If a flash drive infects a network, who's to blame?

Summary: With a London borough's council facing a £500,000 bill because a user crippled the network with an infected flash drive, I ask who is to blame: the user or the IT staff?


Ealing Council, the local authority for a number of London boroughs, was infected by a virus which crippled the vast majority of the council's network.

The damage knocked out the housing department, the library service, the telephone network and others, according to the BBC, as a result of an infected flash drive being plugged into a networked computer. But this raises a question about those who are not yet fully IT literate.

If you plug in a flash memory drive and it infects a network, who is to blame - the user who doesn't know any better, or the IT staff responsible for the network?

Bruce Hughes from CNET seems to think it is those responsible for the network and the company. I'm inclined to agree.

In British (and I suspect in American) law, ignorance is not a defence. You cannot get away with ploughing someone in your car, reversing and going over them again because, "you didn't realise murder was a crime". If the judge said, "you'd forget your head if it wasn't screwed on, you little scamp. Go on, go free!", I would seriously wonder about the state of the justice system.

But in cases such as these, a legal aspect could easily be thrown into the equation. A bill reaching over £500,000 ($817k) needs to be pinned somewhere, and whether or not legal action could be taken is yet to be decided. At the end of the day, it will be the taxpayer who pays the brunt of the cost.

Even though the Conficker virus never "really" activated or caused damage per se, the proof of how powerful a virus can be in this day and age still exists. It spread as far and wide as the French Navy, the German Bundeswehr, the UK Ministry of Defence, the UK Houses of Parliament and more universities than you could shake a stick at.

It is my professional opinion and belief that standard university network security is greater than the average security of businesses and corporate networks. As public machines on campus are all or often in buildings where the doors are opened with your university smart card, access is still limited to those within the establishment.

Not only that, in comparison to a local council or district governance, universities are themselves councils and governors of the campus. Students live and breathe on the campuses and the work that goes on within the network keeps the world ticking over - literally. Because they are all interconnected in one way or another, in the UK at least, they have to be secure to limit the spread of malware.

But ultimately it comes down to education, education and education: the do's and don'ts of computing security. You may not get booted out of university for accidentally offloading a payload of electronic sewage, but you can bet your arse in the real world - you could easily get fired.

So, if a user's flash drive infects a network, who is to blame?

Topics: Hardware, Networking, Security

  • I think the answer could be both are to blame...

    With more data I could give a clear-cut answer, such as: 1. Was there a policy in place that addressed flash drive usage? 2. Did IT limit flash drive usage with admin tools? So who's to blame I cannot say at this time.
    • Let's try using some analogies...

      If a flash drive infects a network, who's to

      If a cigarette burns down a gas station, who's
      to blame?

      If a space heater burns down an office
      building, who's to blame?

      Ultimately it's the person directly responsible
      for the one action that caused the incident.
      Granted, others may have contributed to a
      "unsafe" environment by not posting signs,
      setting policies, educating the ignorant, etc.
      But it all boils down to the one offender.
      Ignorance is not a valid excuse for anything.
      • Flawed Analogies

        Your analogies are flawed. In the case of the infected flash drive, that's like saying a person who had a live grenade planted on their person by a sneaky terrorist is responsible for the 15 lives that were lost when the grenade exploded, not the officer at the security checkpoint who should have intercepted the grenade in the first place.

        At the same time, an IT admin is charged with keeping the network safe. The real question here should be: Did the IT admin do his or her job to the best of their ability as expected of an IT admin of a government network? If yes, then the only person to blame is the writer of the virus, learn from the experience, and move on. If not, then the IT admin is to blame for not taking the proper precautions to secure the network.

        Like with the officer at the security checkpoint, if everything was done proper and as well as could have been expected, but the live grenade still found its way in, then I wouldn't put fault on the officer.
        • Your analogy is flawed.

          Poor example I'm afraid which supports the person carrying the bomb/virus, clearly as the person responsible. Which I believe you were trying to argue more obscurely that the writer of the virus was to blame. Sure they are but they are not identifiable, however the spread can still be prevented at two points, 1st with the person carrying the flash drive who didn't crawl out of the earth with data to plug into a network. In this day and age virus protection is like understanding about HIV contraction.

          Secondly, regardless, the IT group has to put into place secondary checkpoints to detect and remove viruses before they affect a network, and additionally education of their users so they practice safe data transfer.
          • Congratulation!

            I congratulate you. All parties have a responsibility to maintain the integrity of their equipment. In this situation, all parties failed. The flash drive owner for not maintaining their system, to the network people for the same. Precautions need to be taken by all parties. And then there is another scenario. What if the user of the flash drive tried to infiltrate the network!
          • More info please

            Why wasn't there a virus program running? And if there was - why didn't it catch that flash drive virus? Could be the software mfg. is to blame. But the reality is your computers are to blame - They are the biggest joke of all time and You fools want to trust it. HA. HA. HA.
            I don't even put my name on my computer - It's
            that big of a Joke .
        • Let's assume you're completely wrong..

          Let's suppose the IT department hasn't locked down the ports but has told everyone that they shouldn't be using memsticks.

          The point is that the user is ultimately responsible for picking up the virus. If it hadn't been somewhere unprotected or dodgy it wouldn't have happened.

          I'm not saying they should be sacked, yet, but clearly they are at fault for bringing a virus in from somewhere. Why should a USB stick be used across systems unless by a support person; and then again they should know better.

      • What if the building was made of flammable material?

