Liability for Not Reporting?

Although this is not the kind of liability I’ve been advocating, it might be of some use:

The Cyber-Security Enhancement and Consumer Data Protection Act of 2006, introduced this week by House Judiciary Chairman James Sensenbrenner (R-Wis.), would punish companies for failing to notify the Secret Service or the FBI of an electronic database breach if that archive holds information on 10,000 or more people or data on federal employees. Under the bill, violations would be punishable by fines and prison sentences of up to five years.

Bill Would Criminalize Failure to Report Breaches, Brian Krebs on Computer Security, WashingtonPost.com, 11 May 2006

This bill, H.R. 5318, could produce some useful data, but, as the article notes, it’s not clear what good it will do if the feds don’t do anything with the data.

The article notes that the FBI has bumped cybercrime up on its priority list, and there have been some high profile convictions of bot herders lately. Those are both good things.

However, government funding for such investigations and prosecutions is still a drop in the bucket compared to the military budget, and there’s still no real liability for vendors of the software that enables most of the exploits bot herders use. And the article makes another general point.

There’s only so much the U.S. can do alone.

These types of prosecutions, while laudable and necessary, are unlikely to affect the operations of cyber criminals much higher up in the fraud chain — the foreign spam sponsors, software pirates, illicit data brokers and identity thieves who ply their trade with the help of these ubiquitous bot networks.

The ugly truth is that U.S. law enforcement will not begin to make significant progress in preempting and/or punishing cyber criminals until it can convince more nations that it is in their best interest to help battle online crime. U.S. law enforcement officials can gain valuable anti-cyber-crime muscle abroad via existing mutual legal-assistance treaties and through FBI agents stationed at U.S. embassies abroad, but those contacts only go so far. In countries where many of the world’s biggest cyber criminals currently reside — China, Russia and several Eastern European and South American nations — an unholy mix of factors exacerbate the epidemic: rampant poverty and corruption; little chance of getting caught; a disdainful view of American culture, arrogance and wealth; and comparably little investment in the international infrastructure that supports the global Internet.

Until some of these factors begin to change, the bulk of the world’s most-wanted cyber criminals will remain safely ensconced in regions that are largely beyond the arm of domestic law enforcement.

This reminds me of that McNamara quote that I keep mentioning:

“A nation can reach the point at which it does not buy more security for itself simply by buying more military hardware. We are at that point. The decisive factor for a powerful nation already adequately armed is the character of its relationships with the world.”

Perhaps if the U.S. really wanted to solve this problem it could get serious about liability for the biggest producers of exploitable bugs, which are based in the U.S., about finding other leverage points inside the U.S., and about convincing other countries to help.

Risk management works best with collective action; even the most powerful country in the world can’t solve Internet crime alone.

-jsq

PS: Thanks to Wendy Nather for this one.