Liability and computer security

2007-09-25

in Economics, Geek stuff, Internet matters, Law, Security

One of the major points of intersection between law and economics is liability. By setting the rules about who can sue brake manufacturers, in what circumstances, and to what extent, lawmakers help to set the incentives for quality control within that industry. By establishing what constitutes negligence in different areas, the law tries to balance efficiency (encouraging cost-effective mitigation on the part of whoever can do it most cheaply) with equity.

I wonder whether this could be used, to some extent, to combat the botnets that have helped to make the internet such a dangerous place. In brief, a botnet consists of ordinary computers that have been taken over by a virus. While they don’t seem to have been altered, from the perspective of users, they can be maliciously employed by remote control to send spam, attack websites, carry out illegal transactions, and so forth. There are millions of such computers, largely because so many unprotected PCs with incautious and ignorant users are connected constantly to broadband connections.

As it stands, there is some chance that an individual computer owner will face legal consequences if their machine is used maliciously in this way. What would be a lot more efficient would be to pass part of the responsibility to internet service providers. That is to say, Internet Service Providers (ISPs) whose networks transmit spam or viruses outwards could be sued by those harmed as a result. These firms have the staff, expertise, and network control. Given the right incentives, they could require users to use up-to-date antivirus software that they would provide. They could also screen incoming and outgoing network traffic for viruses and botnet control signals. They could, in short, become more like the IT department at an office. ISPs with such obligations would then lean on the makers of software and operating systems, forcing them to build more secure products.

As Bruce Schneier has repeatedly argued, hoping to educate users as a means of creating overall security is probably doomed. People don’t have the interest or the incentives to learn, and the technology and threats change too quickly. To do a better job of combating them, our strategies should change as well.


{ 3 comments… read them below or add one }

R.K. September 25, 2007 at 11:50 pm

That is to say, Internet Service Providers (ISPs) whose networks transmit spam or viruses outwards could be sued by those harmed as a result.

How much would this increase the cost of web access for consumers?

Anon September 26, 2007 at 12:15 am

Click fraud is another notable use for botnets.

. September 28, 2007 at 5:01 pm

Tech.view

Virtually clean
Sep 28th 2007
From Economist.com

Putting a stop to online infection

“HACKING used to be done by kids for kicks or bragging rights. Nowadays, it’s big business for organised crime, often out of reach of the law, on the far side of the world. Connect an unprotected personal computer to the internet for more than 15 seconds and it will almost certainly be attacked by a virus or worse. That’s how ruthlessly effective the army of malicious robots, dispatched by criminals to scour the net for vulnerable computers, has become.

Security firms reckon some 2.3m “bots” are currently on the prowl. While suppliers of anti-virus (A-V) software have every reason to magnify the claim, the fact remains that only four out of five computers connected to the internet have A-V software installed. And less than half those have their software bang up to date.

Even among those that do, the software typically catches no more than 70% of the viruses, worms, Trojan horses and key-stroke loggers probing them continuously. Malware—MALicious softWARE designed to take over computers—mutates faster than A-V software. Insiders reckon protection is generally one to two months behind.”
