NAS investigates networking security legal solutions

A possible solution to computer security vulnerabilities may be to widen the scope of parties that could be held liable for the damage they do, according to a report released by the National Academy of Sciences.

The report, however, did not advocate that additional parties, such as vendors or service providers, be held liable for any damage their computers, software or networks may cause, said Marc Zwillinger, who is one of the report's authors, as well as a partner with law firm Sonnenschein Nath & Rosenthal.

But NAS found that "the threat of liability does motivate actors, and there are a variety of additional actors upon whom liability could be placed," Zwillinger said in a briefing March 12.

Zwillinger said the companies the committee surveyed responded that they are not making investments in protective measures to secure computers, but would do so if held liable for being used by another party in a malicious act.

"The reason for the low investment is that it is not effective compared to the cost," he said.

Such systems are frequently used in network attacks, such as denial of service attacks, which use unsecured computers to bring down Web sites. Improperly patched database servers also spread viruses, such as the Slammer virus that infected the Internet earlier this year. Thus far, the law hasn't addressed liability in these circumstances as it has in other areas. Zwillinger used the example of a landlord, who when renting a property has legal responsibilities for which he is liable. But such responsibilities are not so clear in network security.

Zwillinger said there are computer crime statutes and federal and state laws that cover cyberspace, as well as torts brought about from intentional wrong acts or negligence.

"If you break into a computer system for any purpose, say to commit fraud or cause damage to the systems, you are violating federal statutes," Zwillinger said.

However, the parties whose equipment was used in an illegal act, such as those who own systems or produce systems, are rarely prosecuted, in part because it is hard to prove negligence.

"We've seen very little litigation over unsecured computer systems," Zwillinger said.

The report, "Critical Information Infrastructure Protection and the Law: An Overview of Key Issues," was released this month by NAS' Computer Science and Telecommunications Board for the National Academy of Engineering.

The authors outlined the legal and business issues of protecting information infrastructures, with the goal of finding ways to use criminal and liability laws to improve network security. They also looked at how antitrust laws and the Freedom of Information Act affect corporations' willingness to help the government in securing the national infrastructure through sharing of information.

The National Academy of Sciences was established by Congress in 1863 to advise the government in scientific and technical matters.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
