NAS investigates networking security legal solutions

A possible solution to computer security vulnerabilities may be to widen the scope of parties that could be held liable for the damage they do, according to a report released by the National Academy of Sciences.

The report, however, did not advocate that additional parties, such as vendors or service providers, be held liable for any damage their computers, software or networks may cause, said Marc Zwillinger, who is one of the report's authors, as well as a partner with law firm Sonnenschein Nath & Rosenthal.

But NAS found that "the threat of liability does motivate actors, and there are a variety of additional actors upon whom liability could be placed," Zwillinger said in a briefing March 12.

Zwillinger said the companies the committee surveyed responded that they are not making investments in protective measures to secure computers, but would do so if held liable for being used by another party in a malicious act.

"The reason for the low investment is that it is not effective compared to the cost," he said.

Unsecured systems are frequently used in network attacks, such as denial-of-service attacks, which use unsecured computers to bring down Web sites. Improperly patched database servers also spread viruses, such as the Slammer virus that infected the Internet earlier this year. Thus far, the law hasn't addressed liability in these circumstances as it has in other areas. Zwillinger used the example of a landlord, who when renting a property has legal responsibilities for which he is liable. But such responsibilities are not so clear in network security.

Zwillinger said there are computer crime statutes and federal and state laws that cover cyberspace, as well as torts arising from intentional wrongful acts or negligence.

"If you break into a computer system for any purpose, say to commit fraud or cause damage to the systems, you are violating federal statutes," Zwillinger said.

However, the parties with equipment that was used in an illegal act, such as those who own systems or produce systems, are rarely prosecuted, in part because it is hard to prove negligence.

"We've seen very little litigation over unsecured computer systems," Zwillinger said.

The report, "Critical Information Infrastructure Protection and the Law: An Overview of Key Issues," was released this month by NAS' Computer Science and Telecommunications Board for the National Academy of Engineering.

The authors outlined the legal and business issues of protecting information infrastructures, with the goal of finding ways to use criminal and liability laws to improve network security. They also looked at how antitrust laws and the Freedom of Information Act affect corporations' willingness to help the government in securing the national infrastructure through sharing of information.

The National Academy of Sciences was established by Congress in 1863 to advise the government in scientific and technical matters.