The Slammer worm was successful because thousands of users didn't patch Microsoft's security holes. Should we sue them all?
In the aftermath of the SQL Slammer worm, companies have once again claimed massive financial losses as a result of malicious code. As with the Code Red and Nimda worms, the Melissa virus and the Mafiaboy distributed denial of service attack, the press has reported widespread system disruption with "losses" in the hundreds of millions -- if not billions -- of dollars worldwide. So... where are the lawsuits?
If there was a preventable disaster that caused billions of dollars of loss, wouldn't you expect trial lawyers to be all over it like pigs to... well, like pigs to whatever pigs are attracted to? If such devastating losses occurred, wouldn't you expect companies to go out of business as a result -- or at least make a notation in their quarterly SEC filings stating that revenues would be materially affected by this tremendous loss?
If there were billions of dollars of losses, wouldn't you expect companies to be studying the fine print in their general business liability and business continuation insurance policies, and filing claims for compensation? At least you would expect major insurance filings for the new brand of "cyber-insurance" policies offered by companies like AIG.
But there is no evidence of any of this. It appears that, once again, companies simply absorb the "losses" as a cost of doing business, and continue on as if nothing has happened. Have trial lawyers gone soft? Is the law out of step? Do we need reverse tort reform?
It was recently reported that a number of South Korean Internet users were considering suing Microsoft or others for "product liability" for selling SQL server software that contained vulnerabilities. This appears to have been the result of a chain of threats whereby the Korea Internet PC Culture Association, an organization among some 24,000 Korean Internet café owners, demanded that Korean ISPs KT and Dacom reimburse them for damages resulting from the SQL Slammer worm. In the meantime, a loose affiliation of Korean computer users and civic organizations called the People's Solidarity for Participatory Democracy said it was considering filing suit against Microsoft for not doing enough to prevent the worm from spreading.
No lawsuits have yet been filed. It is unlikely that they will be.
Too Many Defendants?
There are several reasons for this litigation resistance. First and foremost, many of the "losses" reported are either overstated or amorphous. To be sure, each of the incidents noted has resulted in major disruptions of company Internet access. Each case required a substantial rededication and reallocation of resources. All of these technically count as "losses" under both civil compensation statutes and the federal and state computer crime statutes.
But they aren't really the kind of losses that traditionally affect the bottom line of most companies. Yes, to be sure, some companies have been driven out of business as a result of computer attacks -- most notably, a company called Omega in New Jersey that was crippled by an insider "logic bomb" attack two years ago. But worms that do nothing more than spread and consume bandwidth have not yet come to the level of inflicting "material" losses on any individual company -- at least not as that term is used by securities lawyers.
Of course, even if Slammer had caused real damage, you're left with the question of who to sue.
Let's say you were not running an SQL server on your system, but nevertheless were affected by the slowdown because other users failed to patch the known vulnerability. You have two choices of defendants: you can sue Microsoft for releasing an inherently dangerous and insecure product (despite the patch and its availability), or you could sue the entities that failed to install the patch (interestingly, this would still include Microsoft, but I'll ignore that wrinkle in my analysis).
To be successful in suing Microsoft, you would have to establish that they had a duty to people other than those they sold their product to, much as an automobile manufacturer may be liable for damages that result if an unsafe car strikes a pedestrian. Such a theory is plausible, as Microsoft clearly knows how its software is being used. Then you would have to get past any disclaimers of warranties in the shrinkwrap license -- not too difficult, since you, as a third-party victim, never saw or agreed to the license.
Unclean Hands
The difficult hurdle is to demonstrate that Microsoft is legally responsible for what is a criminal misuse of a vulnerability. Sure, the SQL server shouldn't have been vulnerable -- but with hundreds of products comprising billions of lines of code, should Microsoft be required to discover and prevent every single vulnerability before releasing the product?
A corporate defense attorney would argue that it's reasonable for them to simply release a patch when becoming aware of a vulnerability. It's a tough call. The thing about negligence law is that it is what lawyers call "technology forcing." In other words, the law tends to require companies to take "reasonable steps" to prevent harm, but what steps are considered reasonable is determined in light of the current state of technology.
In the 1920s most ships did not have SOS radios, a new and rare technology. But in a seminal case at the time, the courts found it was still unreasonable for a ship not to have used the technology to prevent disaster.
Alas, suing the people who failed to patch is more problematic. Sure, they should patch, and patch quickly. The installation of any single patch on any single machine is not unusually difficult or expensive. But administrators in large organizations -- the only ones worth suing -- must patch hundreds or thousands of machines, must vet and test the patches, and must do so with hundreds of patches a year.
Moreover, the potential plaintiff in the SQL Slammer case would have to sue hundreds of thousands of companies, since no individual company's failure to patch could be solely responsible for the loss. And of course, the company suing may find that it too failed to install a host of patches, and therefore has "unclean hands."
Given the complications, it's not surprising that nobody has yet sued over Slammer or its predecessors.
But I don't doubt for a second that if all companies were held legally responsible for their security failures -- software manufacturers, hardware makers, and users -- they would all take security much more seriously. Unfortunately, if they had to absorb the costs of constant litigation, software would probably become even more expensive than it is now. But that's not really a problem for the trial lawyers, is it?