Gorelick testifies before Senate, unveils new executive order

[Duncan Frissell]

David Sternlight writes:

> Here's the problem in a nutshell: Everyone who has looked at our systems,
> from Cliff Stoll

A *famous* security expert.

>on to blue ribbon scientific commissions, 

The last of which recommended that crypto be entirely deregulated.

> Serious studies have shown that the kinds of protections to make the
> systems we depend on robust against determined and malicious attackers (say
> a terrorist government, or one bent on doing a lot of damage in retaliation
> for one of our policies they don't like), have costs beyond the capability
> of individual private sector actors.

Defense is cheaper than attack in encryption because it is easier to make
coherent information incoherent (see Usenet) than it is to make incoherent
information coherent.

> In such a case, where public benefits from government action greatly exceed
> public (taxpayer) costs, and the private sector cannot (or will not) act
> unaided, the classical basis for government action in the interests of the
> citizenry exists. It's the economist's "lighthouse" argument.

But since the Internet and the WANs and LANs that you are talking about are
all "private value-added networks," the benefits of enhanced security a
fully captured by the users of those networks and there is no "public goods"
problems.  (BTW, there were private lighthouses too.)  

Note too that major money center banks disagree with you.  There was a
recent article about the fact that they are not reporting computer
intrusions and just fixing the problems themselves.  They don't seem
interested in official security "help" with all the disadvantages (publicity
and security leaks) that it brings. 

DCF