In the last eight years, every significant public policy initiative to address the safety and security of U.S. national information infrastructure has recommended a significant, largely voluntary, role for the private sector, owing in large part to the dominant ownership stake of private entities in the infrastructure. Notably absent from much of the policy discourse and underlying research has been a careful examination of the stakeholder incentives to adopt and to spur the development of security technologies and processes. We believe that the lack of progress to date in achieving a secure and robust cyber infrastructure is in large part the direct result of a failure by public policy to recognize and to address those incentives and the technological, economic, social and legal factors underlying them.

We advocate a new approach for the analysis and development of coherent policy in which the interaction of economic incentives among stakeholders is explicitly considered. By economic incentives, we mean the full array of economic and technological factors that shape infrastructure decision-making, not merely government subsidies or tax credits. We provide an initial framework for understanding the technology dependencies and economic incentives associated with cyber security, along with illustrative examples of the key players and their motivations. We argue that the successful development of a secure cyber infrastructure will require more than improved technology and that it could be accelerated by careful consideration of the evolving economic and legal issues that shape stakeholder incentives.

The nuclear programs of the Democratic People's Republic of Korea (DPRK), Iran, and Pakistan provide the most visible manifestations of three broad and interrelated challenges to the nuclear nonproliferation regime. The first is so-called latent proliferation, in which a country adheres to, or at least for some time maintains a façade of adhering to, its formal obligations under the Nuclear Nonproliferation Treaty (NPT) while nevertheless developing the capabilities needed for a nuclear weapons program. That country can then either withdraw from the NPT and build actual weapons on short notice, or simply stay within the NPT while maintaining the latent capability for the rapid realization of nuclear weapons as a hedge against future threats. This was the path followed by the DPRK with its plutonium program and one that is likely being followed by Iran and more subtly by others. The second broad challenge is first-tier nuclear proliferation, in which technology or material sold or stolen from private companies or state nuclear programs assists nonnuclear weapons states in developing illegal nuclear weapons programs and delivery systems. The third challenge--the focus of this article--is second-tier nuclear proliferation, in which states in the developing world with varying technical capabilities trade among themselves to bolster one another's nuclear and strategic weapons efforts.

This article grew out of a week-long study in August 2002 to assist ongoing efforts inside and outside the government to remedy some vulnerabilities of the international shipping system on which US and a great deal of world prosperity depend. The study's objective was to identify the most important research initiatives and the major policy issues that need to be addressed in order to improve security of imports using shipping containers, particularly against the importation of nuclear materials and weapons, while maintaining an open trading system. To be effective, a system to detect nuclear weapons or special nuclear material before they reach U.S. ports must be international in scope and reach. It must also be economically acceptable both in terms of total cost and with respect to how these costs are allocated; degrade gracefully when subjected to attack; produce actionable intelligence in a timely manner; treat false alarms realistically; be adaptable to a variety of local physical and political conditions; be auditable, secure yet accessible to the needed foreign and domestic security agencies, and have clear lines of oversight and responsibility. Finally, the system should be flexible enough to allow for regular updates as users and operators gain experience and system performance is reviewed. This study identified a sample technical approach that is feasible technically and operationally and involves components already in the early deployment stage. The approach involves container certification; monitoring at ports of embarkation, debarkation, and continuously during shipment and storage; and continuous data fusion. Specific recommendations regarding system characteristics made by the study include rigorous testing during deployment and in the field, international coordination of standards and protocols, careful analysis of the system for compatibility with pertinent governmental policies and business and labor agreements, and early provision for forward-looking research and development.

Testimony before the U.S. House of Representatives' Select Committee on Homeland Security

There is a serious but reparable vulnerability in the biometric identification system of the US-VISIT Program, which is our last line of defense for keeping terrorists off U.S. soil. A minor software modification that allows the watchlist rule to vary with image quality can increase detection from 53% to 73%. I have provided details to officials who oversee the US-VISIT operations, and this should be implemented as soon as possible. The use of more than 2 fingers for low-quality images can achieve a detection probability of 95%. Although switching from a 2-fingerprint to a 10-fingerprint system may be costly and disruptive, there is no excuse for a 10-billion dollar program to settle for performance below this level. Indeed, our results are not inconsistent with the warning in the November, 2002 NIST report that a 2-finger search was not sufficient for identification from a large watchlist. If slower 2-finger matching algorithms cannot approach 95% detection for poor-quality images, then the US-VISIT Program should be reconfigured with 10-fingerprint scanners as soon as possible.

Our recommendations hinge on the assumption that terrorist organizations as sophisticated as Al Qaeda will eventually attempt to defeat the US-VISIT system by employing terrorists with poor quality fingerprints.