As far as FUD (that's fear, uncertainty, doubt) factors are concerned, downstream liability comes up more than its fair share of times. There's only one problem: To date, there haven't been any standard-bearing cases to wave under the nose of our bosses, so they tend to discount the possibility. The real kicker is that we know the potential is still there.
So how do we impress upon executive management the need to protect against something that is basically a very real figment of our collective imaginations? How do we justify funding to protect against this eventuality?
The key is not to overstate the case, because remember, there isn't one ... yet. But, there is a change going on with
Being generally negligent to the entire Internet, as rude as it is, has no real effect on the actions of many, as we are reminded by our monthly "worm-go-round." On the other hand, companies that are specifically -- traceably -- negligent to a valued business partner are a different story. As demonstrated by Blaster in 2003, fast-spreading worms make a connected server or even a laptop a lethal weapon that can attack and spread throughout the entire "chewy interior" of any environment. This capability turns downstream liability into a business problem rather than a legal one.
The way to build a budget to thwart downstream liability is to measure the loss potential of the connections. You should already have a list of private connections, so the next step is to calculate their value. Sometimes calculating the value is as simple as asking the functional owner the value of the revenue stream. For example, a financial information provider that feeds organizations custom information and charges $100,000 a year loses that money if the client company cuts it off due to security concerns. On the "buy" side of the connection, more in-depth analysis is required to calculate the potential loss to the enterprise's business operations. For example, the speed of receiving the information is reduced, which makes financial trades minutes late, resulting in a reduction in revenue.
Let's look at a few other ways to measure business partner value (disregarding other risks for the moment):
- The costs of opening a fully staffed offshore development operation rather than contracting with a consulting organization.
- The value of an annual financial audit to auditors connecting to the local network.
- The cost of the lag between just-in-time inventory systems and traditional ones. These costs may include warehouse costs and lost sales.
There are a number of intangibles that also lead to higher economic costs. Downstream liability is not so much about getting sued as it is the potential for being sued, because the relationship has broken down. Nobody really wants to go to court, but there are many ways to let wrath be known, particularly when one party is obviously at fault. The relative impact can be:
- Renegotiated terms. This is fewer or more dollars changing hands, with your enterprise on the losing end.
- Eliminated relationships. In cases where there is significant leverage on one side, usually due to competition or size, a severed connection is a reasonable expectation. Strong businesses today understand the technical side of downstream liability and will not stand for connections that increase risk.
- Embarrassment. In many industries or business communities, reputation is the key to success.
Now that you've considered the business value of the connection (do that first), it is time to return to the legal impact of downstream liability. Gather information about legal costs, including hourly rates and operational expenses. Any large company typically has many regular active legal cases to draw from. Then get a legal opinion about what are considered "reasonable" precautions and what the duties are to reduce liability.
Downstream liability may never happen in the courts, but you can be sure its effects are felt already throughout the world of business partner relationships. Leading with business value and following with legal costs, you can make your best case for security spending.
About the author
Pete Lindstrom, CISSP, is research director for Spire Security and a columnist for SearchSecurity.com's sister publication Information Security magazine.
This was first published in January 2008