Security problems exist at all levels. Richard Clarke, counterterrorism adviser to the National Security Council during the September 11 attacks (and author of a book criticizing the Bush administration's record on terrorism), says that e-commerce is vulnerable because it generally rests on hastily deployed, jury-rigged systems that need a comprehensive rethink--one that builds security in, instead of trying to slap it on as an afterthought. Clarke, who now works for a Beltway consultancy called Good Harbor, cites the example of Microsoft Windows: Who would have imagined, ten years ago, that it would have so many hundreds of exploitable bugs, flaws, and holes?
Newer industries are just as hasty as their predecessors--and are just as likely to re-create the errors of the early Internet: the sloppiness, the hurried development, and the naive hubris of the techie pioneer who can't imagine that criminals, someday, might become as clever as he is. (For example, after users of Google's Web Accelerator complained that its caching technology allowed strangers to access password-protected sites, the company stopped offering the software, saying it could not support any more users.)
And finally, there's the ultimate threat: the possibility of a cyberterrorist attack that could bring down the Internet itself.
The Internet is global, law is local; that's a fundamental problem facing those who would combat the tidal wave of crime and sleaze. We're in a world where nation-states pit themselves against criminals who have no return address.
International organizations that ostensibly should be civilizing the Net--ICANN, WSIS, IETF, W3C--are so weak and obscure that most people don't even know what their acronyms stand for. (For the record, they are the Internet Corporation for Assigned Names and Numbers, the United Nations-affiliated World Summit on the Information Society, the Internet Engineering Task Force, and the World Wide Web Consortium.)
These outfits are in no position to do much about crime on the Net. They have no guns, badges, or jails. In theory, these groups and other organizations might be able to eliminate a lot of weaknesses in the Net's aging architecture: The National Science Foundation, for example, recently proposed a project to develop a next-generation Internet that would supersede the long-discussed IPv6 (Internet Protocol version 6)--which in turn is supposed to improve on today's IPv4. But the Net may now be too old, too big, and too anarchic for any single body to fix.
The lack of any immediate prospect for a global solution to the Internet's inherently global problem leaves officials at the national level to pick up the dropped baton. Nations have the means, the motive, and the opportunity to create and enforce law and order. They do have guns, money, and prisons. And when it comes to basic influence over the Net, the United States is the single superpower.
Anyone who doubts that has only to look at the federal government's recent annexation of ICANN's DNS root servers--the names-and-addresses core of the Internet, the central scheme that makes the Internet global. In August, just days before the launch of an ICANN-approved top-level domain (.xxx) intended to create a virtual red-light district for segregating pornographers, the U.S. Department of Commerce got ICANN to put the contract to run .xxx on hold. (Other countries weren't happy about the new domain either, but only the United States had the power to halt its implementation.)
As the most powerful force on the Net, the U.S. government actually has a high-level, official plan to make the Internet safer and more civilized: Clarke's "National Strategy to Secure Cyberspace," which, in addition to recommending basic security housekeeping and training, calls for the creation of a multiagency, rapid-response "cyber warning and information network" to handle emergencies. But the plan, while never formally discarded, hasn't been implemented, either.
Clarke says federal law enforcement is crippled by turf wars: Responsibility for cybersecurity is split between the Office of Management and Budget, which, says Clarke, has ability but no direct authority, and the young Department of Homeland Security, which has authority but lacks ability. Why hasn't this turf war been resolved? Clarke says a regulation-averse administration hesitates to empower a new cyberbody that might impose new regulations on private enterprise.
That's why the Office of Management and Budget looks like a mighty contender in federal security policy, even though the cops are in Homeland Security: The OMB can require that all federal agencies--as well as anyone who wants to do business with them--use secure software.