Coordinator in chief (C4ISR Journal)

Coordinator in chief

What experts say Obama's cybercoordinator must do to succeed

By Ben Iannotta
July 01, 2009

http://www.c4isrjournal.com/story.php?F=4119078

When America's first national cybersecurity coordinator arrives at the White House, he or she will have to settle long-standing questions about the precise roles of the military, private companies and federal regulators in protecting the country's electrical systems, water supplies and other services from a hacker's computer keystrokes.

President Barack Obama said he would personally choose and meet regularly with the coordinator, a position he announced in a May 29 speech at the White House. He said this person will have an office and staff in the White House, and will draft a "comprehensive" national cyberstrategy in "partnership" with the U.S. computer industry and government agencies. The coordinator — White House officials are not using the term "czar" — would work closely with White House budget officials on spending decisions and coordinate U.S. responses in the event of a cyberattack, he said.

Obama spoke in the East Room before a cast of 120 mostly civilian VIPs, an exception being Marine Corps Gen. James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, whose job is to set the military's buying priorities. Also in the East Room were corporate CEOs and independent analysts who participated in the administration's "Cyberspace Policy Review," a fact-finding mission led by Melissa Hathaway, a former Bush administration intelligence official and now the top cyberofficial at the National Security Council. Hathaway and her staff met with networking companies, independent analysts and defense officials over the course of 60 days.

By placing responsibility for cybersecurity within the White House, and announcing a partnership with the industry, Obama set the U.S. on a different path than that of the Bush administration, which had relied on a combination of free market forces, presidential directives and the leadership of the Department of Homeland Security (DHS) to protect the private infrastructure. Instead of DHS leading the way, a White House official would be in charge, and this official would have a direct line to the White House Office of Management and Budget (OMB), which assembles spending requests from U.S. agencies into the annual budget requests to Congress. "It's going to be very important for the coordinator to work with OMB to ensure cybersecurity is adequately funded," said an OMB official in the East Room.

Neither Obama nor the 38-page Hathaway report spelled out precisely what actions the new spending authority and partnership with the industry would produce.

Would the government work with computer and software companies to draft regulations defining the security standards for the software underlying the U.S. infrastructure? Electrical hubs, for example, now have Internet Protocol addresses, which helps managers run electrical grids more efficiently, but also makes them vulnerable. Would better cybersecurity at such sites remain voluntary, as was the case under the Bush administration? Would the government cover the costs of beefed up cybersecurity in the private sector? For its part, the Hathaway report called for refining "government procurement strategies" and improving "market incentives" as the answer, but it did not define those steps any further. Would the coordinator's decisions affect the 2010 budget, which is currently before Congress, or wait until 2011 for impact?

Obama also did not discuss the controversial issue of America's offensive cyberattack planning, nor the precise role of the intelligence community and military in securing the U.S. private-sector infrastructure.

Military efforts

In recent months, military officials have been engaged in their own effort to reorganize themselves for cybersecurity. In May, for example, the U.S. Air Force announced it would establish a 400-person cyberheadquarters and operations center at Lackland Air Force Base, Texas, to coordinate cyberdefense with other services and, when necessary, launch offensive cyberactions. Originally, the Air Force planned on establishing its own cybercommand but backed away when critics said the service should focus on working with the other services instead of trying to lead in the cyberdefense domain.

Air Force Maj. Gen. William Lord, the service's top cybercommander, said "six verbs" would govern the work of the new 24th Air Force, the group focused on cyberspace: "establish, operate and maintain, defend, and exploit and attack." He spoke in late March at the National Space Symposium, before the service announced the location of the cyberheadquarters and operations center.

Lord said U.S. offensive cyberactions could turn out to be critical in future wars: "If you think about not warfare today, but warfare maybe 20 or 50 years from now, maybe it's not about the kinetic destruction of people or facilities. Maybe it's about so confusing a technologically advanced force by scrambling their technology that they don't have the ability to conduct warfare."

Part of the Obama strategy is likely to focus on technologies for identifying cyberattackers without violating the privacy of Internet users, something defense officials said would not be technically easy. "Two years ago in April, a million computers from 75 different nations attacked Estonia. Who do you go to war with?" he said. "Most of that attack came from [unknown people in] the United States. We're friends with Estonia," he said. "So figuring out: One, who the enemy is, and second, what's the intent of an enemy, in this domain, is very, very challenging."

