William Jackson | Rx for cybersecurity: Let the user beware?
- By William Jackson
- Dec 21, 2007
Cybereye columnist William Jackson
If you are looking forward to finding a new PC under the tree Christmas morning, here is a sobering thought to consider while setting up your high-speed Internet connection. Estonia's defense minister recently floated the idea that legal liability could be a helpful tool for ensuring some minimum standards for security by end users.
What does the Estonian minister of defense have to do with your computer? Ask, rather, what your computer has to do with Estonia. Last spring, the Baltic country became the first to experience a nationwide online attack, with traffic volumes 400 times greater than normal interrupting service to government Web sites, online news services and online banking. Defense Minister Jaak Aaviksoo estimated financial damage at $1 million to $5 million.
Aaviksoo said the attacks appeared to have been coordinated and financed by 'our big neighbor.' (Hint: Russia.) But the traffic came from a botnet of as many as 1 million compromised computers in 50 countries worldwide. He estimated that as many as 100,000 of those computers could have been in the United States.
In a talk at the Center for Strategic and International Studies in Washington, he called for more cooperation on cybersecurity at national and international levels. But he also speculated about what it might take to improve security at the individual level.
Millions of computers worldwide have been quietly infected by malicious code, putting them under the control of a herder who can organize them into botnets and rent them out for nefarious purposes at 10 to 50 cents each. The user continues to surf the 'net, unaware that his computer is spewing spam and attack packets or hosting embarrassing or illegal files.
Ignorance might be bliss for the user, but it is a major headache for those on the receiving end of the attacks.
What is the responsibility of the user in ensuring a healthy Internet ecosystem? The technology and information exists to provide pretty good security for PCs, but awareness and will often are lacking. Maybe a dose of liability could help cure that.
After all, firearms and automobiles are regulated. Manufacturers are required to include minimum levels of security in the form of seatbelts, airbags and safety catches. Owners are expected to exercise a level of responsibility in using these products. If they do not, they can be held liable for damage they cause. Even swimming pools pose a liability for owners if not properly protected. Why not minimum security requirements for PCs, Aaviksoo asked, with appropriate liability for those who fail?
'The question so far is unanswered,' he said. 'It is all speculative so far.'
There are some obvious difficulties with the idea. With a gun or a car, for instance, there usually is a one-to-one relationship between the instrument and the damage. One car runs into yours, or one gun shoots you, giving you a clear target for assigning liability. But what do you do if there are a million computers attacking you? Sue each owner for $1 apiece? That's not very practical. And there is the question of deep pockets. A driver might well be a deadbeat, but his insurance company can afford to pay me millions if his car puts me in the hospital. Who is insuring the security of computers?
But if the notion of legal liability for individual users has problems, some requirements for a minimum level of security make sense. The technology exists, already built into many operating systems and applications. Antivirus and firewalls come loaded onto many PCs out of the box, and service providers can filter traffic coming from and going to those computers.
Regulation is a slippery slope, and enforcement is so complex that it could be more trouble than it is worth. But if end users and service providers do not consistently adopt best security practices on their own, those damaged by their negligence might come in search of deep pockets.
William Jackson is a Maryland-based freelance writer.