Societies are becoming more dependent on computer networks and therefore more vulnerable to cyber crime and terrorism. Measures to protect information systems are receiving increasing attention as the threat of attack grows and the nature of that threat is better understood. The primary purpose of this article is to determine what legal standards should govern the use of such measures and what nontechnical constraints are likely to be placed, or should be placed, on them. The article demonstrates that policing of computer networks poses a real threat to privacy, protection against self-incrimination and unwarranted searches and seizures, and the right to due process of law. Technological realities and the differences in national values and rules concerning the intrusiveness of law enforcement, protection of citizen's rights, and international cooperation can complicate the observance of these rights and allow misuse of systems set up for preventing, tracking, or punishing cyber crime. Another purpose of this article is to show that while technologies of crime and punishment are undergoing a rapid and profound evolution, the legal and normative principles discussed here will endure, because they are independent of specific technology. As such, they can provide a framework for building a global infrastructure and policy environment that can balance the needs for crime-free business, government, and personal communications, with the protection of property, privacy, and civil liberties. The article concludes that ensuring civil liberties in the course of legal and technological cooperation against cyber attacks is essential.

How much security is enough? No one today can satisfactorily answer this question for computer-related risks. The first generation of computer security risk modelers struggled with issues arising out of their binary view of security, ensnaring them in an endless web of assessment, disagreement, and gridlock. Even as professional risk managers wrest responsibility away from the first-generation technologists, they are still unable to answer the question with sufficient quantitative rigor. Their efforts are handicapped by a reliance on non-quantitative methodologies originally developed to address the deployment and organizational acceptance issues that plagued first-generation tools.

In this report, I argue that these second-generation approaches are only temporary solutions to the computer security risk-management problem and will eventually yield to decision-focused, quantitative, analytic techniques. Using quantitative decision analysis, I propose a candidate modeling approach that explicitly incorporates uncertainty and flexibly allows for varying degrees of modeling detail to address many of the failings of previous modeling paradigms. Because quantitative modeling requires data, I also present a compilation and critique of publicly available computer security data. I highlight the importance of data collection, sharing, and standardization with discussions of measurement, relevance, terminology, competition, and liability. I conclude with a case study example, demonstrating how uncertain data and expert judgments are used in the proposed modeling framework to give meaningful guidance to risk managers and ultimately to answer the question: How much is enough?

The war in the Democratic Republic of the Congo (DRC), which began in August 1998, is unprecedented-at times involving armies from eight African states. Soldiers from Chad are fighting alongside regiments from Namibia, Angola, and Zimbabwe in defense of President Laurent Kabila. And on offense, the two main rebel groups, the Congolese Assembly for Democracy (which is known by the acronym RCD) and the Movement for the Liberation of Congo (MLC), are backed by troops from Uganda and Rwanda. As Susan E. Rice, assistant secretary of state for African affairs, warned the House International Relations Committee in September 1998, "The fighting threatens regional stability, hampers economic progress, endangers the lives of millions of people, perpetuates human rights abuses, and impedes the democratic transformation of Africa's third-largest country." This war, Rice said, is potentially "among the most dangerous conflicts on the globe."

Yet, the war in Congo goes on almost unnoticed outside of Africa. While African heads of state spent much of the last year shuttling across the continent, wrestling with the crisis and searching for a peaceful solution, Congo has been largely missing from the agendas of the Western powers and multilateral organizations. Only in January, when the U.S. representative to the United Nations, Richard Holbrooke, taking advantage of his tenure as Security Council president to draw attention to Africa, did the war enter Western consciousness.

The conflict in the DRC is the first interstate war in sub-Saharan Africa since Uganda invaded Tanzania in 1978, and only the third since 1960. Although Africa is seen as a hotbed of violence and warfare, most conflicts have been intrastate in nature. Norms of sovereignty reinforced by clauses in the charter of the Organization of African Unity (OAU) and the constitutions of the various subregional organizations have effectively prevented cross-border conflict from the time of independence until now. The Ugandan and Rwandan-led invasion of Congo, as well as the presence there of the Southern African Development Community (SADC) intervention force, therefore represents a watershed in the recent history of African conflict. It appears that the forces preventing cross-border conflict since 1960 have become seriously weakened.

What are the implications of the rise of interstate war in Africa for peace and security on the continent? Why have Western powers been so reluctant to take an active role in resolving Africa's first "world war"? And what impact will the changing nature of warfare in Africa have on U.S. policy and the role of the United Nations there?