As I write this article in mid-February 2000, Internet users are suffering the consequences of distributed denial-of-service (DDoS) attacks on several major e-commerce sites. These attacks involved two types of victims: the initial and the final.
The final victims are the sites receiving a flood of fraudulent and useless packets that can crash servers and saturate inbound bandwidth.
Amazon, Buy.Com, CNN and eBay users experienced serious delays in getting service from these Web sites. Investors in these companies' shares may have lost over a billion dollars in paper value of their stocks.
However, the floods of packets originate from hundreds of other victims whose integrity has been compromised by criminal hackers. The DDoS attacks involve tools such as trin00, Tribe Flood Network (TFN), Stacheldraht and TFN2K, widely available on the Internet due to the irresponsibility and stupidity of programmers with less social conscience than the average bacterium. In each case, the criminal hacker takes as long as required to break into ill-secured computer systems to install programs known as soldiers or as slaves. These slave programs respond to instructions sent in encrypted form from a master program directly under the control of a criminal hacker. The slaves serve as amplifiers for the denial-of-service attacks, allowing criminal hackers to put together an unauthorized parallel-processing system to abuse their victims.
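As an added defensive example (not from the article), the following Python check runs over constructed flow records and flags an internal host that is behaving like an implanted DDoS slave. Because the master-to-slave commands are encrypted, it ignores payloads and keys on sustained outbound packet volume toward a single destination; the record layout, the 10.0.0.0/8 internal range and the thresholds are assumptions.

```python
import ipaddress

# Assumed: our address space, and flow records shaped (second, src_ip, dst_ip, dst_port, packets).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample records. 10.0.0.5 is ordinary traffic; 10.0.0.7 plays a slave,
# emitting a sustained burst at one external address (a first-line victim's view).
FLOWS = [
    (0, "10.0.0.5", "198.51.100.10", 80, 12),
    (1, "10.0.0.5", "198.51.100.10", 443, 9),
    (2, "10.0.0.5", "198.51.100.20", 25, 3),
    (0, "10.0.0.7", "203.0.113.9", 80, 4000),
    (1, "10.0.0.7", "203.0.113.9", 80, 4200),
    (2, "10.0.0.7", "203.0.113.9", 80, 3900),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def aggregate_outbound(flows):
    """Sum packets per (src, dst) pair leaving our network; track first/last second seen."""
    stats = {}
    for sec, src, dst, _port, pkts in flows:
        if not is_internal(src) or is_internal(dst):
            continue  # only traffic that leaves our network can hit an outside victim
        e = stats.setdefault((src, dst), {"packets": 0, "first": sec, "last": sec})
        e["packets"] += pkts
        e["first"] = min(e["first"], sec)
        e["last"] = max(e["last"], sec)
    return stats

def suspect_slaves(flows, threshold_pps=1000, min_seconds=2):
    """Return [(src, dst, packets_per_second)] for hosts flooding one destination.

    Control traffic is encrypted, so this check never inspects content: a slave shows
    up as an internal host sustaining a high outbound rate to a single target.
    """
    hits = []
    for (src, dst), e in aggregate_outbound(flows).items():
        seconds = e["last"] - e["first"] + 1
        pps = e["packets"] / seconds
        if seconds >= min_seconds and pps >= threshold_pps:
            hits.append((src, dst, round(pps, 1)))
    return sorted(hits, key=lambda h: -h[2])

if __name__ == "__main__":
    for src, dst, pps in suspect_slaves(FLOWS):
        print(f"possible DDoS slave: {src} -> {dst} at {pps} packets/s")
```

On the sample above only 10.0.0.7 is reported; raising the threshold above its rate clears the list, which is the knob a site would tune against its own baseline.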
Tracing an attack back to one of the slaves is not much of a problem; however, going back to identify the person who installed the slave programs is very difficult. So far, there is no news from law enforcement officials, including the FBI, of any arrests; however, the usual rag-tag band of lunatics has crawled out of the woodwork to claim responsibility for this disruption of Internet commerce. Some of these fools have even claimed a political agenda; supposedly spewing useless packets at their victim is a demonstration of their feelings about the commercialization of the Internet.
But regardless of who is causing these DDoS attacks, there's an issue that has concerned security specialists and tort lawyers for many years: the question of whom to sue for damages when an attack is launched from a site that has itself been victimized by criminal hackers.
Now, I am not a lawyer, and this article is not legal advice; for legal advice, consult an attorney qualified to discuss tort law. That said, I have been following cyberspace law developments for a long time. At several professional meetings, I have heard attorneys specializing in the law of cyberspace discuss the concept of downstream liability in hacking incidents. Simply put, whom would you rather sue: some impecunious wretch sitting in a basement cackling over his latest DDoS attack, or a real business with assets? In my opinion, if DDoS attacks become a significant impediment to e-commerce, there are bound to be lawsuits against the owners and administrators of the first-line infected hosts harboring the DDoS slaves. I guess that the argument presented by tort lawyers will be that the DDoS slave-infected systems demonstrate contributory negligence by the people who ought to have secured their systems so that the slaves could not have been implanted in the first place. Conceivably, a victim might sue all of the hundreds of infected sites in the hope of collecting settlements or awards from several of them.
What arguments would the plaintiffs' attorneys use in laying blame on the first-rank victims? A strong case could be made using expert witnesses who would show that the vast majority of security breaches on sites linked to the Internet derive from out-of-date software and from inadequately configured defenses. The witnesses would testify that fixes for well-known vulnerabilities have been available for years at no cost from software manufacturers, from security firms, and from volunteers freely exchanging solutions. If subpoenaed, some of the network administrators from the slave-infested sites would testify that they knew their sites were vulnerable and knew where to get the fixes, but they just didn't have time to get the fixes installed. At that point, a clever attorney would ask, "Why not?"
Why not? Because there are well-known, respected firms where a single overworked network administrator is responsible for hundreds or even thousands of nodes with capital value estimated in the million-dollar range; where despite regular pleas from desperate people trying to get their work done, managers consistently refuse to allocate adequate resources to develop and implement sound security policies.
And why would anyone be stupid enough to leave their production systems unprotected against obvious threats in today's Internet environment? Because today's business culture has allowed managers with no sense of human decency to focus on the quarterly bottom line to the exclusion of long-term success for their employers. We have seen in these last ten years a pernicious instrumental exploitation of human beings for short-term gain; managers whose primary focus is on looking good by keeping the quarterly profits high have put off expenditures that have no obvious profitability when measured in the short term. Investing in security is difficult to justify in purely economic terms anyway; we lack adequate actuarial information for normal risk-management methodologies. Worse still, because the threats come from a pathological subculture that modifies the threats all the time rather than coming from insensate natural forces, spending money on known solutions does not guarantee complete safety. Combine this uncertainty with a culture that treats people as fungible and you get managers who move from job to job like vultures moving from cadaver to cadaver. Why risk your reputation by spending money on security if you plan to be gone next year after you cash in your stock options?
And so we are back to downstream liability. If it makes sense to sue the organizations whose computer systems harbor slave programs for contributory negligence rather than to pursue the hackers who infected them, doesn't it make sense to sue the managers who decided to leave their systems inadequately secured rather than pursue the network administrators who tried and failed to do their job in the face of managerial malfeasance?
M. E. Kabay, PhD, CISSP is Security Leader in the INFOSEC Group of Adario; he can be reached by e-mail at [email protected] and by phone in his Vermont office at 802-479-7937.