ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]
Owen DeLong
owen at delong.com
Wed Jun 9 11:14:53 UTC 2010
On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> To cut through the noise and non-relevant discussion, let's see if we can
> boil this down to a couple of issues:
>
> 1. Should ISPs be responsible for abuse from within their customer base?
>
Yes, but, there should be an exemption from liability for ISPs that take
action to resolve the situation within 24 hours of first awareness (by
either internal detection or external report).
> 1a. If so, how?
>
Unless exempt as I suggested above, they should be financially liable
for the cleanup costs and damages to all affected systems.
They should be entitled to recover these costs from the responsible
customer through a process like subrogation.
> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?
>
Absolutely, with the same exemptions specified above.
> 2.a If so, how?
>
See my answer to 1a above.
> I think anyone in their right mind would agree that if a provider see
> criminal activity, they should take action, no?
>
Yes.
> If that also holds true, then why doesn't it happen?
>
Because we don't inflict any form of liability or penalty when they fail to do so.
Owen
More information about the NANOG
mailing list