ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]

Owen DeLong owen at delong.com
Wed Jun 9 06:14:53 CDT 2010


On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> To cut through the noise and non-relevant discussion, let's see if we can
> boil this down to a couple of issues:
> 
> 1. Should ISPs be responsible for abuse from within their customer base?
> 
	Yes, but, there should be an exemption from liability for ISPs that take
	action to resolve the situation within 24 hours of first awareness (by
	either internal detection or external report).

> 1a. If so, how?
> 
	Unless exempt as I suggested above, they should be financially liable
	for the cleanup costs and damages to all affected systems.

	They should be entitled to recover these costs from the responsible
	customer through a process like subrogation.

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?
> 
	Absolutely, with the same exemptions specified above.

> 2.a If so, how?
> 
	See my answer to 1a above.

> I think anyone in their right mind would agree that if a provider see
> criminal activity, they should take action, no?
> 
Yes.

> If that also holds true, then why doesn't it happen?
> 
Because we don't inflict any form of liability or penalty when they fail to do so.

Owen





More information about the NANOG mailing list