
Re: Gorelick testifies before Senate, unveils new executive order



At 12:44 PM -0700 7/19/96, Lucky Green wrote:
>At 3:04 7/18/96, David Sternlight wrote:
>
>>Serious studies have shown that the kinds of protections to make the
>>systems we depend on robust against determined and malicious attackers (say
>>a terrorist government, or one bent on doing a lot of damage in retaliation
>>for one of our policies they don't like), have costs beyond the capability
>>of individual private sector actors. Your friendly neighborhood ISP, for
>>instance, probably can't afford the iron belt and steel suspenders needed
>>to make his system and its connectivity sabotage-proof, and so on. Even
>>cheap but clever solutions involving encryption in such systems require
>>standards and common practices across many institutions.
>
>However, the neighborhood IPS doesn't need the kind of defenses required for
>the powergrid and other crucial systems. The systems that do require such
>heightened security are typically run by parties that can afford such
>security. If they choose not to implement them, then it stands to reason
>that their threat evaluation does not deem it necessary. Let market forces
>govern, lest we spend money on countermeasures for inflated threats.

I suggest that your comment about non-neighborhood IPS systems is
speculative and isn't based on reading the formal threat assessment
analysis.

You are entitled to your opinion but it's just that, not an analytic
argument. It also contains at least one false assumption: that if "their"
threat evaluation deems it important, they can afford to implement it. As
we know this is flat out false. Many aviation experts have said that we
could make airplanes a lot safer than they are now (for example), but
nobody could afford to fly them if we did.

David