Lord said the Air Force advised the Hathaway panel indirectly about the Air Force's plans and views on major cyberissues through the Pentagon's Joint Staff and the Office of the Secretary of Defense. Lord said reacting quickly to a cyberattack would be one of the great challenges confronting the country.

"What happens when you track back an IP address to you-name-the-country? How do you get law enforcement to that address, that physical address and using the laws of that country say, 'Stop that stuff?' That process takes weeks today. And we've got figure out how to make it occur more quickly," he said.

As far as military management of cyberdefense, Lord said defense officials were discussing the possibility of establishing a "sub-unified command" under U.S. Strategic Command to coordinate cyberwork among all the services. At about the time of Obama's announcement, The New York Times and The Associated Press reported that the U.S. was on the verge of establishing a new Cyber Command.

Though much is left to be sorted out, industry officials, by and large, said they were pleased that the White House had set a tone of partnership and will establish a high-level authority to define the national cyberstrategy under which the government, in all likelihood, would spend billions of dollars to improve security.

"It's encouraging to watch the United States and President Obama take the lead here in trying to innovate," said David DeWalt, CEO and president of McAfee, the computer security giant. DeWalt was one of those invited to gather in the East Room.

He said the importance of the word partnership, meaning with the industry and government, should not be discounted. "We believe the lack of partnership in the past has actually enabled the criminal behavior and terrorist behavior to emerge quicker, and with more force than had we had this interlock," he said.

Gregory Q. Brown, president and CEO of Motorola, also was in the East Room. "My team has met with [Hathaway], and we're very supportive," he said. He said Motorola is ready to help advise the government about how to keep networks secure, particular during emergency responses.

Budget link

Obama's most significant move, several attendees said, might have been when he underscored the cybercoordinator's relationship with the White House Office of Management and Budget.

"The way you get anyone to do anything is through the budget," said Alan Paller, director of research and defense at the SANS Institute, which researches information security technology. "That's what was wrong before. DHS didn't have any leverage" over spending at other agencies involved in cybersecurity, he said. "DHS could say anything they wanted and everyone could ignore them because there were no consequences."

Agencies have to listen to OMB or risk losing spending for other priorities, he said. "If you ignore OMB, the consequences are very sharp," he said.

Obama said he will designate cybersecurity one of "my key management priorities" and that the office of the cybercoordinator would set cyberpriorities and work "closely" with OMB "to ensure agency budgets reflect those priorities."

How much time the government should take before spending money under the new plan could emerge as an area of disagreement between the government and the industry. The Hathaway review describes refinement of government procurement strategies and establishment of market incentives as "Mid-Term" actions. Even at that, they are listed in line No. 14 of a table showing 14 mid-term actions.

Even so, Paller predicted the Obama administration would begin using the procurement process, in particular the defense process, in the near term "because it's the lever. It's the one you can move."

Also unclear in the Obama announcement was whether the emerging cyberstrategy would affect spending in the 2010 budget, which the administration sent to Capitol Hill three weeks before Hathaway's finding were made public and Obama announced the cybercoordinator office.

DeWalt of McAfee said it would be unwise to wait until the 2011 budget request to start applying funds under the administration's emerging cyberpolicy. "My opinion is, every day that we wait is another day that we're completely vulnerable. And I think, again, this activity [in the White House East Room] was a step in the right direction," he said.

DeWalt said the government already has billions of dollars of cyberdefense money in play because of the Bush administration's cyberinitiative. In 2008, with attempts to penetrate U.S. networks on the rise, the Bush administration launched the largely-classified Comprehensive National Cyber Security Initiative, which was defined by two executive directives, Presidential Directive 54 and Homeland Security Directive 23.

Former-Homeland Security Director Michael Chertoff announced the initiative and his agency oversaw the effort. Observers expect the Obama team to rework much of the Internet monitoring and intelligence-gathering policies contained within the Bush initiative. Obama, for example, said this cyberoffice "will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people."

