I've been thinking about this story over the morning and, no matter how I look at it, it seems like a pretty bad idea. A New Scientist article has a lawyer/professor calling for ISPs to be liable for distributed denial of service (DDoS) attacks emanating from their networks:
Internet service providers (ISPs) should be made legally liable for the damage caused by "denial of service" (DoS) attacks carried out via their networks, a leading internet lawyer says.
At a conference called Blocking Denial of Service Attacks on the Internet, to be held in London on 13 November, Lilian Edwards, an internet lawyer based at the University of Southampton, UK, will argue that legal measures must be taken if these attacks are to be stemmed. Edwards notes that ISPs currently have no legal obligation to check data relayed to and from internet users. She thinks, however, that governments could require them to do so.
Where to begin? Let's start with the fact that once you accept a government mandate that ISPs are somehow responsible for some harmful traffic (DDoS packets), what's to stop ISPs from being held responsible for all harmful traffic, such as the transmission of (wait for it…wait for it…) child pornography (that's right, I'm doing this for the kids)? Furthermore, the definition of "harmful" is important. I think traffic on peer-to-peer network protocols should be treated by default as benign, but I'm sure Big Content would think otherwise. How about "hate literature," or propaganda from the terrorist enemy of the day? You see where I'm going with this: the ISP marketplace can only function if the job (as defined by the government) is that of a neutral carrier of traffic, shuffling every packet with equal disinterest.
Moreover, the marketplace is actually fielding the kind of services Ms Edwards describes. Both AT&T and Verizon, to cite just two examples, tout security in their backbones, including the ability to detect and defuse DDoS attacks before they hit their customers' network gateways. DDoS attacks are, ultimately, an economic problem—they degrade network performance, and can halt online business—and the victims can and should treat them as a business risk to be mitigated through technological means. There are plenty of ways for them to do so without the government mandating that ISPs carry the bag.
It's a curious choice of target for the involuntary assignment of liability and risk transfer. Surely the ISPs of the world aren't the most responsible party in a DDoS attack? What of the companies who provide vulnerable operating systems? The customers who misuse, misconfigure, or undermaintain those systems, making them ideal zombie targets? ISVs whose software defects render systems vulnerable? And, of course, we have the criminals conspiring to commit these crimes themselves. There's enough blame to go around that it seems strange to focus the blunt instrument of government regulation on ISPs in particular.
Tags: DDoS, ISP, liability, regulation, security