[126940] in North American Network Operators' Group
Re: ISP Responsibilities [WAS: Re: Nato warns of strike against cyber
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jun 9 07:18:09 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTilfdVSK16_rvrgfbEhZXHoQ19JjZ-jq4rH8pbys@mail.gmail.com>
Date: Wed, 9 Jun 2010 04:14:53 -0700
To: Paul Ferguson <fergdawgster@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 8, 2010, at 11:14 PM, Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> To cut through the noise and non-relevant discussion, let's see if we can
> boil this down to a couple of issues:
>
> 1. Should ISPs be responsible for abuse from within their customer base?
>
Yes, but, there should be an exemption from liability for ISPs that take
action to resolve the situation within 24 hours of first awareness (by
either internal detection or external report).
> 1a. If so, how?
>
Unless exempt as I suggested above, they should be financially liable
for the cleanup costs and damages to all affected systems.
They should be entitled to recover these costs from the responsible
customer through a process like subrogation.
> 2. Should hosting providers also be held responsible for customers who
> abuse their services in a criminal manner?
>
Absolutely, with the same exemptions specified above.
> 2.a If so, how?
>
See my answer to 1a above.
> I think anyone in their right mind would agree that if a provider sees
> criminal activity, they should take action, no?
>
Yes.
> If that also holds true, then why doesn't it happen?
>
Because we don't inflict any form of liability or penalty when they fail
to do so.
Owen