The differences in philosophy are huge, but the money and momentum remain. "This isn't starting from scratch with nothing," DeWalt said. "There is been some budget laid out from the previous administration. There is some opportunity to leverage that into the new programs," he added.

Industry officials said they expect the Obama strategy to focus less on spying on individual Internet users and more on securing private-sector networks related to critical infrastructures, and improving early-warnings of attempts to spread viruses and computer worms.

Federal regulations

One of the great debates among industry officials and analysts has been about the appropriate role for federal regulations, and whether it would be wise for an administration and Congress to create a new regulatory law that would require certain security software and procedures for private-sector networks. Such an act could be patterned after the U.S. Sarbanes-Oxley law that defines the kind of records financial institutions must make public, DeWalt said.

The topic of regulations was a hotly contested one during a series of meetings in 2007 through 2008 organized by the Center for Strategic and International Studies (CSIS), a think tank based in Washington. CSIS officials wanted to recommend a cyberstrategy for the incoming president. The experts met periodically over the course of more than a year, and in December, the group released its report, "Securing Cyberpspace for the 44th Presidency."

"We deliberated for about 14 months on that issue," said Phyllis Schneck, McAfee's director of threat intelligence for the Americas, and a member of the CSIS panel.

In the end, the CSIS panel was not shy about recommending federal cyber-regulations. The panel blasted the Bush administration's 2003 National Strategy to Secure Cyberspace for relying on market forces and ruling out federal regulation as a major player.

"In pursuing the laudable goal of avoiding overregulation, the strategy essentially abandoned cyber defense to ad hoc market forces. We believe it is time to change this. In no other area of national security do we depend on private, voluntary efforts. Companies have little incentive to spend on national defense as they bear all of the cost but do not reap all of the return. National defense is a public good. We should not expect companies, which must earn a profit, to survive, to supply this public good in adequate amounts," the CSIS panel said.

Obama stopped well short of embracing the CSIS wording: "My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity," he said.

Schneck said the Obama administration will need to find incentives. "How do we take a private-sector company that at the end does need to make money, and enable them to not only protect their infrastructure, but do things in the public good, and still remain profitable?" she said.

In the coming months, those in the East Room said one passage in Obama's 16-minute speech makes them certain that cybersecurity will remain a priority for the administration. Obama said that between August and October 2008 — the final stretch of the U.S. election campaign — "hackers gained access to e-mails and a range of campaign files, from policy position papers to travel plans." He said his campaign hired security consultants and met with the FBI and the Secret Service.

"It was a powerful reminder: In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities," he said.

Cyberactions plan (C4ISR Journal)

Cyberactions plan

July 01, 2009

http://www.c4isrjournal.com/story.php?F=4117007

The "Cyberspace Policy Review" developed a 10-point "near-term action plan" for U.S. cybersecurity efforts:

• Appoint a cybersecurity policy official responsible for coordinating the nation's cybersecurity policies and activities; establish a strong National Security Council directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the National Economic Council, to coordinate interagency development of cybersecurity-related strategy and policy.

• Prepare for the president's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of Comprehensive National Cybersecurity Initiative activities.

• Designate cybersecurity as one of the president's key management priorities and establish performance metrics.

• Designate a privacy and civil liberties official to the NSC cybersecurity directorate.

• Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities and the application of agency authorities for cybersecurity-related activities across the federal government.

• Initiate a national public awareness and education campaign.

• Develop U.S. government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies and opportunities associated with cybersecurity.

• Prepare a cybersecurity incident response plan; initiate a dialogue to enhance public-private partnerships with an eye toward streamlining, aligning and providing resources to optimize their contribution and engagement.

• Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories and identifying solutions.

• Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.

Defend America, One Laptop at a Time (NY Times)

Defend America, One Laptop at a Time

By JACK GOLDSMITH

Cambridge, Mass.

http://www.nytimes.com/2009/07/02/opinion/02goldsmith.html

OUR economy, energy supply, means of transportation and military defenses are dependent on vast, interconnected computer and telecommunications networks. These networks are poorly defended and vulnerable to theft, disruption or destruction by foreign states, criminal organizations, individual hackers and, potentially, terrorists. In the last few months it has been reported that Chinese network operations have found their way into American electricity grids, and computer spies have broken into the Pentagon's Joint Strike Fighter project.

