TISC Insight, Volume 4, Issue 3

Welcome to Volume 4, Issue 3 of The Internet Security Conference newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.

TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me.

Enjoy, and be safe,

Dave


From The Editor

CERT Advisory CA-2002-03 - Numerous vulnerabilities in multiple SNMP implementations may allow unauthorized privileged access, denial-of-service attacks, or cause unstable behavior.

It was simply a matter of time. This advisory provides a timely segue for today's column on legal liability and DDOS attacks, by Jeff Matsuura. You may recall that we published an excerpt from Jeff's book, Security, Rights, and Liabilities in E-Commerce, last November. It's a really good read.

Speaking of good reads, I've updated the TISC Resources Pages, adding over a hundred new links (I only add what I read), and fixing all those 404's - ever notice that big site administrators move pages no less than seasonally? You'll note several article titles in greyshade - these are good reads I can no longer find on-line. Remarkable how many were hosted by @home… If you know where to find them, please mail me the URL.

Before I leave you to enjoy today's column, I have to share a comment from Marcus Ranum posted to the Firewalls Wizards mailing list on the subject of SNMP:

"The original Gauntlet didn't recognize the existence of SNMP at all. It's such a disastrously bad protocol, from a security standpoint, that the original designers of Gauntlet never thought anyone would want to let it through a firewall at all!"

Laugh or cry? Your call.


LEGAL LIABILITY AND DISTRIBUTED DENIAL OF SERVICE ATTACKS

Jeffrey H. Matsuura

The threat of distributed denial of service (DDOS) attacks poses a significant potential source of legal liability for Internet service providers. Two of the key legal bases for that liability are contract law and tort law. This article summarizes the scope of that potential liability and highlights some of the basic actions ISPs can take to reduce their risk of liability and to enforce their rights.

Contract Liability

Contracts are legally enforceable promises, in either written or verbal form. ISPs commonly have contract relationships with their customers, through formal written agreements or through standard terms of service. All promises and assurances regarding service quality, including security, presented in those agreements, should be met. Failure to meet those obligations can be a basis for legal liability under a breach of contract claim.

In the context of DDOS attacks, ISPs could face breach of contract liability from Web site operators or other ISP customers harmed by the attack. That liability would be present if there is a contract relationship between the ISP and the site operator that required a level of security not met by the ISP. If found liable for a breach of contract as to security, an ISP can be forced to pay the injured party an amount established by the court as compensation for the harm caused by the ISP's failure to perform its contract obligations fully. If an ISP makes a contract commitment for security or service quality and if that commitment is not met as a result of a DDOS attack, the ISP may face breach of contract liability for damages suffered by the customer as a result of the attack.

Recognize that breach of contract claims can be raised even if there is no formal written contract. If, for example, an ISP makes promises as to security in marketing or promotional material, but fails to meet those promises, customers who reasonably relied on those assurances may have a valid and enforceable legal claim for breach of contract. The most effective way for ISPs to reduce their risk of contract law liability for DDOS attacks is to be careful about the security and service quality promises they make to their customers. No security assurances that exceed the ISP's ability to perform should ever be presented to customers. The best rule of thumb is to treat your agreements and promotions as promises that must be fully performed.

Tort Liability

Tort law permits parties injured by negligent or deliberately malicious conduct by others to recover monetary compensation for their injuries and for the consequences of those injuries. In the context of a DDOS attack, tort claims can be raised against ISPs by Web site operators and others harmed by the attacks. Tort claims can also be raised by ISPs against parties who are responsible for damage to their networks. Those parties could include the perpetrators of DDOS attacks and authorized users of the ISP network, to the extent that negligence as to security measures on the part of those authorized users contributed to the harm caused to the ISP by the attack.

ISPs can face tort liability if they fail to meet their duty of care, and if that failure is a cause of harm to another party. A failure to meet a required duty of care is described as "negligence." In the context of a DDOS attack, the ISP can be liable to Web site operators or other network users who suffer harm as a result of the attack, if the attack was facilitated by failure of the ISP to provide adequate security. Failure to provide a reasonable level of security against DDOS attacks is negligence. The level of security the ISP must provide to meet its duty of care depends on the circumstances. One important aspect of the duty of care is a reasonable level of diligence applied to security measures. For example, ISPs will likely be expected to make use of current security technology and to apply reasonably effective security policies and practices. Failure to meet these expectations is likely to be viewed by courts as failure to meet the duty of care as to security. ISPs should strive to create a record of evidence demonstrating that their security policies, systems, and practices are consistent with best available technologies, strategies, and standards. In this way, ISPs can more effectively support an argument that they met their duty of care for security, and were not negligent in their conduct.

ISP Legal Defenses

Both contract law and tort law also provide protections for ISPs. ISPs can apply those legal theories to users of their networks, as well. ISPs can, and should, include conduct obligations in their service agreements with customers that require those customers to cooperate fully with the security measures employed by the ISPs. ISPs may also want to consider contract provisions requiring customers to implement reasonable defensive measures for their computers that reduce the risk that the customer equipment will be used, intentionally or unintentionally, to facilitate DDOS attacks. Failure by the customers to comply with those contract terms can create an enforceable breach of contract claim for the ISP, against the customer.

