ISP Responsibilities [WAS: Re: Nato warns of strike against cyber attackers]

Owen DeLong owen at
Wed Jun 9 11:14:53 UTC 2010

On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:

> To cut through the noise and non-relevant discussion, let's see if we can
> boil this down to a couple of issues:
> 1. Should ISPs be responsible for abuse from within their customer base?
	Yes, but there should be an exemption from liability for ISPs that take
	action to resolve the situation within 24 hours of first awareness (by
	either internal detection or external report).

> 1a. If so, how?
	Unless exempt as I suggested above, they should be financially liable
	for the cleanup costs and damages to all affected systems.

	They should be entitled to recover these costs from the responsible
	customer through a process like subrogation.

> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?
	Absolutely, with the same exemptions specified above.

> 2.a If so, how?
	See my answer to 1a above.

> I think anyone in their right mind would agree that if a provider sees
> criminal activity, they should take action, no?

> If that also holds true, then why doesn't it happen?
Because we don't inflict any form of liability or penalty when they fail to do so.

