Computer Security: Total Information Awareness, Computer Voting, Etc.
Reuben W. Hills Conference Room, 2nd floor, Encina Hall East
The information infrastructure is increasingly under attack by cyber criminals. The number, cost, and sophistication of attacks are increasing at alarming rates. Worldwide aggregate annual damage from attacks is now measured in billions of U.S. dollars. Attacks threaten the substantial and growing reliance of commerce, governments, and the public upon the information infrastructure to conduct business, carry messages, and process information. Most significant attacks are transnational by design, with victims throughout the world.
Measures thus far adopted by the private and public sectors have not provided an adequate level of security. While new methods of attack have been accurately predicted by experts and some large attacks have been detected in early stages, efforts to prevent or deter them have been largely unsuccessful, with increasingly damaging consequences. Information necessary to combat attacks has not been timely shared. Investigations have been slow and difficult to coordinate. Some attacks are from States that lack adequate laws governing deliberate destructive conduct. Such international cooperation as occurs is voluntary and inadequate. Some significant enhancement of defensive capabilities seems essential. Cyber crime is quintessentially transnational, and will often involve jurisdictional assertions of multiple States. Agreements on jurisdiction and enforcement must be developed to avoid conflicting claims.
The need and methods for effecting international cooperation in dealing with cyber crime and terrorism were the subject of a conference sponsored by the Hoover Institution, the Consortium for Research on Information Security and Policy (CRISP) and the Center for International Security and Cooperation (CISAC) at Stanford University on December 6-7, 1999 (the "Stanford Conference"). Members of government, industry, NGOs, and academia from many nations met at Stanford to discuss the growing problem. A clear consensus emerged that greater international cooperation is required, and considerable agreement that a multilateral treaty focused on criminal abuse of cyber systems would help build the necessary cooperative framework. (A synthesis of the Stanford Conference papers and discussion will be published by the Hoover Press.) This monograph summarizes and presents the Stanford Draft International Convention to Enhance Security from Cyber Crime and Terrorism (the "Stanford Draft" or the "Draft") and commentary on the Draft. The Draft acknowledges and builds upon the draft Convention on Cyber Crime proposed by the Council of Europe (the "COE Draft").
Societies are becoming more dependent on computer networks and therefore more vulnerable to cyber crime and terrorism. Measures to protect information systems are receiving increasing attention as the threat of attack grows and the nature of that threat is better understood. The primary purpose of this article is to determine what legal standards should govern the use of such measures and what nontechnical constraints are likely to be placed, or should be placed, on them. The article demonstrates that policing of computer networks poses a real threat to privacy, protection against self-incrimination and unwarranted searches and seizures, and the right to due process of law. Technological realities and the differences in national values and rules concerning the intrusiveness of law enforcement, protection of citizens' rights, and international cooperation can complicate the observance of these rights and allow misuse of systems set up for preventing, tracking, or punishing cyber crime. Another purpose of this article is to show that while technologies of crime and punishment are undergoing a rapid and profound evolution, the legal and normative principles discussed here will endure, because they are independent of specific technology. As such, they can provide a framework for building a global infrastructure and policy environment that can balance the needs for crime-free business, government, and personal communications with the protection of property, privacy, and civil liberties. The article concludes that ensuring civil liberties in the course of legal and technological cooperation against cyber attacks is essential.
How much security is enough? No one today can satisfactorily answer this question for computer-related risks. The first generation of computer security risk modelers struggled with issues arising out of their binary view of security, ensnaring them in an endless web of assessment, disagreement, and gridlock. Even as professional risk managers wrest responsibility away from the first-generation technologists, they are still unable to answer the question with sufficient quantitative rigor. Their efforts are handicapped by a reliance on non-quantitative methodologies originally developed to address the deployment and organizational acceptance issues that plagued first-generation tools.
In this report, I argue that these second-generation approaches are only temporary solutions to the computer security risk-management problem and will eventually yield to decision-focused, quantitative, analytic techniques. Using quantitative decision analysis, I propose a candidate modeling approach that explicitly incorporates uncertainty and flexibly allows for varying degrees of modeling detail to address many of the failings of previous modeling paradigms. Because quantitative modeling requires data, I also present a compilation and critique of publicly available computer security data. I highlight the importance of data collection, sharing, and standardization with discussions of measurement, relevance, terminology, competition, and liability. I conclude with a case study example, demonstrating how uncertain data and expert judgments are used in the proposed modeling framework to give meaningful guidance to risk managers and ultimately to answer the question: How much is enough?
This article sets out the constraints of the Posse Comitatus Act of 1878 (the "Act"), which generally prohibits active enforcement of civilian laws by the military, and describes the discretion of the military commander to assist civilian law enforcement in protecting America's information infrastructure against computer-assisted attack. A primary purpose of this article is to help legal advisors to commanders and DoD civilian officials better understand the boundaries of command discretion so that commanders and officials can feel free to exercise proper command discretion to assist law enforcement according to military interests and their professional and personal ethics and ideals. Another primary purpose of the article is to apprise Congress of the Act, its prohibitions, and its application, to assist in framing the policy debate about how to constrain or expand the discretion of commanders and other officials to most productively serve the American public.