Acknowledging such threats, President Obama recently declared that digital infrastructure is a "strategic national asset," the protection of which is a national security priority.

One of many hurdles to meeting this goal is that the private sector owns and controls most of the networks the government must protect. In addition to banks, energy suppliers and telecommunication companies, military and intelligence agencies use these private networks. This is a dangerous state of affairs, because the firms that build and run computer and communications networks focus on increasing profits, not protecting national security. They invest in levels of safety that satisfy their own purposes, and tend not to worry when they contribute to insecure networks that jeopardize national security.

This is a classic market failure that only government leadership can correct. The tricky task is for the government to fix the problem in ways that do not stifle innovation or unduly hamper civil liberties.

Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.

President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.

The government should also use legal liability or tax breaks to motivate manufacturers — especially makers of operating systems — to improve vulnerability-filled software that infects the entire network. It should mandate disclosure of data theft and other digital attacks — to trusted private parties, if not to the public or the government — so that firms can share information about common weapons and best defenses, and so the public can better assess which firms' computer systems are secure. Increased information production and sharing will also help create insurance markets that can elevate best security practices.

But the private sector cannot protect these networks by itself any more than it can protect the land, air or water channels through which foreign adversaries or criminal organizations might attack us. The government must be prepared to monitor and, if necessary, intervene to secure channels of cyberattack as well.

The Obama administration recently announced that it would set up a Pentagon cybercommand to defend military networks. Some in the administration want to use Cybercom to help the Department of Homeland Security protect the domestic components of private networks that are under attack or being used for attacks. Along similar lines, a Senate bill introduced in April would give the executive branch broad emergency authority to limit or halt private Internet traffic related to "critical infrastructure information systems."

President Obama has tried to soothe civil liberties groups' understandable worries about these proposals. In the speech that outlined the national security implications of our weak digital defenses, the president said the government would not monitor private sector networks or Internet traffic, and pledged to "preserve and protect the personal privacy and civil liberties we cherish as Americans."

But the president is less than candid about the tradeoffs the nation faces. The government must be given wider latitude than in the past to monitor private networks and respond to the most serious computer threats.

These new powers should be strictly defined and regularly vetted to ensure legal compliance and effectiveness. Last year's amendments to the nation's secret wiretapping regime are a useful model. They expanded the president's secret wiretapping powers, but also required quasi-independent inspectors general in the Department of Justice and the intelligence community to review effectiveness and legal compliance and report to Congress regularly.

Many will balk at this proposal because of the excesses and mistakes associated with the secret wiretapping regime in the Bush administration. These legitimate concerns can be addressed with improved systems of review.

But they should not prevent us from empowering the government to meet the cyber threats that jeopardize our national defense and economic security. If they do, then privacy could suffer much more when the government reacts to a catastrophic computer attack that it failed to prevent.

Jack Goldsmith, a professor at Harvard Law School who was an assistant attorney general from 2003 to 2004, is writing a book on cyberwar.

U.S. Official: Cybersecurity Plans Not Just Talk (internetnews.com)

U.S. Official: Cybersecurity Plans Not Just Talk
By Kenneth Corbin
July 1, 2009

http://www.internetnews.com/government/article.php/3827936/US+Official+Cybersecurity+Plans+Not+Just+Talk.htm

NATIONAL HARBOR, Md. -- Amid all the recent talk in Washington about getting serious about cybersecurity, some skeptics have expressed concern that it might be just that -- all talk, followed by little action.

But a senior White House official this morning official promised an audience of security professionals that unlike past federal reviews, which have been criticized for making promises that policymakers didn't keep, this time is different.

Speaking at research firm Gartner's annual Information Security Summit, Christopher Painter, the National Cybersecurity Council's director of cybersecurity, outlined the steps the Obama administration is taking to move ahead with the recommendations of a 60-day review the president commissioned earlier this year.

In a speech accompanying the release of the review in May, Obama outlined a multi-prong plan to tighten up the nation's cyber defenses, including the formation of a new position to coordinate cybersecurity policy across the agencies, Congress and the private sector.

