Putting some teeth in cybersecurity
As you sit at your desk one morning, reading the news reports of the "denial of service" (DoS) attacks that brought down several of the largest sites on the Web the week before, your assistant comes in with a worried look. She tells you that several members of the FBI are in the outer office and believe that your computers were used by hackers as part of the attack on those sites.
You're stunned. How could that be? Your technical support people told you months ago that there was nothing to worry about, that your machines could never be used in this way.
Then before you have a chance to recover from this shock, your assistant returns with an even more worried look. She just opened a letter from a law firm representing one of the attacked Web sites. They plan to sue you for negligence because you didn't do a good enough job to make sure that your site could not be used by hackers.
So far, this scenario is fiction. But many who work in Internet security believe it's only a matter of time before somebody who has been attacked by hackers turns their sights on one of the organizations whose computers were used to attack it.
The possibility of this form of litigation following a DoS attack was first raised by Al Brill and Sam Porteous in an article in The (Toronto) Globe and Mail earlier this month. Mr. Brill and Mr. Porteous work for Kroll Associates, a worldwide firm that specializes in security and investigation, both online and off. Brill is director of computer forensics and high-technology investigation in New York; Porteous is director of intelligence in Canada.
"There is a legal concept known as an 'attractive nuisance,'" Porteous says in a phone interview. "For instance, you have a swimming pool in your backyard, and you don't have a fence up. A kid walks by and sees the pool. He decides, 'Gee, I think I'll go for a swim.' So he wanders over to the pool, falls in, and drowns. Well, in many cases, you can be held responsible for his death.
"So, if you can do it for pools, it may also be possible that it can be done with computers."
For Brill, another factor that may lead to litigation is the large amount of information on the Internet and in the media about hacking tools. With so much information available, it's hard to use ignorance as a defense.
"There was information on the kind of programs that were used to undertake them available on the Internet for months. 'Packet Storm' [a site run by Kroll that provides free information about online security and privacy] actually ran a contest on what it all means and how to prevent DoS attacks and gave the winner $10,000. The attack software is there, but people just don't seem to want to do anything about it."
Some people, in fact, are doing something about it, but seem reluctant to share information with the general public about impending hacker attacks.
The Financial Services Information Sharing and Analysis Center (FSISAC) is a secretive United States organization set up to protect financial institutions from cyberattacks. No one knows where the center is located or who belongs to it. But participating banks received warnings of impending attacks at least four days before the assaults were launched at sites like Yahoo! and bid.now in February. Yet under the terms of membership, the banks were not allowed to share this information with anyone, including government regulators.
"It's because they are terrified to share information with competitors and the public about potential vulnerabilities," according to an Internet security expert who asked not to be identified because his company has done work for major banks. "When banks are trying to push more and more customers online in order to cut costs, what bank wants to admit to its customers that it's worried about security."
Since most people don't belong to organizations like FSISAC, or have the resources to join a monitoring network, or are too scared to openly deal with security problems, chances are they may be used at some point as a launch pad for hacker attacks. And that could eventually lead to a lawsuit.
"Here's the situation," Brill says. "If you trace the source of the hacker attack, it's very often that they are judgment-proof - either too young or they just don't have enough money. They aren't worth suing. Your site has had a huge amount of damage done, so that means you're going to turn to your insurer.
"Insurers may pay for a while, but sooner or later, somebody is going to start looking for somebody with deep pockets in order to pay for this. It's just a matter of time until somebody says that a site that was used to host a DoS attack or other kind of packet should have known better. Maybe a jury would say that they ought to have done a better job of making sure that their machines were protected."
Not all Internet security experts, however, believe that a site used to assist a hacker would be liable in a lawsuit. Greg Gilliom, president of Network Ice (which makes one of the best Internet security programs, according to experts), says the swimming pool analogy is wrong.
"A better one would be guns," says Mr. Gilliom. "If you own a gun, and it's stolen, and used to commit a crime, are you negligent? Courts generally have decided that you're not. Well, if you own a computer, and it's 'stolen,' and you don't know that it's been stolen and is being used in a DoS attack, are you liable? I don't think so, and I don't think any court would say that you are."
One thing Brill, Porteous, and Gilliom all agree on is that businesses need to do more to protect themselves if they want to "work" on the Internet.
Brill and Porteous recommend several steps:
*Create a written policy that calls for a "firewall" to protect a company's connection to the Internet and establish guidelines for continual upgrading and updating of that firewall.
*Act on the policy by committing enough resources to it so you can detect attacks on your machine or know if you are being used to attack another machine.
*Think about hiring an outside firm to test your security (see story left).
*Investigate buying insurance coverage to protect against losses caused by hacking.
Brill and Porteous also recommend that people who own home computers with "always-on" connections to the Internet purchase personal firewalls.
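The second of those recommendations, knowing whether your own machines are being used to attack someone else, is the one most sites had no way to answer in February. The example below is added here and is not code from the article, from Kroll, or from any product mentioned; it shows two checks a border firewall's logs make possible. It assumes the firewall records each outbound packet as a (timestamp, source address, destination address, destination port) tuple, and it uses threshold values chosen for the constructed sample, not a published standard. The first check flags any internal host sending a flood of packets to a single destination in one second; the second flags outbound packets whose source address does not belong to the site at all, the forged addresses that the RFC 2827 egress-filtering recommendation exists to stop.

```python
"""Two egress checks for a site that does not want to be a DoS launch pad.

Added example, not from the article. Input is a constructed list of
per-packet outbound records as a border firewall might log them:
(timestamp_seconds, src_ip, dst_ip, dst_port). The threshold of 200
packets per second to one destination is an assumption for the sample.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodAlert:
    src: str        # internal host doing the sending
    dst: str        # target it is hammering
    second: int     # one-second window in which the threshold was crossed
    packets: int    # packets seen from src to dst in that window


def find_flooders(records, threshold=200, window=1.0):
    """Return a FloodAlert for every (src, dst, window) pair at or above threshold."""
    counts = Counter()
    for ts, src, dst, _port in records:
        counts[(src, dst, int(ts // window))] += 1
    alerts = [FloodAlert(src, dst, win, n)
              for (src, dst, win), n in counts.items() if n >= threshold]
    return sorted(alerts, key=lambda a: (a.second, a.src, a.dst))


def find_spoofed(records, our_prefixes):
    """Count outbound packets whose source address is not one of ours.

    A legitimately configured site never emits packets from addresses it
    does not own; any hit here is either a misconfiguration or a host
    forging source addresses on someone else's behalf.
    """
    nets = [ipaddress.ip_network(p) for p in our_prefixes]
    bad = Counter()
    for _ts, src, _dst, _port in records:
        if not any(ipaddress.ip_address(src) in net for net in nets):
            bad[src] += 1
    return dict(bad)


def sample_records():
    """Constructed sample: five seconds of egress from a 10.0.0.0/8 site."""
    recs = []
    # A normal host fetching web pages: 20 packets a second to one server.
    for sec in range(5):
        for i in range(20):
            recs.append((sec + i / 20, "10.0.0.5", "203.0.113.10", 80))
    # A compromised host flooding one target: 500 packets a second for 3 s.
    for sec in range(2, 5):
        for i in range(500):
            recs.append((sec + i / 500, "10.0.0.77", "198.51.100.9", 80))
    # A few packets carrying a forged source address the site does not own.
    for i in range(3):
        recs.append((3 + i / 10, "192.0.2.200", "198.51.100.9", 80))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    for alert in find_flooders(recs):
        print(f"flood: {alert.src} -> {alert.dst} "
              f"{alert.packets} pkts in second {alert.second}")
    for src, n in find_spoofed(recs, ["10.0.0.0/8"]).items():
        print(f"spoofed source {src}: {n} outbound packets")
```

Run against the sample, the flood check reports the compromised host for each of the three seconds it is active and stays silent about the normal web client, and the spoof check reports the three forged packets. On real logs the same two functions answer the question Brill and Porteous are asking: not "were we attacked," but "did our machines attack anyone."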
The problem is serious. Secure-Me, a Web site that offers online security testing, says that of 400 Net-connected machines it tested in a five-month period last year, only 3 percent received perfect security scores.
Yet even with all the recent hacker activity and media coverage, many companies still think "that could never happen to me."
"Every time one of these incidents occurs, someone says it's a wake-up call," Brill says. "We have had lots of wake-up calls. It's like being in a hotel and you get a wake-up call, and then you roll over and go back to sleep."
"It's like there's a massive snooze button operating when it comes to Internet security," adds Porteous. "It's time to recognize what a wake-up call really is."
*Tom Regan is associate editor of The Christian Science Monitor's Electronic Edition. E-mail him at csmbandwidth@aol.com
(c) Copyright 2000. The Christian Science Publishing Society