The US inflated the $700,000 bill for damages it slapped on
UFO hacker Gary McKinnon by stuffing it with costs incurred for
patching the gaping holes the hacker had exposed in its computer
security, according to a document filed with the Supreme
Court.
The US had not taken reasonable steps to protect its security
and now expects McKinnon to pick up the bill, said an expert
witness statement made in McKinnon's ongoing appeal against a US
extradition order.
Peter Sommer, professor of security at the London School of
Economics, said damage assessments of computer security breaches
should consider "whether the victims have taken reasonable steps to
limit the damage".
McKinnon had used Remotely Anywhere, a software tool, to hack US
military computers in search of UFO secrets. The 42-year-old faces
extradition after being accused of hacking into 97 US government
computers causing $700,000 of damage.
But Sommer said, "Every intrusion detection system I have come
across would flag up the installation of a remote control program
like Remotely Anywhere.
"Any firewall also ought to block the 'ports' [internet access
points on a computer] used by Remotely Anywhere. On this basis, the
costs claimed for are features that should have been there in the
first place."
Sommer, who once advised insurers underwriting the risks of
computer damage, said hackers could not be held accountable for the
"consequential loss" resulting from their intrusion into systems
unprotected by "preventative measures for reasonably foreseeable
hazards".
"Insurers will not insure computers or computer-dependent
businesses in the absence of reasonable levels of protection and
means of recovery," he said.
But security experts in the US said McKinnon should be liable
for the full $700,000 of security checks performed in his wake.
Professor Eugene Spafford, founder of the Center for Education
and Research in Information Assurance and Security at Indiana's
Purdue University, said the victim of a cybercrime should not take
the blame. If someone
broke a door to rob a store, he said, it was usual to charge them
the cost of the door.
Anthony Reyes, a former cybercrime detective who helped develop
the US Cyber Counter
Terrorism Investigations Program, said, "Just because security is
weak, it doesn't give you a red flag to go into a computer system
and start browsing around."