MASHANTUCKET, Conn. -- Downstream liability sounds like a cable TV fishing show gone awry. But it's something enterprises need to quickly become aware of, especially in light of recent security incidents like the outbreak of the SQL Slammer worm and the attack on the Internet's root DNS servers.
Essentially, downstream liability is all about the liability an enterprise could incur if its unsecured systems are used as part of a distributed denial-of-service attack.
The topic came up during this week's CyberCrime Conference & Exhibition, where former Department of Justice cybercrime prosecutor Marc J. Zwillinger of Sonnenschein, Nath & Rosenthal declared that, indeed, enterprises can be liable for damages incurred during a DDoS attack.
Zwillinger theorizes that breach of contract is no longer the only basis for liability; now enterprises will be held accountable if they are negligent in patching systems, for example. This is the commission of a tort, Zwillinger said. Negligence is the crux of downstream liability, according to a paper written by Scott C. Zimmerman, CISSP, a research associate with the Software Engineering Institute at Carnegie Mellon University; Ron Plesco, director of policy for the Pennsylvania state police; and Tim Rosenberg, president and CEO of White Wolf Security.
Negligence, meanwhile, consists of four parts, according to the law: duty, breach, causation and harm. Zwillinger and Zimmerman said that all four are closely linked and, in order to gain damages, a victim must demonstrate all four.
Duty, for example, is the reasonable expectation that an enterprise with IT assets linked to the Internet keep its systems secure. "Does an owner of IT assets on the Internet have a duty to keep his systems secure and not to be used to hurt another? We believe the answer to this question is a resounding yes," wrote Zimmerman, et al.
A breach of duty is the failure to live up to that obligation. For example, leaving unpatched systems exposed to the Internet and ripe for exploitation would constitute a breach of duty. Next, a victim must prove this breach caused the damages. Finally, the victim must demonstrate he suffered harm, like loss of assets, loss of business opportunities, or damage to reputation, Zwillinger said.
Slammer took advantage of vulnerable Microsoft SQL Servers and generated massive amounts of traffic that clogged Internet service providers and backbones worldwide. Code Red and Nimda exploited holes in Microsoft Internet Information Services (IIS) Web servers to bring the Internet to a screeching halt in 2001. While Internet performance slowed to a crawl in all three instances, businesses were also left inaccessible, at times resulting in expensive downtime.
Now that victims are justified in pursuing damages via lawsuits, they must determine just who is liable, Zwillinger said.
Zwillinger identified potential defendants: the perpetrator; the owners of unsecured systems; Internet service providers; and the victim.
The perpetrator, Zwillinger said, has violated the law [the Computer Fraud and Abuse Act that covers DoS attacks, virus outbreaks, ping floods and more]. But the difficulty in prosecuting the attacker is finding the person. Often, the attacking computer does not belong to the attacker.
That raises the specter of holding the owners of vulnerable systems liable. They would not be liable under breach of contract because usually there is no direct contact between this person and the victim. But they could be guilty of committing a tort by being negligent in not patching systems. Challenges here involve pursuing the owners of 100 systems involved in a DDoS, for example. All 100 would have to be investigated, and a portion of blame would have to be determined in each instance, Zwillinger said. "It's daunting, but it's not a disincentive," he said.
ISPs, on the other hand, would be liable by contract. There is a reasonable expectation that service providers have measures in place to deny bad traffic and keep customers online, Zwillinger said.
Victims also could be held liable. In addition to pursuing damages, victims could be forced to pay up if their systems are used to attack another.
"It's time to recognize that this is a reality," Zwillinger said. "Enterprises need to determine best practices, adhere to regulation [HIPAA, Gramm-Leach-Bliley], hire consultants, adopt an incident response plan and stay current on information security and evolve with it."
FOR MORE INFORMATION:
- FEEDBACK: What are your thoughts on downstream liability?
Send them to News Editor Michael S. Mimoso.