http://www.nytimes.com/library/review/022000internet-security-review.html
Policing the Internet: Anyone but Government
By STEVE LOHR
The attacks on eBay, Yahoo, E*Trade and other big Web sites earlier this
month showed the Internet to be surprisingly vulnerable to a few
laptop-toting cyber-vandals. This is a pressing public concern, surely, as
the nation increasingly comes to rely for commerce and everyday
communication on this chaotic, global computer network.
But when President Clinton met last week with more than two dozen
representatives of the Internet community, a big role for government was
not on the agenda. The president asked what could or should the Government
do. Not a lot, the Internet elite told him. The message: It's an industry
issue.
"No one in that room was asking the government to fix this problem," said
Nicholas Donofrio, senior vice president for technology at I.B.M., who
attended the meeting.
The gathering epitomized the main thrust of Government policy in the
Internet arena. Government, the theory goes, should offer a forum and be a
cooperative partner, so as to facilitate the rapid rise of Internet
commerce. That stance was set in a July 1997 policy document on E-commerce
written by Ira Magaziner, a senior White House policy adviser at the time.
His document extolled the "breakneck speed of change in the technology" and
stated, "Government attempts to regulate [the Internet] are likely to be
outmoded by the time they are finally enacted."
The hands-off approach, however, will be challenged more and more as the
<snip>
To: farber@cis.upenn.edu
From: edyson@edventure.com (Esther Dyson)
Subject: Re: IP: Policing the Internet: Anyone but Government
Cc: Steve Lohr <lohr@nytimes.com
Date: Sun, 20 Feb 2000 07:05:14 -0500
What should we do to avoid repeats of the recent denial-of-service (DOS)
attacks on Websites such as Yahoo! and eBay?
As I've said, the Net gives economies of scale to individuals - even to
criminals. And a further creepy aspect of these attacks is that they came
from the machines of unsuspecting third parties whose machines had earlier
been compromised by the attackers. That is, some people's poor security was
used to attack third parties - whose security was not compromised but whose
machines couldn't function because of the volume of traffic sent their way.
Thus, we can't just say that the victims deserved it because of their own
loose security.
Most of the solutions suggested for such security problems (and future ones)
involve strong government regulation and surveillance. And many of the
reactions to the solutions justifiably point out the dangers to individual
freedom if we create a Police Net - the virtual equivalent of a police state.
But we don't necessarily need to make a one-dimensional choice between
security and freedom. A more fruitful approach is to look at public as a
kind of public health/safety problem, and ask how we can improve public
hygiene/safety. For starters, people - at companies, universities, and any
other organization that uses computers - need to be encouraged to secure
their machines, both for their own safety and so they cannot be compromised
to launch an attack on someone else.
How to make this happen? Regulations would probably set a minimum and a
clear target that criminals would take delight in working around. And
government surveillance, limitations on anonymity, required registration of
all users…..the cure might be worse than the disease.
Instead, there are a number of paths to pursue; there's no single solution.
To start, consider what the insurance industry and liability laws did for
fire safety. The insurance companies should get involved, since every large
company has been calling its insurance company this month (or looking for
one). And they *will* get involved, since it's a nice line of business. Of
course, the point is for them to take the trouble to *reduce* the risks
rather than simply charging high premiums for high risks. Insurance
companies need to get the expertise to assess their clients' security
systems. And they will probably also turn to all those consultants and
experts who no longer have Y2K to worry about/bill for. Security consulting
is a nice new line of business - and it's socially responsible!
And a final step, one which could benefit from government/regulatory action:
Require that companies disclose their security practices and potential
liabilities in financial statements. ISPs and computer vendors would have to
disclose the security provisions of the systems and services they sell, and
could also be sued for negligence.
Then we could let the market (and yes, the lawyers!) take care of it, far
more flexibly than formal regulations and requirements could. Yes, it's a
pity to bring in lawyers and liability, but that is an easier cost to bear
than the loss of freedom.
In short, we need to understand that electronic security costs money, just
like regular security (locks, guards, alarm systems). Power implies
responsibility; if you buy a computer that can be used as a weapon, you need
to make sure that it is designed and installed safely. Of course your
average user doesn't know how to set up a safe system, but he needs to
demand service from someone who does. Smaller businesses (who don't file
financial statements with the public) need to understand that they are
liable, just like the guy who doesn't bother to shovel his sidewalk after
the snowstorm.
Yes, it's a pity to rely on the legal system, but better that than
government surveillance. Government-sponsored *education* (and due-care
precedents set in court) could be very valuable, but self-interested
companies will also provide education in the form of advertising outlining
the dangers and their solutions. May the best solutions evolve to match the
evolving risks!
Esther Dyson Always make new mistakes!
chairman, EDventure Holdings
chairman, Internet Corp. for Assigned Names & Numbers
edyson@edventure.com
1 (212) 924-8800 -- 1 (212) 924-0240 fax
104 Fifth Avenue (between 15th and 16th Streets; 20th floor)
New York, NY 10011 USA
http://www.edventure.com http://www.icann.org
PC Forum: 12 to 15 March 2000, Scottsdale (Phoenix), Arizona
Book: "Release 2.1: A design for living in the digital age"
High-Tech Forum in Europe: October 2000 - probably Barcelona
**************************************************************************
Subscribe to Freematt's Alerts: Pro-Individual Rights Issues
Send a blank message to: freematt@coil.com with the words subscribe FA
on the subject line. List is private and moderated (7-30 messages per month)
Matthew Gaylor,1933 E. Dublin-Granville Rd., PMB 176, Columbus, OH 43229
Archived at http://www.egroups.com/list/fa/
**************************************************************************
This archive was generated by hypermail 2b29 : Thu Jul 27 2000 - 14:03:57 MDT