Subscribe via RSS
Archives by Date
June 2009
May 2009
April 2009

See all Archives
Archives by Category
'Canes
Afghan Update
Ammo and Munitions
Armor
Around the Globe
Av Week Extra
Axe in Iraq (and Elsewhere)
Bizarro
Blimps
Blog Bidness
Body Armor Blues
Bomb Squad
Brownshoes in Action
Bubbleheads, etc.
Cammo Green
Catch the "Buzz"
Chem-Bio
Civilian Apps
Cloak and Dagger
Commandos
Comms
Contingency Ops
Cops and Robbers
Cyber-warfare
Data Diving
Defense Tech Poll
Defense Tech Radio
Dissent Tech
Door Kickers
Drones
DT Administrivia
Eat DT's Dust
Extra! Extra!
Eye on China
Fast Movers
FCS Watch
Fire for Effect
FOS Files
Friday Funnies
Gadgets and Gear
Going Green
Grand Ole Osprey
Ground Vehicles
Guns
Homeland Security
In the Weeds with Eric
Info War
Iraq Diary
Jarhead Jazz
JSF Watch
Just War Theories
Lasers and Ray Guns
Less-lethal
Logistics
Los Alamos and Labs
M4 Monopoly
Medic!
Mercs
Missiles
Money Money Money
Most Wanted
MRAP Edge
Net-Centric
Nukes
Old Skool
Our Shrinking Planet
Planes, Copters, Blimps
Podcast
Politricks
Polmar's Perspective
Popular Mechanics
Rapid Fire
Raptor Watch
Red Team
Retro-Futuro
Robots
Roll Your Own
Sabra Tech
Ships and Subs
Snipertech
Soldier Systems
Space
Special Ops
Star Wars
Strategery
Stray Trons
Tactical Development
Terror Tech
The Deadlies
The Defense Biz
The Peoples' Site
The Sunday Paper
The Tanker Tango
The View from Av Week
Those Nutty Norks
Training and Sims
Trimble on the Case
Video Lounge
War Update
Ward'z Wonderz
You can run...

See all Archives
Newsletters

Edited by Christian Lowe | Contact

Legal Risk of Cyber Outage

gavel2.jpg

New analysis indicates that critical infrastructure operators are ill prepared to deal with cyber attacks. That reinforced the Government Accountability Office (GAO) report earlier this year that found Tennessee Valley Authority, the nation's largest public power company serving over 8.7 million people, is vulnerable to cyber attacks. One just released study asked respondents to indicate the state of readiness to defend against IT threats in eight different industries. The results showed that 50 percent of respondents said that utilities, oil and gas, transportation, telecommunications, chemical, emergency services and postal/shipping industries were not prepared. The energy sector emerged as the most vulnerable target. So it is no wonder the Department of Homeland Security (DHS) is once again moving to address the threat to our nation's critical infrastructure.

DHS is looking for public input as it prepares for next year's release of a revised version of the National Infrastructure Protection Plan (NIPP), thus updating the 2006 version of the plan. The federal government has sought to actively engage the private sector in a number of industries to address the threat of cyber attacks. Originally, the federal government identified seventeen critical infrastructure areas and designated federal agencies to be in charge of creating plans as well as overseeing collaborative efforts to protect those areas. It should be noted that earlier this year DHS announced that it also had designated critical manufacturing as an additional sector.

One industry insider speaking to me on the promise of anonymity said: "Utility executives are not going to spend money on defending their systems against cyber attacks. When they do, they decrease the financial performance of the company and that subtracts from the executives bonuses." So is this yet another group of businesses that are going to the Federal Government looking for a hand out?

Cyber attacks against utilities are just not theoretical, they are real. Earlier this year there were dozens of reports that stated CIA senior analyst Tom Donohue told a gathering of 300 US, UK, Swedish and Dutch government officials, engineers and security managers from electric, water, oil & gas and other critical industry asset owners that "Cyber Attack Caused Multi-City Power Outage." Cyber attacks against utilities are now a foreseeable risk.

Foreseeable Risk and Threats - (a legal term) - A danger which a reasonable person should anticipate. Foreseeable risk is a common affirmative complaint put up in lawsuits for negligence (a tort).

We sought out a legal opinion and got one.

"The significant media attention being given to the threat of cyber attacks, as well as the fact that a number of high ranking government officials have warned about this threat, suggest that corporations have a duty to assess their exposure to this risk and create a cyber risk mitigation strategy. Failure to do so could constitute negligence due to the fact that in this day and age, cyber attacks are reasonably foreseeable," said Attorney Fred Rice specializing in corporate legal issues.

