Today the 14th US District Court ordered ECS-CERT
to withdraw their CyMoTrol alert from their web site pending the final decision
of the Court on the suit
filed by the company. The company claims that ECS-CERT is unfairly
characterizing features of their motor control systems as cybersecurity
vulnerabilities and thus damaging their reputation and affecting sales of the reportedly
affected devices.
Judge Phantly R. Bean wrote in the restraining order that
CyMoTrol had provided prima facie evidence of damage by government claims in
the alert and that this justified ordering the removal of the alert from the
ECS-CERT web site pending full resolution of the lawsuit.
Wilhelm Pieck, spokesperson for CyMoTrol, told reporters
that the action taken today by the Court will ensure that ECS-CERT stops their
campaign to stop the company from providing necessary services and support to
their customers. “ECS-CERT has never attempted to prove the claims made by the
criminal hacker cYbrg0D and does not even possess one of the devices that they
reported to be defective,” Pieck said.
Reporters have not been able to identify cYbrg0D, the
researcher who reported the vulnerability claims to ECS-CERT. In a TWEET®
issued after the court order was released, cYbrg0D said: “Judge Bean does not
understand the purpose of ECS-CERT alerts and advisories – They are designed to
protect owner operators from cybersecurity vulnerabilities that were undetected
when bought.”
A second TWEET from cYbrg0D contained what may have been a
threat, stating: “Perhaps what Bean and his cronies need is a demonstration of
the dangers of the CyMoTrol ‘feature’.”
Immanuel C. Securitage, spokesperson for ECS-CERT, reported
that the alert in question had been removed from the ECS-CERT web site in
accordance with the Judge’s order. In a statement released by the agency,
Securitage said: “We have no comment on the ongoing litigation.”
Junior Butts, a lawyer who has successfully represented hackers
before Judge Bean, told this reporter that he suspects CyMoTrol will argue that
ECS-CERT has not been given specific authority by Congress to publish negative
information about control system software and equipment. “Lacking specific
authorization, it would be argued that ECS-CERT will have to show that it is
not protected from libel and slander suits,” Butts explained. “ECS-CERT will
have to show that it took reasonable care to validate the claims by cYbrg0D and
other researchers and performed their due diligence responsibilities before
publishing derogatory information about CyMoTrol or its products.”
Rep. Rebecca Pinter (D,MA), a Congressperson with an
interest in cybersecurity legislation, responded to Butts' comments. She said: “Junior
may have a point. When we gave ECS-CERT the responsibility for coordinating
disclosures of control system vulnerabilities, Congress did not provide any specific
authority to publish alerts or advisories about those vulnerabilities,
especially when the vendor involved did not agree that the reported vulnerabilities
actually existed. Perhaps we need to look at what requirements should be
applied to such situations.”