But despite Obama's assurance that the cybersecurity coordinator would have his full support and regular access to the Oval Office, critics have speculated that the position is too far down the bureaucratic pecking order to have any real clout. In practice, they warn, the role might end up little more than a glorified cheerleader.

Painter promised otherwise.

"The cyber coordinator is going to be more than just a figurehead," he said. "We really have to deliver on the action plan."

The previous two administrations have made noise about cybersecurity, including a policy review President Bush ordered in 2001, which resulted in a strategy directive two years later. But Painter noted that those efforts didn't come with the mandate of a White House address, a jump-off point that he said elevated the issue to a chief policy priority.

"That's really a watershed event," Painter said of Obama's speech. "That really sets the tone, not only in this country, but around the world."

He added, "We had a strategy in 2003, but you didn't have the president coming out and giving a speech on this, and that's really, really important."

In that address, Obama made the case that defending critical infrastructure against online threats is as much an economic priority as it is a security issue.

That was reflected in the structuring of the cybersecurity coordinator position, which will serve on both the National Security Council and the National Economic Council. He has yet to fill the position.

Obama's efforts to bring cybersecurity into the mainstream fit with many of his other policy initiatives, where he is trying to apply technology solutions to areas like energy and health care. The idea of connecting the power grid to an interoperable network, while alluring for the energy savings it could yield, could have disastrous results if hackers were able to infiltrate the system and knock it offline. Similarly, the grand vision of an IT-based health care system where patients' records are digitized and doctors can provide treatment to patients in remote areas through robust networks could quickly unravel if the technology were compromised.

"It's really important to have security baked in from the beginning," Painter said.

That goes for government, too. Other members of Obama's tech team, particularly Aneesh Chopra and Vivek Kundra, who respectively fill the new positions of federal CTO and CIO, have been talking loudly about bringing new technologies to the federal computing apparatus to make it more efficient and collaborative.

[cob:Special_Report]As Chopra, Kundra and others tinker with new Web 2.0 technologies and moving the federal IT infrastructure to the cloud, Painter said they will work closely with the new cybersecurity coordinator to ensure that the government is leading by example.

"The cybersecurity coordinator is going to work very closely with [Obama's] CTO and CIO," he said. "The idea is, when we're thinking about these new technologies, we're thinking about security."

Painter stressed the need to partner with foreign countries to develop a coordinated approach to combat cyber threats. He spoke of the "weakest-link problem," where hackers will scour the globe to find a nation with lax cyber defenses, and route their attacks through servers in that nation to reach their ultimate target.

"It is clear that given the ubiquitous borderless nature of computer systems and computer networks that it doesn't matter if we do everything right" if other nations aren't on board, he said. "We need to have a dialogue with other countries."

He also spoke of the delicate balance of protecting privacy while maintaining a reasonable level of security in networks that are under continuous threat. Obama has said he will appoint a privacy official to the National Security Council's cybersecurity directorate to help ensure that the government's cyber policing efforts don't run roughshod over Americans' civil liberties.

The two aren't mutually exclusive, Painter said, pointing out that properly securing the systems that house personal information such as health records will keep people's sensitive data private.

"It's not a zero-sum game," he said. "If we're doing this right, we're enhancing privacy."

A Bustling Week for Cyber Justice (Washington Post: Security Fix)

A Bustling Week for Cyber Justice

http://voices.washingtonpost.com/securityfix/2009/07/a_bustling_week_for_cyber_just.html?wprss=securityfix

This past week has been a bustling one for cyber justice. The Federal Trade Commission announced a settlement in its ongoing case against scareware purveyors; a notorious hacker admitted stealing roughly two million credit card numbers; the Justice Department has charged a software developer from Arkansas with launching a series of debilitating online attacks against several online news sites that carried embarrassing stories about him. Finally, a federal appeals court decision gives security vendors added protection against spurious lawsuits by adware companies.

-- Last week, the FTC said it had settled with James Reno and his company ByteHosting Internet Services LLC. Both were named in the commission's broad sweep last year against purveyors of "scareware," programs that uses bogus security alerts to frighten people into paying for worthless security software.

The settlement imposes a judgment of $1.9 million against Reno and Bytehosting, yet the court overseeing the case suspended all but $116,697 of that fine, "based on the defendants' inability to pay the full amount."

