The information infrastructure is increasingly under attack by cyber criminals. The number, cost, and sophistication of attacks are increasing at alarming rates. Worldwide aggregate annual damage from attacks is now measured in billions of U.S. dollars. Attacks threaten the substantial and growing reliance of commerce, governments, and the public upon the information infrastructure to conduct business, carry messages, and process information. Most significant attacks are transnational by design, with victims throughout the world.

Measures thus far adopted by the private and public sectors have not provided an adequate level of security. While new methods of attack have been accurately predicted
by experts and some large attacks have been detected in early stages, efforts to prevent or deter them have been largely unsuccessful, with increasingly damaging consequences. Information necessary to combat attacks has not been timely shared. Investigations have been slow and difficult to coordinate. Some attacks are from States that lack adequate laws governing deliberate destructive conduct. Such international cooperation as occurs is voluntary and inadequate. Some significant enhancement of defensive capabilities seems essential. Cyber crime is quintessentially transnational, and will often involve jurisdictional assertions of multiple States. Agreements on jurisdiction and enforcement must be developed to avoid conflicting claims.

The need and methods for effecting international cooperation in dealing with cyber crime and terrorism were the subject of a conference sponsored by the Hoover Institution, the Consortium for Research on Information Security and Policy (CRISP) and the Center for International Security and Cooperation (CISAC) at Stanford University on December 6-7, 1999 (the "Stanford Conference"). Members of government, industry, NGOs, and academia from many nations met at Stanford to discuss the growing problem. A clear consensus emerged that greater international cooperation is required, and considerable agreement that a multilateral treaty focused on criminal abuse of cyber systems would help build the necessary cooperative framework. (A synthesis of the Stanford Conference papers and discussion will be published by the Hoover Press.) This monograph summarizes and presents the Stanford Draft International Convention to Enhance Security from Cyber Crime and Terrorism (the "Stanford Draft" or the "Draft") and commentary on the Draft. The Draft acknowledges and builds upon the draft Convention on Cyber Crime proposed by the Council of Europe (the "COE Draft").

Societies are becoming more dependent on computer networks and therefore more vulnerable to cyber crime and terrorism. Measures to protect information systems are receiving increasing attention as the threat of attack grows and the nature of that threat is better understood. The primary purpose of this article is to determine what legal standards should govern the use of such measures and what nontechnical constraints are likely to be placed, or should be placed, on them. The article demonstrates that policing of computer networks poses a real threat to privacy, protection against self-incrimination and unwarranted searches and seizures, and the right to due process of law. Technological realities and the differences in national values and rules concerning the intrusiveness of law enforcement, protection of citizen's rights, and international cooperation can complicate the observance of these rights and allow misuse of systems set up for preventing, tracking, or punishing cyber crime. Another purpose of this article is to show that while technologies of crime and punishment are undergoing a rapid and profound evolution, the legal and normative principles discussed here will endure, because they are independent of specific technology. As such, they can provide a framework for building a global infrastructure and policy environment that can balance the needs for crime-free business, government, and personal communications, with the protection of property, privacy, and civil liberties. The article concludes that ensuring civil liberties in the course of legal and technological cooperation against cyber attacks is essential.

How much security is enough? No one today can satisfactorily answer this question for computer-related risks. The first generation of computer security risk modelers struggled with issues arising out of their binary view of security, ensnaring them in an endless web of assessment, disagreement, and gridlock. Even as professional risk managers wrest responsibility away from the first-generation technologists, they are still unable to answer the question with sufficient quantitative rigor. Their efforts are handicapped by a reliance on non-quantitative methodologies originally developed to address the deployment and organizational acceptance issues that plagued first-generation tools.

In this report, I argue that these second-generation approaches are only temporary solutions to the computer security risk-management problem and will eventually yield to decision-focused, quantitative, analytic techniques. Using quantitative decision analysis, I propose a candidate modeling approach that explicitly incorporates uncertainty and flexibly allows for varying degrees of modeling detail to address many of the failings of previous modeling paradigms. Because quantitative modeling requires data, I also present a compilation and critique of publicly available computer security data. I highlight the importance of data collection, sharing, and standardization with discussions of measurement, relevance, terminology, competition, and liability. I conclude with a case study example, demonstrating how uncertain data and expert judgments are used in the proposed modeling framework to give meaningful guidance to risk managers and ultimately to answer the question: How much is enough?