When there is a breach of contract, the innocent party (i.e., the non-breaching party) has a duty to try to minimize the harm it suffers as a result of the breach. In instances when an ISP may have breached contract obligations for security, ISP customers also have a duty to act reasonably to limit, or "mitigate," the damages resulting from the breach. Failure to cooperate with the ISP to mitigate damages arising from a DDOS attack can lead to a reduced level of compensation for the customer, even if a court finds that the ISP breached a material contract obligation.

Similarly, tort law recognizes that an injured party has obligations to act in ways that would minimize the likelihood and the impact of injuries suffered as a result of the conduct of the defendant. Thus, in a DDOS setting, a user of an ISP's services must cooperate with the reasonable efforts of the ISP to prevent the attack and to reduce the damages caused by a successful attack. That cooperation includes working with the ISP to stop an ongoing attack or minimize the damage it causes, and it may also include an obligation, upon request in advance by the ISP, to implement and maintain defensive measures that can reduce the risk of DDOS attack.

For example, an ISP may ask its customers to install software or adopt usage practices that make it more difficult for an unauthorized system user to commandeer the customer's computers as "zombies" for use in a DDOS attack. A system user who fails to cooperate with the ISP under those circumstances may find it is barred from recovering tort damages or may have its damage recovery reduced by the court in the event of a DDOS attack, based on the tort law theory of "contributory negligence" or "assumption of risk." These tort principles limit the ability of an injured party to recover compensation to the extent that conduct by the injured party contributed to the injury or to the extent that the injured party recognized the potential for injury in advance and affirmatively accepted the risk of injury. In a DDOS liability setting, these principles could come into play if a customer of an ISP did not follow the ISP's directions as to protective measures in advance of the attack, or it did not cooperate fully with the ISP's efforts to stop the attack once it was underway. If the conduct of the network user resulted in additional harm to the ISP, the ISP could have its own tort claim against the user for those damages.

To reduce their risk of tort liability from DDOS attacks, ISPs should establish clear expectations regarding system security for their customers, and the ISPs should implement security measures that make use of current best practices. Both the expectations and the security measures should be continuously monitored and updated to meet changing threats and evolving security capabilities. Liability risk can best be minimized if ISPs adopt reasonable preventative measures to block DDOS attacks, in addition to remedial systems that limit the scope of damage after an attack has occurred. Reasonable security measures are those that make use of best commercially accessible security technology, and are consistent with generally accepted industry standards and practices.

An increasingly popular legal theory applied by ISPs to protect their rights is traditional property law. Under this approach, the computer equipment owned by the ISPs and used by them to provide service is their property, and property law provides enforceable rights to protect that property. Property law recognizes the right of a property owner to control the terms of access to, and use of, his or her property. A party who makes unauthorized use of the property of another is liable for the legal claim characterized as "trespass to chattels." Clearly, an ISP would have enforceable property law claims against parties who engage in misuse of the ISP network, including those who initiate DDOS attacks. In addition, property law can provide enforceable rights against ISP customers who do not effectively cooperate with ISPs as they engage in reasonable efforts to prevent or to limit the effects of DDOS attacks. Customers of the ISPs are authorized users of the ISP property, but that authorization carries with it a duty to abide by the reasonable restrictions on use presented by the property owner, the ISP. Failure to abide by the use requirements imposed by the ISP can be a basis for a trespass to chattels claim against a system user who was originally an authorized user.

Conclusions

ISPs should recognize their obligations and their rights regarding security against DDOS attacks and other misuse of their networks. They should express clearly the security standards that they commit to meet and the conduct obligations they require of their customers. ISPs should develop and diligently work to meet the security standards they establish, and they should create and maintain a record of evidence documenting their compliance with those standards. Perhaps most important, they should continuously monitor advances in security technology and developments in security best practices, and modify their policies, systems, and practices to incorporate those advances. ISP security obligations continue to change over time, and failure to recognize and accommodate the dynamic nature of those obligations will significantly increase the risk of liability.

Additional Reading

Geng & Whinston, "Defeating Distributed Denial of Service Attacks" (2000)

Kenneally, "The Byte Stops Here: Duty and Liability for Negligent Internet Security" (2000)

Lawler, "Are You a Good Internet Neighbor" (2001)

Radin, "Distributed Denial of Service Attacks: Who Pays?" (2001)

Technologic Partners, "Giving DoS the Boot" (2001)

About the Author

Jeffrey H. Matsuura is a lawyer with the Alliance Law Group (www.alliancelawgroup.com), a law firm located in Virginia that specializes in legal issues associated with technology. Mr. Matsuura is co-author of the book, Law of the Internet, and he is the author of the books, A Manager's Guide to the Law and Economics of Data Networks and Security, Rights, and Liabilities in E-Commerce. He has served as an advisor on technology policy issues for the Virginia legislature and for the National Task Force on Knowledge and Intellectual Property Management. Mr. Matsuura has served as a member of the adjunct faculty of Capitol College, the University of Maryland, and the Northern Virginia Community College, where he has taught and lectured on the legal and business aspects of technology policy.




© 2002 Core Competence & Mactivity, Inc.