The Cross-Industry Working Team (XIWT), with the support of Stanford University Consortium for Research on Information Security and Policy (CRISP), sponsored a symposium on cross-industry activities aimed at improving the reliability, dependability, and robustness of the information infrastructure. The purpose of this meeting was to identify the steps required to get to a reliable and dependable information infrastructure serving the needs of society. The emphasis in the meeting was on cross-industry and potentially cross-sector (government, industry, and academia) activities to accomplish that goal. The symposium dealt with the following generic topics: organizational activities to identify and pursue critical issues, issues in data transport and communications, issues in applications and services, and potential research and development activities.
The presentations and discussions of the meeting identified several potential cross-industry activities that could further the effort toward a more reliable and trustworthy information infrastructure. These activities fell into four general categories:
Two specific activities were discussed in some detail.
Government Sharing of Best Practices
It was observed that many of the government agencies have undertaken extensive efforts to improve the trustworthiness of their information systems, enabling them to withstand both failures and attacks. There is an opportunity for these agencies to be exemplars for the community, sharing what they have learned in the process of trying to make their systems more robust. This was felt to be an example of how the government and industry could work together to improve the trustworthiness of the overall information infrastructure.
Collaborative Experimental Environments
A potentially very productive collaborative R&D activity was discussed, involving industry, academia, and government. Universities and university consortia are investigating new techniques for building reliable systems of unreliable components, and for dealing with large complex systems. There is a need to evaluate, validate, and assimilate such research results into the industry environment. To that end, a collaborative, multi-industry experimental environment was discussed. This environment, distributed across multiple organizations, could provide such an evaluation, validation, and assimilation opportunity.
A number of other potential cross-industry activities were also mentioned throughout the meeting, and are discussed briefly in the proceedings.
Attendees agreed (based on a follow-up survey and informal comments) that the symposium was well worthwhile, and that continued dialogue is important to achieving the shared goal of a trustworthy information infrastructure. XIWT plans on helping foster such dialogue as well as collaborative activities toward that goal.
On December 7, 1998, a cross-industry group of professionals interested in information security met to discuss perspectives on information security and prospects for multilateral cooperative activity to advance information and infrastructure security. Participants reviewed the information-security activities of their respective organizations, identified areas of mutual concern, and generated ideas for future group efforts.
The third Stanford-Livermore workshop in the series examining the protection of critical national infrastructures against cyber attack was held at Lawrence Livermore National Laboratory on February 26-27, 1998. The first two workshops were intended to provide informed inputs to the work of the President's Commission on Critical Infrastructure Protection, and the third, which came soon after the publication of the Commission's report to the President (entitled Critical Foundations), was directed toward a critical review of that report and toward developing suggestions for steps to implement its findings in four areas that are considered particularly important: criteria and priorities to guide near-term actions; creation of a public-private partnership; legal issues, with some emphasis on understanding impediments to cooperation; and facilitation of research and development planning, with a subtheme on the robustness of complex systems.
If high-performance computing (HPC) export control policy is to be effective, three basic premises must hold:
This study applies and extends the methodology established in Building on the Basics [1]. Its objective has been to study trends in HPC technologies and their application to problems of national security importance to answer two principal questions:
· Do the basic premises continue to be satisfied as the 20th century draws to a close?
· In what range of performance levels might an export-licensing threshold be set so that the basic premises are satisfied?
The study concludes that export controls on HPC hardware are still viable, although much weaker than in the past. In particular, while applications of national security interest abound, it is increasingly difficult to identify applications that strongly satisfy all three basic premises, i.e., applications that are of extreme national security importance, that would likely be effectively pursued by countries of national security concern, and that would be severely retarded without levels of computing performance that could be effectively controlled.
In July 1996, President Clinton established the President's Commission on Critical Infrastructure Protection (PCCIP), with a charter to designate critical infrastructures, to assess their vulnerabilities, to recommend a comprehensive national policy and implementation strategy for protecting those infrastructures from physical and cyber threats, and to propose statutory or regulatory actions to effect the recommended remedies. The charter gave examples of critical infrastructures (most notably telecommunications, electrical power, banking and finance, and transportation systems), and the types of cyber threats of concern (electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures).
Some of the infrastructures are owned or controlled by the government, and hence the government can harden and restructure these systems and control access to achieve a greater degree of robustness. However, the President's Executive Order recognized that many of the critical infrastructures are developed, owned, operated, or used by the private sector and that government and private sector cooperation will be required to define acceptable measures for the protection and assurance of continued operation of these infrastructures.
To assist in planning for the implementation of the Commission's recommendations, this paper starts by revisiting some of the Commission's central premises, and suggests that while there is reason to believe that the Commission's concerns over the long term are valid, more work is needed on these issues to fully support the PCCIP recommendations. Next, the Commission's recommendations are examined from the standpoint of priority, in order to provide a clear focus for early implementation efforts. Of the 72 recommendations, ten are identified as important first steps. Because most infrastructure systems are privately owned, the Commission proposes new partnership relationships between the public and private sectors to accomplish the goal of protection.
This paper questions and extends the Commission's thinking regarding the implementation of such arrangements. It concludes that the sharing of information between the public and the private sector will have to be carefully designed to protect the interests of all the parties involved. It also notes that while the nature of infrastructure systems makes them global in their operation, the Commission's Report treats the problem almost exclusively from a domestic viewpoint. This will work against organizing the international partners who will, of necessity, be an important part of the solution.