FACT: Tort litigation costs have reach nearly $300 billion annually.

But how far could the legal action go? I posed the following scenario to Edward Maggio, professor of criminal justice at the New York Institute of Technology. Scenario: A cyber attack directed against an electrical utility causes a power spike and outage. The spike and outages damage a piece of life support equipment resulting in the death of a patient relying on the device.

Given the above scenario, if the electrical utility did not take appropriate action to protect against such attacks, could the utility be held accountable?

"While culpability for the impact resulting from cyber attacks is a somewhat uncharted area of law, legal action against a power utility will be based on negligence. It is likely that hackers who engage in successful cyber attack against a power utility have likely made previous attempts against a chosen target. Such previous attempts would serve as evidence that a power utility had a duty to mitigate and protect itself from cyber attacks," Maggio said.

It is clear that any utility that fails to appropriately plan for or respond to the increased threat of cyber attacks are failing in their duty to protect the general public. Anyone harmed as a result of a cyber attack against a utility may have cause of action (lawsuit) when they were harmed due to the power utility's failure to increase its cyber security he went on to explain.

Will it take a major cyber attack with litigation before the necessary steps are taken to protect our critical infrastructure? It sure looks that way.

-- Kevin Coleman
November 17, 2008 02:15 PM | Cyber-warfare |  Bookmark and Share

Comments

ohwilleke

It can be both a DoD and DHS issue!

Posted by: Kevin at November 18, 2008 07:27 PM


Wouldn't this be a Homeland Security issues rather than a DOD issue?

Posted by: ohwilleke at November 18, 2008 11:05 AM


Chaimss

The Airforce got ahead of themselves on establishing a cyber command. At one point we had four being established and Sec Gates said enough and gave the planning and overall control to U.S. Strategic Command.

Posted by: Kevin at November 17, 2008 09:59 PM


My biggest question is why the AFCoS just downgraded Cyber Command to an NAF when it obviously needs to be seen as a greater responsibility.

Posted by: Chaimss at November 17, 2008 07:08 PM


Yes, I truly believe it will take a major incident before companies, especially utilities, think seriously about cyber security.

I have worked in the oil and gas industry and cyber terrorism is talked about as much as executives taking voluntary pay decreases...

In the early 90's many telecomm systems and even a dam were compromised by a hacker. He was known for his persistence, spending endless hours attacking again and again until he compromised a system, and then he moved on. He could have caused a lot of damage if he wanted to. The FBI finally caught up with him and found that he was a 20ish year old kid who had mental issues. I don't even think they brought charges against him, due to his mental condition and the FBI's fear of the public response.

Posted by: Ptsfp at November 17, 2008 04:54 PM


Another key doctrine of tort law is the notion of a superceding intervening cause.

In English, if the primary reason that you did something bad was a criminal act, you may be off the hook for liability, or you may be responsible for only a small percentage of the harm. A criminal act is a bit like a tornado, it may be foresseable, but a utility company if rarely held rsponsible for harm attributable to it.

Also, the precise type of attack matters. Could someone hack directly into shuting down the grid on an unsecure internet site? What if the attack was accomplished by sending a fake but real looking e-mail from the Director of Operations stating that due to a problem somewhere else that the human being on sight had to shut down the grid? In the e-mail case, liability may hinge on how reasonable it was for the employee to believe the e-mail under the circumstances.

In cases of collateral damage (like a patient dying in a hospital, or lost work from a bronwed out computer), one has to consider that a power company generally doesn't promise to provide, or have a legal duty to provide, power 24 hours a day without interruption or brown out, something that happens for reasons from bad equipment to bad weather. Typically, in really mission critical applications that require continuous power supply, the duty to prepare for interruptions is the consumers -- hospitals must have backup power for an ICU, computer users are expected to buy a UPS and backup often. Nobody sued the power company for failing to keep power on during Hurricane Katrina, even though some of the harm came from lack of power, rather than from direct impact from storm winds or flying debris.

Also, take that $300 billion figure with a grain of salt. The figure includes not just the dead weight loss of the tort system (legal costs, etc.), but also compensation paid by someone who caused to harm to someone injured by the negligent person's act. Those parts of the cost of the tort system are really costs of the incidents, and not the tort system itself. The question is who will bear those costs, the injured person or the person who caused the harm. Transferring responsiblity to the person who caused the harm from the person who suffered it is economically efficient in almost every legitimate economic model, unless litigation costs grow too larger relative to the transfer.

Posted by: ohwilleke at November 17, 2008 02:59 PM


Post a comment




Remember Me?


Please enter the code as seen in the image below to post your comment.