IP: an excellent comment on -- Policing the Internet: Anyone but Government

[Dave Farber <farber@cis.upenn.edu>]

>To: farber@cis.upenn.edu
>From: edyson@edventure.com (Esther Dyson)
>Subject: Re: IP: Policing the Internet: Anyone but Government
>Cc: Steve Lohr <lohr@nytimes.com>
>Date: Sun, 20 Feb 2000 07:05:14 -0500
>
>What should we do to avoid repeats of  the recent denial-of-service (DOS)
>attacks on Websites such as Yahoo! and eBay?
>
>As I've said, the Net gives economies of scale to individuals - even to
>criminals.  And a further creepy aspect of these attacks is that they came
>from the machines of unsuspecting third parties whose machines had earlier
>been compromised by the attackers. That is, some people's poor security was
>used to attack third parties - whose security was not compromised but whose
>machines couldn't function because of the volume of traffic sent their way.
>Thus, we can't just say that the victims deserved it because of their own
>loose security.
>
>Most of the solutions suggested for such security problems (and future ones)
>involve strong government regulation and surveillance. And many of the
>reactions to the solutions justifiably point out the dangers to individual
>freedom if we create a Police Net - the virtual equivalent of a police 
>state.
>
>But we don't necessarily need to make a one-dimensional choice between
>security and freedom.  A more fruitful approach is to look at public  as a
>kind of public health/safety problem, and ask how we can improve public
>hygiene/safety.  For starters, people - at companies, universities, and any
>other organization that uses computers - need to be encouraged to secure
>their machines, both for their own safety and so they cannot be compromised
>to launch an attack on someone else.
>
>How to make this happen? Regulations would probably set a minimum and a
>clear target that criminals would take delight in working around.  And
>government surveillance, limitations on anonymity, required registration of
>all users?..the cure might be worse than the disease.
>
>Instead, there are a number of paths to pursue; there's no single solution.
>To start, consider what the insurance industry and liability laws did for
>fire safety. The insurance companies should get involved, since every large
>company has been calling its insurance company this month (or looking for
>one). And they *will* get involved, since it's a nice line of business.  Of
>course, the point is for them to take the trouble to *reduce* the risks
>rather than simply charging high premiums for high risks. Insurance
>companies need to get the expertise to assess their clients' security
>systems. And they will probably also turn to all those consultants and
>experts who no longer have Y2K to worry about/bill for. Security consulting
>is a nice new line of business - and it's socially responsible!
>
>And a final step, one which could benefit from government/regulatory action:
>Require that companies disclose their security practices and potential
>liabilities in financial statements. ISPs and computer vendors would have to
>disclose the security provisions of the systems and services they sell, and
>could also be sued for negligence.
>
>Then we could let the market (and yes, the lawyers!) take care of it, far
>more flexibly than formal regulations and requirements could. Yes, it's a
>pity to bring in lawyers and liability, but that is an easier cost to bear
>than the loss of freedom.
>
>In short, we  need to understand that electronic security costs money, just
>like regular security (locks, guards, alarm systems).  Power implies
>responsibility; if you buy a computer that can be used as a weapon, you need
>to make sure that it is designed and installed safely. Of course your
>average user doesn't know how to set up a safe system, but he needs to
>demand service from someone who does.  Smaller businesses (who don't file
>financial statements with the public) need to understand that they are
>liable, just like the guy who doesn't bother to shovel his sidewalk after
>the snowstorm.
>
>Yes, it's a pity to rely on the legal system, but better that than
>government surveillance. Government-sponsored *education* (and due-care
>precedents set in court) could be very valuable, but self-interested
>companies will also provide education in the form of advertising outlining
>the dangers and their solutions. May the best solutions evolve to match the
>evolving risks!
>
>
>At 06:48 am 02/20/2000 -0500, Dave Farber wrote:
> >http://www.nytimes.com/library/review/022000internet-security-review.htm
> >
> >Policing the Internet: Anyone but Government
> >
> >
> >
> >By STEVE LOHR
> >
> >
> >he attacks on eBay, Yahoo, E*Trade and other big Web sites earlier this
> >month showed the Internet to be surprisingly vulnerable to a few
> >laptop-toting cyber-vandals. This is a pressing public concern, surely, as
> >the nation increasingly comes to rely for commerce and everyday
> >communication on this chaotic, global computer network.
> >
> >But when President Clinton met last week with more than two dozen
> >representatives of the Internet community, a big role for government was
> >not on the agenda. The president asked what could or should the Government
> >do. Not a lot, the Internet elite told him. The message: It's an industry
> >issue.
> >
> >"No one in that room was asking the government to fix this problem," said
> >Nicholas Donofrio, senior vice president for technology at I.B.M., who
> >attended the meeting.
> >
> >The gathering epitomized the main thrust of Government policy in the
> >Internet arena. Government, the theory goes, should offer a forum and be a
> >cooperative partner, so as to facilitate the rapid rise of Internet
> >commerce. That stance was set in a July 1997 policy document on E-commerce
> >written by Ira Magaziner, a senior White House policy adviser at the time.
> >His document extolled the "breakneck speed of change in the technology" and
> >stated, "Government attempts to regulate [the Internet] are likely to be
> >outmoded by the time they are finally enacted."
> >
> >The hands-off approach, however, will be challenged more and more as the
> >
> ><snip>
> >
> >
> >
>
>
>Esther Dyson                    Always make new mistakes!
>chairman, EDventure Holdings
>chairman, Internet Corp. for Assigned Names & Numbers
>edyson@edventure.com
>1 (212) 924-8800    --  1 (212) 924-0240 fax
>104 Fifth Avenue (between 15th and 16th Streets; 20th floor)
>New York, NY 10011 USA
>http://www.edventure.com                    http://www.icann.org
>
>PC Forum: 12 to 15 March 2000, Scottsdale (Phoenix), Arizona
>Book:  "Release 2.1: A design for living in the digital age"
>High-Tech Forum in Europe: October 2000 - probably Barcelona