United States House of Representatives

Committee on Science

Subcommittee on Technology

Hearings on the

Report of the President’s Commission on Critical Infrastructure Protection

November 6, 1997

Statement of Russell B. Stevenson, Jr.

General Counsel, CyberCash, Inc.

Madam Chairwoman, members of the Subcommittee, thank you for the opportunity to appear before you this afternoon. My name is Russell Stevenson, and I am the General Counsel of CyberCash, Inc., a relatively small company that provides technology and services to enable secure financial transactions on the Internet.

Electronic commerce, while still in its infancy, is growing exponentially. It has the potential to make substantial contributions to economic efficiency and to the quality of the delivery of goods and services – to the tremendous benefit of consumers and business. It is essential to the realization of this great potential, however, that the Internet be a stable and secure environment in which consumers and businesses have confidence.

My role at this hearing is not that of a technologist. I have no expertise in the security of computer networks. I do, however, have some experience in the formulation of public policy. And I also know something about the way in which the implementation of public policy can affect business, especially smaller businesses. Finally, CyberCash is involved in the financial services business, for which computer and network security are of particular importance.

That background leads me to want to make three points this afternoon. First, public policy in this area should limit collective action to those aspects of the infrastructure in which there is likely to be what economists would call a market failure – that is aspects in which the aggregate behavior of individual actors leads to a sub-optimal system. Second, it is critical that government efforts to protect the electronic infrastructure not bring about unintentional consequences that curb its growth or stifle the innovation that has driven its remarkable success to date. Third, encryption is one of the cornerstones of security on the Internet; and nothing could threaten the security of electronic commerce more than ill-conceived public policy on encryption.

Market Failure

It is self-evident that there are strong private incentives that work toward the security of the Internet. All enterprises that make use of the Internet want their data, and the data of their customers, to be protected from theft or corruption. Likewise, they want the Internet itself to be a secure, efficient, and stable means of communicating data.

In a perfect world, the combined action of all users of this infrastructure would produce an optimal degree of security. We do not, however, live in a perfect world. For computer networks, this has two distinctly different aspects. First, individuals do not always pursue their own self-interest with perfect knowledge or with perfect dedication. The greatest weaknesses in computer security are the result, not of failures of technology, but of simple human folly. Businesses can fail to implement readily available technical protections, such as firewalls, against attacks from outside. They can fail to impose adequate systems of controls designed to prevent careless or dishonest employees from compromising their systems from inside. Most of the widely publicized cases of computer break-ins have been the result of this kind of failure.

A second potential area of failure, however, is a failure of the network, itself, resulting from flaws in its design or operation. In the last few years, we have seen examples of this sort of failure in another form of network, the national power grid, which has experienced several widespread outages. I am hardly an expert in networked systems, and the question seems to be a matter of controversy even among the experts, but it is at least conceivable, if not likely, that the Internet may have vulnerabilities of this sort.

What, then, is the proper role of government with respect to these issues? It cannot be doubted that the security and stability of the Internet is a matter of considerable public interest already, and that will only become more so as the Internet grows in importance. But we also know that government is better at some things than others. In addressing Internet security, the government should take care to limit its actions to areas in which, because of some condition of market failure, government can clearly produce a better outcome than would result from the actions of the private sector.

With respect to the first type of failure I have described – failures resulting from simple human imperfection – government’s role should be narrowly confined. It may be desirable, as the Commission has suggested, to sponsor research in computer security, to assist the private sector in establishing benchmarks and codifying best practices, and to promote the dissemination of information about computer security. I have some reservations about the Commission’s suggestion that this research effort be led in part by the National Security Agency. While NSA is, no doubt, a repository of considerable expertise in this area, it also has other missions that may not be entirely congruent with the promotion of the growth and security of the Internet. The National Institute of Standards and Technology, the other agency mentioned by the Commission, might be a better place in which to house the principal efforts.

Regulation also has a place in assuring that private entities follow sound security practices. The government should certainly use its regulatory power over banks and other financial institutions to assure that their safety and soundness is not threatened by inadequate computer security practices. But the government should confine the use of its regulatory power in this area to that narrow class of institutions whose safety and soundness it has undertaken to protect. Regulation is ill suited, and not necessary, for other types of business, for which simple self-preservation should be a sufficient incentive to adopt and maintain appropriate security measures.

With respect to the second type of failure – flaws in the design or operation of the system as a whole that are beyond the ability of any single actor to correct, there may be a place for government to take a more active role. What that role might be depends on the nature of the flaw and the steps necessary to remedy it. I am certain the Commission’s report addresses this question in greater detail; and I am equally certain that this is a question that requires considerably more research, including cooperation between government and industry.

