Don’t rely on a firewall to keep you out of court if you’re involved in a hacker’s attack, legal experts say. If you become the inadvertent host of a distributed denial of service (DDoS) attack, be prepared for tough questions about what you did to protect your system.

The New York Law Journal recently asked specialists in computer law if distributed attacks like those seen in February could lead to negligence suits against the systems that hosted the attacks. Their unanimous verdict: Yes.

And don’t expect February’s distributed denial of service attacks on eBay, Yahoo!, and other big-name companies to be the last you hear about DDoS attacks. Companies are finding the agents for a DDoS attack lurking on their systems nearly every day, according to the CERT Coordination Center, a research and response program located at Carnegie Mellon University in Pennsylvania.

Are you a risk taker?
What can CIOs, CTOs, and other high-level executives do to stay out of court?

The first step is to understand why you could be held legally accountable for someone else’s actions.

David Loundy is an adjunct Cyberspace law professor at John Marshall Law School in Chicago. In a recent interview, he explained the legal basis for a possible DDoS-related lawsuit.

“If you get sued, the argument is going to be that you had a duty to protect this information and you breached that duty. What hasn’t been decided yet is what is the duty,” Loundy said. “The concern is going to be that you are causing me damage as a result of your lack of action.”

The current standard has been a firewall, but if legal challenges arise, expect judges to question whether your company should have taken other steps, Loundy said. The courts may ask if you kept your software updated and if you were aware of common types of hacking.

But a bigger issue, according to Loundy, is whether you’re legally obligated to provide logs and other information that could trace the hacker.

“I have clients who were attacked in the past. The people who were involved seemed to know it wasn’t the fault of the people who were staging the attacks,” he said. “The bigger concerns end up getting into the privacy area.”

Jed Pickel, a technical coordinator for the CERT Coordination Center, said CIOs and other high-level tech executives should address Internet-related security issues before an attack happens.

“It’s a matter of risk management. How much risk are you willing to tolerate,” Pickel said. “Not paying proper attention to security could have financial and legal impacts.”

Pickel said CERT, which monitors Internet security, regularly receives reports from companies who find distributed programs lurking on their systems. The agents aren’t always aimed at denial of service attacks, he said. Distributed software is also being used to disseminate sniffers across the Internet. Sniffers extract sensitive data from servers and return the information to the hacker.

The DDoS attack is just one example of the security weaknesses on the Web.

“What this kind of attack points out is that security on the Internet is dependent upon things outside your control. It’s dependent on other people’s security,” Pickel said.

What should you do?
Loundy advises his clients to take reasonable precautions for the circumstances. At a minimum, you should install a firewall, monitor bug fixes, and keep your software up-to-date. But if you’re hosting information that is especially valuable, he advises additional steps.

“If you are an online banking institution, you’re going to want to have very good security, you’re going to make sure that you’re monitoring for bug fixes, you’re probably also going to want to hire someone to break into your system and tell you about any vulnerabilities they find,” he said.

In November, CERT hosted a conference with 30 international security experts to determine the best method for dealing with distributed systems.

“From a management perspective, it’s realizing that allocating some money to do that may save you money in the long run,” Pickel said.

Here are a few of the CERT recommendations for CIOs and other tech managers:

  • Require security briefings from your staff.
  • Talk with your company’s lawyer immediately about limiting liability.
  • Give your staff the time and resources they need to make security a priority.
  • Establish who is responsible for enforcing security standards, cutting off users when accounts have been compromised and disconnecting uncontrolled Internet connections.
  • Communicate security plans and issues to other managers.
  • Budget for security; this is not a part-time job. Consider the cost of a salary versus the costs of a court case.
  • Work with other organizations to promote Internet security.

The full report from CERT’s November 1999 conference is available online. The report outlines the steps that executives, systems administrators, ISPs, and response teams can take to prevent and halt distributed systems attacks.
Come together…Over IT
Cyber attacks and other forms of computer-related crime are a growing threat. On May 22, the Computer Security Institute released its “2000 Computer Crime and Security Survey.” Ninety percent of survey respondents had detected a computer security breach within the past 12 months.

While statistics on the distributed denial of service attacks were not available, CSI’s director, Patrice Rapalas, said 158 respondents identified denial of service attacks. Financial losses from computer breaches are increasing, too. Seventy-four percent reported financial losses totaling more than $265 million.

The IT community should not wait for the courts to solve this problem for them, Loundy said.

“There needs to be more industry cooperation,” he said. “Without sharing of information and [being] willing to help each other, the legal system simply cannot catch up. It’s too slow and cumbersome to be able to address the attacks as they’re happening.”
If a hacker used your system for an attack today, would you be ready? What type of policies do you have in place for protecting against hackers and lawyers? What else do you think should be done? E-mail us your thoughts or post a comment below.