Are You Ready For An FBI Server Takedown?
The FBI's recent scareware-busting raids and server seizures knocked 120 unrelated companies' websites offline--a scenario that most hosting customers don't anticipate.
By Mathew J. Schwartz InformationWeek
Dear customer: The FBI has taken our servers, hence your website--among about 160 others, including our own--is offline. And we don't know when they will be restored.
That's the gist of what happened on June 21, 2011, when FBI agents seized hardware in an early morning raid on data center space in Reston, Va., leased by Switzerland-based DigitalOne.
According to DigitalOne, the agents were supposed to remove only three servers, but many more were seized. "For reasons that we do not understand and have not yet been explained, the investigating authorities also seized 59 unrelated servers, although these were returned to our company within 24 hours," reads the statement released by DigitalOne (translated from German).
"During this seizure, however, various modules and cable connections and also our company's backup system were affected, resulting in massive disruptions to a considerable number of client servers, our email system, and our support system."
An FBI spokesman declined to comment on the DigitalOne outage, or the purpose of the raids. An unnamed source told The New York Times that the raids related to an investigation into the LulzSec hacker group. However, the day after the raids, the FBI issued a press release announcing its breakup of
two international scareware rings.
The FBI-led operation, dubbed Operation Trident Tribunal, involved searches, seizures, and arrests--apparently occurring from June 20 to June 21--not only in the United States, but also in 11 other countries: Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Sweden, Lithuania, Romania, Canada, and the United Kingdom. In and of itself, that level of cross-border cooperation, especially given
the lack of widespread cybercrime treaties, is impressive. But in the DigitalOne raid, FBI agents apparently did remove more servers than needed, although DigitalOne said the FBI returned the 59 other servers within 24 hours.
This incident poses two interesting questions. First, why didn't the removal of DigitalOne's servers trigger
any automatic disaster recovery protocol, for example, from an offsite facility? The short answer is that DigitalOne didn't have offsite redundancy, although that could change. "After these events, we will probably begin to offer to the clients the backup of their data in [another] independent data center," DigitalOne's CEO, Sergej Ostroumow, told me via email.
Second question: If the FBI raids a data center, seizes servers, and knocks unrelated customers of that data center offline, would DigitalOne--or its customers--have any recourse against the feds? "Assuming that the seizure was undertaken pursuant to a properly issued order, there is little recourse available to DigitalOne as to restoration of data," attorney Kenneth K. Dort, who specializes in IT and intellectual property law issues for Drinker Biddle & Reath in Chicago, told me.
"In particular, I would have to assume that the underlying hosting agreement DigitalOne has with the hosting entity--i.e., the entity actually visited by the FBI, and from whose facilities the servers were taken--has clear backup or disaster recovery provisions protecting the data," Dort said. "The reason this point is relevant is that all responsible agreements should have such protections in place--and the FBI seizure is operationally no different."
In other words, hosting providers need to plan for the possibility that their facility may be rendered inoperable by an earthquake, hurricane, or law enforcement raid. "Any decent agreement should operationally contemplate and address the current situation [i.e. the FBI raid]--thus eliminating any 'damage' from the seizure," Dort said. That's the hosting side of things. But legally speaking, any DigitalOne customers with data on the seized servers would likewise have no recourse against the bureau, "as long as the seizure was reasonable, within the scope of the seizure order," he said.
