Like it or not, the world today is a very different place from the world of Sept. 10. Much of the planet is now entangled in a completely new kind of armed conflict, in which civilians and civilian infrastructure are both targets and weapons, “front lines” dont exist, and identifying the enemy is 99 percent of the battle. The distinction between military and civilian is tenuous at best, and deceptive at worst.
In this new world, private and commercial information security take on an entirely new significance. While by no stretch of the imagination comparable to the kind of devastation visited on Manhattan, carefully planned and executed attacks on network infrastructure and sensitive data could cause enormous damage to an already fragile economy. Alteration or destruction of financial and credit data could render critical transactions unreliable. Widespread theft could exact a toll on consumers and industry alike. Extended interruption of network services could impose unpredictable costs upon struggling businesses.
In other words, the defense of individual networks has ceased to be a matter of individual corporate interests, and become a matter of collective public concern.
Under these circumstances, it is now critical to take action that the high tech industry has always considered anathema; the government must step in and take a much more active role in securing the public Internet.
This is not to say that the state should monopolize the field, hamper any research, or take any legislative steps lightly. As network security becomes a matter of national security, however, the time has come to acknowledge that existing market forces have utterly failed to drive the development of defenses sufficient even to slow down a concerted system-wide attack.
Perhaps the best starting point for government action would be the provision of targeted financial support and incentives to companies and ISPs genuinely lacking the resources to adequately secure their own networks. As markets waver and companies struggle to remain in business, any expense not contributing directly and immediately to the bottom line becomes a luxury; security will be among the first on that list. This phenomenon could easily become an uncontrollable downward spiral as economic downturns increase vulnerability to attack, which in turn cause further economic pain.
While a financial carrot is a good beginning, a legal stick is probably also necessary to move the industry in the right direction.
Most developers find it simply unprofitable to subject their software to rigorous security testing before releasing it on the public. The state must permit civil and possibly criminal courts to hold these developers responsible for the security of their products. Firms often decide that their own costs associated with a potential security breach are less than the costs of providing the security necessary to stop it; lax defenses in one network can threaten many others, however. The state should accelerate the development of civil law designed to ensure that companies bear the full cost of their own insecurity.
In the wake of the nightmare that was Sept. 11, a few glimmers of hope appeared; perhaps the most important was a re-emergence of a sense of community, and a recognition that individual interests are not always paramount. We need to learn to apply this lesson in many different ways if we are to adapt to our new world.