
A SHIFT IN GEO-CYBER STABILITY & SECURITY

By Jody R. Westby, Esq.

For

ANSER Institute of Homeland Security Conference
"Homeland Security 2005: Charting the Path Ahead"

May 6-7, 2002
College Park, Maryland

I. INTRODUCTION AND BACKGROUND

"In summary, we have here a political force committed fanatically to the belief that with the US there can be no permanent modus vivendi, that it is desirable and necessary that the internal harmony of our society be disrupted, our traditional way of life destroyed, the international authority of our state be broken. . . ."[1]

The foregoing sentence could have been written on September 12, 2001. Instead, it was written on February 22, 1946, by George Kennan in his now infamous "Long Telegram" from Moscow, where he was serving as chargé d'affaires. Grappling with post-war shifts in U.S.-Soviet relations and powerful ideological, cultural, and historical influences, Kennan shared his insights and laid the groundwork for his political "containment" policy, which was articulated in a subsequent Foreign Affairs article in July 1947.[2]

On the heels of World War II, America was faced with a new kind of enemy: the Cold War, socialism, and threats of nuclear strikes. In response to concerns about Soviet scientific supremacy after their launch of the Sputnik, the first artificial earth satellite, President Eisenhower founded the Defense Department's Advanced Research Projects Agency (ARPA), now DARPA, to coordinate all U.S. technological research.[3] J.C.R. Licklider of MIT was hired to head up the computer research program. A few months before, he had published a series of memos discussing a "Galactic Network" of interconnected computers that enabled shared access to programs and files. Vint Cerf, Bob Kahn, and some of the other "Fathers of the Internet" later noted that, "In spirit, the concept was very much like the Internet of today."[4]

About that same time, the Air Force, concerned about its ability to maintain command and control operations following a nuclear attack, commissioned RAND to do a study on a survivable military network that could provide "minimum essential communications."[5] The RAND work (1962-1965) concluded with a report by Paul Baran describing how a packet switched computer network could provide this capability.[6] Simultaneously (and unbeknownst to the RAND group), three MIT engineers were discussing the concept of networked computers and packet switching.[7] In late 1966, one of the MIT engineers, Lawrence Roberts, moved over to DARPA "to develop the computer network concept."[8]

Jody R. Westby is President of The Work-it Group, a risk management consulting company specializing in the legal and organizational considerations pertaining to information/infrastructure security, cybercrime, e-commerce, continuity of business operations and disaster recovery. She is also Sr. Manager, Information & Communication Technology for the National Fraud Center. Copyright held by Jody R. Westby, April 25, 2002, all rights reserved.

03/26/10 1


The rest is history. In 1971, the ARPANET, as the Internet was first called, had 23 hosts connecting government research centers and universities across the nation. By 1981, it was called the Internet, and by 1991 the World Wide Web came into existence. But corporations wanting to use the Internet for commercial business were blocked from accessing the backbone through the National Science Foundation's (NSF) NSFNET. Later that year, the NSF lifted the restriction and e-commerce was born. In 1995, NSF turned access to the Internet backbone over to four commercial companies, and, by 1996, there were nearly 10 million hosts online and the Internet spanned the globe. Within three decades, the Internet grew "from a Cold War concept for controlling the tattered remains of a post-nuclear society to the Information Superhighway."[9]

Today, there are no U.S. Government controls or geographical boundaries on the Internet. Policies are determined by the Internet Society (ISOC) and other international bodies.[10] Since the NSF unleashed the Internet in 1995, it has experienced explosive growth, increasing from 50 million users in 1996 to around 600 million today,[11] served by over 15 million hosts around the globe.[12] There are, however, negative repercussions to the Internet boom. Viruses, worms, trojan horses, network attacks, intrusions, web defacements, economic espionage, and interceptions of data are commonplace -- and originate from all over the world.

History repeats itself. Today, 40 years after the founding of DARPA, America once again faces new threats, and our ability to maintain our communications, command and control (C3) capabilities against attacks from terrorists and nation states has become a national priority. September 11 changed our concept of national security, stood our military strategy on its head, and heightened our sensitivity to vulnerabilities in our communications infrastructure and computer systems. We are faced with unprecedented asymmetrical challenges to our Homeland Security, yet we still must analyze the same geo-political[13] factors Kennan examined and accord them great weight. We must also consider the Internet.

The fact that the Internet is no longer "controlled" by the U.S. Government and that Americans are now a minority of the global online population must be factored into the geo-political equation and any consideration of the correlation of forces a nation can bring to bear. As the online population increases and becomes more diversified and control of the Internet becomes more attenuated, we are experiencing a shift in geo-cyber stability and our ability to secure and control our infrastructure, systems, and information. If left unattended, by 2005 geo-cyber security will pose a significant threat to our national and economic security interests and our crisis management capabilities.

The author defines "geo-cyber" as the relationship between the Internet and the geography, demography, economy, and politics of a nation and its foreign policy. "Geo-cyber stability" is defined as the ability to utilize the Internet for economic, political, and demographic benefit and to influence the policies, laws and regulations governing the Internet, while minimizing the risks and threats to economic and national security. "Geo-cyber security" is the ability to protect the infrastructure, systems, and information of a nation from intrusion, attack, espionage, sabotage, unauthorized access or disclosure, or other forms of negative or criminal activity that could undermine its national and economic security.


It is no longer a question of our maintaining "essential minimum communications:" it is a question of how we can maintain geo-cyber stability and security so our communications network cannot be used as a weapon against us. The irony is that the brainchild of the Cold War era now presents one of the most daunting challenges to Homeland Security.

II. GEO-CYBER STABILITY AND SECURITY

Stability and security of our communications networks have always been a national security issue. Restrictions upon foreign ownership of broadcast and common carriers have been on the books since 1934.[14] Irrespective of how much regulatory control we exert over communications providers, the Internet is now beyond the grasp of the U.S. Government. Thus, control must come from within our borders through technological solutions, public-private cooperation, and policy leadership and vision.

It would be wrong-headed to try to limit the continued growth of this wonderful innovation that has connected populations from continent to continent, spawned globalization, facilitated the sharing of information, increased productivity, generated billions of dollars, and driven the U.S. economy. The challenge is not in restricting who can come online, but in (1) understanding the economic, national security, and legal/policy implications that are shifting geo-cyber stability and (2) in determining how to manage them. Vint Cerf and other founding fathers of the Internet recently noted that, "The most pressing question for the future of the Internet is not how the technology will change, but how the process of change and evolution itself will be managed."[15]

Being Outnumbered

In 1996, 80 percent of the online population was English-speaking.[16] In April 2000, the U.S. Department of Commerce noted in its Digital Economy report that for the first time ever in the history of the Internet, the English speaking people comprised less than half (49%) of the world's online population of then almost 300 million people.[17] Still, that online population accounted for less than 5% of a world population of 6 billion and 90% of those Internet users were located in the developed world.[18] Today, two years later, there are approximately 600 million people online, with the English-speaking populations comprising only 40.2% of the world online population.[19] The following countries are considered English-speaking: U.S., Britain, Ireland, Canada, Australia, New Zealand, South Africa, Philippines, and part of India.[20]

Currently, there are approximately 175 million Americans online, but only about 160 million of them access the Internet in English.[21]


Consider the following statistics:[22]

| Language | % of World Online | % World Economy | Online Population |
|---|---|---|---|
| English | 40.2% | 33.4% | 228m out of 567m |
| European Languages | 33.9% | 30.3% | 192m out of 1,218m |
| Asian Languages | 26.1% | 26.6% | 146m out of 4,415m |

It is clear that the U.S. is fast approaching a saturation point for Internet users. Out of a total population of 270 million, 65 percent of the American population is connected. After excluding very small children, elderly people, and others that likely will not be Internet users, there are not many people left to connect. The reverse is true for the rest of the world. Only 16 percent of the European-speaking population is connected, and a mere 3 percent of Asian-speaking people are online.[23] Already, non-English speaking users outnumber English-speaking users by more than two-fold (67%).

It is useful to categorize Internet users by language instead of country because people tend to use the Internet in their own language. By looking at statistics of Americans who access the Internet in a foreign language, we can also get some sense of the linkages between non-English speaking populations in the U.S. and those in their native countries.

POPULATION OF AMERICANS FROM NON-ENGLISH SPEAKING COUNTRIES [24]

| Language | Population in U.S. [25] | No. of That Population That Accesses Internet in Native Language |
|---|---|---|
| Spanish | 35.3m | not available |
| Chinese | 2.4m | 1.9m |
| French | 1.9m | .1m |
| German | 1.5m | .75m |
| Italian | 1.3m | .52m |
| Vietnamese | 1.12m | not available |
| Korean | 1.08m | .45m |
| Polish | .72m | .29m |
| Japanese | .8m | .28m |
| Portuguese | .43m | .17m |
| Greek | .39m | .16m |
| Arab [26] | not available | .5m |
| Hungarian | .15m | .06m |

By 2005, it is projected that the number of English-speaking Internet users will rise to 300 million -- 53% of the total English-speaking population, but they will account for only 29% of the projected total online population of over 1 billion. If Americans account for 225 million of the projected total 300 million English-speaking Internet users, they will account for only 21% of the world's online population. Non-English speaking users will more than double by 2005 from 338 million to 750 million, but they will represent a mere 12% of the total non-English speaking population of 5,733 million.[27] However, they will account for 71% of the world's total online population. It should be noted that there are a limited number of people in non-English speaking countries who primarily access the Internet in English, which could cause some slight variations in the percentages discussed herein.

PROJECTED ONLINE INTERNET POPULATION FOR 2005 [28]

| Language | Total Pop. For Language | % Online for Language | % of Global Online Pop. | % of Total Global Pop. |
|---|---|---|---|---|
| English | 300m | 53% | 29% of 1,030m | 4% of 6,400m |
| Non-English [29] | 750m | 12% | 72% of 1,030m | 12% of 6,400m |

PERCENTAGE OF ENGLISH-SPEAKING POPULATION ONLINE OUT OF TOTAL ONLINE POPULATION, 1996-2005 [30]

| Lang | 1996 | 1997 | 1998 | 1999 | 2000 | 2001 | 2002 | 2003 | 2004 | 2005 |
|---|---|---|---|---|---|---|---|---|---|---|
| Eng. | 80% | 61% | 60% | 60% | 49% | 43% | 40% | 34% | 31% | 29% |

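PERCENTAGE OF U.S. POPULATION ONLINE, 1995-2005 [31]

| 1995 | 1996 | 1997 | 1998 | 1999 | 2000 | 2001 | 2002 | 2003 | 2004 | 2005 |
|---|---|---|---|---|---|---|---|---|---|---|
| 10% | 18% | 27% | 35% | 40% | 50% | 57% | 61% | 67% | 71% | 75% |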

In sum, we are being outnumbered. Increased foreign language Internet users around the globe are shifting our geo-cyber stability because (1) the Internet increases the ability of terrorists and nation states to launch asymmetrical attacks against our homeland and economic interests, (2) the international developing legal framework is pulling policy and legal control of the Internet away from the U.S., and (3) tracking and punishing perpetrators of cybercrime in developing countries is difficult.

Economic Implications

It appears certain that U.S. users are less than five years away from becoming a small minority of the total online population. An increase in the number of users online who are non-English speaking has clear economic implications. Today, the U.S. accounts for more than half (63%) of total global e-commerce sales of $2.2 trillion. By 2004, that number is projected to drop to 47%, with all of North America accounting for only 50.9% of total e-commerce sales of $6.8 trillion. The Asia-Pacific region is expected to grab 24.3% and Europe will take 22.6% of total e-commerce sales. Latin America will remain the laggard with only 1.2% of world e-commerce.[32]

Content will also impact e-commerce sales. Currently, only 68.4% of web content is English, with the remaining 31.6% spread among other languages, with no language accounting for more than 5.9%.[33] Considering that 80% of European-based business sites are presently multi-lingual and most U.S. sites are English-only, it is reasonable to believe that Europe has a better chance of snagging the international online market. Indeed, Forrester Research predicts that the U.S. and North American majority hold on e-commerce sales will shift over the next several years toward Asian and European nations.[34] The U.S. can no longer arrogantly expect the rest of the world to speak English and continue to ignore foreign languages in primary and secondary school curricula.

All of this, of course, is based upon the assumption that the foregoing projections for online populations and e-commerce are accurate. They may be low for two reasons:

1. Populations in developing countries may come online sooner than projected, and

2. U.S. Government funding in ICT research and development post-September 11 and breakthroughs in wireless and nano technologies will spur the "second wave" of the digital revolution, causing another surge in online users.

As to the first point, additional non-English speaking Internet users may come online in greater numbers than expected due, in part, to efforts by the donor community and G-8 countries to (1) rapidly bring developing countries online, and (2) use information and communications technologies (ICTs) as a development tool and economic driver. Plus, many countries have undertaken initiatives of their own to boost their connectivity and use of ICTs. In particular, they are interested in countering "brain drain" by attracting foreign direct investment (FDI) in software programming and other outsourced services, such as call centers, data bank development, remote systems administration, and data storage operations.[35] Forrester Research predicts that by 2007, 70% of software programming will be performed in developing countries.[36] Initiatives by donor organizations to facilitate the development of favorable legal/regulatory frameworks, liberalize telecommunications, strengthen schools and academic institutions, and fund competitiveness initiatives may well make this projection attainable. One thing is certain: developing countries see the Internet and ICTs as their way toward industrialization, and they are actively competing for donor funds to help them get there.

Other economic implications arise from the ability of bad actors, terrorists, organized crime, and other nation states to use the Internet and ICTs for negative purposes. A few years back, someone hacked into the database of a U.S. manufacturer of specialty strength steel used for bridge construction and changed the formula for the steel. Fortunately, this was discovered and corrected, but unfortunately, the hacker was never caught.[37] Needless to say, the economic stakes for the hacked company were quite high, and the gain to be had by the terrorists or other bad actors that wanted to weaken our nation's infrastructure could have been enormous. Although there is no evidence that this act was committed by a non-English speaking Internet user, the incident is illustrative of how the manipulation of a computer network and system could have very serious consequences. It is also fair to point out that many viruses, acts of economic espionage, and web defacements originate in foreign countries, many of them developing countries.

When evaluating the economic implications of online activity, one needs also to remember the impact of September 11 on communication networks, the New York Stock Exchange, and our nation's economy. Verizon's building was next door to 7 World Trade Center, which collapsed several hours after the attacks. The loss of electricity in the area disrupted 300,000 phone lines and 3.6 million high-capacity data circuits.[38] Mayor Giuliani had to move his command center, the Port Authority of New York and New Jersey (which controls many bridges and tunnels) had to move its command center to Newark, power to the subway went out, and the FBI, Joint Terrorist Task Force, and FEMA all lost most of their phone lines.[39]

Information and communication technologies are important to all companies today. Consider that advanced security systems on buildings usually control access by inserting a magnetic or encoded card into a reader that is controlled by a computer system. Manufacturing processes, from robotic assembly, to delivery of parts to assembly lines, flows of gases and chemicals, and control of complex processes are managed by information technology (IT) systems. Employees from the loading dock and mailroom to the executive suites are empowered with technology to perform their jobs. Data is no longer kept in paper form; the days of filing cabinets and the secretary holding the key are gone. Executives depend upon personal appliances such as cell phones, Palm Pilots, and pagers to manage their communications, calendars, appointments, and contact information.

The ability to breach or attack data and networks poses new risks to any user of ICTs, irrespective of whether they are in a developing or highly industrialized country. Computer systems can be compromised for any number of reasons, including (a) to allow access to unauthorized persons into a facility, (b) to steal or sabotage data, (c) to manipulate design process systems and critical infrastructure to cause a catastrophic event, or (d) to intercept data and communications. This means almost all companies are vulnerable and that their systems can be manipulated for economic purposes. Acts taken against their computers and networks can potentially disrupt operations and impact their reputation and share price. When Amazon.com, Ebay, and Yahoo suffered denial of service attacks, their stock dropped 17-23% in the weeks following the attack. An analyst from Salomon Smith Barney noted:

"To put these losses in context, in a three-week period between February 8th and February 22nd, Ebay lost $4.56 billion in market cap, Amazon lost $6.67 billion and Yahoo lost $17.24 billion. While the broader market (S&P 500) was down about 6% over the same period, in our opinion, investors punished these stocks in reaction to the company specific events surrounding the hacking incidents."[40]

September 11 also provided a somber wake-up call to corporations to get their business continuity and disaster recovery plans in place, especially those pertaining to their computer networks and databases.[41] Today, 80 percent of corporate assets are digital.[42] The companies who did not have these capabilities and lost their computer systems or had important files stored on hard drives of personal computers in the World Trade Center suffered significant economic losses due to these circumstances alone. An Ernst & Young survey conducted two months after the September 11 attacks indicated that only about 50% of the respondents had business continuity plans in place and even fewer had awareness and training programs.[43]

In everyday terms, cybercrime permeates nearly every large and small business today. The statistics are staggering, and they are everywhere. The Computer Security Institute (CSI) has compiled survey statistics for seven years with the participation of the San Francisco FBI Computer Intrusion Squad.[44] Ample evidence exists over this period of time that cybercrime is a threat to our nation's economic viability. The recently released 2002 CSI/FBI survey indicated that security breaches were detected by 90% of the respondents. Theft of proprietary information and financial fraud were the top categories for financial loss, and 85 percent of respondents detected computer viruses.[45]

Clearly, cybercrime, intrusions into computer systems and data, and attacks on infrastructure impact geo-cyber stability and security. Increased connectivity and Internet users around the globe compound the risks because, quite simply, there will be an increased pool of bad actors who can use technology to spread viruses and other forms of malware, commit fraud and economic espionage, hack into systems for a variety of purposes, conspire and communicate, launch attacks on networks and information, and commit acts of terrorism. Ronald Dick, Director of the FBI's National Infrastructure Protection Center, testified before the House Energy and Commerce Committee on April 5, 2001 and noted that "terrorist groups are increasingly using new information technology and the Internet to formulate plans, raise funds, spread propaganda, and communicate securely."[46]

Recent projections indicate that by 2006 there will be 900 million to 2 billion devices on the Internet, including about 1 billion Internet-enabled mobile phones.[47] With stricter immigration controls and increased monitoring of international movements, technology offers an attractive way to conspire and commit these acts from foreign lands without the need to apply for visas or set foot on U.S. soil. Counterfeiting, false identification, take-over of accounts, and communications fraud can also be performed in one country and transmitted to another. Global organized crime has been operating this way for years.[48] Economic espionage by foreign competitors and nation states will certainly continue. The sheer economic power of the U.S. alone makes our companies likely targets.

Homeland Security Implications

Increased non-English speaking populations online also mean terrorists and nation states have increased remote capabilities and more sophisticated infrastructures from which to launch attacks against our nation's infrastructure, severely impacting geo-cyber stability and security and potentially causing catastrophic consequences. Our Central Intelligence Agency and Defense Intelligence Agencies estimate at least twenty countries are developing infowar strategies that target our military and commercial networks[49] and 100 countries are developing computer attack capabilities.[50]

The U.S. intelligence community has already warned that terrorist groups are actively using technology to support their operations and that attacks on infrastructure are likely. The Internet Black Tigers (reportedly affiliated with the Tamil Tigers) have engaged in attacks on foreign government web sites and e-mail servers.[51] In October 2000, the FBI issued an advisory warning that, due to high activity between Palestinian and Israeli sites, U.S. Government and private sector sites could become potential targets. Less than a month later, a group of hackers named Gforce Pakistan defaced more than 20 web sites and threatened to launch an Internet attack against AT&T.[52] Other direct acts of cyberterrorism include attacks by pro-Israeli and pro-Palestinian hackers on their opposing side's web sites. Pro-Palestinian hackers attacked several Israeli government sites, including those of the Knesset (parliament), Bank of Israel, the Prime Minister's Office, and the Israeli Army.[53] The hackers also broke into several American-Israel Public Affairs Committee ("AIPAC") databases, including one containing credit card numbers of members, then sent e-mails to 3,500 AIPAC members boasting of their intrusion.[54]

Since September 11, the U.S. Government has identified 192 groups, organizations or individuals linked to terrorism.[55]

"Cyberwar is 'the third largest threat' to developed states, after chemical and bacteriological attack and nuclear weapons," according to Buchanan International, a Scottish company that specializes in tracking down Internet offenders.[56] The likelihood -- and importance -- of information warfare and its relevance to national defense was highlighted by the U.S. government's attacks on, and subsequent domination of, Iraq's communications networks during the Gulf War, enabling the U.S. forces to swiftly crush Iraq's well-armed forces with minimal allied losses.[57]

Other than government systems, there are four levels of infrastructure vulnerable to attack, with serious risks associated with each:

Super-Critical Infrastructure - the networks, lines and equipment of private sector communications providers who support the three other levels of infrastructure. Communications infrastructure is vital to the operation of critical infrastructures and emergency preparedness and response capabilities. Additionally, they are essential to government operations; 95% of government data flows over private sector networks. Communications providers must:

Meet mandatory national security/emergency preparedness (NS/EP) requirements. This requires them to ensure their converging and next generation networks (NGN) offer the quality of service, reliability, protection and restoration features mandated by the NS/EP requirements. In this regard, communications providers must serve as a point-of-contact for expediting the restoration or initiation of emergency services.

Secure their external equipment, signaling operations, and networks and the data that flows over their lines.

Protect their own internal operational systems.

Ensure their systems are operable at all times, and assist their public and private sector clients in maintaining their communications.

Critical Infrastructure - the information infrastructure vital to our government operations, national and economic security: our financial, transportation, utility, oil/gas, water, and emergency response systems (including law enforcement and public health).

Consequential Infrastructure - The IT systems of private sector companies that, when manipulated, could cause a catastrophic event with enormous consequences, harming masses of civilians or wreaking economic chaos.

Common Infrastructure - The computers and networks of other businesses, both large and small, and individual systems.

Of these, the communications providers are far ahead of the rest of U.S. industry. This is due, in large part, to their participation in the National Security Telecommunications Advisory Council (NSTAC), which was established in 1982 by Executive Order 12382. Over the past 20 years, NSTAC has addressed a wide range of policy and technical issues regarding critical infrastructure protection, information assurance, and other national security and emergency preparedness issues. In 1984, NSTAC recommended the establishment of the National Coordinating Center (NCC) for Telecommunications to serve as the coordinating mechanism capable of assisting in the initiation, coordination, restoration, and reconstitution of NS/EP services and facilities under all conditions of crisis or emergency. Later, it was instrumental in expanding the NCC's responsibilities to function as an Information Sharing and Analysis Center (ISAC) -- the second ISAC to be formed following Presidential Decision Directive 63 and the first ISAC comprised of government and industry members.58

Nevertheless, Super-Critical Infrastructure remains one of our most vulnerable points. Vulnerabilities in the converging networks (public switched telephone networks linked to Internet Protocol and wireless networks) and the next generation networks (NGN) are a NS/EP concern. The terrorist attacks on September 11 seriously disrupted communications in Manhattan59 and stressed the wireless network along the East Coast from Washington to New York.60 Although President Clinton requested NS/EP requirements for wireless networks in 1995, they had not yet been developed. Acknowledging the value of cellular telephony in providing emergency communications to state, local and federal officials and responders, soon after September 11, the National Communications System, through its Wireless Priority Services Program Office, began working on a NS/EP Wireless Priority Service.61 The Government wants an Initial Operating Capacity for NS/EP Wireless Priority Service by the end of 2002.62 Other emerging technologies being studied for NS/EP capabilities include personal communication systems (PCS), wireless data, enhanced specialized mobile radio (ESMR), land mobile radio (LMR) Project 25/34, broadband satellite systems, and third generation (3G) wireless.63

Just as ARPA and the Air Force began looking at how to maintain command and control communications at the beginning of the Cold War, it is imperative for our Homeland Security that we develop NS/EP requirements for these technologies post haste. This will require considerable collaboration between the communications providers and the Government and will impose significant costs on the wireless industry, some of which the Government may need to bear.

The protection of Critical Infrastructure has been a national priority since the release of The Report of the President's Commission on Critical Infrastructure Protection, Critical Foundations, in October, 1997 and the release of the Critical Infrastructure Protection Directive, Presidential Decision Directive 63 (PDD-63), on May 22, 1998 calling for a national effort to assure the security of our nation's critical infrastructures.64 The Critical Infrastructure Assurance Office (CIAO) and the FBI's National Infrastructure Protection Center (NIPC) have worked diligently with private industry to improve public-private cooperation on critical infrastructure issues, to form ISACs for critical infrastructure industries, and to raise public awareness generally. Other than the communications sector, the financial industry is probably the farthest along, in large part due to its desire to protect its reputation and minimize fraud, account take-over, and credit card theft.

The category that is very vulnerable to terrorist attack, and has received little if any attention from any corner of Government (except the FBI), is our nation's Consequential Infrastructure. This certainly includes the 66,000 plants using hazardous substances whose IT systems could be manipulated to cause an uncontrolled chemical spill or release of toxic gases, injuring potentially hundreds of thousands, if not millions, of civilians. Today, almost all manufacturing processes are controlled by complex computer systems that regulate the flow of chemicals, the opening and closing of valves and flues, and emissions. They also control access to secure physical areas where these operations are performed or chemicals are stored. We have heard repeated warnings that the intelligence community fully believes that information infrastructure will be a vehicle for a terrorist attack or an act of war. Knowing the preference of terrorists to use conventional targets and their desire to cause massive casualties, it is simply incomprehensible that the IT risks associated with Consequential Infrastructure have hardly been addressed, leaving a gaping hole in our Homeland Security.

Federal law requires facilities using toxic substances to file Risk Management Plans (RMPs) with the Environmental Protection Agency (EPA), setting forth on one simple form the consequences of a worst case scenario chemical spill or accident. The Plans contain some of these plants' most sensitive operational details and system vulnerabilities -- information that could be used by terrorists to cause a catastrophic event at any of these sites. For example, required information includes the size of the area impacted, the population and water sources that would be affected, and the number of nearby schools, hospitals, residences, forests and state parks. The Plans also must specify how the chemical would be released (e.g., gas, liquid spill, vaporization), the quantity, its release rate and duration, and any alternative toxins that might be released.

Additionally, the Plans require information regarding the site's five-year accident history and prevention program. Accident histories must include statistics concerning weather conditions at the time of accident, the number of deaths and injuries, environmental damage, and cite contributing factors, such as equipment failure, human error, improper procedures, over-pressurization, bypass condition or process design failure. In sum, these plans tell anyone reading them how bad it could get, under what circumstances, and what accident prevention plans would have to be taken into account.

For years, industry, the FBI and CIA were pitted against the EPA and environmentalists in an unsuccessful attempt to keep this information from public disclosure. Effective August 2000, it became available in 50 EPA reading rooms across the country. Any member of the public is now entitled to review and take notes on up to 10 of these plans per month. Only very recently has the EPA pulled its RMP information off its web site, but the reading rooms remain open.

The protection of Common Infrastructure is also important. These are the everyday businesses across the nation, many of which provide components and supplies vital for government operations and industries included in the Critical and Consequential Infrastructure categories. An intrusion or manipulation of their IT systems could result in an altered formula or create a clog in the flow of commerce that could result in untold damage or economic losses. The Gartner Group predicts that by 2003, half of small companies who manage their own networks and use the Internet for more than email will be victims of an Internet attack -- but two-thirds of them will not even know it happened.65

All in all, our nation's infrastructure -- all four levels -- is inadequately protected and is seriously vulnerable to asymmetric attacks from foreign soil by nation states and terrorists, in particular. We are not prepared. We have barely moved NS/EP requirements beyond wired telephony networks and CEOs and Boards are only now starting to pay attention to these issues. The following actions are necessary if we are to maintain geo-cyber stability:

The Government Emergency Telecommunications Service (GETS) that provides priority service to the wireline public switched telephone networks must be extended to include wireless, satellite, and other emerging technologies.

NS/EP requirements must remain a "national priority."

Security features must be developed for current and emerging wireless technologies.

Initiatives must be undertaken to protect our Consequential Infrastructure and develop response scenarios.

Early warning systems and new technologies must be developed to alert and prevent intrusions, infrastructure attacks, viruses and theft and sabotage of data.

Policy and Legal Implications

Increased numbers of non-English-speaking Internet users also have legal and policy implications that impact geo-cyber stability: (1) we are losing control over our use of the Internet because it is causing U.S. corporations and individuals to be subject to international and foreign laws pertaining to the use of technology, and (2) our ability to track cybercrime and bad actors is becoming more difficult.

One of the first actions countries must take as they come online is to develop a legal framework (this includes government policies) that will support e-commerce and the use of ICTs. At this point, at least 50 countries are enacting laws and regulations concerning the use of technology,66 although most of the activity is being driven by the large multinational organizations, such as the United Nations, World Trade Organization (WTO), Organization for Economic Cooperation and Development (OECD), the European Union (EU), and the Council of Europe (COE).

The upshot of this flurry of legal/regulatory activity is that the U.S. is no longer leading the global policy and legal debates regarding e-commerce and cybercrime. In fact, if anyone has been out front for the past two years, it is the Europeans, who have taken an active and highly regulatory approach to the Internet.67 Unless the U.S. begins exerting serious IT policy leadership, we may be in for a rude awakening during the Doha WTO negotiations when discussing IT policy and trade issues across the table from the EU's 15 member states, who will also have behind them the 10-12 countries lined up for EU accession. Lack of active U.S. IT policy leadership threatens our geo-stability because it puts us in an even more detached role with respect to the Internet. There are also serious economic interests at stake. The U.S. is leading the world economy because of our IT industry sector and productivity gains achieved from ICTs, but the global/legal regulatory framework is being set by the European countries whose policy positions did little to advance their economies or productivity levels.

A recent Conference Board report revealed that not only had other industrialized nations failed to match the job creation and productivity gains that the U.S. has realized from 1995-2000, but that "outside of the U.S. virtually every country showed decelerations in productivity growth in the latter half of the decade."68 While the EU's annual average productivity growth rate over the past five years was 0.7 percent, the US grew by an average of 2.6% annually. Ireland is Europe's only bright star. Japan achieved high productivity growth, but by cutting jobs.69 In discussing a recent EU report, Time magazine noted that none of the EU's 15 member states have created an "ideal environment" for Internet start-ups or small and medium-sized enterprises. Identifying "government-created barriers" as the primary reason in Germany, France and Italy and difficulty in raising capital in Britain and Sweden, the article notes:

"[C]ountries placing heavy administrative burdens on start-ups, such as Italy, Belgium and Austria create fewer jobs. Europe has not only a higher unemployment rate than the U.S. but poorer productivity, a factor the study links in part to under investment in new technology."70

The Council of Europe has also been very active, although not necessarily in a negative way. The Council of Europe Convention on Cybercrime was recently signed by 31 countries, plus the U.S., Canada, Japan, and South Africa (who are not members of the COE, but are considered "partners"). It goes into force upon ratification by five countries, three of whom must be COE member states.71 Other non-member states may be invited by the COE's Committee of Ministers to sign the treaty.72 The Cybercrime Convention offers an excellent example of how multinational bodies are impacting the legal/regulatory frameworks of other governments. The preamble of the Convention states:

"The member States of the Council of Europe and the other States signatory hereto. . .

Convinced that the present Convention is necessary to deter action directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as the misuse of such systems, networks and data by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of the powers sufficient for effectively combating such criminal offences, by facilitating their detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international co-operation."73

In addition to criminalizing a wide range of cybercrime activity, the COE Cybercrime Convention also requires each signatory to adopt laws that hold corporate personnel liable for cybercrime acts committed for their benefit or where their "lack of supervision or control" made the cybercrime possible.74

Having other countries' laws apply to U.S. citizens and corporations can impact geo-cyber stability, but when countries do not have effective cybercrime laws or cannot provide effective investigative assistance, our geo-cyber security is impacted. Security is one of the most important aspects of online activity, but one of the last to be addressed by developing countries. Most developing countries generally have simple legal frameworks for handling commerce, and, therefore, lack many of the laws pertaining to sophisticated transactions and communications that industrialized countries have on their books and apply equally in the online and offline worlds. They also often have weak or no cybercrime laws, hindering our ability to deter or punish bad actors -- and reducing their incentive to assist in cyber investigations.

Why Security Laws and Regulations are Important

It is important that developing countries have appropriate cybercrime laws and regulations because:

They protect the confidentiality, integrity, and availability of their data and networks -- including Super and Critical infrastructure.

They protect the integrity of the government and reputation of the country.

They help preclude a country from becoming a haven for bad actors, including terrorist actions using/attacking IT systems.

They help prevent a country from becoming a repository for cyber-criminal data.

They instill market confidence and certainty regarding business operations and attract foreign direct investment.

They provide protection of classified, secret, confidential and proprietary information, criminal justice data, personal information, and protected public data.

They protect consumers and assist law enforcement and intelligence gathering activities.

They deter corruption.

They increase national security and reduce vulnerabilities from terrorists and other rogue actors.

They help protect corporations against risk of loss of market share, shareholder and class action lawsuits, damage to reputation, fraud, and civil and criminal fines and penalties.

They provide a means of prosecution and civil action for acts against information and infrastructure.

Cybercrime laws are also important to citizens in developing countries because they help reinforce and protect freedom of expression, human rights, and other legal rights that are secured in international law. The privacy of personal, confidential, and proprietary information remains a top concern of citizens globally. These laws also enhance statutory and constitutional rights, such as rights to privacy and protections against search and seizure and self-incrimination. Additionally, they strengthen consumer confidence against fraud.

International Cooperation

While it is important for developing countries to have cybercrime laws in place, it is equally important that countries have the legal authority to assist foreign countries in a cyber investigation, even if the country at issue has not suffered any damage itself and is merely the location of the intruder or a pass-through site. The Department of Justice's Unlawful Conduct on the Internet report notes:

"Inadequate regimes for international legal assistance and extradition can therefore, in effect, shield criminals from law enforcement: criminals can go unpunished in one country, while they thwart the efforts of other countries to protect their citizens."75

The process for obtaining assistance from foreign law enforcement and officials is cumbersome. International legal assistance for subpoenas, interviewing witnesses, producing documents, and search and seizures can be requested through:

Mutual Legal Assistance Treaties ("MLATs")

If no MLAT is in existence between the two countries, then assistance can be requested through domestic mutual assistance laws and practices, which include letters rogatory (a letter of assistance from one country's judicial authority to that of another country).76

Sometimes, MLATs or domestic legal assistance laws require dual criminality, i.e., that the crime for which information is being sought by the U.S. (or other requesting country) must also be a crime in the country from which the information is requested and it must be punishable by at least one year in prison. For example, in 1992 the U.S. government sought help from Switzerland regarding some hackers (from Switzerland) who attacked the San Diego Supercomputer Center. The investigation was thwarted, however, because Switzerland required dual criminality, and under its laws, the hacking was not criminal conduct.77

The need for a broad multinational agreement on legal assistance for investigations and prosecutions regarding cybercrimes is clear. Trails of electronic communications are scattered across the globe in different time zones and multiple jurisdictions with differing legal systems and levels of technical skills. The need for coordinated, around-the-clock assistance regarding cybercrimes is pressing. The Internet is now connected to over 200 countries. Investigation of a single communication may require multiple court orders and legal assistance from several countries -- when time is of the essence. The inability to receive adequate assistance and cooperation from international law enforcement significantly impairs geo-cyber stability and precludes us from effectively addressing our own geo-cyber security issues.

The G-8 has advanced the ball in this regard. In December 1997, the G-8 Meeting of Justice and Interior Ministers responded to increased international movement and use of IT by criminals, organized crime, and terrorists. The Ministers noted:

"National laws apply to the Internet and other global networks. But while the enactment and enforcement of criminal laws have been, and remain, a national responsibility, the nature of modern communications networks makes it impossible for any country acting alone to address this emerging high-tech crime problem. A common approach addressing the unique, borderless nature of global networks is needed and must have several distinct components.

Each country must have in place domestic laws that ensure that the improper use of computer networks is appropriately criminalized and that evidence of high-crimes can be preserved and collected in a timely fashion. Countries must also ensure that a sufficient number of technically-literate, appropriately equipped personnel are available to address high-tech crimes.

Such domestic efforts must be complemented by a new level of international cooperation since global networks facilitate the commission of transborder offenses. Therefore, consistent with the principles of sovereignty and the protection of human rights, democratic freedoms and privacy, nations must be able to collect and exchange information internationally, especially within the short time frame so often required when investigating international high-tech crimes."78

The G-8 Ministers agreed to ten "Principles to Combat High-Tech Crime" and an "Action Plan to Combat High-Tech Crime."79 They pledged to review annually the implementation at the national level of these legal assistance measures. The Heads of the G-8 nations subsequently endorsed the Principles and Action Plan. A G-8 24/7 Point of Contact Network was established, requiring countries to designate a 24 hour, 7 days per week Point of Contact to provide assistance with cybercrimes. Around 20 countries are currently participating in the program.

Additionally, a G-8 high-tech experts group was formed. It is examining options for improving the process of locating and identifying cyber criminals and is taking up issues such as data retention and preservation, tracing, user authentication, and international cooperation.

More recently, at the July 2000 Okinawa Summit, the Okinawa Charter on Global Information Society strongly endorsed international cooperation and coordination regarding cybercrime:

"International efforts to develop a global information society must be accompanied by coordinated action to foster a crime-free and secure cyberspace. We must ensure that effective measures, as set out in the OECD Guidelines for Security of Information Systems, are put in place to fight cyber-crime. . . . Urgent security issues such as hacking and viruses also require effective policy responses. We will continue to engage industry and other stakeholders to protect critical information infrastructures."80

For the most part, however, the work of the G-8 has not been extended to the 180 developing countries. The American Bar Association's (ABA) Privacy and Computer Crime Committee has launched an International Cybercrime Project81 to extend the cybercrime work of the G-8 and other industrialized nations to developing countries. Personnel from numerous U.S. Government and outside entities are participating in the Project.82 The goal of the Project is to promote:

Enactment of cybercrime laws

Cooperation with national and international law enforcement and Internet Service Providers (ISPs)

Cooperation regarding jurisdictional issues

Acceptable practices for search and seizure of computers and electronic data (not legal standards, but practical approaches that are effective yet balanced).

The Project will publish an "International Guide to Combating Cybercrime," by August 2002. The Guide will be designed to:

Step developing countries through the key issues of cybercrime

Explain the importance of these issues to their future development

Provide guidance on the need for balanced and fair cybercrime laws and international cooperation with law enforcement and ISPs

Explain the need for public/private cooperation on cybercrime and information/infrastructure security breaches

Provide guidance on the search and seizure of computers and data.

The Guide will include (a) a compilation of U.S., Canadian, EU, and APEC cybercrime laws and regulations (to the extent they are available), a summary of each, and a link to the statute, regulation or directive, (b) a discussion of jurisdictional issues related to the detection and investigation of cybercrime, (c) a guide to cooperating with national and international law enforcement and ISPs, (d) a discussion on search and seizure of computers and electronic data, with a link to U.S. and international search and seizure guides, and (e) a guide on establishing effective public/private sector cooperation on these issues.

Hopefully, the work of the Project will:

Help advance legal frameworks around the globe

Assist industrialized nations investigate cybercrimes

Help prevent cybercrime (including organized crime, terrorist, and money laundering activities)

Help promote public-private cooperation in developing countries

Help promote foreign direct investment (FDI) and high-tech opportunities in developing countries.

The G-8 and ABA initiatives are the types of projects that will help minimize shifts in geo-cyber stability and security. Strong U.S. leadership in the upcoming Doha WTO round will also be very important.

III. CRISIS AND CONSEQUENCE MANAGEMENT IN 2005

Our ability to have adequate crisis and consequence management in 2005 will be directly dependent upon our ability to understand the economic, national security, and legal/policy implications of the shift in geo-cyber stability we are currently experiencing due to an increased online population that makes control of the cyber environment more attenuated.

Although these are not neat categories and there are overlaps, the following actions should be taken to both prepare and enable us to meet shifts in geo-cyber stability and security. From an economic and legal/policy perspective, by 2005, the following actions should occur:

Implementation of the COE Cybercrime Convention and requirements set by insurance companies and general counsels (through case law on the protection of data and networks)83 should force CEOs and Boards to exercise adequate oversight of their data and networks and set floors for minimum requirements, including policies and procedures for legal risk management of corporate use of technology, decentralization of operations, security controls for outsourced systems, annual reviews, and employee training.

Public corporations should be required to state in SEC filings what steps they are taking to protect their networks, systems, and information (similar to Y2K filing requirements).

The global developing legal framework for technology and cybercrime should be a major agenda item in the Doha WTO negotiations, with strong leadership coming from the U.S. Government backed by input from all stakeholders, including small, innovative IT companies, not just the Washington office or policy representatives of major multinational corporations.

The Government should help fund research and development of security solutions to wireless technologies. Bluetooth, a certain winner, opens up users to "drive-by or parked hacking," whereby users can break into and connect to the Internet by parking outside a company with a wireless network. Because individual Bluetooth devices can act as routers, they can also be used to hack into a company's systems, either through the user's own device or through one they planted or mailed to the facility. Bluetooth devices can also, of course, spread viruses, worms, etc. through computer systems and other mobile devices, such as laptops and Palm Pilots.84

Software companies should adopt the culture that security matters and develop programs that have undergone rigorous security testing, and they should develop automatic, user-friendly updates to licensed technologies.

IT companies should develop easy "push" technologies for tested system patches to minimize time and expense in updating.

Non-governmental organizations around the nation should promote public/private cooperation on cyber security issues as a state and local issue.

The Government should fund research and development of enhanced threat detection and early warning technologies for use by both public and private systems.

Our schools and educational institutions should incorporate cyber morals and ethics into curricula.

Americans must become more multilingual. Geo-cyber forces will shift economic gains from the Internet toward multilingual populations. We can no longer afford to insist our business partners around the globe deal with us in English.

From a national security perspective, by 2005 the following actions should occur:

Standards for emergency communications among responders, emergency personnel, and government officials must be established, and these systems must be developed and tested. NS/EP standards must be developed for converging networks and NGN, and priority service capabilities must be implemented. Standards for interoperability of communications among state, local and federal personnel are one of the Government's top e-commerce initiatives.85

Advanced databases and systems that enable interoperability and sharing of information should be developed to assist state, local and federal responders and to facilitate coordination and sharing of information among law enforcement, intelligence, and immigration on the federal and international levels.

NATO should become more involved in information/infrastructure security issues in member countries and with Partners for Peace countries.

State and local governments should initiate infrastructure protection plans with Consequential Infrastructure in their area and work out response plans with private sector entities and federal officials.

The Government has to stop the lip service and establish comprehensive security programs for all Government systems. By and large, government agencies have not taken security of their information systems or the Government Information Security Reform Act86 (GISRA) as seriously as Congress intended. In a February 13, 2002 report to Congress on GISRA compliance, the Office of Management and Budget (“OMB”) confirms this lack of compliance and details six problem areas, including weak security controls for contractor services.87

The Government should fund research and development of (a) commercial, technological solutions to security threats coming from outside U.S. borders, (b) intelligence gathering systems, (c) improved satellite imagery capabilities, and (d) knowledge management and data fusion technologies to better utilize open source information and process massive amounts of data.88

Technological solutions (that may combine technologies, such as PKI, biometrics, and time stamping) should also be developed for immigration controls.89 The Government should not, however, institute a national ID system because it would offer a false sense of security when in actuality technological weaknesses and the ability to assume multiple names would undercut any perceived advantages.

The Government should create an "enhanced intelligence capability" that combines the resources of both foreign and domestic intelligence, and, simultaneously, Congress should pass laws to ensure the information collected is used only for counter-terrorism.90 Attorney General Ashcroft has directed components of the Department of Justice (DOJ), including the FBI, Drug Enforcement Administration, DOJ's Criminal Section, the U.S. Marshals Service, and the Foreign Terrorist Tracking Task Force, to increase coordination and sharing of terrorist information, including foreign information.91

The Government should work with private sector companies to provide best practices and models for protecting hard infrastructure through the utilization of technology. For example, the international transportation system (railroads, shipping) is vulnerable to system disruptions. The traditional "stop and check" method for security precautions is an antiquated method in today's environment. Stephen Flynn, a Coast Guard commander and faculty member of the U.S. Coast Guard Academy, is calling for "technology-based security approaches," such as validation and authentication systems at ports of origin and global tracking.92

Government portals should be designed to serve as information bulletin boards in times of emergency for citizens and responders. New York City's portal provided up-to-the-minute information during the hours after the attack.93 Special pages could be accessed by emergency workers through wireless devices to inform them of the status of buildings, health hazards, etc. Mark Forman, associate director of information technology and e-government for the Office of Management and Budget, has identified the establishment of a disaster management portal as one of the Government's top 24 e-commerce initiatives.94

Y2K-like Crisis Centers should be reestablished. Valuable lessons can be learned from both Y2K and September 11. Y2K brought the public and private sectors together in unprecedented fashion to address unknown risks that could be caused by computer chips. Billions of dollars were spent by governments and industry around the globe who worked together to try to prevent problems and plan for imagined events. Coordination centers and 24/7 contacts were established, but dismantled after Y2K. That may have made sense at the time, but today, we need to reestablish them to function on a new level against a new global threat. The Y2K effort was successful largely due to the unity of the response. The unity of outrage surrounding 9-11 provides us with another opportunity to bring the public and private sectors together in a united defense. Infrastructure attacks require close public/private coordination; military and law enforcement cannot handle these tasks alone.

IV. CONCLUSION

Vint Cerf noted recently that, "The Internet is largely insensitive to national borders. Its addressing structure is network-centric but blind to geo-political boundaries.”95 We must address the geo-cyber shift that is taking place and, in doing so, we must also look to the future of the Internet. The Interplanetary Internet is in the works, and Mr. Cerf is part of a team that is developing a new protocol to enable reliable file transfers between planets and spacecraft. Whether we will ever communicate with Mars remains to be seen, but we do know that, to date, space technologies have been underutilized in the development of our communications networks, including the Internet. If we are not able to deal with the risks associated with millions of new non-English speaking Internet users on this planet and less control over the Internet, how can we possibly be ready for outer space?

We must be active, not reactive. We need to look ahead and focus on solutions -- technical, legal, logistical, political -- to the economic, national security, and legal/policy issues that are causing, or will cause, a shift in geo-cyber stability and security that threatens our Homeland Security. At the same time, we need to look back in history and ensure that our solutions also preserve the rights that we have held so dear for over two centuries.


1 George Kennan, "The Long Telegram," Feb. 22, 1946, classified in Thomas Etzold and John Lewis Gaddis, Containment: Documents on American Policy and Strategy, 1945-1950 (New York and London: Columbia University Press, 1978), pp. 50-63 at 51.

2 Efstathios T. Fakiolas, "Kennan's Long Telegram and NSC-68: A Comparative Analysis," East European Quarterly, Vol. 31, No. 4, Jan. 1998; http://www.mtholyoke.edu/acad/intrel/fakiolas.htm.

3 "A Brief History of the Net," Fortune, Oct. 9, 2000 at 34; Dave Krisula, "The History of the Internet," Aug. 2001, http://www.davesite.com/webstation/net-history.shtml. DARPA is the Defense Advanced Research Projects Agency.

4 Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, Stephen Wolff, "A Brief History of the Internet," Internet Society (ISOC) All About the Internet, http://www.isoc.org/internet/history/brief.shtml (hereinafter "A Brief History of the Internet"); Licklider published his series of "Galactic Network" memos in August 1962 and began at ARPA in October 1962.

5 Dave Krisula, "The History of the Internet," Aug. 2001, http://www.davesite.com/webstation/net-history.shtml; "A Brief History of the Net," Fortune, Oct. 9, 2000 at 34; Stewart Brand, "Founding Father," Wired, Mar. 2001 at 148.

6 Stewart Brand, "Founding Father," Wired, Mar. 2001 at 145-153; Dave Krisula, "The History of the Internet," Aug. 2001, http://www.davesite.com/webstation/net-history.shtml.

7 "A Brief History of the Internet," Internet Society (ISOC) All About the Internet, http://www.isoc.org/internet/history/brief.shtml; Stewart Brand, "Founding Father," Wired, Mar. 2001 at 146; Dave Krisula, "The History of the Internet," Aug. 2001, http://www.davesite.com/webstation/net-history.shtml.146.

8 "A Brief History of the Internet," Internet Society (ISOC) All About the Internet, http://www.isoc.org/internet/history/brief.shtml.

9 "Life on the Internet: Net Timeline," PBS, http://www.pbs.org/internet/timeline/timeline-txt.html; see also "The History of the Internet," Aug. 2001, http://www.davesite.com/webstation/net-history.shtml.

10 See e.g., http://www.isoc.org/isoc/; http://www.wia.org/ISOC/; http://www.iab.org/iab/.

11 Global Internet Statistics: Sources & References, Global Internet Statistics (by Language), Mar. 31, 2002, http://www.global-reach.biz/globstats/evol.html.

12 Dave Krisula, "The History of the Internet," Aug. 2001, http://www.davesite.com/webstation/net-history.shtml.

13 Geopolitics is defined as "(1) The study of the relationship among politics and geography, demography, and economics, especially with respect to the foreign policy of a nation, (2) a. A governmental policy employing geopolitics. b. A Nazi doctrine holding that the geographic, economic, and political needs of Germany justified its invasion and seizure of other lands, (3) A combination of geographic and political factors relating to or influencing a nation or region." American Heritage Dictionary, 2000, http://www.dictionary.com/search?q=geo-political.

14 47 U.S.C. § 310(b).

15 "A Brief History of the Internet," Internet Society (ISOC) All About the Internet, http://www.isoc.org/internet/history/brief.shtml.

16 Global Internet Statistics: Sources & References, Global Internet Statistics (by Language), Mar. 31, 2002, http://www.global-reach.biz/globstats/evol.html.

17 Digital Economy 2000, U. S. Department of Commerce, Economics and Statistics Administration, June 2000, p. v, vi; see also Global Internet Statistics: Sources & References, Mar. 31, 2002, http://www.global-reach.biz/globstats/evol.html, indicating that out of 391 million online population, 192 million, or 49% were English-speaking. The following countries are considered English-speaking: U.S., Britain, Ireland, Canada, Australia, New Zealand, South Africa, Philippines, and part of India; http://www.global-reach-biz.gbc/en/english.php3.

18 James D. Wolfensohn, "Development and International Cooperation in the Twenty-first Century: The Role of Information Technology in the Context of a Knowledge-based Global Economy," Speech to United Nations Economic and Social Council, June 5, 2000, http://worldbank.org/html/extdr/extme/jdw-070500/ecosocsum.htm.

19 Global Internet Statistics: Sources & References, Global Internet Statistics (by Language), Mar. 31, 2002, http://www.glreach.com/globstats/index.php3. Global Reach, a marketing communications consulting firm, tracks online users by language rather than country, since people tend to use the Internet in their own language.

20 Global Internet Statistics: Sources & References, Mar. 31, 2002, http://www.global-reach-biz.gbc/en/english.php3.

21 Global Internet Statistics: Sources & References, Global Internet Statistics (by Language), Mar. 31, 2002, http://www.global-reach.biz/globstats/ref.html.

22 Id.

23 Global Internet Statistics: Sources & References, Global Internet Statistics (by Language), Mar. 31, 2002, http://www.glreach.com/globstats/index.php3. European languages include Catalan, Czech, Dutch, Finnish, French, German, Greek, Hungarian, Italian, Polish, Portuguese, Romanian, Danish, Icelandic, Norwegian, and Swedish. Asian languages include Arabic, Chinese, Hebrew, Japanese, Korean, Malay, and Thai.

24 Id.


25 Based on 1990 Census figures. Global Internet Statistics: Sources & References, Global Internet Statistics (by Language), Mar. 31, 2002, http://www.glreach.com/globstats/index.php3.

26 For Arabic countries, the number of people online per DIT Net are: Egypt .40m, UAE .20m, Lebanon .13m, Saudi Arabia .11m, Kuwait .06m, Oman .04m, Bahrain .03m, Qatar .03m, Yemen .006m. SANGONet reports Tunisia has .11m. Cited from Global Internet Statistics: Sources & References, Global Internet Statistics (by Language), Mar. 31, 2002, http://www.glreach.com/globstats/index.php3.

27 Global Internet Statistics: Sources & References, Mar. 31, 2002, http://www.global-reach.biz/globstats/evol.html.

28 Id.

29 Non-English languages for this table include Spanish, Japanese, German, French, Chinese, Scandinavian, Italian, Dutch, Korean, Portuguese, and Other.

30 Id.

31 "U.S. Internet Usage 1995-2005 (% of Population)," http://www.commerce.net/research/stats/stats.html. Percentages are approximate.

32 Global Internet Statistics: Worldwide eCommerce Growth, Nov. 2001, http://www.glreach.com/eng/ed/art/2004.ecommerce.php3.

33 Global Internet Statistics: Sources & References, Global Internet Statistics (by Language), Mar. 31, 2002, http://www.global-reach.biz/globstats/ref.html.

34 Global Internet Statistics: Worldwide eCommerce Growth, Nov. 2001, http://www.glreach.com/eng/ed/art/2004.ecommerce.php3.

35 Based upon author's experiences conducting ICT assessments in developing countries for the U.S. Agency for International Development, her work with The World Bank, and conversations with contractors and professionals in the development field.

36 "Taking up the technology," Financial Times, Apr. 2, 2002 at 8.

37 JODY -- find cite.

38 Simon Romero, "Attacks Expose Telephone's Soft Underbelly," The New York Times, Oct. 15, 2001 at 2A.

39 Al Baker and Kevin Flynn, "After a Bunker Proves Vulnerable, Officials Rethink Emergency Response," The New York Times, Sept. 29, 2001, http://www.nytimes.com/2001/09/29/nyregion/29BUNK.html?todaysheadlines.

40 A. Marshall Acuff, Jr., "Information Security Impacting Securities Valuations: Information Technology and the Changing Face of Business," 2000 at 5-6.

41 Les Csorba, "Corporate security can never be normal again," Houston Business Journal, Dec. 7, 2001, http://houston.bcentral.com/houston/stories/2001/12/10/editorial4.html.

42 "Cybercrime," Business Week, Feb. 21, 2000.

43 Dan Verton, "Disaster recovery planning still lags," Computerworld, Apr. 1, 2002, http://www.computerworld.com/securitytopics/security/story/0,10801,69705,00.html.

44 Richard Power, "2002 CSI/FBI Computer Crime and Security Survey," Computer Security Institute, 2002, http://www.gocsi.com.

45 Id.

46 "Computer Security: Improvements Needed to Reduce Risk to Critical Federal Operations and Assets," GAO Testimony of Robert F. Dacey, Director, Information Security Issues, Before the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform, House of Representatives, Nov. 9, 2001, GAO-02-231T at 4 (referencing "Issue of Intrusions into Government Computer Networks," Statement for the Record by Ronald L. Dick, Director, National Infrastructure Protection Center, Federal Bureau of Investigation before the House Energy and Commerce Committee, Oversight and Investigation Subcommittee, Apr. 5, 2001).

47 Vint Cerf, "A Glimpse of the Future of the Internet," WorldCom Suggested Readings and Prose, http://www1.worldcom.com/global/resources/cerfs_up/issues/glimpse/xml.

48 Norman Willox, "Global Impact of Economic Crime Groups," Economic Crime Investigative Institute Conference, Oct. 27-28, 1997, Washington, DC.

49 "Computer Security: Improvements Needed to Reduce Risk to Critical Federal Operations and Assets," GAO Testimony of Robert F. Dacey, Director, Information Security Issues, Before the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform, House of Representatives, Nov. 9, 2001, GAO-02-231T at 3.

50 "Information Security: Code Red, Code Red II and SirCam Attacks Highlight Need for Proactive Measures," GAO Testimony of Keith A. Rhodes, Chief Technologist, Before the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform, House of Representatives, Aug. 29, 2001, GAO-01-1073T at 6.

51 Louis J. Freeh, Director, Federal Bureau of Investigation, Statement for the Record before Senate Committee on Judiciary, Subcommittee for Technology, Terrorism, and Government Information, U.S. Senate, Mar. 28, 2000, at 4-5, http://www.usdoj.gov/criminal/cybercrime/freeh328.htm.


52 "Security: Improvements Needed to Reduce Risk to Critical Federal Operations and Assets," GAO Testimony of Robert F. Dacey, Director, Information Security Issues, Before the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, Committee on Government Reform, House of Representatives, Nov. 9, 2001, GAO-02-231T at 3.

53 Hanan Sher, "Cyberterror Should Be Int'l Crime," http://www.newsbytes.com/news/00/157986.html.

54 John Lancaster, "Abroad at Home," Nov. 3, 2000, at A31, http://washingtonpost.com/ac2/wp-dyn/A4288-2000Nov2?language=printer.

55 "G-7 to Call for Police Network," Wall Street Journal, Apr. 15, 2002 at A4.

56 "Cyberterrorism: Death, Ruin at a Touch of the Return Key?" AFP, May 16, 2000.

57 Critical Foundations: Protecting America's Infrastructures, The Report of the President's Commission on Critical Infrastructure Protection, Oct. 1997, at 17.

58 National Security Telecommunications Advisory Committee, http://www.ncs.gov/NSTAC/nstac.htm.

59 Simon Romero, "Attacks Expose Telephone's Soft Underbelly," The New York Times, Oct. 15, 2001 at 2A.

60 Dan Caterinicchia, "Wireless priority system nears," Federal Computer Week, Nov. 7, 2001, http://www.fcw.com/fcw/articles/2001/1105/web-disa-11-07-01.asp.

61 "Wireless Priority Services Program," Wireless Priority Services Program Office, http://www.ncs.gov/N2/WPS/WPS1.html; see also, "NS/EP Requirements for Wireless Networks," http://www.its.bldrdoc.gov/tpr/2000/its_e/nsep_require.html.

62 "National Security and Emergency Preparedness (NS/EP) Wireless Priority Service: Discussions with CTIA," DynCorp, Sept. 24, 2001 at 6.

63 "Wireless Priority Services Program," Wireless Priority Services Program Office, http://www.ncs.gov/N2/WPS/WPS1.html.

64 Critical Infrastructure Assurance Office, http://www.ciao.gov/resource/index.html; http://www.ciao.gov/resource/pdd6263summary.html.

65 "How Safe is Your E-Business?" Strategic Decisions, date unknown at 14.

66 See e.g., http://www.bmck.com/ecommerce/intlegis-t.htm; http://www.bmck.com/ecommerce/intlegis-p.htm.

67 Brandon Mitchener, "Increasingly, Rules of Global Economy Set in Brussels," Wall Street Journal, Apr. 23, 2002 at A1, A10.

68 "US top for productivity," Financial Times, Feb. 13, 2001 at 4.

69 Id.

70 Jennifer L. Schenker, "Not Yet Up to Scratch," Time, Nov. 27, 2000 at 78.

71 Convention on Cybercrime, http://conventions.coe.int/Treaty/EN. There are 43 member states of the COE.

72 "Cybercrime: the law moves in," http://www.coe.int/T/E/.

73 Council of Europe Convention of Cybercrime, Preamble, http://www.coe.int.

74 Council of Europe Convention of Cybercrime, Article 12 - Corporate Liability, http://www.coe.int.

75 The Challenge of Unlawful Conduct Involving the Use of the Internet, Report of the President's Working Group on Unlawful Conduct on the Internet, March 2000, at 37, http://www.doj.gov/criminal/cybercrime/unlawful.htm (hereinafter "Unlawful Conduct").

76 See, e.g., 28 U.S.C. § 1782.

77 Unlawful Conduct at 37-38.

78 Communique, Meeting of the Justice and Interior Ministers of The Eight, Dec. 9-10, 1997, http://www.usdoj.gov/criminal/cybercrime/communique.htm.

79 See text at http://www.usdoj.gov/criminal/cybercrime/action.htm.

80 Okinawa Charter on Global Information Society, Kyushu-Okinawa Summit 2000, http://www.library.utoronto.ca/g7/summit/2000okinawa.gis.htm.

81 http://www.abanet.org/scitech/computercrime/home.html.

82 Personnel are participating from the following organizations outside the American Bar Association: American Association for the Advancement of Science; American Civil Liberties Union; Center for Democracy & Technology; Economic Crime Investigative Institute; Electronic Frontier Foundation; Electronic Privacy Information Center; Federal Bureau of Investigation; Federal Deposit Insurance Corporation; Georgia Institute of Technology - Sam Nunn School of International Affairs & Georgia Tech Information Security Center; G-8 Subgroup on High-Tech Crime; Interpol; U.S. National Central Bureau; Lexis-Nexis; National Fraud Center; National Infrastructure Protection Center; National White Collar Crime Center; State of Connecticut, Computer Crimes & Electronic Evidence Unit; The World Bank; U.S. Agency for International Development; U.S. Customs Cyber-Smuggling Center; U.S. Department of Commerce, NTIA; U.S. Department of Defense, C3I; U.S. Department of Justice - Computer Crime & Intellectual Property Division; U.S. Department of State; U.S. Secret Service, Financial Crimes.

83 See e.g., Weigh Systems South v. Mark's Scales & Equip. Inc., Ark. No. 01-959, Mar. 7, 2002 (Corporate carelessness with computer passwords protecting proprietary data and software (failure to change default on passwords and patch bugs that permitted unauthorized use) led Arkansas Supreme Court to declare the data was not entitled to protection as a trade secret). U.S. v. Slanina, 5th Cir., No. 00-20926, Feb. 21, 2002 (Absent a computer use policy to the contrary, a municipal employee has a constitutionally protected privacy interest in materials stored on his office computer).

84 "Beware of drive-by hackers," Financial Times, Sept. 5, 2001 at IV.

85 William Welsh, "Forman enlists state, local governments in fed e-gov projects," Washington Technology, Apr. 9, 2002, http://www.washingtontechnology.com/news/1_1/daily_news/18084-1.html.

86 44 U.S.C. § 3531 et seq.

87 "FY 2001 Report to Congress on Federal Government Information Security Reform," http://www.whitehouse.gov/omb/inforeg/fy01securityactreport.pdf.

88 See generally, Dan Gonzales, Lou Moore, Chris Pernin, David Matonick, Paul Dreyer, "Assessing the Value of Information Superiority for Ground Forces - Proof of Concept," RAND, 2001; Dan Caterinicchia, "Army releases major network RFP," Federal Computer Week, Apr. 16, 2002, http://www.fcw.com.

89 Judi Hasson, "Border tech bill on fast track," Federal Computer Week, Apr. 17, 2002, http://www.fcw.com/print.asp.

90 Full credit for this suggestion goes to Michael Caloyannides, PhD, Senior Fellow, Mitretek Systems, "What Price Counter-Terrorism?" Sept. 26, 2001.

91 Press Release, "Attorney General Orders New Steps To Share Information Relating to Terrorism with Federal Agencies as Well as State and Local Government," U.S. Dept. of Justice, Apr. 11, 2002.

92 "Protection of Electronic Infrastructures Calls for Government, Private Sector Roles," Privacy & Security Report, Bureau of Nat'l Affairs, Mar. 11, 2002, Vol. 1, No. 10 at 257-58.

93 "State, Federal Leaders Use NYC's Handling of WTC Crisis as Technological Model," Dec. 5, 2001, http://www.ny1.com/ny/Living/Sub…/index.html.

94 William Welsh, "Forman enlists state, local governments in fed e-gov projects," Washington Technology, Apr. 9, 2002, http://www.washingtontechnology.com/news/1_1/daily_news/18084-1.html.

95 Vint Cerf, "A Glimpse of the Future of the Internet," WorldCom Resources, http://www1.worldcom.com/global/resources/cerfs_up/issues/glimpse.xml.