I wrote this column back in early 2000. It all rings so true today! I thought it was worth republishing.
Unless you've spent the last few weeks in a cave, you've heard a lot about Yahoo, Buy.com, Cnn.com, eBay, E*Trade, Amazon, MSN.com, ZDNet, and others being brought down by hack attacks.
The doomsayers are predicting continuing calamity for the Net and the end of the e-commerce explosion. I say, "No way." I wish that they'd go back to hunting for Elvis (who I hear lives in a villa in Argentina with Franco and JFK).
Now that I've bashed the doomsayers, I will say that they'll be proved right if we ignore the troubling problems raised by the recent attacks. Businesses and governments will just have to spend more money to protect themselves. There really is no other answer.
How Embarrassing
The nature of the Net is such that hack attacks have the potential to originate from anywhere in the world. This makes the FBI, rather than any local police force, the obvious police agency to take the lead in dealing with these attacks.
You know that things are just a bit out of control when the FBI becomes the victim, as it was just last month. It turns out that the FBI had to shut down its website for several hours when it fell victim to the same type of attack as the one that brought down the brand name websites.
I would imagine that bragging rights were the motive for the attack, but it does illustrate that you must make computer security a priority. No website is immune from attack.
The attack on the FBI came just after the FBI proposed dealing with hackers as information-age organized criminals under Federal racketeering laws. These laws have traditionally been used to combat organized crime and drug cartels.
Quick support for the harsh punishment came from Sen. Kay Hutchison (R-Texas) who said, "America's prosperity has been harnessed to the Internet. Punishment of those who would disrupt our Internet economy must reflect this new reality." (Sort of like shooting horse thieves in the Wild West.)
A Very Abridged History of Hacking
Hacking is nothing new. What's new is our increased dependence on computers and the increased vulnerability wrought by the ubiquitous Internet. Here are a few lowlights.
In the early 1960s, huge university mainframe computers (you know -- the ones with computing power equivalent to that calculator you received free with your Time magazine subscription) became the staging ground for hackers. Things really have come full circle because large university systems were the unwitting participants in the latest round of Web attacks too.
In 1983, we had one of the first hacker arrests when the FBI arrested six Milwaukee teenagers. They were accused of hacking into about 60 computers including the Los Alamos National Lab (you know Los Alamos - they're the nuclear bomb guys and gals).
Since 1983, we've seen increased hacking and increased law enforcement.
In 1989, five West German spies were arrested on espionage charges. They were accused of systematic intrusions into U.S. government and university computers.
In 1991, the General Accounting Office admitted that Dutch teenagers broke into a Pentagon computer during the Gulf War. They accessed sensitive military information.
In 1997, the InterNIC domain name registry was hacked by a business rival.
In 1999, the U.S. Senate, the White House, and the U.S. Army websites were vandalized.
Measure and Countermeasure
In the world of security, you have to accept that for every measure, there's a countermeasure. Whether it's physical security in the form of armed guards, sophisticated locks, safes or forts, or online security like firewalls, passwords and virus protection, there's always a countermeasure.
The Net's doomsayers are wrong because when it comes to security, the Net is really no different from anything else in the world. Banks will never close their branches because people with guns can rob them. Stores won't close because shoplifters can steal. We'll continue to hand waiters our credit cards although they can copy the number and use it to make fraudulent credit card purchases.
Similarly, banks won't abandon online banking because of hackers. Don't expect Amazon.com to open a store in your local mall because they had a bad security day on the Web.
We have never and will never live in a world with perfect security. Security is a relative concept, not an absolute one. If we required absolute security, we'd undoubtedly never let our children leave the house.
Yes, online businesses, including yours, must make security an even higher priority. This means more money spent on security, more internal education about security, better contracts with your hosting service and website developer and just a general increased awareness of the issue.
Sound Policies
Axent Technologies, Inc. (www.axent.com) is one of the leaders in the world of online security. According to their brief online course called "Security 101," it all starts with sound policies.
"A policy establishes who is authorized to access different types of information, and points to standards and guidelines regarding how much and what kinds of security measures are necessary…. In some organizations the policy is not explicitly written, but has been established by tradition and the general performance of the business…. By having a written policy, this gives an organization a basis for consistent understanding and enforcement, and provides the security staff with a specific set of guidelines for carrying out their duties."
Bring in the firepower that you need to establish and implement the policies and then look outward to those upon whom you rely.
If you outsource your web hosting, talk to your hosting service. You need to inquire about the measures that they take to minimize the risk of electronic intrusion.
Have your attorney review your hosting agreement before you jump into a relationship. A typical security provision (assuming that the hosting company's form contract even addresses security) reads something like, "Hosting service will use commercially reasonable security measures to protect the integrity of your website."
No, no, no! That simply won't cut it anymore.
While there may be little that you can do about a contract that's already in force, I'm suggesting that you insist on more in your future contracts. The hard part is determining what the "more" is.
I don't have any magic language canned and ready to go for the contracts I do. Developing the proper language requires a team effort.
I like to start by asking the hosting company to describe their current security procedures. In a perfect world, I then look to my side's security expert to evaluate those procedures and suggest required improvements.
The key is for the two sides to agree on appropriate security measures and then turn them into obligations under the hosting agreement.
No two sites are the same. No two security systems will be identical. Each one requires independent professional analysis.
Since I've been there and done this, I know that the hosting company will counter this "negotiation tactic" with an argument that goes something like this.
"Yours is only one of many sites that we host. We don't want to be locked into a specific set of security procedures because of the added cost of doing your security differently than everyone else's security. Further, we want to have the flexibility to change our security procedures as security methods improve and the risks change."
And, unfortunately, they're right.
The answer is to come to terms with the pricing issue if you're asking for something more than their norm. As for flexibility, your contract might be worded so that the specific security delineated in the agreement is deemed to be a "minimum standard" with the hosting company having the option of providing additional security.
You might also have a provision requiring you to be notified of any proposed change in security methods and then have an opportunity to disapprove of the change. If the host objects to your right to disapprove, an alternative might be that you reserve the right to terminate the contract early if they change the security in a way that you don't like.
These are just a few suggestions as to how you can proceed. There's no magic formula here. Just like your door locks have grown bigger and stronger over the years, so will your security to prevent electronic intrusion.
You're just going to have to focus resources on the issue, accept the expense of online security as a cost of doing business, and then use the online world as a way to help your business succeed.