The US inflated the $700,000 bill for damages it slapped on UFO hacker Gary McKinnon by stuffing it with costs incurred for patching the gaping holes the hacker had exposed in its computer security, according to a document filed with the Supreme Court.
The US had not taken reasonable steps to protect its security and now expects McKinnon to pick up the bill, said an expert witness statement made in McKinnon's ongoing appeal against a US extradition order.
Peter Sommer, professor of security at the London School of Economics, said damage assessments of computer security breaches should consider "whether the victims have taken reasonable steps to limit the damage".
Now, I've not seen the details of the US damages bill but I have seen lots of guesstimates of clean-up costs after security breaches - $700k doesn't seem too bad in comparison with the hideous over-estimates for virus damages - if you think about it in purely work-terms, it is a less than 3 man years for a medium-grade consultant. Add in opportunity costs for your normal IT geekery and you could easily get to a large figure. Remember that it is not just the 97 computers that he got in to but you also have to check the others to see whether or not he had been at or into those.
However, we then have our colonial colleagues disagreeing:
But security experts in the US said McKinnon should be liable for the full $700,000 of security checks performed in his wake.
Professor Eugene Spafford, founder of the Center for Education and Research in Information Assurance and Security at Indiana's Purdue University, said the victim of a cybercrime should not take the blame. If someone broke a door to rob a store, he said, it was usual to charge them the cost of the door.
Anthony Reyes, a former cybercrime detective who helped develop the US Cyber Counter Terrorism Investigations Program, said, "Just because security is weak, it doesn't give you a red flag to go into a computer system and start browsing around."
Spaff, a famous and capable security academic, however seizes the wrong analogy. If somebody opens an unlocked door to rob a store, it would be unusual to charge them for fitting an additional lock.
Reyes, who I have never heard of, is entirely accurate and completely irrelevant. I don't think that anybody is arguing that McKinnon did not do anything 'wrong'. (Ed notes: There are technical arguments as to whether what he did was illegal under the precise wording of various statutes - but what he did was illegal under the UK Computer Misuse Act where it is the unauthorised access that is illegal, regardless of the method you used to gain it, although the latter may be an additional offence.) The question at point is two-fold:
- How much of the $700k claimed is for work that the DoD should have done regardless of McKinnon's intrusion? To look at Spaff's analogy - if somebody opened an unlocked door and, with the investigation, you realised that you only had a three-lever mortice on it, should they be charged for the five-lever lock?
- Secondly, how much of the costs actually incurred should be mitigated because the DoD were negligent in their basic Information Assurance? To look at the insurance example - your contents insurance will have a clause in it about the house being unoccupied for an extended period, because this increases the risk. I am not a lawyer, and certainly not an American one, so I have no idea how this actually plays in the context of a criminal breach of US law. Badly, I suspect.