially signed by 30 countries, including non-members of the Council of Europe such as Canada, Japan, South Africa and the US.184 At the time of writing, only two EU Member States had not yet ratified the Convention, Sweden and Ireland, while Greece ratified it in 2017. The European Union has repeatedly recognised the importance of this international instrument, encouraging all Member States and third countries which have not ratified the Convention to do so.185

177 Bruce Schneier, ‘Regulation of the Internet of Things’ (Schneier on Security, 10 November 2016) <https://www.schneier.com/blog/archives/2016/11/regulation_of_t.html> accessed 22 May 2018.
178 Vivek Wadhwa, ‘Laws and Ethics Can't Keep Pace with Technology’ (MIT Technology Review, 15 April 2014) <https://www.technologyreview.com/s/526401/laws-and-ethics-cant-keep-pace-with-technology/> accessed 13 June 2018.
179 Laviero Buono, ‘Gearing up the fight against Cybercrime in the European Union: a new set of rules and the establishment of the European Cybercrime Centre (EC3)’ (2012) New Journal of European Criminal Law, Vol. 3 <https://www.europol.europa.eu/sites/default/files/documents/njecl-2012-buono.pdf> accessed 20 June 2018.
180 Stein Schjolberg, ‘The History of Global Harmonization on Cybercrime Legislation – The Road to Geneva’ (2008) Cybercrime Law <http://www.cybercrimelaw.net/documents/cybercrime_history.pdf> accessed 20 May 2018.
181 Convention on Cybercrime, ETS No. 185, hereinafter Budapest Convention. See <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185>.
Thus, the Convention was the first step towards a ‘common criminal policy’ against computer-related crime, by aligning national legislation, increasing law enforcement capabilities and supporting international cooperation.186 To this end, the Convention sets out nine offences grouped in four categories:187
Offences against the confidentiality, integrity and availability of computer data and systems: illegal access, illegal interception, data interference, system interference and misuse of devices;
Computer-related offences: computer-related forgery and computer-related fraud;
Content-related offences: offences related to child pornography;
Offences related to infringements of copyright and related rights.
182 Amalie M. Weber, ‘The Council of Europe's Convention on Cybercrime’ (2003) Berkeley Technology Law Journal, Volume 18 <https://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1416&context=btlj> accessed 19 May 2018.
183 Article 36 of the Budapest Convention.
184 Budapest Convention, signatures and ratifications, see <https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=2BXHZHFQ> accessed 12 August 2018.
185 Communication from the Commission to the European Parliament, the Council and the Committee of the Regions – Towards a general policy on the fight against cyber crime, COM(2007) 267 final, Brussels 2007.
186 Kristin Archick, ‘Cybercrime: The Council of Europe Convention’ (2002) CRS Report for Congress, Congressional Research Service, The Library of Congress <https://digital.library.unt.edu/ark%3A/67531/metacrs2394/> accessed 10 June 2018.
187 Explanatory Report to the Budapest Convention.
The Budapest Convention grants its signatories ‘great latitude with respect to the legislative approach’.188 In other words, by defining the criminal offences listed above, the Convention helps the participating states to adopt the laws and procedures needed to fight cybercrime more effectively.189 The Convention also introduces procedural provisions which require the states to ‘establish domestic procedures for detecting, investigating, and prosecuting computer crimes, and collecting electronic evidence of any criminal offense’.190 Such measures include the expedited preservation of stored computer data and traffic data, the search and seizure of stored computer data, and the real-time collection or interception of computer data.191 Furthermore, the Convention lays down principles for adequate and swift international cooperation, including conditions for extradition and mutual assistance between the Parties. Under these principles, a law enforcement agency in one country can collect computer data evidence from another country,192 or may receive such data without a prior request.193 To make such cross-border cooperation and assistance possible, Article 35 requires the Parties to set up a ‘24/7 Network’ by designating ‘a point of contact available on a twenty-four hour, seven-day-a-week basis’.194
Moreover, the Convention ‘uses technology-neutral language so that the substantive criminal law offences may be applied to both current and future technologies involved’.195 This instrument is therefore capable of adapting to new forms of criminal activity, including botnets and DDoS attacks. Nevertheless, some authors argue that the Convention does not cover all forms of cybercrime, such as identity theft, sexual ‘grooming’, spam or cyberterrorism.196 The focus of this thesis, however, is on DDoS attacks launched by IoT botnets against critical infrastructure, that is, on offences against the confidentiality, integrity and availability of computer data and systems, which are covered by Title 1 of the Convention.197

188 Nicole van der Meulen, Eun A. Jo and Stefan Soesanto, ‘Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses’ (2015) European Parliament, p. 52 <http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536470/IPOL_STU(2015)536470_EN.pdf> accessed 10 May 2018.
189 Ibid.
190 Archick (n 186).
191 Articles 16-21 of the Budapest Convention.
192 Archick (n 186).
193 van der Meulen et al. (n 188).
194 Article 35 of the Budapest Convention.
195 Explanatory Report to the Budapest Convention.
196 Jonathan Clough, ‘A World of Difference: The Budapest Convention on Cybercrime and the Challenges of Harmonisation’ (2014) 40 Monash University Law Review 698 <https://www.monash.edu/__data/assets/pdf_file/0019/232525/clough.pdf> accessed 11 June 2018.
As presented in the previous chapter, a DDoS attack is launched from a multitude of unprotected IoT devices in order to make a computer system unavailable to its users, by overloading the target computer or network with requests and thus denying users access. Because launching a successful DDoS attack involves several distinct steps, the Cybercrime Convention Committee (T-CY) has issued Guidance Notes to facilitate the use and implementation of the Convention in this respect.198 DDoS attacks launched by IoT botnets against critical infrastructure can therefore be criminalised under the following articles of the Budapest Convention:199
Article 2 – Illegal access: as shown in Chapter 2, building an IoT botnet requires the attacker to exploit vulnerabilities in the devices in order to plant malware; the botnet can afterwards be used to infect and illegally access further IoT devices;200
Article 4 – Data interference: when creating a botnet, data on an infected device is damaged, deleted, deteriorated, altered or suppressed, since the attacker installs malware and sends attack instructions to the ‘enslaved’ IoT devices. Moreover, data on the targeted critical infrastructure information systems may also be affected;201
Article 5 – System interference: the very aim of any DDoS attack is to seriously hinder the functioning of a computer system belonging to a critical infrastructure;
Article 6 – Misuse of devices: this article covers botnets as such, because they are created to commit the offences mentioned above, and any software used to create them. It prohibits the production, sale, procurement for use, import, distribution or otherwise making available, as well as the possession, of botnets or of programs used for their creation or operation;202
Article 13 – Sanctions: DDoS attacks can have serious consequences for individuals and public sector institutions, especially when they target critical infrastructure such as banking, airports or hospitals. Governments should treat such attacks as serious when they cause serious harm; Article 13 of the Convention therefore requires the Parties to ensure that such offences ‘are punishable by effective, proportionate and dissuasive sanctions, which include deprivation of liberty’.203 Under the same article, the Parties may consider aggravating circumstances, for example when a botnet affects a large number of IoT devices or when DDoS attacks cause ‘considerable damage, including deaths or physical injuries, or damage to critical infrastructure’.204

197 Article 2 of the Budapest Convention provides: Illegal access is
…the access to the whole or any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computer system that is connected to another computer system.
Article 4 – Data interference:
…the damaging, deletion, deterioration, alteration or suppression of computer data without right. A Party may reserve the right to require that the conduct described in paragraph 1 result in serious harm.
Article 5 – System interference:
…the serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.
Article 6 – Misuse of devices:
…the production, sale, procurement for use, import, distribution or otherwise making available of:
i. a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;
ii. a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5;
and the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.
198 Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)10E Rev.
199 Ibid.
200 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
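The offences mapped above rest on what a flood actually looks like on the wire: many compromised devices each sending a modest number of requests, which in aggregate exceed what the target can serve and which cannot be stopped by blocking a single address. The following Python script is an added illustration, not code from the thesis or from any source it cites; the addresses, the 10 requests-per-second service capacity and the traffic volumes are constructed assumptions. It groups flow records by target and reports whether the load looks normal, like one noisy client, or like a distributed flood, and how many sources a per-IP block list would have to drop to bring the service back under capacity.

```python
"""Added example: telling a distributed flood apart from a single noisy client.

Groups constructed flow records per target service and reports whether the
load is normal, a single-source flood, or a botnet-style distributed flood,
plus how many sources a per-IP block list would have to drop. All addresses,
thresholds and volumes are illustrative assumptions, not data from the thesis.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since the start of the observation window
    src: str    # client address
    dst: str    # service address
    dport: int  # service port


def request_rate(flows, window_s):
    """Requests per second over the observation window."""
    return len(flows) / window_s


def sources_to_block(flows, window_s, capacity_rps):
    """Smallest number of top-talking sources whose removal brings the rate
    under the service's capacity. A large number means per-IP blocking is
    hopeless, which is the point of spreading an attack over many devices."""
    per_src = Counter(f.src for f in flows)
    remaining = len(flows)
    blocked = 0
    for _, n in per_src.most_common():
        if remaining / window_s <= capacity_rps:
            break
        remaining -= n
        blocked += 1
    return blocked


def classify(flows, window_s, capacity_rps, dominance=0.5):
    """Return (verdict, distinct_sources, top_source_share).

    'normal' when the rate is within capacity; 'single-source flood' when one
    client accounts for at least `dominance` of the requests; 'distributed
    flood' otherwise (many sources, none dominant: the IoT-botnet pattern).
    """
    if not flows:
        return "normal", 0, 0.0
    per_src = Counter(f.src for f in flows)
    top_share = per_src.most_common(1)[0][1] / len(flows)
    if request_rate(flows, window_s) <= capacity_rps:
        return "normal", len(per_src), top_share
    if top_share >= dominance:
        return "single-source flood", len(per_src), top_share
    return "distributed flood", len(per_src), top_share


def by_destination(flows):
    """Group flows by (service address, port)."""
    groups = {}
    for f in flows:
        groups.setdefault((f.dst, f.dport), []).append(f)
    return groups


# Constructed sample traffic: 10 s window, assumed service capacity 10 req/s.
WINDOW_S = 10.0
CAPACITY_RPS = 10.0


def sample_flows():
    flows = []
    for dst in ("ticketing.example", "portal.example", "grid-ops.example"):
        # baseline: 20 legitimate clients, one request each
        for i in range(20):
            flows.append(Flow(i * 0.5, f"203.0.113.{i + 1}", dst, 443))
    # portal.example: one client hammering 200 requests (classic single-source DoS)
    for j in range(200):
        flows.append(Flow(j * 0.05, "198.51.100.7", "portal.example", 443))
    # grid-ops.example: 150 compromised devices, two requests each (distributed)
    for k in range(150):
        for r in range(2):
            flows.append(Flow(k * 0.03 + r * 5.0, f"192.0.2.{k + 1}", "grid-ops.example", 443))
    return flows


def report(flows, window_s=WINDOW_S, capacity_rps=CAPACITY_RPS):
    """Map (dst, port) -> verdict, rate, source count and blocks needed."""
    out = {}
    for key, group in by_destination(flows).items():
        verdict, distinct, top_share = classify(group, window_s, capacity_rps)
        out[key] = {
            "verdict": verdict,
            "rate_rps": request_rate(group, window_s),
            "distinct_sources": distinct,
            "top_source_share": round(top_share, 2),
            "sources_to_block": sources_to_block(group, window_s, capacity_rps),
        }
    return out


if __name__ == "__main__":
    for (dst, port), r in report(sample_flows()).items():
        print(f"{dst}:{port} {r['verdict']:<22} {r['rate_rps']:5.1f} req/s "
              f"{r['distinct_sources']:4d} sources top={r['top_source_share']:.2f} "
              f"block={r['sources_to_block']}")
```

Run stand-alone, the per-IP figure makes the legal point concrete: one block suffices against the single noisy client, whereas the 150-device flood needs 110 addresses blocked before the service is back under capacity. That asymmetry is why defenders are pushed towards upstream filtering, and why the Convention's aggravating circumstance for botnets affecting a large number of devices matters in practice.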
3.2.2 The European Union
To prevent such attacks, which know no geographical borders, the EU Member States need to implement new instruments that can ensure mutual legal assistance.205 In the early 2000s the European Union already comprised 15 countries, but it had refrained from putting forward its own solutions to cybercrime. In January 2001, however, the Commission issued a Communication to the Council and the European Parliament on ‘creating a safer information society by improving the security of information infrastructures and combating computer-related crime’.206 In this first ‘soft law’ instrument aimed specifically at cybercrime,207 the EU acknowledged the existence of vulnerabilities in information infrastructures that could lead to criminal activity, including denial-of-service attacks. Moreover, the Commission indicated that an approximation of laws and sanctions across the Member States was needed for an effective fight against cybercrime, and noted the demand for complementing the EU legal framework with substantive criminal law on computer-related crime.208
In 2002, after waiting for the CoE negotiations to end, the Commission proposed a Framework Decision on Attacks against Information Systems, with the aim of harmonising the Member States' criminal legislation on cybercrime, improving cooperation between judicial and other competent authorities (the police and other LEAs)209 and closing the significant regulatory gaps in this field.210 The Framework Decision entered into force in 2005 and closely followed the Budapest Convention, but its scope was narrower.211 For example, it applied only to the EU Member States and did not touch any of the rules on investigative measures.212 Nevertheless, with this Framework Decision the EU complemented the work of the CoE by supporting a common legal approach throughout the EU.213 Unfortunately, the Framework Decision did not take into consideration botnets or large-scale attacks against critical infrastructure. Only in 2007 did the EU turn its attention to such issues, right after the Estonian cyber attacks of that year.214 These attacks made clear that without an effective fight against cybercrime, including adequate protection of critical infrastructure, the Member States could not avoid the disruptions caused by cyber attacks, including DDoS. Fighting cybercrime thus became a top priority on the EU security agenda.215 Moreover, because cybercrime came to be treated as a serious crime,216 in 2009 it was included in Article 83(1) of the Treaty on the Functioning of the European Union (TFEU)217 in the same category of ‘serious crimes with a cross-border dimension’ as terrorism, trafficking in human beings, sexual exploitation, organised crime, corruption and illicit arms trafficking, among others.218 Furthermore, in 2010 the European Commission built on this provision in its Internal Security Strategy in Action, one of whose five main objectives was to ‘raise levels of security for citizens and businesses in cyberspace’.219 Finally, the culmination of these legal and policy initiatives was the establishment of the European Cybercrime Centre (EC3) in 2012.220

201 Cybercrime Convention Committee, T-CY Guidance Note #6 Critical information infrastructure attacks, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)11E Rev.
202 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
203 Article 13 of the Budapest Convention.
204 Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)10E Rev.
205 Laviero Buono, ‘Fighting cybercrime between legal challenges and practical difficulties: EU and national approaches’ (2016) ERA Forum (Academy of European Law) <https://link.springer.com/article/10.1007/s12027-016-0432-5> accessed 10 July 2018.
206 Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions: Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-Related Crime, COM(2000) 890 final, Brussels 2001.
207 Buono (n 205).
208 COM(2000) 890 (n 206).
209 Erik Wennerström, ‘EU-legislation and Cybercrime: A Decade of European Legal Developments’ (2010) Stockholm Institute for Scandinavian Law <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2733634> accessed 11 December 2017.
210 Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems [2005] OJ L69/67.
211 Wennerström (n 209).
212 Hans Graux, ‘New Directive on Attacks against Information Systems’ (time.lex, 16 October 2013) <http://timelex.eu/en/blog/detail/new-directive-on-attacks-against-information-systems> accessed 30 June 2018.
213 Schjolberg (n 180).
214 In 2007, Estonia decided to remove a Soviet-era memorial, and soon street riots broke out in the centre of Tallinn. The decision met enormous opposition from the Russian Government and from many Russian and international media. The memorial was a life-size bronze statue of a soldier. The statue was a place for commemorating Soviet-era losses, but it soon became a gathering point for national extremists who were provocative and hostile towards Estonia. The riots moved from the offline world into cyberspace, where unidentified attackers ‘took down’ various web pages of Estonian government institutions and private-sector businesses, in attacks that lasted until the end of May 2007. The first phase of the attack was relatively an ‘emotional response’ to the situation, because the attackers were launching coordinated ping commands against the targets. The Estonian authorities quickly and easily mitigated these attacks. In the second phase, however, more sophisticated attacks affected the Estonian information infrastructure: the attackers launched sophisticated and coordinated DDoS attacks using a huge botnet, making banking and government services unavailable. For additional information about this case see Enek T., Kadri K., Liss V., ‘International Cyber Incidents: Legal Considerations’ (2010) Cooperative Cyber Defence Centre of Excellence (CCDCOE) <https://ccdcoe.org/publications/books/legalconsiderations.pdf> accessed 22 August 2017.
215 Laviero Buono, ‘The Key Features of the EU Cybercrime Directive 2013: The newly adopted European framework for legislative measures on attacks against information systems’ (2013) Computer Law Review International <https://www.researchgate.net/publication/314498695_The_Key_Features_of_the_EU_Cybercrime_Directive_2013_The_newly_adopted_European_framework_for_legislative_measures_on_attacks_against_information_systems> accessed 17 May 2018.
216 Ibid.
217 Consolidated version of the Treaty on European Union and the Treaty on the Functioning of the European Union, [2010] OJ C 83/1.
218 Buono (n 215).
219 COM (2010) 0673, Communication from the Commission to the European Parliament and the Council, The EU Internal Security Strategy in Action: Five Steps towards a more secure Europe.
220 Buono (n 215). The European Cybercrime Centre (EC3) is established within Europol in The Hague and represents the European Union’s focal point in the fight against cybercrime. The EC3 focuses on major categories of cybercrime, such as online fraud, online child sexual abuse and cyber-attacks affecting critical infrastructure and information systems in the EU. For more details, see Buono (n 179).
3.2.2.1 The ‘Botnet’ Directive
Finally, even if for the past fifteen years the EU legislator has made significant steps towards an adequate legal framework to address the challenges posed by cybercrime,221 it was in July 2013 that, for a better response to these emerging cyber threats against information systems, the European Union adopted the Directive on attacks against information systems (hereinafter the Botnet Directive) and replaced the previous Council Framework Decision.222 The primary purpose of this Directive was to harmonise the criminal law in the EU in respect of cyber attacks, by establishing minimum rules on how to define the criminal offences and how to set relevant sanctions, to improve cooperation between the primary stakeholders, including LEAs, the police and other EU bodies and agencies, and to create an effective prevention mechanism.223

Various elements of the Framework Decision were kept in the Botnet Directive by the legislator without any significant additions. In other words, the primary definitions of the cybercrimes included in the Framework Decision (illegal access to information systems, illegal system interference and illegal data interference),224 the rules on jurisdiction, the liability of legal persons and the exchange of information through the 24 hours/7 days network are maintained in the Directive. Moreover, the Directive follows the Budapest Convention as ‘the main legal framework of reference for combating cybercrime’ and builds on this legal instrument.225 For this reason, the Directive criminalises the illegal interception of computer data and outlaws the tools used for committing such offences.226 These elements are new in the EU legal framework, but most Member States had already implemented such provisions from the Convention in their national frameworks.227
221 Buono (n 215).
222 Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA [2013] OJ L218/8, hereinafter Botnet Directive.
223 Recitals 1 and 2 of the Botnet Directive.
224 No longer in force: Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems [2005] OJ L 69/67.
225 Recital 15 of the Botnet Directive.
226 European Commission Memo, ‘Questions and Answers: Directive on attacks against information systems’ (European Commission Press Release Database, 4 July 2013) <http://europa.eu/rapid/press-release_MEMO-13-661_en.htm> accessed 30 June 2018.
227 Hans Graux, ‘New Directive on Attacks against Information Systems’ (time.lex, 16 October 2013) <http://timelex.eu/en/blog/detail/new-directive-on-attacks-against-information-systems> accessed 30 June 2018.
Important as well, some parts of the Botnet Directive are entirely new. The Directive takes into consideration new methods and tools for committing cybercrimes,228 like the creation and use of botnets to launch a ‘large-scale cyber attack’.229 Furthermore, the Directive introduces aggravating circumstances and more severe penalties where:

‘A cyber attack is conducted on a large scale, affecting a significant number of information systems, including where it is intended to create a botnet, or where a cyber attack causes serious damage, including where it is carried out through a botnet. It is also appropriate to provide for more severe penalties where an attack is conducted against a critical infrastructure of the Member States or of the Union.’230

On the negative side, there are some challenges for the Member States in implementing these new elements of the Directive. For example, it is questionable how the Member States will categorise a cyber attack as a large-scale attack, or how they will understand what a ‘significant number of information systems’ and ‘serious damage’ are in attacks against critical infrastructure.231 However, the explanatory memorandum of the proposal mentions that large-scale attacks could be launched either by using various tools that affect a significant number of computers, or in such a way that the attacks produce extensive losses in respect of personal data, financial costs or disrupted computers. The same document acknowledges that it is difficult to indicate what a ‘big botnet’ is in terms of size, but up to 2010, when the proposal was drafted, the biggest botnet comprised between 40,000 and 100,000 infected devices over 24 hours.232 However, as noted in the previous chapter, the latest major IoT botnet, ‘Mirai’, infected and controlled more than 400,000 compromised devices.233 In the coming years, jurisprudence and more research on these points should offer some real guidance in this respect.234
228 Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA, COM (2010) 517 final, 2010/0263 (COD), hereafter Proposal for Botnet Directive.
229 Recital 5 of the Botnet Directive.
230 Recital 13 of the Botnet Directive.
231 Article 9 of the Botnet Directive.
232 Proposal for Botnet Directive.
233 Catalin Cimpanu, ‘You can now rent a Mirai Botnet of 400,000 bots’ (BLEEPINGCOMPUTER, 24 November 2016) <https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/> accessed 1 May 2018.
234 Hans Graux, ‘New Directive on Attacks against Information Systems’ (time.lex, 16 October 2013) <http://timelex.eu/en/blog/detail/new-directive-on-attacks-against-information-systems> accessed 30 June 2018.
On the positive side, the Directive aims to enhance the cooperation and the efforts of the Member States in the fight against large-scale cyber attacks, which could be a potential threat to society, and it provides the States with new legal ‘weapons’ to stand against this phenomenon.

In conclusion, the Botnet Directive takes into account large-scale attacks against the critical infrastructures of a country, attacks that could create significant disruption and destruction. The increasing number of such attacks is linked with the development of new sophisticated tools for committing cybercrimes, such as the creation and use of ‘botnets’. In the next paragraph the author will further analyse how the creation of an IoT botnet and the subsequent launching of a DDoS attack against a critical infrastructure covers various stages of a criminal act, where each act alone could be a threat, and how the Botnet Directive criminalises these acts.235
3.2.2.1.1 The Attack Chain of a DDoS attack
As shown in the previous chapter, there are four essential phases that take place while assembling a successful DDoS attack.236 Expanding on these phases, the ‘intrusion kill chain’ proposed in the Lockheed Martin paper237 is used to describe a process for cyber intrusions, where ‘an adversary engages a specific target to further malicious intent’.238 The kill chain steps are depicted in fig. 4,239 and the methodology is also shared by ENISA, in the Threat Landscape Report for 2018, and by other experts.240 However, according to
235 Recital 5 of the Botnet Directive.
236 Mirkovic et al. (n 21).
237 Eric M. Hutchins et al., ‘Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains’ (2011) Proceedings of the 6th International Conference on Information Warfare and Security, Washington D.C. <https://lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf> accessed 19 July 2018.
238 Bryan Harris, Eli Konikoff, Phillip Peterson, ‘Breaking the DDoS Attack Chain’ (2013) Institute for Software Research, Carnegie Mellon University <https://www.cmu.edu/mits/files/breaking-the-ddos-attack-chain.pdf> accessed 18 July 2018.
239 ENISA, Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends, January 2018 <https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017/at_download/fullReport> accessed 4 July 2018.
Figure 4 – The attack chain of a DDoS attack
the author of this thesis, a complete legal analysis of a DDoS attack launched by an IoT botnet can be based upon five main steps, as follows: reconnaissance, delivery (getting access), compromising and control, action on objectives, and weaponisation.
3.2.2.1.1.1 Step 1 - Reconnaissance
The main characteristic of a DDoS attack is its distributed aspect, which requires access to and control over a large number of devices.241 Therefore, an attacker will have to build an IoT botnet, starting by scanning for vulnerable or poorly secured IoT devices. At this step, the attacker uses various ways to scan random public IP addresses for the future botnet victims. Sometimes the scanning phase is done directly by the bots, as in the Mirai botnet, or the attacker uses a special search engine (Shodan or Censys)242 to find potentially vulnerable IoT devices.243 However, because these activities are deployed all over the public Internet, it could be technically difficult for the owner of an IoT device to detect or even limit such actions.244 Moreover, these actions are legal, because the attacker is gathering information from an open source and this search is often seen as legitimate ‘web-based research’.245 Therefore, the Botnet Directive does not criminalise this very first process, and unfortunately there is little the victim can do.
3.2.2.1.1.2 Step 2 – Delivery/Getting access
In general, most IoT devices leave the factory with their telnet246 and web interfaces protected only by default passwords, to allow the buyers to access their devices.
240 Irving Lachow, ‘Active Cyber Defense: A Framework for Policymakers’ (2013) Center for a New American Security <https://www.cnas.org/publications/reports/active-cyber-defense-a-framework-for-policymakers> accessed 15 July 2018.
241 Harris et al. (n 238).
242 If Google allows a person to search online for specific data in large amounts, Shodan works the same way but for the Internet of Things. The search engine helps the person search for specific types of IoT devices, like webcams, routers and servers, with an active connection to the Internet. The search results contain information about the device, such as its IP address, information about its software, what options the service supports and sometimes the default username and password. See also <https://www.shodan.io> accessed 5 July 2018.
243 Kishore Angrishi, ‘Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT Botnets’ (2017) arXiv <https://arxiv.org/pdf/1702.03681.pdf> accessed 18 December 2017.
244 Agnes Kasper, ‘Legal Aspects of CyberSecurity in Emerging Technologies: Smart Grids and Big Data, European Answers to Security Breaches and “Common” Cyber crime’ in T. Kerikmae (ed.), Regulating eTechnologies in the European Union (Springer, 2014), p. 202.
245 Lachow (n 240).
246 If the IP (Internet Protocol) makes it possible to connect all computer systems, the TELNET protocol makes it possible to use them. This protocol offers the user the possibility to connect and log on from his computer to any other host that is online in the user’s network; in other words, it gives the user a remote log-on capability.
Unfortunately, users forget to change the passwords and ‘leave the door and the windows open’ for IoT malware.247 Even if there are many possibilities to compromise the security of an IoT device, the author of this thesis will focus on brute-force password guessing attacks. It seems that, until now, this method has been the most effective for getting access to a large number of IoT devices.248 Compromising a device in this uncomplicated way is very simple and does not require much knowledge. The hacker or the botnet itself tries to guess a valid combination of username, password or any other protective measure.249 Even if the system is fully patched, a weak password is usually identified as its ‘Achilles heel’.250 Moreover, a weak password is the first point of access for attackers.251

On top of that, an attacker, or the bot itself, after scanning for compromised IoT devices, could also find details regarding the default password of a smart ‘thing’, as in fig. 5, even without a brute-force attack.252 Likewise, the attackers could easily obtain valuable information
See more in T. Harjunen, A. Sarkka, ‘Classic TCP/IP applications: TELNET, FTP, SMTP, NNTP and SNMP’ (1998) <https://www.netlab.tkk.fi/opetus/s38130/s98/tcpapp/TCP_appl.pdf> accessed 10 July 2018.
247 Al-Alami, Haneen & Hadi, Ali & Al-Bahadili, H., ‘Vulnerability Scanning of IoT Devices in Jordan Using Shodan’ (2017) Information Technology Renewable Energy Processes and Systems (IT-DREPS), University of Petra <https://www.researchgate.net/publication/321588682_Vulnerability_Scanning_of_IoT_Devices_in_Jordan_using_Shodan> accessed 10 July 2018.
248 A brute-force password guessing attack is an automated way of gathering user credentials (such as username, password, PIN, etc.). In other words, computational power is used to crack a password and to guess the username. Such programs try all the possible combinations for an account in order to unlock it. Research from 2012 showed that any eight-character Windows password could be cracked in less than six hours. See also Dan Goodin, ‘25-GPU cluster cracks every standard Windows password in <6 hours’ (arsTECHNICA, 12 October 2012) <https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/> accessed 9 July 2018. There are various types of brute-force attacks, like hybrid (dictionary attack), reverse or credential stuffing. In building the Mirai botnet, the attackers used the so-called ‘dictionary attack’, which is sometimes faster than a plain brute-force attack. This attack involves using a common list of usernames and passwords to gain access to a particular device or network. The dictionary attack tries to match the most commonly occurring passwords with the most frequent usernames, like admin, root, 888888, admin1234, (none), 111111, 1234, 12345, 54321, 123456, user, 0, system, pass, 1111. See also Aimee O’Driscoll, ‘What a brute force attack is (with examples) and how you can protect against one’ (comparitech, 9 May 2018) <https://www.comparitech.com/blog/information-security/brute-force-attack/#gref> accessed 9 July 2018 and M. Raza, M. Iqbal, M. Sharif and W. Haider, ‘A Survey of Password Attacks and Comparative Analysis on Methods for Secure Authentication’ (2012) Comsats Institute of Information Technology <https://www.researchgate.net/profile/Mudassar_Raza2/> accessed 10 July 2018.
249 Bryan Sullivan, ‘Preventing a Brute Force or Dictionary Attack: How to Keep the Brutes Away from Your Loot’ (2007) SPI Dynamics <https://www.researchgate.net/publication/2> accessed 8 July 2018.
250 Jim Owens, Jeanna Matthews, ‘A Study of Passwords and Methods Used in Brute-Force SSH Attacks’ (2008) Clarkson University <http://people.clarkson.edu/~owensjp/pubs/leet08.pdf> accessed 5 July 2018.
251 Angrishi (n 243).
252 After one legitimate search on Shodan.io, the author was able to identify 68,519 IoT devices using a default username and password, like the example provided. These results could be accessed by hackers, in order to take control over the devices, or by researchers. See also <https://www.shodan.io/search?query=default+password> accessed 5 July 2017.
about default passwords and open ports of such products from their product manuals, which are often available online.253 After finding the correct credentials, the bot will log on to the newly found vulnerable IoT device and download the malware, as we will see in the next paragraph.254
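The delivery step described above leaves a characteristic trace on the device side: a burst of failed telnet logins from one source, cycling through the factory-default usernames listed in footnote 248, often followed by a success. The following is an added example, not code from the thesis or from any of the cited sources, showing how an operator could detect that pattern in a device's authentication log. The log line format, the `telnetd` message wording, the thresholds `WINDOW` and `FAIL_THRESHOLD`, and all sample lines and addresses are constructed assumptions for illustration; the default-credential list is the one quoted on this page and is used only to tag attempts and to audit the device's own configuration.

```python
"""Detect telnet dictionary/brute-force login bursts in device auth logs.

Added example (not part of the thesis). The syslog-style line format,
thresholds and sample lines are constructed assumptions; adapt LOG_RE to
the real format of the device being monitored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Factory-default credentials cited in the thesis (footnote 248) that a
# dictionary attack cycles through. Used to tag attempts and to audit
# a device's own configuration, never to attempt logins.
DEFAULT_USERNAMES = {"admin", "root", "user", "system"}
DEFAULT_PASSWORDS = {"admin1234", "888888", "111111", "1234", "12345",
                     "54321", "123456", "0", "pass", "1111", ""}

# Assumed log format: "<ISO timestamp> telnetd[pid]: login failed|succeeded
# for user '<name>' from <ipv4>". Unrelated lines are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

WINDOW = timedelta(seconds=60)   # assumption: sliding window length
FAIL_THRESHOLD = 5               # assumption: failures per source per window


def parse_line(line):
    """Return a dict for a telnetd login line, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines):
    """Map source IP -> report for sources with >= FAIL_THRESHOLD failed
    logins inside any WINDOW. A success after the burst is the signal that
    the guessing worked and the device should be treated as compromised."""
    events_by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events_by_src[ev["src"]].append(ev)

    reports = {}
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "failed"]
        # Largest number of failures starting at any single failure and
        # falling within WINDOW of it (sliding window over sorted times).
        burst = 0
        for i, first in enumerate(fails):
            j = i
            while j < len(fails) and fails[j]["ts"] - first["ts"] <= WINDOW:
                j += 1
            burst = max(burst, j - i)
        if burst < FAIL_THRESHOLD:
            continue
        users = {e["user"] for e in fails}
        last_fail = fails[-1]["ts"]
        success_after = any(e["result"] == "succeeded" and e["ts"] >= last_fail
                            for e in events)
        reports[src] = {
            "failures": len(fails),
            "max_failures_in_window": burst,
            "distinct_users": len(users),
            "default_users_tried": sorted(users & DEFAULT_USERNAMES),
            "success_after_burst": success_after,
        }
    return reports


def uses_default_credentials(username, password):
    """Configuration audit: True if the device still runs on a factory pair."""
    return username in DEFAULT_USERNAMES and password in DEFAULT_PASSWORDS


# Constructed sample log: one guessing burst from 203.0.113.5 that ends in
# a successful login, one legitimate user who mistyped once, one noise line.
SAMPLE_LOG = [
    "2018-07-09T10:00:01Z telnetd[412]: login failed for user 'admin' from 203.0.113.5",
    "2018-07-09T10:00:03Z telnetd[412]: login failed for user 'admin' from 203.0.113.5",
    "2018-07-09T10:00:05Z telnetd[413]: login failed for user 'root' from 203.0.113.5",
    "2018-07-09T10:00:07Z telnetd[413]: login failed for user 'root' from 203.0.113.5",
    "2018-07-09T10:00:09Z telnetd[414]: login failed for user 'root' from 203.0.113.5",
    "2018-07-09T10:00:11Z telnetd[414]: login failed for user 'admin' from 203.0.113.5",
    "2018-07-09T10:00:13Z telnetd[415]: login succeeded for user 'admin' from 203.0.113.5",
    "2018-07-09T10:05:00Z telnetd[420]: login failed for user 'owner' from 192.0.2.10",
    "2018-07-09T10:05:09Z telnetd[420]: login succeeded for user 'owner' from 192.0.2.10",
    "2018-07-09T10:06:00Z kernel: eth0 link up",
]

if __name__ == "__main__":
    for src, report in detect_bruteforce(SAMPLE_LOG).items():
        print(src, report)
    print("default creds in use:", uses_default_credentials("admin", "admin1234"))
```

Only the guessing source is reported; the legitimate user's single typo stays below the threshold. The `success_after_burst` flag is what turns a noisy alert into an incident, and `uses_default_credentials` is the cheap preventive check that removes the whole attack class for a device.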
Compromising an IoT device in this second step, by finding a way to access it and then to control it, is covered by Article 3 of the Botnet Directive (illegal access to information systems). In other words, Article 3 of the Botnet Directive stipulates that illegal access to information systems is punishable by at least two years of imprisonment and is considered a criminal offence where committed by infringing a security measure.255 The question that arises now is whether an IoT device is seen as an information or computer system as defined by Article 2 of the Directive:

‘A device or group of inter-connected or related devices, one or more of which, pursuant to a programme, automatically processes computer data, as well as computer data stored, processed, retrieved or transmitted by that device or group of devices for the purposes of its or their operation, use, protection and maintenance.’256

According to the CoE’s guidance note on the notion of ‘computer system’, corroborated by the explanatory report of the Budapest Convention, it is clear that an ‘information system’ should include any device which processes data automatically and
253 Al-Alami et al. (n 247).
254 The bot sends the default credentials, along with other device features including the IP address, to the reporting server. Next, the botmaster delivers an infection command to the loader containing all the details of the victim. The loaders are used for the dissemination of executables targeting various platforms and communicate directly with the victims. In other words, a loader is the means used to log on to the vulnerable IoT device. The attackers use the loaders to log on to the newly found vulnerable IoT devices and instruct them on how to download and install the malware. The communication between the IoT malware and the devices is established through the telnet connection. See also Angrishi (n 243).
255 Articles 3 and 9 of the Botnet Directive.
256 Article 2(a) of the Botnet Directive.
Figure 5 – Default Password Results from Shodan.io
consists of two essential parts: hardware and software.257 The author agrees that this definition also includes all IoT devices because, as shown in the previous chapter, for such a device to work it is crucial to have the capability of sending and receiving data.

Moreover, going back to Article 3 of the Botnet Directive, it states that the intrusion into the whole or just a part of an information system must be committed intentionally and without right, regardless of the communication method used.258 The legislator does not define what ‘access’ is. However, considering the explanatory report of the Budapest Convention, it could be seen as ‘entering of another computer system, where it is connected via a public telecommunication network, or to a computer system on the same network, such as a LAN (local area network) or Intranet within an organisation’.259 Equally important, ‘intentionally’ means that the attacker gained illegal access with criminal intent; therefore, the Directive is not applicable when the above-mentioned objective criteria are met but the person acted without any bad intent. The legislator implemented this requirement because it is easier for a person to accidentally access a restricted area on a computer network than to access a restricted area of a building without the intent of trespassing.260

In the same way, the Directive takes into consideration as the threshold for criminalisation261 whether the access was ‘without right’, which is defined by the legislator as ‘access… not authorised by the owner or by another right holder of the system or of part of it, or not permitted under national law’.262 This prerequisite was introduced because the legislator wanted to exclude from criminal liability any person who has a mandate from the owner of an information system to test the strength of the security of such systems.263 It is only natural that such experts have to simulate DDoS attacks on computer systems by using the same tools as cybercriminals. Therefore, this provision does not
257 Cybercrime Convention Committee, T-CY Guidance Note #1 On the notion of “computer system”, adopted by the 8th Plenary of the T-CY (5 December 2012), T-CY (2012) 21.
258 Kasper (n 244).
259 Explanatory Report of the Budapest Convention.
260 Paul De Hert et al., ‘Fighting cybercrime in the two Europes. The added value of the EU framework decision and the Council of Europe Convention’ (2006) Revue internationale de droit pénal <https://www.researchgate.net/publication/251058766_Fighting_cybercrime_in_the_two_Europes_The_added_value_of_the_EU_framework_decision_and_the_Council_of_Europe_convention> accessed 27 June 2018.
261 Paul De Hert et al. (n 260).
262 Article 2(d) of the Botnet Directive.
263 Recital 17 of the Botnet Directive.
cover access by authorised users, and the attacker needs to have a malicious intention to gain illegal access.264

Also, Article 3 excludes all offences of illegal access to an information system which are minor cases. Recital 11 of the Directive provides some guidance for the Member States on when a case could be considered minor:

‘A case may be considered minor, for example, where the damage caused by the offence and/or the risk to public or private interests, such as to the integrity of a computer system or to computer data, or to the integrity, rights or other interests of a person, is insignificant or is of such a nature that the imposition of a criminal penalty within the legal threshold or the imposition of criminal liability is not necessary.’265

Finally, a person is punishable for illegal access to a computer only if that person has infringed the security measures of the device. Unfortunately, the Directive does not define what ‘security measures’ means, even though this qualifying element constitutes an essential prerequisite for criminalising such behaviour.266 It is questionable whether some active defence techniques, which are not per se considered security measures but are used to prevent and detect the reconnaissance phase of a DDoS attack,267 are seen as security measures within the meaning of Article 3.268

In conclusion, in creating a botnet the attacker will always need illegal access to computer systems.269 Therefore, at this step, the behaviour of the attacker when compromising an IoT device is considered unlawful under Article 3 of the Botnet Directive and punishable with imprisonment of at least two years.270 In doing so, the attacker has the intention to pass the security measure, which in this case is the password of the IoT device, and access is obtained without right. Therefore, all the elements of illegal access to information systems are met.
264 Pedro Miguel F. Freitas and Nuno Goncalves, ‘Illegal access to information systems and the Directive 2013/40/EU’ (2015) International Review of Law, Computers & Technology <https://dl.acm.org/citation.cfm?id=2767890> accessed 10 June 2018.
265 Recital 11 of the Botnet Directive.
266 Miguel et al. (n 264).
267 Kasper (n 244).
268 For example, ‘honey pots’ are computer systems set up by the ‘good guys’ in order to attract attackers to penetrate the system, so as to study their attack methods and the tools used, or to send them fake data. See more in Kasper (n 244).
269 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
270 Article 9 of the Botnet Directive.
3.2.2.1.1.3 Step 3 – Compromising and control
After getting access to the IoT devices, the attacker needs to control them somehow in order to launch the DDoS attack. Therefore, to transform the IoT devices into a ‘zombie’ network, the attacker instructs them to download malware from a distribution server. Right after downloading and installing the malware, the IoT device is reconfigured to come under control and to communicate with the command and control server.271 Furthermore, the bot malware fixes the vulnerabilities of the IoT device, making sure that no other malware could use the same method to compromise it. At this moment, the malware remains in a latent condition,272 and for this reason the owner of the infected IoT device does not know about the infection.273

Under those circumstances, this step is considered as altering the integrity of the computer data,274 behaviour that is directly linked to the ‘illegal data interference’ covered by Article 5 of the Botnet Directive, which reads:

‘Member States shall take the necessary measures to ensure that deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.’275

The Directive aims to provide IoT data and any other computer data with the same level of protection against intentionally inflicted damage as material objects enjoy.276 The definition maintains the key elements of ‘intention’, ‘information system’, ‘without right’ and ‘minor cases’ presented above. However, some keywords are not addressed at all by the Directive, and the author suggests that the interpretation of the missing expressions might be done by following the Explanatory Report of the Budapest Convention. On this reading, while ‘deteriorating’ and ‘damaging’ data are linked to the alteration of the integrity element, ‘deletion’ could be seen as identical to destroying and making something indistinguishable.277 ‘Suppressing’ computer data means ‘any action that prevents or terminates the availability of the data to the person who has access to the computer or the data carrier on which it was stored’,
271 Angrishi (n 243).
272 Ibid.
273 Douligeris, Mitrokotsa (n 66).
274 Kasper (n 244).
275 Article 5 of the Botnet Directive.
276 Explanatory Report to the Budapest Convention.
277 Clough (n 4), p. 123.
whereas ‘altering’ means modifying the existing data.278 Therefore, it is clear that executing any malware on the IoT device will lead to an alteration of the integrity of the data.279

In conclusion, by taking control of IoT devices to build a botnet, the botmaster will always alter the data and may delete, damage, deteriorate or suppress the IoT data. For this behaviour, the attacker could face imprisonment of at least two years.280 Moreover, botnets themselves delete, damage, deteriorate, alter, suppress, or render IoT data inaccessible.281 The author needs to mention that DDoS attacks per se, when launched against critical infrastructure, also have the power to alter the integrity of the data of the affected computer system.282
3.2.2.1.1.4 Step 4 – Action on Objectives
This is the final step, where the attacker launches the DDoS attack by simply instructing, through the command and control server, all the IoT bots to start an attack against critical infrastructure.283 As the author has shown before, the main objective of a DDoS attack is to seriously hinder the functioning and availability of the targeted computer system,284 which might have a significant effect on the operator of the critical infrastructure.285 Article 4 of the Botnet Directive declares that making a computer system unavailable is unlawful and obliges the Member States to:

‘Take the necessary measures to ensure that seriously hindering or interrupting the functioning of an information system by inputting computer data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.’286

This Article aims to protect the interests of users who are lawfully using computer systems against an intentional ‘hindering’ that could affect their proper
278 Explanatory Report to the Convention on Cybercrime, ETS No. 185.
279 Clough (n 4) p. 112.
280 Article 9 of Botnet Directive.
281 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
282 Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)10E Rev.
283 Kolias et al. (n 122).
284 Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)10E Rev.
285 Kasper (n 244).
286 Article 4 of Botnet Directive.
functioning.287 Unfortunately, the legislator has not defined what 'illegal interference' is. However, some authors argue that such interference is also known as 'tampering' or 'computer sabotage',288 and is broad enough to encompass the 'disruption of information systems' caused by DDoS attacks, where access to the computer system is restricted.289
Following the Explanatory Report to the Budapest Convention, 'hindering' means any action that interferes with the proper functioning of a computer system. The hindering must be 'serious' and must take place by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data. It is not clear where the threshold for 'serious' lies. However, sending data to a target in such a form and quantity that the owner or operator is significantly impeded in using the system, or that the system can no longer communicate with other systems, qualifies as serious illegal system interference.290
Accordingly, in the author's opinion, a DDoS attack launched by an IoT botnet will 'easily' qualify as serious, and such conduct would be punishable under Article 4 of the Directive. On the other hand, the botnet malware itself may hinder the functioning of the infected IoT device, but not necessarily,291 because when taking part in a DDoS attack each IoT device uses only a fraction of its available resources, so the user may notice only a limited change in performance.292 In that case, there is no system interference as defined by the Article mentioned above.
3.2.2.1.1.5 Step 5 – Weaponisation
Aside from the offences of illegal access and illegal system and data interference, the Botnet Directive also outlaws the weaponisation step of a DDoS attack.293 Because the commission of such offences frequently requires possession of some means of attack (in our case, without a large botnet a DDoS attack could not have the expected impact), the legislator provides a separate and independent legal basis to outlaw the availability of such 'hacker tools' on the black market.294 For this reason, the 'production, sale, procurement for use, import, distribution
287 Explanatory Report to the Convention on Cybercrime, ETS No. 185.
288 Ibid.
289 De Hert et al. (n 260).
290 Explanatory Report to the Convention on Cybercrime, ETS No. 185.
291 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
292 Douligeris, Mitrokotsa (n 66).
293 Kasper (n 244).
294 Explanatory Report to the Budapest Convention.
or otherwise making available' of tools such as computer programs, passwords or access codes that are primarily designed or adapted for committing the offences mentioned above is criminalised by Article 7 of the Directive.295
In this context, 'distribution' means forwarding the data to others, whereas 'making available' refers to placing the tools online for the use of others. When referring to a 'computer program' or 'tools', the legislator had in mind any program particularly designed for illegal access or illegal system and data interference.296 The terms are not defined, but in J. Clough's opinion they include both software and hardware.297 In particular, such 'tools' could encompass malicious software or virus programs, including those able to create botnets.298 For clarity, the legislator could in future specify exactly which kinds of tools fall under Article 7 and what a 'computer program' is, in order to avoid ambiguity.299 According to the Council of Europe, all botnets are considered tools within the meaning of Article 7 because they are created, designed and used for committing various offences. Furthermore, any program used by the attacker for creating and operating a botnet falls under the definition.300
Because the Directive refers only to tools primarily designed or adapted for committing the above cybercrimes, some challenges arise in practice.301 For example, there is friction between a DDoS attack launched by a botnet created for the legitimate purpose of testing the capacity of a computer system and the illegitimate use of that same botnet.302 As a result, it is not enough to demonstrate that such a tool may be used for committing offences; it is also necessary to show the intention and the design behind the tool used for illegal purposes. To sum up, under the Botnet Directive mere possession of an IoT botnet is not an offence: Article 7 covers only the listed acts, and only where they are committed with the intention that the tool be used for one of the offences in Articles 3 to 6.303 However, selling an IoT botnet or making it available online for the use of other persons with that intention is punishable as a criminal offence.
295 Article 7 of Botnet Directive.
296 Explanatory Report to the Budapest Convention.
297 Clough (n 4) p. 134.
298 Recital 16 of Botnet Directive.
299 Clough (n 4) p. 135.
300 Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets, adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
301 Explanatory Report to the Budapest Convention.
302 Clough (n 4) p. 135.
303 Ibid.
3.2.2.1.2 Sanctions
As we have seen, botnets may serve the criminal purpose of launching a DDoS attack against critical infrastructure, which could have a serious impact on society. With this in mind, the conduct just described should be punishable by 'effective, proportionate and dissuasive criminal penalties'.304 As a rule, Article 9 requires that illegal access, illegal system and data interference, and making available the tools for committing these offences be punishable by a maximum term of imprisonment of at least two years, at least for cases which are not minor.305 Incitement, aiding and abetting are punishable for all of these offences, and attempt is punishable for illegal system and data interference.306

The EU legislator also introduced higher penalties for certain aggravating circumstances. Reading Article 9 together with Recital 13 of the Directive, illegal system interference and illegal data interference must carry a maximum term of imprisonment of at least three years where a significant number of information systems has been affected through the use of a tool primarily designed or adapted for that purpose, which is the typical large-scale botnet scenario. The same Article requires a maximum term of imprisonment of at least five years where such an offence is committed within the framework of a criminal organisation, causes serious damage, or is committed against a critical infrastructure information system.307
3.2.2.1.3 Conclusions
As the author has shown above, all the steps and phases of a DDoS attack against critical infrastructure could fall within the scope of the Botnet Directive.308 Moreover, such behaviour is sanctioned with severe penalties, but large DDoS attacks are still possible because the botmaster cannot always be identified. The measures provided by the Botnet Directive are preventive or responsive; other phases of cyber incident management, such as detection, assessment, recovery and communication, are not covered at all.309 For example, the assessment phase of cyber incident management is not supported by any legal or technical means. The same was true of the communication phase of a DDoS attack until the NIS Directive was adopted. By carrying out a security risk assessment, the operator of critical infrastructure would become aware of the
304 Article 9 of Botnet Directive.
305 Ibid.
306 Article 8 of Botnet Directive.
307 Article 9 of Botnet Directive.
308 Kasper (n 244).
309 Ibid.
'strengths, weaknesses and vulnerabilities'310 of its critical infrastructure.311 Without such awareness, even the best security measures protecting the critical infrastructure may prove ineffective against a DDoS attack.312

In conclusion, by introducing minimum security requirements for critical infrastructure, the reporting of the most dangerous cyber attacks could be achieved. Therefore, the author will continue with the legal analysis of the implications of the NIS Directive for critical infrastructure.
3.2.2.2 Overview of the 'NIS' Directive
As the author has shown in the previous chapter, the NIS Directive entered into force in August 2016 and was adopted to strengthen the EU Cybersecurity Strategy.313 The main aim of the Directive is to achieve a 'high common level of security of network and information systems' in the EU.314 It could be argued that, by the time the NIS Directive was adopted, there were already enough research studies on new methods and frameworks that could improve the cybersecurity level of CIs. However, one important element was missing before 2016: a legal tool through which the Member States could extend required security measures to a broader set of private entities, including the operators of CIs,315 and make the notification of security incidents mandatory.316 The legislator shares this view in Recital 4 of the Directive, which states that Member States should 'have minimum capabilities and a strategy ensuring a high level of security of network and information systems in their territory'. The Directive also intends to promote a European culture of risk management and to ensure that the most serious cyber incidents suffered by operators of essential services and digital service providers are reported to the relevant authority. In other words, the NIS Directive builds on the EU's readiness for cyber
310 For example, Sun Tzu, a Chinese general and philosopher, said that 'If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle'.
311 Kasper (n 244).
312 Ibid.
313 European Commission, 'EU Cybersecurity plan to protect open internet and online freedom and opportunity' (European Commission Press Release, 7 February 2013) <http://europa.eu/rapid/press-release_IP-13-94_en.htm> accessed 12 May 2018.
314 Article 1 of NIS Directive.
315 Janine S. Hiller, Roberta S. Russell, 'The challenge and imperative of private sector cybersecurity: An international comparison' (2013) Computer Law & Security Review 29, 236-245 <https://www.sciencedirect.com/science/article/pii/S0267364913000575> accessed 19 July 2018.
316 Maglaras et al. (n 3).
attacks, in the awareness that the safety and security of essential services are indispensable for society.317
3.2.2.2.1 Scope and applicability
The Directive was not applicable immediately after coming into force; the Member States had 21 months to transpose the NIS Directive into national law.318 Seven main milestones have to be adopted or implemented by the Member States:319

1. To adopt a national strategy on the security of network and information systems;320
2. To designate one or more national competent authorities on NIS, to designate a single national point of contact on NIS,321 and to designate one or more CSIRTs (computer security incident response teams);322
3. To create a Cooperation Group to support and facilitate strategic cooperation among the Member States and to exchange information;323
4. To create a CSIRTs network to contribute to the development of confidence and to promote swift and effective cooperation;324
5. To establish security requirements and incident notification for operators of essential services;325
6. To establish security requirements and incident notification for digital service providers;326
7. To identify, by 9 November 2018, all the operators of essential services located on their territory.327

The Directive became applicable on 10 May 2018,328 and it covers 'operators of essential services' and 'digital service providers'.329 The NIS Directive does not apply to sectors
317 Richard Piggin, 'NIS Directive and the Security of Critical Services' (2018) ITNOW 60(1) 44, 10.1093 <https://academic.oup.com/itnow/article-abstract/60/1/44/4858516?redirectedFrom=fulltext> accessed 10 May 2018.
318 M.-T. Holzleitner, J. Reichl, 'European provisions for cyber security in the smart grid – an overview of the NIS-directive' (2017) Elektrotechnik & Informationstechnik 134/1: 14–18, DOI 10.1007/s00502-017-0473-7 <https://link.springer.com/article/10.1007%2Fs00502-017-0473-7> accessed 10 July 2018.
319 Ibid.
320 Article 7(1) of NIS Directive.
321 Article 8(1) and (3) of NIS Directive.
322 Article 9(1) of NIS Directive.
323 Article 11(1) of NIS Directive.
324 Article 12(1) of NIS Directive.
325 Article 14 of NIS Directive.
326 Article 16 of NIS Directive.
327 Article 5(1) of NIS Directive.
that are regulated by other legal instruments with provisions at least equivalent to those of the Directive.330 As mentioned before, the focus of this thesis is on 'operators of essential services', a category similar to 'operators of critical infrastructure', which covers sectors such as energy, healthcare, water, transport and key digital services.331 The author will not dwell on what an operator of essential services is, because this was already discussed in the previous chapter. However, it should be mentioned that, to avoid a disproportionate financial and administrative burden, the legislator excluded micro and small enterprises that provide a digital service within the meaning of the NIS Directive.332 In the author's view, this exclusion is not the best decision, because some such enterprises could in the future form part of a 'smart grid' without having to align with the security requirements of the NIS provisions. Attackers could then find an easy way into the systems of CIs if the national authorities do not impose minimum security features that every legal person, irrespective of its size, has to meet in order to be connected to the grid.333

Network and information systems play an essential role in the functioning of any critical infrastructure, and their reliability and security are necessary to assure it.334 Article 4(1) of the NIS Directive defines a 'network and information system' as (a) an electronic communications network; (b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of digital data; or (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.335 Such systems could be affected by a DDoS attack, stopping their proper functioning and negatively affecting society. Hence, in view of all the possible
328 Article 25 of NIS Directive.
329 Article 1(2)(d) of NIS Directive.
330 Holzleitner, Reichl (n 318). It could be argued that the legislator is preparing to update regulation for other specific critical sectors such as the energy sector, which is the second most affected by the NIS Directive requirements after the banking and finance sector. In the UK, for example, the financial and civil nuclear sectors are already regulated by instruments providing at least the same level of provisions as the NIS Directive. See also Piggin (n 317).
331 Piggin (n 317).
332 Recital 53 and Article 16(11) of NIS Directive.
333 Holzleitner, Reichl (n 318).
334 Ibid.
335 Article 4(1) of NIS Directive.
threats, it is mandatory for the operators of critical infrastructure to adopt proper security measures to secure their network and information systems.336
3.2.2.2.2 Obligations and security requirements
One of the main elements of the NIS Directive is its security requirements and the compulsory notification of cyber incidents.337 Articles 14 and 16 of the Directive deal with these matters, covering both operators of essential services and digital service providers, with less strict provisions for the latter.338 As the focus of this thesis is on critical infrastructure, the author will further consider only the provisions applying to operators of essential services, Articles 14 and 15 of the NIS Directive.339 Under these Articles, operators of essential services have to:

- Take appropriate and proportionate technical and organisational security measures to 'manage the risks posed to the security of network and information systems which they use in their operations'340 and to 'guarantee a level of security appropriate to the risk';341
- Take 'appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems ... with a view to ensuring the continuity of those services';342
- Notify the competent authority of incidents having a 'significant impact on the continuity of the essential services they provide';343
- Provide, upon request of the competent authority, information about their network and information system security policies;344
- Undergo a security audit by the competent authority or a qualified third-party auditor, and make the results available to the competent authority.345

Some terms used by the legislator require further attention for clarity. Article 4 of the NIS Directive defines 'risk' as 'any reasonably identifiable circumstance or event having a
336 Holzleitner, Reichl (n 318).
337 Ibid.
338 Ibid.
339 Ibid.
340 Article 14(1) of NIS Directive.
341 Hiller, Russell (n 315).
342 Article 14(2) of NIS Directive.
343 Article 14(3) of NIS Directive.
344 Article 15(2)(a) of NIS Directive.
345 Article 15(2)(b) of NIS Directive.
potential adverse effect on the security of network and information systems'.346 Unfortunately, the legislator has not defined what 'appropriate and proportionate technical and organisational measures' means. Article 14(1) itself requires that the measures, 'having regard to the state of the art', ensure a level of security 'appropriate to the risk posed', and Recital 49 expresses the same idea for digital service providers, which should ensure a level of security 'commensurate with the degree of risk posed to the security of the digital services they provide'. Reading the two together, the author interprets 'appropriate and proportionate' measures as state-of-the-art security measures whose strength is commensurate with the assessed risk.347

Further, the Directive guides the Member States in determining the 'significance' of the impact of an incident by giving the following criteria:348

a) the number of users affected by the disruption of the essential service;
b) the duration of the incident;
c) the geographical spread of the area affected by the incident.

Where an incident has a significant impact, the competent authority or CSIRT shall inform the other affected Member States, while preserving 'the security and commercial interests of the operator of essential services, as well as the confidentiality of the information provided in its notification'.349 As the author explained above, the competent authorities of the Member States involved will have to cooperate and exchange information about the incident. Where public awareness is necessary in order to prevent an incident or to deal with an ongoing incident, the competent authority or the CSIRT may inform the public about the incident.350

Finally, under the NIS Directive, Member States are required to lay down rules on penalties and to ensure that they are applied to operators of CIs that fail to comply with the provisions of the Directive.351
3.2.2.2.3 Conclusions
By securing the critical infrastructures of each EU country, the NIS Directive aims to build an overall level of cybersecurity throughout the European Union.352 However, even if the NIS Directive brings new provisions for an improved level of harmonisation across the Member
346 Article 4(9) of NIS Directive.
347 Article 14(1) and Recital 49 of NIS Directive.
348 Article 14(4) of NIS Directive.
349 Article 14(5) of NIS Directive.
350 Article 14(6) of NIS Directive.
351 Article 21 of NIS Directive.
352 Maglaras et al. (n 3).
States in respect of the security of network and information systems, it remains questionable how the Member States will implement these provisions. Further research will need to answer the following questions: How will each country decide what a significant impact is for a smart grid? What is the threshold for the significant impact of an incident, and when is it justified to inform the public: in the case of a major DDoS attack, a blackout or a technical failure? Is there any difference between 'significant impact', the threshold for incidents at operators of essential services, and 'substantial impact', the threshold for incidents at digital service providers? What will happen in the case of a DDoS attack with a significant impact on a smart grid that affects the continuity of essential services in another country? How can 'state of the art' technology be achieved by the operators of CIs? And, finally, what is the role of public awareness, and when is it necessary in order to avoid an incident?353

For the future, the Member States should introduce new provisions dealing specifically with the requirements of the NIS Directive, adopt new national cyber security laws covering large cyber attacks against CIs, and address all the problems discussed above.354
353 Holzleitner, Reichl (n 318).
354 Ibid.
Chapter 4
Conclusions and future work
'So now, when we face a choice between adding features and resolving security issues, we need to choose security.'355
4.1 Conclusions
Chapter 2 revealed that there are various types of DDoS attack with the same aim: flooding the target with traffic or requests until it becomes unresponsive. The distributed nature of a DDoS attack is one of its main characteristics, so the attacker needs to have many devices under control. It is challenging for law enforcement agencies to deter or investigate such 'multi-step' and 'multi-stage' attacks, which have increased in number and power in recent years.

On the positive side,356 the Internet of Things is the latest Internet revolution, with the primary mission of interconnecting a whole variety of 'traditionally dumb devices'.357 All the data processed by these 'things' brings remarkable new solutions for smart cities, smart health and smart monitoring, to deal with significant societal issues and improve our daily life.358

On the negative side, because the majority of IoT devices are developed with no security in mind, in recent years many 'poorly designed and badly protected' IoT devices have been launched on the market.359 This lack of basic cyber security attention has created new security challenges for critical infrastructure and for society in general. The IoT 'ecosystem' became ideal for launching new large-scale DDoS attacks for several reasons: most devices have unrestricted access to the Internet; when a new IoT device model is launched, security is not the primary concern of the manufacturer; many IoT devices do not receive firmware updates that could improve their security, or lack an update mechanism altogether; and, finally, IoT devices ship protected by default credentials set by the manufacturer for entire categories of devices.
355 Bill Gates, 'Bill Gates: Trustworthy Computing' (Wired, 17 January 2002) <https://www.wired.com/2002/01/bill-gates-trustworthy-computing/> accessed 12 September 2018.
356 Dragoni et al. (n 98).
357 Ibid.
358 Elisa Bertino, Kim-Kwang Raymond Choo, Dimitrios Georgakopoulos and Surya Nepal, 'Internet of Things (IoT): Smart and Secure Service Delivery' (2016) ACM Trans. Internet Technol. 16 <https://dl.acm.org/citation.cfm?id=3013520> accessed 16 July 2018.
359 De Donno et al. (n 65).
Thus, the IoT created the means and the opportunities for the proliferation of powerful and sophisticated DDoS attacks. Moreover, the IoT not only 'encouraged' the deployment of such attacks but also accelerated the evolution and diversity of DDoS attacks.360 Likewise, Europol has noted that European critical infrastructure is more vulnerable than ever to such sophisticated DDoS attacks launched by IoT botnets.361 The defining moment came in 2016, when the Mirai botnet, demonstrating the synergy between DDoS attacks and the IoT, hit the Internet with the most powerful DDoS attacks seen up to that time. A striking fact is how Mirai set up and controlled such a vast network of unsecured 'things': the botnet infected IoT devices by logging in over Telnet with a small dictionary of default usernames and passwords, relying on the 'non-security behaviour' of IoT users and vendors (i.e. the attackers expected that users would still be using the default credentials shipped by the IoT vendors).

The analysis of these issues revealed that, unfortunately, Mirai is only the first chapter of a long story that has just begun. The risks IoT devices bring to the Internet were highlighted by the impact of the DDoS attacks launched by the Mirai botnet.362 It is generally accepted that this cyber threat is growing and that the future will bring new security risks for critical infrastructure, with the possibility of harm to human life.363 Furthermore, as shown in the previous chapters, CIs rely on computer systems and Internet connectivity in almost all sectors to provide their services. Critical infrastructure therefore suffers from the same attack vectors as traditional IT systems,364 because such online connectivity has created a large number of access points into the network.

Therefore, in order to appreciate how each step in the DDoS 'kill chain' is criminalised, an assessment of the EU legal framework is needed. For this purpose, Chapter 3 assessed which European legal framework deals with massive DDoS attacks, what the cyber security requirements for operators of critical infrastructure are in the aftermath of a DDoS attack, and whether there are any regulatory gaps. The chapter showed that since 2001 the European Union has developed legal solutions based on the Budapest Convention, including both 'soft' and 'hard' law on cybercrime. The European Commission proposed the Framework Decision on Attacks against Information Systems,
360 Bertino et al. (n 184).
361 EUROPOL, IOCTA 2017 (n 22).
362 Kolias et al. (n 122).
363 Bertino et al. (n 184).
364 Maglaras et al. (n 3).
which entered into force in 2005. However, this legal instrument did not address botnets and large-scale attacks against critical infrastructure. Triggered by the 2007 cyber attacks on Estonia, the fight against cyber crime became a top priority for the EU. Among various policy and legal steps taken to win this battle, the Botnet Directive replaced the Framework Decision and finally made explicit reference to large-scale attacks against critical infrastructure.365 The Botnet Directive set minimum rules in all Member States and raised the level of penalties.366 Equally important, the Directive outlaws the creation and use of botnets for launching massive cyber attacks and introduced aggravating circumstances for such behaviour. Although the Botnet Directive brought new elements that are easy for the Member States to implement, there are still challenges in defining what a large-scale cyber attack is and what constitutes serious damage.

Moving on to the legal implications of the 'intrusion kill chain', this chapter showed that there are five main steps in building an IoT botnet and then launching a DDoS attack: reconnaissance, delivery (gaining access), compromise and control, action on objectives, and weaponisation. All the steps except reconnaissance are criminalised under the Botnet Directive, with various penalties.

Thus, from a legal point of view, the Member States have a sufficient basis to deter such behaviour. However, when dealing with DDoS attacks, the main focus should be prevention and mitigation.367 These attacks succeed because the attacker takes various precautions to hide each step in the 'kill chain', and without attribution the tools used by the police to trace back these 'multi-stage' attacks are limited in their effectiveness.368 Therefore, further research on attribution is needed for 'multi-step' and 'multi-stage' attacks.369

To continue the fight against cyber crime and to boost the overall level of cybersecurity in Europe, the EU legislator adopted the NIS Directive, which imposes new obligations on the operators of critical infrastructure, requirements that were missing from the Botnet Directive.370 It is very welcome that such operators will have to undergo security audits to discover any risks posed to the security of the network and information systems which they
365 Buono (n 215).
366 Ibid.
367 Clark, Landau (n 32).
368 Ibid.
369 Ibid.
370 Maglaras et al. (n 3).
use.371 In other words, by implementing 'appropriate and proportionate technical and organisational measures', the operators of CIs could not only simulate a DDoS attack and learn its outcome but also address any vulnerabilities found in their network and information systems. Policy and technical tools also influence how the detection of malicious activity in critical infrastructures is regulated. For instance, for the banking and financial market infrastructure sectors as defined by the NIS Directive, the legislator has implemented 'supportive and complementary legal measures' such as regulation on the prevention of money laundering and terrorist financing. For other sectors, the Smart Grid Coordination Group was mandated by the European Commission to address various standards for smart grids and has provided guidance on how such standards could play an important role in active cyber defence measures such as the use of 'honeypots' or other techniques for understanding the attacker's behaviour.372 It remains true that the Member States need to adopt appropriate legal tools for the various sectors and to establish cross-sector competent institutions373 for the protection of the confidentiality, integrity and availability of data. It is not yet clear how they will implement the provisions of the NIS Directive in national law. The NIS Directive has introduced new provisions for achieving an improved level of harmonisation across Europe in respect of the security of network and information systems,374 but in reality we are far from completely 'shielding Europe from external threats'.375

To sum up, one of the main features of the fight against DDoS attacks is the prevention of such attacks and the mitigation of the risk and danger when they occur.376 The operators of CIs could achieve this by complying with the NIS requirements. Significantly, much of the responsibility for the deployment of DDoS attacks lies with the owners of unprotected IoT devices, who fail to follow basic security guidelines.377 However, responsibility should also be shared with the IoT manufacturers who shipped devices with weak security. Moreover, the manufacturers are in a position to issue patches that would fix these issues.378 More research is needed, from a legal point of view, on how responsibility for DDoS attacks
371 Article 14 of NIS Directive.
372 Kasper (n 244).
373 Holzleitner, Reichl (n 318).
374 Holzleitner, Reichl (n 318).
375 Maglaras et al. (n 3).
376 Clark, Landau (n 32).
377 Kolias et al. (n 122).
378 Ibid.
could be shared between the various stakeholders, and on how any liability limitations inserted in the terms of service of IoT and software vendors would be upheld in the event of litigation.379 Without better prevention and attribution, future DDoS attacks will continue to succeed. All in all, such major DDoS attacks could still affect any type of critical infrastructure that is not sufficiently protected, because in today's cyber crime 'game' no one can be 100% protected against every cyber attack.
4.2 Recommendations
So what recommendations should the EU Member States or the EU legislator follow? How can we mitigate the impact of massive DDoS attacks? How could we solve this security and privacy disaster?380 To answer these questions, the first step is to assess the nature of the problem. Is the problem a technological one? Are we missing the technology needed to protect IoT devices? The author shares the opinion of other scholars that, as regards the issue of massive IoT botnets, what is lacking is not new security solutions or technological innovation.381
Firstly, the priority in this case should be 'cyber' education, because what is missing is a developed and effective security 'mind-set', a culture of awareness and understanding of cyber risks in our daily life.382 We should not always rely on a computer algorithm alone; people should also intervene. For example, all the described vulnerabilities of IoT devices exist only because of the approach taken by their manufacturers and users. In other words, some IoT users do not even know that their devices, like a computer, have configurable security interfaces.383 Thus, by following some basic security practices, it would have been possible to protect IoT devices against the Mirai botnet. Unfortunately, the main issue in this case was not a lack of technological innovation.384 The world already has the technology that could fix most security vulnerabilities, but the lack of a basic security culture is stronger.385

379 The European Commission made a case study analysis of the situation where IoT devices are targeted with cyber attacks. Taking the Mirai botnet as an example, because there are many actors involved, the liability should be shared between various parties: the attackers' group who programmed the malware; the users who failed to change the default password of the devices; and the software vendor, which launched the IoT devices with an unprotected interface. Moreover, it is clear that the attacker should be liable in the first instance, but as shown above, such DDoS attacks are often anonymous and it is sometimes impossible for the victim to identify the botmaster behind them and obtain any legal compensation from him. However, it is questionable whether such liability limitations would stand in front of a court, so much research is still needed on this topic. See more details in Commission Staff Working Document Liability for emerging digital technologies, accompanying the document Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – Artificial intelligence for Europe, COM(2018) 137 final, Brussels 2018.
380 Dragoni et al. (n 98).
381 Ibid.
382 Ibid.
383 Schneier (n 177).
Secondly, the EU should 'regulate responsibly' and fix the market failure by giving IoT manufacturers sufficient economic incentives to prioritise security 'by design' and 'by default' for IoT devices.386 According to some scholars, the EU could enforce minimum security standards for IoT manufacturers and vendors, even in cases where the users do not care about cyber security.387 For example, the legislator could impose a 'trusted IoT label',388 an idea already discussed by the EU Commission.389 Such a 'trusted IoT label' would provide high standards for the protection of privacy, personal data and security, aimed at IoT users by giving them clear information about the levels of privacy and security of an IoT device and demonstrating compliance with the EU's legal requirements.390 Such an idea would also improve innovation and competitiveness on the IoT market.391
384 Dragoni et al. (n 98).
385 Ibid.
386 In other words, the technical reason why IoT devices are still insecure is complicated. IoT devices are developed at low cost, without many teams with security knowledge. IoT manufacturers are not willing to pay the additional costs that security 'by design' or 'by default' would require. Unfortunately, neither the IoT vendor nor the buyer cares about resolving the vulnerabilities. See also Schneier (n 177).
387 Schneier (n 177). For example, the EU Commission could implement technical recommendations in respect of privacy and cyber security, including a set of guidelines for IoT software developers so that any newly launched software is compliant with the privacy regulations, and guidance for the same developers on implementing privacy 'by design'. See also Achilleas Kemos, 'Everything connected: security and privacy in the Internet of Things' (European Commission – DG Connect) <https://docbox.etsi.org/Workshop/2016/201605_EuropeanApproachDigitalMarket/S02_POLICY_SESSION/KEMOS_DG%20Connect.pdf> accessed 13 September 2018.
388 A valuable starting point could be the IoT Trust Framework released by the Online Trust Alliance. The framework has four key areas: security principles; user access and credentials; privacy, disclosure and transparency; and notifications and related best practices. For example, the security principles could be applicable to any IoT device or sensor. Furthermore, IoT manufacturers could be obliged to encrypt all passwords and user names and to integrate mechanisms to prevent brute-force attacks. For more details see Test-Achats, 'Which generic security and privacy principles to ensure a Trusted IoT environment? The consumer view' (Competence Center Products & Services) <https://ec.europa.eu/information_society/newsroom/image/document/2017-11/generic_security_and_privacy_principles_to_ensure_a_trusted_iot_environment_the_consumer_view_by_test-aankooptest-achats_0B8C19DD-E2B3-A0B3-4234275F9238BC24_43661.pdf> accessed 13 September 2018.
389 Arthur van der Wees, 'In IoT We Trust: Technology, Interoperability, Security, Privacy & Usability in the Hyper-Connected World' (EU Commission, 16 August 2016) <https://ec.europa.eu/digital-single-market/en/blog/iot-we-trust-technology-interoperability-security-privacy-usability-hyper-connected-world> accessed 13 September 2018.
390 European Commission, 'Digital Single Market – Digitising European Industry Questions & Answers' (European Commission Press Release, 19 April 2016) <http://europa.eu/rapid/press-release_MEMO-16-1409_en.htm> accessed 13 September 2018.
391 Van der Wees (n 388).
Thirdly, the EU should find a way to hold IoT manufacturers accountable. Even if, for now, it is not certain whether a regulatory intervention is appropriate and necessary in this respect,392 other solutions could be taken into consideration. For example, a first step from the EU might be to refuse to engage any further with IoT manufacturers, IoT software vendors or other involved actors which cannot demonstrate that they are following the principles of security 'by design' and 'by default'. The media could also play an important role by informing the population about IoT threats and about simplified cyber-hygiene and cyber-resilience advice.393
Finally, in addressing the security weaknesses, IoT manufacturers should carry out a detailed risk analysis following the best security practices, to identify the cyber threats to their products. Moreover, manufacturers should apply the principle of 'security by design' right from the initial phase of designing any IoT device. Following ENISA's methodology, some technical measures for the main stakeholders involved are provided:394
- to sign the code of the IoT device to ensure its integrity and that no malicious software has tampered with it;
- to implement run-time protection and monitoring to ensure that malicious attacks are unable to overwrite the code;
- to control the installation of software on IoT devices and to prevent any unauthenticated software or files from being loaded onto them;
- to enable security by default by deactivating any unused or insecure functionalities and by enabling all security features by default;
- to use passwords that are hard to crack on all IoT devices;
- to check that the default passwords and usernames are changed during the initial installation;
- to ensure that only the necessary ports are open and running;
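The measures listed above can be checked mechanically before a device ships. The Python below is an added example, not code from the thesis or from ENISA: its device model, the factory-credential list (FACTORY_CREDENTIALS) and the service allowlist (REQUIRED_SERVICES) are constructed assumptions, and it audits a shipped configuration against the code-signing, install-control, secure-by-default, password and open-port measures, then applies the defaults a manufacturer can enforce without user input.

```python
"""Secure-by-default configuration audit for an IoT device.

Added example: not code from the thesis or from ENISA. The device model,
the factory-credential list and the service allowlist below are constructed
for illustration; a real product would supply its own.
"""
from dataclasses import dataclass, replace

# Constructed examples of factory credentials a vendor might ship with.
# A device that still accepts any of them fails the "defaults changed" check.
FACTORY_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("user", "user")}

# Services this hypothetical device needs to do its job; anything else is
# "unused functionality" that security by default should switch off.
REQUIRED_SERVICES = {"https": 443, "mqtt-tls": 8883}

# Legacy management services that should never be enabled by default.
INSECURE_SERVICES = {"telnet": 23, "ftp": 21, "http": 80}

MIN_PASSWORD_LENGTH = 12


@dataclass(frozen=True)
class DeviceConfig:
    credentials: frozenset              # (username, password) pairs accepted
    services: dict                      # service name -> listening port
    setup_forces_password_change: bool  # change enforced at first installation
    firmware_signature_valid: bool      # result of the boot-time code-signing check
    unsigned_install_allowed: bool      # may unsigned software be loaded?


def password_is_strong(password: str) -> bool:
    """Minimum length plus at least three character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= MIN_PASSWORD_LENGTH and classes >= 3


def audit(cfg: DeviceConfig) -> list:
    """Return one finding per violated measure; an empty list means compliant."""
    findings = []
    if not cfg.firmware_signature_valid:
        findings.append("code-signing: firmware signature check failed")
    if cfg.unsigned_install_allowed:
        findings.append("install-control: unsigned software may be loaded")
    if not cfg.setup_forces_password_change:
        findings.append("defaults: installation does not force a password change")
    for user, password in sorted(cfg.credentials):
        if (user, password) in FACTORY_CREDENTIALS:
            findings.append(f"defaults: factory credential still active for '{user}'")
        elif not password_is_strong(password):
            findings.append(f"password: weak password for '{user}'")
    for name, port in sorted(cfg.services.items()):
        if name in INSECURE_SERVICES:
            findings.append(f"services: insecure service {name}/{port} enabled")
        elif name not in REQUIRED_SERVICES:
            findings.append(f"ports: unnecessary port {port} ({name}) open")
    return findings


def apply_secure_defaults(cfg: DeviceConfig) -> DeviceConfig:
    """Security by default: keep only required services, refuse unsigned code
    and force a credential change at installation. New passwords have to come
    from the user, so credential findings are left for audit() to report."""
    return replace(
        cfg,
        services={n: p for n, p in cfg.services.items() if n in REQUIRED_SERVICES},
        unsigned_install_allowed=False,
        setup_forces_password_change=True,
    )


# Constructed sample: a camera-style device shipped the way the Mirai botnet
# found many of them, with a factory login and telnet/http management open.
SHIPPED = DeviceConfig(
    credentials=frozenset({("admin", "admin"), ("viewer", "camera1")}),
    services={"telnet": 23, "http": 80, "https": 443, "mqtt-tls": 8883, "upnp": 1900},
    setup_forces_password_change=False,
    firmware_signature_valid=True,
    unsigned_install_allowed=True,
)

if __name__ == "__main__":
    for finding in audit(SHIPPED):
        print("FAIL", finding)
    print("remaining after secure defaults:", audit(apply_secure_defaults(SHIPPED)))
```

Running it shows seven findings for the constructed shipped configuration; after the secure defaults only the two credential findings remain, which is exactly the part the installation step must push onto the user.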
392 Commission Staff Working Document Liability for emerging digital technologies, accompanying the document Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions – Artificial intelligence for Europe, COM(2018) 137 final, Brussels 2018.
393 James Scott, Drew Spaniel, Rise of the Machines – The Dyn attack was just a practice run (Institute for Critical Infrastructure Technology, 2016) p. 52.
394 IoT experts, software developers and manufacturers, IT/Security solutions architects, etc. For more details see ENISA, Threat Landscape Report 2017, 15 Top Cyber-Threats and Trends, January 2018 <https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017/at_download/fullReport> accessed 4 July 2018.
Abbreviations
CIs Critical Infrastructures
CoE the Council of Europe
CPU central processing unit
CSIRT Computer Security Incident Response Team
DDoS distributed denial of service (attack)
DNS Domain Name System
DVR digital video recorder
EC3 European Cybercrime Centre
EDPB European Data Protection Board
EU European Union
Gbps gigabits per second
GPS global positioning system
ICMP Internet Control Message Protocol
ICS industrial control systems
ICT information and communications technology
IoT Internet of Things
IP Internet Protocol
IRC Internet Relay Chat
IXP Internet Exchange Point
LEA Law Enforcement Agency
NIS network and information systems
OECD Organisation for Economic Co-operation and Development
SCADA supervisory control and data acquisition
SME Small and Medium Enterprises
SYN synchronise
Tbps terabits per second
TCP Transmission Control Protocol
TFEU Treaty on the Functioning of the European Union
TLD Top Level Domain
UDP User Datagram Protocol
WP29 Article 29 Data Protection Working Party
Bibliography
Books
Agnes Kasper, „Legal Aspects of CyberSecurity in Emerging Technologies: Smart Grids and Big Data, European
Answers to Security Breaches and “Common” Cyber crime‟ in T. Kerikmae (ed.), Regulating eTechnologies in the
European Union, (Springer, 2014).
David S. Wall, The Transformation of Crime in the Information Age (first published 2007, Polity Press).
James Scott, Drew Spaniel, Rise of the Machines – The Dyn attack was just a practice run (Institute for Critical
Infrastructure Technology, 2016).
Jonathan Clough, Principles of Cybercrime (2nd Edition, Cambridge University Press, 2015).
K. Dunham, J. Melnick, Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet,
(Auerbach Publications, Taylor&Francis Group, 2008).
Michael Calce, Craig Silverman, Mafiaboy: how I cracked the Internet and why it`s still broken (1st Edition, Viking,
2008).
S.W. Brenner, Cybercrime and the Law: Challenges, issues and outcomes (Northeastern University Press, 2012).
E-books and PDFs
A. D. Elyakov, „The Nature of the Modern Information Society‟ (2010), Scientific and Technical Information
Processing <https://link.springer.com/content/pdf/10.3103%2FS0147688210010090.pdf> accessed 13 August
2018.
Online Journals
Amalie M. Weber, „The Council of Europe`s Convention on Cybercrime‟ (2003) Berkeley Technology Law Journal,
Volume 18 <https://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1416&context=btlj> accessed 19 May
2018.
Archick Kristin, „Cybercrime: The Council of Europe Convention‟ (2002) CRS Report for Congress, Congressional
Research Service, The Library of Congress <https://digital.library.unt.edu/ark%3A/67531/metacrs2394/> accessed
10 June 2018.
Bryan Harris, Eli Konikoff, Phillip Peterson, „Breaking the DDoS Attack Chain‟ (2013) Institute for Software
Research, Carnegie Mellon University <https://www.cmu.edu/mits/files/breaking-the-ddos-attack-chain.pdf>
accessed 18 July 2018.
Christos Douligeris, Aikaterini Mitrokotsa, „DDoS attacks and defense mechanisms: classification and state-of-the-
art‟ (2003) Department of Informatics, Greece <http://citeseerx.ist.psu.edu/viewdoc/download> accessed 24 January
2018.
David D. Clark, Susan Landau, „The Problem isn`t Attribution; It`s Multi-Stage Attacks‟ (2010) ACM ReArch
<https://groups.csail.mit.edu/ana/ANA%20PUBLICATIONS/The_Problem_isnt_Attribution.pdf> accessed 28
November 2017.
Enek T., Kadri K., Liss V. „International Cyber Incidents Legal Considerations‟ (2010) Cooperative Cyber Defence
Centre of Excellence CCDCOE <https://ccdcoe.org/publications/books/legalconsiderations.pdf> accessed 22
August 2017.
Eric J. Sinrod and William P. Reilly, Cyber-Crimes: A Practical Approach to the Application of Federal Computer
Crime Laws, (16 Santa Clara High Tech. L.J. 177, 2000), p. 189-191
<http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1258&context=chtlj> accessed 24 November 2018.
Irving Lachow, „Active Cyber Defense: A Framework for Policymakers‟ (2013) Center for a New American
Security <https://www.cnas.org/publications/reports/active-cyber-defense-a-framework-for-policymakers> accessed
15 July 2018.
Jelena Mirkovic, Janice Martin and Peter Reiher, „A Taxonomy of DDoS Attacks and DDoS Mechanisms‟ (2004)
SIGCOMM Computer Communication Review vol. 34 <https://lasr.cs.ucla.edu/ddos/ucla_tech_report_020018.pdf>
Jonathan Clough, „A World of Difference: The Budapest Convention of Cybercrime and the Challenges of
Harmonisation (2014), Monash U. L. Rev 698
<https://www.monash.edu/__data/assets/pdf_file/0019/232525/clough.pdf> accessed 11 June 2018.
Jonathan L. Zittrain, The Future of the Internet – And How to Stop It (Yale University Press & Penguin Uk 2008)
<https://dash.harvard.edu/bitstream/handle/1/4455262/Zittrain_Future%20of%20the%20Internet.pdf?sequence=1>
accessed 28 July 2018.
Justin Stephen, „The Changing Face of Distributed Denial of Service Mitigation‟ (2001) Sans Institute.
<https://www.sans.org/reading-room/whitepapers/threats/threat-intelligence-planning-direction-36857> accessed 28
November 2017.
Kishore Angrishi, „Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT Botnets‟ (2017) arXiv
<https://arxiv.org/pdf/1702.03681.pdf> accessed 18 December 2017.
L. A. Maglaras et al., „Cyber security of critical infrastructures‟ (2018) Volume 4 ICT Express, The Korean Institute
of Communications and Information Sciences, p. 42-45
<https://www.sciencedirect.com/science/article/pii/S2405959517303880> accessed 10 June 2018.
L. A. Maglaras et al., „NIS directive: The case of Greece‟ (2018) Volume 4 EAI Endorsed Transactions on Security
and Safety Volume 4, Issue 14 <http://eudl.eu/doi/10.4108/eai.15-5-2018.154769> accessed 12 July 2018.
Laviero Buono, „Fighting cybercrime between legal challenges and practical difficulties: EU and national
approaches‟ (2016) Academy of European Law <https://link.springer.com/article/10.1007/s12027-016-0432-5>
accessed 10 July 2018.
Laviero Buono, „Gearing up the fight against Cybercrime in the European Union: a new set of rules and the
establishment of the European Cybercrime Centre (EC3)‟ (2012) New Journal of European Criminal Law, Vol. 3
<https://www.europol.europa.eu/sites/default/files/documents/njecl-2012-buono.pdf> accessed 20 June 2018.
Laviero Buono, „The Key Features of the EU Cybercrime Directive 2013; The newly adopted European framework
for legislative measures on attacks against information systems‟ (2013) Computer Law Review International
<https://www.researchgate.net/publication/314498695_The_Key_Features_of_the_EU_Cybercrime_Directive_2013
_The_newly_adopted_European_framework_for_legislative_measures_on_attacks_against_information_systems>
accessed 17 May 2018.
M. Raza, M. Iqbal, M. Sharif and W. Haider, „A Survey of Password Attacks and Comparative Analysis on Methods
for Secure Authentification‟ (2012) Comsats Institute of Information Technology
<https://www.researchgate.net/profile/Mudassar_Raza2/> accessed 10 July 2018.
M.-T. Holzleitner, J. Reichl, „European provisions for cyber security in the smart grid – an overview of the NIS-
directive‟ (2017) Elektrotechnik & Informationstechnik, 134/1: 14–18. DOI 10.1007/s00502-017-0473-7
<https://link.springer.com/article/10.1007%2Fs00502-017-0473-7> accessed 10 July 2018.
Paul De Hert et al., „Fighting cybercrime in the two Europes. The added value of the EU framework decision and
the council of Europe Convention‟ (2006) Revue internationale de droit penal
<https://www.researchgate.net/publication/251058766_Fighting_cybercrime_in_the_two_Europes_The_added_valu
e_of_the_EU_framework_decision_and_the_Council_of_Europe_convention> accessed 27 June 2018.
Richard Piggin, „NIS Directive and the Security of Critical Services‟ (2018) ITNOW, 60. 44-44. 10.1093
<https://academic.oup.com/itnow/article-abstract/60/1/44/4858516?redirectedFrom=fulltext> accessed 10 May
2018.
T. Harjunen, A. Sarkka, „Classic TCP/IP applications: TELNET, FTP, SMTP, NNTP and SNMP‟ (1998)
<https://www.netlab.tkk.fi/opetus/s38130/s98/tcpapp/TCP_appl.pdf> accessed 10 July 2018.
Usman Tariq, Yasir Malik, Bessam Abdulrrazak and M. Hong, „Collaborative Peer to Peer Defense Mechanism for
DDoS attacks‟ (2011) Procedia Computer Science p. 157-165 <https://www.sciencedirect.com/science/article/pii>
accessed 24 January 2018.
Usman Tariq, Yasir Malik, Bessam Abdulrrazak, „Defense and Monitoring Model for Distributed Denial of Service
Attacks‟ (2012) Procedia Computer Science 1052-1056 <http://www.sciencedirect.com/science/article/pii> accessed
28 November 2017.
Theses
Artur Appazov, „Legal Aspects of Cybersecurity‟ (University of Copenhagen 2014).
Legislation, Communications and other legal documents
Article 29 Data Protection Working Party, „Opinion 8/2014 on the on Recent Developments on the Internet of
Things‟ adopted on 16 September 2016, 14/EN/WP 223.
Commission Staff Working Document Advancing the Internet of Things in Europe, accompanying the document
Communication from the Commission to the European Parliament, the Council, the European Economic and Social
Committee and the Committee of the Regions – Digitising European Industry Reaping the full benefits of a Digital
Single Market, COM(2016) 180 final, Brussels 2016.
Commission Staff Working Document Liability for emerging digital technologies, accompanying the document
Communication from the Commission to the European Parliament, the European Council, the Council, the European
Economic and Social Committee and the Committee of the Regions – Artificial intelligence for Europe, COM(2018)
137 final, Brussels 2018.
Communication from the Commission to The Council, The European Parliament, The Economic and Social
Committee and The Committee of the Regions: Creating a Safer Information Society by Improving the Security of
Information Infrastructures and Combating Computer-Related Crime, COM (2000) 890, Brussels 2001.
Communication from the Commission to the European Parliament and the Council, The EU Internal Security
Strategy in Action: Five Steps towards a more secure Europe, COM (2010) 0673 final, Brussels 2010.
Communication from the Commission to the European Parliament, the Council and the Committee of the Regions -
Towards a general policy on the fight against cyber crime, COM(2007) 267 final, Brussels 2007.
Consolidated version of the Treaty On European Union and The Treaty On The Functioning of The European
Union, [2010] OJ C 83/1.
Convention on Cybercrime, ETS No. 185.
Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical
infrastructures and the assessment of the need to improve their protection [2008] OJ L345/75.
Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems, [2005] OJ
L 69/67.
Cybercrime Convention Committee, T-CY Guidance Note #1 On the notion of "computer system" adopted by the 8th Plenary of the T-CY (5 December 2012), T-CY (2012) 21.
Cybercrime Convention Committee, T-CY Guidance Note #2 Provisions of the Budapest Convention covering botnets adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)6E Rev.
Cybercrime Convention Committee, T-CY Guidance Note #5 DDoS attacks adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)10E Rev.
Cybercrime Convention Committee, T-CY Guidance Note #6 Critical information infrastructure attacks adopted by the 9th Plenary of the T-CY (4-5 June 2013), T-CY (2013)11E Rev.
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a
high common level of security of network and information systems across the Union [2016] OJ L194/1.
Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against
information systems and replacing Council Framework Decision 2005/222/JHA [2013] OJ L218/8.
Explanatory Report to the Budapest Convention.
Proposal for a Directive of the Council on the identification and designation of European critical infrastructures and
the assessment of the need to improve their protection COM/2006/0787.
Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high
common level of network and information security the Union COM (2013) 48 final, 2013/0027 (COD).
Proposal for a Directive of the European Parliament and of the Council on attacks against information systems and
repealing Council Framework Decision 2005/222/JHA, COM (2010) 517 final, 2010/0263 (COD).
Websites and blogs
„Article 29 Working Party‟ (European Commission, 22 November 2016) <http://ec.europa.eu/newsroom/just/item >
accessed 18 October 2017.
„Your fridge is full of spam: Proof of an IoT-Driven Attack‟ (proofpoint, January 2014)
<https://www.proofpoint.com/us/threat-insight/post/Your-Fridge-is-Full-of-SPAM> accessed 5 May 2017.
<https://edpb.europa.eu/about-edpb/about-edpb_en> accessed 10 September 2018.
Achilleas Kemos, 'Everything connected: security and privacy in the Internet of Things' (European Commission – DG Connect) <https://docbox.etsi.org/Workshop/2016/201605_EuropeanApproachDigitalMarket/S02_POLICY_SESSION/KEMOS_DG%20Connect.pdf> accessed 13 September 2018.
Aimee O`Driscoll, „What a brute force attack is (with examples) and how you can protect against one‟ (comparitech,
9 May 2018) <https://www.comparitech.com/blog/information-security/brute-force-attack/#gref> accessed 9 July
2018.
Arbor Networks <arbornetworks.com/stakes> accessed 12 August 2018.
Arthur van der Wees, „In IoT We Trust: Technology, Interoperability, Security, Privacy & Usability in the Hyper-
Connected World‟ (EU Commission, 16 August 2016) <https://ec.europa.eu/digital-single-market/en/blog/iot-we-
trust-technology-interoperability-security-privacy-usability-hyper-connected-world> accessed 13 September 2018.
Ben Deighton „Critical infrastructures under daily attack – ERNCIP head Georg Peter‟ (Horizon The EU Research
& Innovation Magazine, 20 March 2017) <https://horizon-magazine.eu/article/critical-infrastructures-under-daily-
attack-erncip-head-georg-peter_en.html> accessed 19 May 2018.
Bill Gates, „Bill Gates: Trustworthy Computing‟ (wired, 17 January 2002) <https://www.wired.com/2002/01/bill-
gates-trustworthy-computing/> accessed 12 September 2018.
Brian Blomquist, „Prez holds summit to stop cyberhacks‟ (New York Post, 16 February 2000)
<https://nypost.com/2000/02/16/prez-holds-summit-to-stop-cyberhacks/> accessed 29 April 2018.
Brian Krebs, „KrebsOnSecurity Hit With Record DDoS‟ (KrebsonSecurity, 21 September 2016)
<https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/> accessed 6 May 2017.
Brian, „Perhaps the first Denial-Of-Service Attack?‟ (Plato History, 11 February 2010)
<http://www.platohistory.org/blog/2010/02/perhaps-the-first-denial-of-service-attack.html> accessed 16 February
2017.
Bruce Schneier, „Regulation of the Internet of Things‟ (Schneier on Security, 10 November 2016)
<https://www.schneier.com/blog/archives/2016/11/regulation_of_t.html> accessed 22 May 2018.
Catalin Cimpanu, „You can now rent a Mirai Botnet of 400,000 bots‟ (BLEEPINGCOMPUTER, 24 November
2016) <https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/>
accessed 1 May 2018.
Chris Williams, „Today the web was broken by countless hacked devices – your 60-second summary‟ (The Register,
21 October 2016) <https://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/> accessed 1 May 2018.
Dan Goodin, „25-GPU cluster cracks every standard Windows password in <6 hours‟ (arsTECHNICA, 12 October
2012) <https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-
password-in-6-hours/> accessed 9 July 2018.
Dan Goodin, „DDoS attacks take out Asian nation‟ (The Register, 3 November 2010)
<https://www.theregister.co.uk/2010/11/03/myanmar_ddos_attacks/> accessed 30 April 2018.
Dan Goodin, „DDoS service targeting PSN and Xbox powered by home Internet routers‟ (arsTechnica, 1 September
2015) <https://arstechnica.com/security/2015/01/ddos-service-targeting-psn-and-xbox-powered-by-home-internet-
routers/> accessed 6 May 2017.
Dan Goodin, „Large botnet of CCTV devices knock the snot out of jewelry website‟ (arsTechnica, 28 June 2016)
<https://arstechnica.com/security/2016/06/large-botnet-of-cctv-devices-knock-the-snot-out-of-jewelry-website/>
accessed 6 May 2017.
Dan Goodin, „Record-breaking DDoS reportedly delivered by >145k hacked cameras‟ (arsTECHNICA, 29
September 2016) <https://arstechnica.com/information-technology/2016/09/botnet-of-145k-cameras-reportedly-
deliver-internets-biggest-ddos-ever/> accessed 1 May 2018.
Dave Dittrich, „DDoS attack tool timeline‟ (Usenix, 22 July 2000)
<https://www.usenix.org/legacy/publications/library/proceedings/sec2000/invitedtalks/dittrich_html/timeline.html>
accessed 29 April 2018.
Dima Bekerman, „New Mirai Variant Launches 54 Hour DDoS Attack against US College‟ (ImpervaIncapsula
Blog, 29 March 2017) <https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html> accessed 1 May
2018.
English Oxford Living Dictionaries <https://en.oxforddictionaries.com/definition/Internet_of_things> accessed 10
May 2018.
European Commission Memo, „Digital Single Market – Digitising European Industry Questions & Answers‟
(European Commission Press Release, 19 April 2016) <http://europa.eu/rapid/press-release_MEMO-16-
1409_en.htm> accessed 13 September 2018.
European Commission Memo, „Questions and Answers: Directive on attacks against information systems‟
(European Commission Press Release Database, 4 July 2013) <http://europa.eu/rapid/press-release_MEMO-13-
661_en.htm> accessed 30 June 2018.
European Commission, „EU Cybersecurity plan to protect open internet and online freedom and opportunity‟
(European Commission Press Release, 7 February 2013) <http://europa.eu/rapid/press-release_IP-13-94_en.htm>
accessed 12 May 2018.
GitHub, „Leaked Mirai Source Code for Research/IoC Development Purposes‟ (GitHub)
<https://github.com/jgamblin/Mirai-Source-Code> accessed 1 May 2018.
Hans Graux, „New Directive on Attacks against Information Systems‟ (time.lex, 16 October 2013)
<http://timelex.eu/en/blog/detail/new-directive-on-attacks-against-information-systems> accessed 30 June 2018.
Internet Live Stats <https://news.ycombinator.com/item?id=12769751> accessed 1 May 2017.
J.P Buntix, „Major DDoS Attack Against ABN Amro Causes Major Outage‟ (Fintechist, 17 January 2018)
<http://www.fintechist.com/new-cyberattack-cripples-services-abn-amro/> accessed 19 May 2018.
Janene Pieters „Russian Servers Linked to DDoS Attack on Netherlands Financial Network: Report‟ (NLTimes, 29
January 2018) <https://nltimes.nl/2018/01/29/russian-servers-linked-ddos-attack-netherlands-financial-network-
report> accessed 19 May 2018.
Jennifer Chen, „Internet of Things added to hall of fame for words, i.e., the Oxford English Dictionary‟ (Microsoft
Blog, 9 September 2013) <https://blogs.microsoft.com/firehose/2013/09/09/internet-of-things-added-to-hall-of-
fame-for-words-i-e-the-oxford-english-dictionary/> accessed 10 May 2018.
Libby Plummer, „Was massive hack that floored Amazon, Twitter and Reddit practice for election day? Wikileaks
supporters and hackers say attack was revenge for shutting down Assange – but many fear it`s just a warm-up‟
(DailyMail Online, 24 October 2016) <http://www.dailymail.co.uk/sciencetech/article-3859500/Widespread-
internet-havoc-major-attack-takes-websites-offline-Spotify-Twitter-sites-suffer-outages.html> accessed 6 May 2017.
Nart Villeneuve, „Inside a Crimeware Network‟ (Infowar Monitor, 2010)
<http://www.nartv.org/mirror/koobface.pdf> accessed 30 April 2018.
Nicky Woolf, „DDoS attack that disrupted internet was largest of its kind in history, experts say‟ (The Guardian,
San Francisco, 26 October 2016) <https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-
botnet> accessed 7 December 2016.