It is also important to remember that electronic networks are evolving at a revolutionary pace. The issues of security and stability they raise are not static; they cannot be resolved once and then forgotten. They are issues that call for regular reevaluation.

The Law of Unintended Consequences All thoughtful observers of the formulation and implementation of government policy toward anything know about the iron law of unintended consequences. According to that law, any major change in policy, however well intended, is certain to have unintended, adverse consequences. They will usually be significant, and sometimes outweigh the beneficial consequences of the new policy. Congress should keep this principle firmly in mind when formulating policy regarding the electronic infrastructure.

This problem is only amplified when the government is dealing with rapidly changing technologies. Laws move at the speed of Congress. The Internet moves at the speed of light. This creates a great risk that regulation intended to protect the infrastructure will end by, at best, slowing the pace of its development and, at worst, stifling beneficial innovation that might ultimately have made the regulation unnecessary.

Smaller companies are particularly vulnerable to the unintended consequences of regulation, as they seldom have the resources to hire lawyers and lobbyists to protect themselves against being crushed when the elephant in Washington rolls over. This is particularly unfortunate in the area of electronic commerce, as smaller companies have been a major source of the entrepreneurial drive and rapid innovation that have made the Internet what it is today.

Encryption

Of all the technologies on which the security of a computer network depends, encryption is perhaps the most important. Without it, sensitive communications would be vulnerable to interception by terrorists, thieves, industrial spies, voyeurs, and the merely curious. With strong encryption, users of the Internet can communicate among each other with little concern that their messages will be read by anyone other than the intended recipients.

It is certainly not lost on the members of this Subcommittee that U.S. policy on encryption has been both confusing and controversial. Some controversy over the matter is perhaps inevitable, as there are several legitimate, but conflicting interests at stake. Unfortunately, some participants in the controversy persist in either willful ignorance of, or deliberate refusal to acknowledge, the importance of encryption in the security of our electronic infrastructure. It is no small irony that the law enforcement interests who argue so ardently for limitations on encryption seem to fail to recognize the increased vulnerability to crime and terrorism that would result from those limitations.

Encryption is a complex technology. The systems that employ it as a tool for security are equally complex, and are evolving rapidly. Regulatory constraints on the use of encryption, or forcing the use of certain design parameters will inevitably weaken the security of electronic networks. It may be that, as a nation, we are willing to sacrifice infrastructure security in exchange for some other value. Before we strike that bargain, however, it is important that we understand the price we are paying.

Conclusion

In conclusion, in considering what action to take on the recommendations of the Commission, Congress should limit the role of the government to (1) research and education aimed at enabling private actors to protect their interests more effectively and (2) identifying and addressing those weaknesses in the electronic infrastructure as a whole that cannot be effectively addressed by the efforts of the private sector. In so doing, Congress should be slow to adopt regulatory measures and keenly aware of the law of unintended consequences. Finally, Congress should pay particular attention to the importance of encryption to security and not expose the electronic infrastructure to attacks by terrorists and criminals in an ill-considered effort to provide law enforcement agencies with tools to investigate terrorists and criminals.

Russell B. Stevenson, Jr., is General Counsel and Secretary of CyberCash, Inc. Before coming to the Company he was engaged in private law practice in Washington, D.C., concentrating on corporate and securities law.

From 1971 to 1981 Mr. Stevenson was a member of the full-time law faculty at George Washington University, where he taught corporations, securities regulation, international business transactions and international economic development. During that time he also was a visiting faculty member at Cornell Law School and at the University of Paris II (Sorbonne). From 1981 to 1984 Mr. Stevenson served as Deputy General Counsel of the Securities and Exchange Commission.

Mr. Stevenson is the author of two books on corporate law and has written numerous articles on securities law and corporate law. He has also lectured frequently on these and related topics. He has been active in the Business Law Section of the American Bar Association, the District of Columbia Bar, the International Law Association, and various community organizations.

Mr. Stevenson graduated with distinction from Cornell University in 1964 with a BME degree and received his J.D. from Harvard Law School, cum laude, in 1969. He is a member of the bars of the District of Columbia and the United States Supreme Court.

United States House of Representatives

Committee on Science

Subcommittee on Technology

Hearings on the

Report of the President’s Commission on Critical Infrastructure Protection

November 6, 1997

Statement of Russell B. Stevenson, Jr.

General Counsel, CyberCash, Inc.

Statement of Federal Government Funding

CyberCash, Inc. has not since its inception in October, 1994, been the direct (or, to its knowledge, indirect) recipient of funds from the Federal Government either through grant or contract.