        This would be a better analogy and explain why MS is very much
        responsible here because they've made such a uniquely vulnerable and
        fragile platform.
        • Yours is a weaker analogy.

          "This would be a better analogy and explain why MS is very much responsible here because they've made such a uniquely vulnerable and fragile platform."

          Sorry, but that is incorrect.

          If you have a prison with holes in the wall, you can still keep it secure. Takes more resources, but you CAN still keep it secure.

          Likewise, an OS is only as secure as the people using/administering it.

          Who is to blame? Both. The IT should take more precaution, and the user should have as well. Ultimately, IT can not always foresee, and prevent users from doing stupid things, but the best practice is to never underestimate the power of users to mess things up.

          In the end, you hope for the best, and prepare for the worst.
      • wrong premise & deeply flawed logic

        You obviously have never worked in network administration - else you'd know your logic is tragically flawed.

        Networks should always, in principle, be designed to safeguard the end-users from themselves - to the highest degree practicable. The central idea behind sound network security conceptualization and planning is really quite simple: if a user can (inadvertently or not) ruin a network, they will. With that in mind, "secure-by-default" network design practice *must* be adhered to.

        Services that 'can' reasonably be seen as possible avenues for exploitation of a network have to be considered on a case by case basis: yes, that is how seriously systems security has to be.

        "Ignorance is not a valid excuse for anything."

        But it is exactly the reason *why* locking down / disabling highly vulnerable services on a network is a major part of security planning in regards network design. This should *never* be a task that is left 'to chance' - and certainly not at the 'whims' of end-users.

        Frankly, you've just made some things abundantly clear. You have a sheer lack of understanding of secure network planning or design. I would never want someone like you on my network administration team - your thinking is flawed, misguided and idealistic: all tell-tale traits of a bad network admin.

        • wrong premise & deeply flawed logic

          thx-1138 said : "Networks should always, in principle, "

          This is not a 'logical' argument, but a policy statement, that boils down to a philosophical position:
          Are individuals responsible for their acts and lack thereof?
          Should a big brother entity decide in lieu and place of individuals what is good for them?

          thx-1138 said:
          "Services that 'can' reasonably be seen as possible avenues for exploitation of a network have to be considered on a case by case basis: yes, that is how seriously systems security has to be."
          If you are serious about security, the first thing you do is not use Windows. "yes, that is how seriously systems security has to be."

          thx-1138 said:
          '"Ignorance is not a valid excuse for anything."
          But it is exactly the reason...'

          Talking about flawed logic, _that_ is a nice non sequitur.

          • wrong premise & deeply flawed logic

            Windows has nothing to do with it! The IT staff should have disabled the USB ports on all of their computers. This is a required thing because people can and will be stupid. I have never worked anywhere where the network computers do not have this feature disabled!!
          • What if...

            ...that machine required the USB to be enabled, like for a mouse or printer?
            If they really wanted it secured they would have used Solaris with Secure Extensions enabled, that way the USB device would have been ignored or sent to nul if it didn't match a pre-approved device. There is a reason that in secure environments, Windows requires an air gap if it resides on a secure network.
            Your statement is flawed because none of us have the details of what the infected machine was used for.
          • wrong premise & deeply flawed logic

            I think we're thinking about this wrong.

            Would you all agree that the network is a business asset? I think it's a reasonable statement.

            A network administrator then, is responsible for maintaining and protecting that asset.
        • Some people on here...

          think that all people have a right to do as they wish no matter where they are.

          They made the choice to work for the company, and as such, have the right to leave if the network security bothers them that much.

          I feel that in doing so, they will run out of options for employment soon. No one in their right mind will allow users to run freely on their network. It's just plain stupid.
          • Very Simply

            I agree. Very simply, if one is held responsible
            then one has total control.
        • Thinking (if any) is flawed

          You are being too polite! System administrators are by job description required to proactively PROTECT the system from ALL hazards. If evidence exists that the user was purposely and knowingly trying to bypass all known reasonable protection schemes and eventually succeeded, he must be held accountable. A simple act of using a device without knowing it was flawed cannot be blamed for the incident.

          Analogy - Electrical circuits are fused to prevent fires from faulty equipment, preventing catastrophic damage. Unfortunately malicious viruses are more difficult to protect against, but all reasonable effort is the responsibility of the owner/administrator, not the ignorant user.
          • As already stated, ignorance is no defence in law.

            Should it turn out that the USB user has broken either council employee policy or UK law, action can be taken, regardless of any 'awareness'.

            It might prove a very interesting case if it came to court.

            Similarly if action is taken against Ealing council....

            By the way has the USB employee fled the country?
        • disappointing and unnecessary ending

          Sinceremente, I was very impressed with your clear and succinct arguments but your LAST PARAGRAPH was OFFENSIVE and UNNECESSARY - there is no need to be abusive to get your point across - you owe the guy an apology - pity as it reduced the complete credibility of your comments.
      • Person Responsible?

        Quote: "Ultimately it's the person directly responsible for the one action that caused the incident."

        And the winner is:

        The original creators of the malware, without them none of this would have happened at all!

        The original question is flawed as it assumes either the IT department or the user is to blame, and neither are to blame as neither created the original malware in the first place!

        Even under the law this would be true, and neither the IT department nor the user could be held responsible for this, as they had no hand in creating the original offending malware! All good lawyers would eventually figure this out and trace true blame back to the original malware creators, and this is why malware creators are going to jail today, and it's very sad that we can't catch more of them!