Six other defendants allegedly involved in the scareware scams face pending charges from the FTC. One of the defendants, a San Francisco man named Sam Jain, is currently the subject of a federal criminal prosecution in California. According to Jain's attorneys, federal prosecutors in Illinois also are preparing to indict him on computer fraud charges related to the scareware distributed by his company, Innovative Marketing. Jain is currently a fugitive from justice.

-- From Wired.com's Kevin Poulsen comes what may be thepenultimate chapter in the prosecution of so-called superhacker Max Ray Butler, also of San Francisco. Butler, 36, faces up to 60 years in prison after pleading guilty to federal wire fraud charges that "he stole roughly two million credit card numbers from banks, businesses and other hackers, which were used to rack up $86 million in fraudulent charges."

Poulsen's story on Butler in Wired Magazine from December 2008 is a page-turner that chronicle's the hacker's successful bid to hack into, take over and ultimately consolidate several online forums dedicated to the theft and sale of stolen credit card numbers. One of the forums he hacked, called "Darkmarket," turned out to be a full-blown undercover sting operation set up by the FBI.

-- In a criminal complaint unsealed yesterday in a New Jersey federal court, the Justice Department charges a software developer from Arkansas with using botnets -- armies of hacked PCs -- to flood several targeted Web sites with so much data that they were at least temporarily unable to accommodate legitimate visitors.

The government alleges that between July 2007 and March 2008,Bruce Raisley launched a series of denial-of-service attacks against Rollingstone.com, and several other Web sites. Among those attacked was perverted-justice.com, a site dedicated to publicly exposing and shaming men who solicit sex from underage boys and girls online. Perverted-justice.com is perhaps best known for its connection to the Dateline NBC show "To Catch a Predator."

Charging documents note that Raisley apparently targeted those two sites and seven others for their publication of stories that retold an embarrassing chapter of his life. According to a July 2007 Rolling Stone article about perverted-justice.com founder Xavier Von Erck, Raisley himself was a former volunteer who helped perverted-justice members ensnare new targets.

At some point, the Rolling Stone article says, Raisley had a falling out with perverted-justice, and launched his own online campaign to depict the site's members as an out-of-control vigilante group. According to the Rolling Stone article, Von Erck "exacted a particularly sadistic form of revenge against" Raisley:

Posing as a woman named Holly, Von Erck began an online flirtation with Raisley, who was smitten enough to leave his wife and rent a new apartment. On the day Raisley went to pick up Holly at the airport, Von Erck sent a friend to snap his photo and posted it with a warning: "Tonight, Bruce Raisley stood around at an airport, flowers in hand, waiting for a woman that turned out to be a man. . . . He has no one. He has no more secrets. . . . Perverted-Justice.com will only tolerate so much in the way of threats and attacks upon us."

Raisley's court-appointed attorney could not be immediately reached for comment.

-- On Friday, the U.S. Ninth Circuit Court of Appeals in Seattle upheld a decision to dismiss a case brought in 2007 by Bellvue, Wash., based adware maker Zango. The company had sued anti-virus makerKaspersky, charging that Kaspersky interfered with its business by removing Zango's adware without first alerting the user.

The appeals court affirmed that Kaspersky's actions were shielded by the federal Communications Decency Act (CDA). That law contains a "good Samaritan" clause that protects computer services companies from liability for good faith efforts to block material that users may consider objectionable.

Eric Howes, director of malware research at computer security firmSunbelt Software, said admittedly, this decision is not nearly as consequential for anti-malware providers as it would have been three or four years ago, when adware vendors such as Zango and Direct Revenue were regularly threatening anti-spyware providers with legal action and peppering them with cease-and-desist letters on a weekly basis.

"It's a been a while since we received any serious legal threats, although we do still get the occasional protest from software developers whose apps we target as 'low risk,' potentially unwanted programs or tools," Howes wrote on the company's blog. "Nonetheless, the decision is a welcome one, as it extends to Sunbelt and other anti-malware providers the kind of legal cover we need in order to provide our customers and users with strong protection against unwanted, malicious software."

By Brian Krebs | July 1, 2009; 7:00 AM ET