Dear customer: The FBI has taken our servers, hence your website--among about 160 others, including our own--is offline. And we don't know when they will be restored.
That's the gist of what happened on June 21, 2011, when FBI agents seized hardware in an early morning raid on data center space in Reston, Va., leased by Switzerland-based DigitalOne.
According to DigitalOne, the agents were supposed to remove only three servers, but many more were seized. "For reasons that we do not understand and have not yet been explained, the investigating authorities also seized 59 unrelated servers, although these were returned to our company within 24 hours," reads the statement released by DigitalOne (translated from German). "During this seizure, however, various modules and cable connections and also our company's backup system were affected, resulting in massive disruptions to a considerable number of client servers, our email system, and our support system."
An FBI spokesman declined to comment on the DigitalOne outage, or the purpose of the raids. An unnamed source told The New York Times that the raids related to an investigation into the LulzSec hacker group. However, the day after the raids, the FBI issued a press release announcing its breakup of two international scareware rings.
The FBI-led operation, dubbed Operation Trident Tribunal, involved searches, seizures, and arrests--apparently occurring from June 20 to June 21--not only in the United States, but also in 11 other countries: Ukraine, Latvia, Germany, Netherlands, Cyprus, France, Sweden, Lithuania, Romania, Canada, and the United Kingdom. In and of itself, that level of cross-border cooperation, especially given the lack of widespread cybercrime treaties, is impressive. But in the DigitalOne raid, FBI agents apparently did remove more servers than needed, although DigitalOne said the FBI returned the 59 other servers within 24 hours.
This incident poses two interesting questions. First, why didn't the removal of DigitalOne's servers trigger any automatic disaster recovery protocol, for example, from an offsite facility? The short answer is that DigitalOne didn't have offsite redundancy, although that could change. "After these events, we will probably begin to offer to the clients the backup of their data in [another] independent data center," DigitalOne's CEO, Sergej Ostroumow, told me via email.
Second question: If the FBI raids a data center, seizes servers, and knocks unrelated customers of that data center offline, would DigitalOne--or its customers--have any recourse against the feds? "Assuming that the seizure was undertaken pursuant to a properly issued order, there is little recourse available to DigitalOne as to restoration of data," attorney Kenneth K. Dort, who specializes in IT and intellectual property law issues for Drinker Biddle & Reath in Chicago, told me.
"In particular, I would have to assume that the underlying hosting agreement DigitalOne has with the hosting entity--i.e., the entity actually visited by the FBI, and from whose facilities the servers were taken--has clear backup or disaster recovery provisions protecting the data," Dort said. "The reason this point is relevant is that all responsible agreements should have such protections in place--and the FBI seizure is operationally no different."
In other words, hosting providers need to plan for the possibility that their facility may be rendered inoperable by an earthquake, hurricane, or law enforcement raid. "Any decent agreement should operationally contemplate and address the current situation [i.e. the FBI raid]--thus eliminating any 'damage' from the seizure," Dort said. That's the hosting side of things. But legally speaking, any DigitalOne customers with data on the seized servers would likewise have no recourse against the bureau, "as long as the seizure was reasonable, within the scope of the seizure order," he said.
"In this case, the order likely permitted the taking of servers housing the DigitalOne data, so that unless that data was segregated from any other companies' data, it would be reasonable to expect such servers to include that data," he said. "Thus, the FBI would not be expected to download the data onsite." But the bureau would be required to return the data or servers--after having downloaded the required data--in a timely manner, and indeed it did return the other servers within 24 hours.
In other words, assuming that the seizure order holds up--and really, who wants to take bets here?--the outage is down to DigitalOne. "As noted above, they should not suffer any operational problems if they had the proper disaster procedures in place," Dort said. "Therefore, the only real concern they should have would be over the FBI's preservation of confidentiality of that information, which the FBI usually observes very carefully."
DigitalOne apparently didn't envision that a law enforcement raid might seize so many of its servers, likewise when it came to crafting its service-level agreement with customers. "As the SLA was created, nobody thought of such an event," said DigitalOne's Ostroumow. Asked if the FBI's raid counted as an unforeseen event that fell outside the DigitalOne SLA, he said, "Yes, it can be qualified as an 'unforeseen event,' but we are working on compensation measures."
Security monitoring, incident response, and forensics are essential, even in the cloud. But the cloud by definition implies relinquishing at least some control, which can make these practices problematic. In this report, we identify the challenges of detecting and responding to security issues in the cloud and discuss the most effective ways to address them. Download our report now. (Free registration required.)