<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.newamerica.net" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>The Industry Standard</title>
 <link>http://www.newamerica.net/taxonomy/term/46</link>
 <description>The taxonomy view with a depth of 0.</description>
 <language>en</language>
<item>
 <title>Political Spectrum</title>
 <link>http://www.newamerica.net/publications/articles/2001/political_spectrum</link>
 <description> &lt;p&gt;Why are the airwaves -- medium of so much potential commerce -- so poorly managed in the U.S.? The rapidly growing demand for spectrum, or a range of frequencies, is creating tension between doing what&amp;#39;s fair and doing what&amp;#39;s economically efficient. Yet Congress, which is the arbiter of spectrum disputes, has never been very good at making difficult decisions. &lt;/p&gt;
                &lt;p&gt;The extent of the spectrum shortfall is a relatively new problem. In the past, a continuous stream of new technology expanded the range of usable spectrum into a wide open frontier of higher and higher frequencies. The frequencies at the bottom end of the spectrum were allocated to the most popular applications: radio and television. When higher frequencies became usable, they were allocated to new applications such as direct-broadcast satellite TV. Today, the spectrum allocation chart can be read as a chronologically organized living-history museum, displaying artifacts of applications from a bygone era. &lt;/p&gt;
                &lt;p&gt;With the spectrum frontier constantly expanding, Congress could avoid difficult political trade-offs between the interests of existing spectrum licensees (the &amp;quot;incumbents&amp;quot;) and those representing new services. Use all you want, the thinking went -- we&amp;#39;ll find more. This worked reasonably well as long as the frontier was open. Unfortunately, it has closed; and it has closed at a time when demand is skyrocketing. &lt;/p&gt;
                &lt;p&gt;This at first might not seem like a very big problem. By law, the spectrum belongs to the public, and most licenses are limited in duration and constrained to particular applications. Why not let the market sort things out by terminating those licenses and awarding new ones via auction? The answer is that spectrum incumbents are politically powerful (no member of Congress wants to take on his or her local broadcaster) and would strongly oppose such a proposal. The going rate for 1 MHz (a measure, like bits per second, of information-carrying capacity) of unencumbered low-frequency spectrum serving the entire U.S. public is about $1 billion. Local TV broadcasters alone have the rights to 402 MHz of such spectrum, which they won&amp;#39;t give up without a fight. Even if Congress took bold steps, lawsuits filed by incumbents would drag out the re-allocation process for decades, defeating the purpose of reform. &lt;/p&gt;
                &lt;p&gt;Not wanting to take on incumbents, Congress faces a painful trade-off between efficiency (how much consumer welfare can be squeezed from the spectrum) and equity (equalizing benefits to different groups). For example, if demand for broadband Internet services greatly exceeds demand for HDTV, allowing broadcasters the flexibility to meet this demand would increase efficiency but harm fairness by making the companies the beneficiaries of unprecedented government largesse. No politician wants to be seen giving billions of dollars, even in the form of spectrum rights, to a bunch of fat cats. &lt;/p&gt;
                &lt;p&gt;Torn between efficiency and fairness, Congress has chosen to do nothing. As is often the case, breaking out of this gridlock will require an external shock. &lt;/p&gt;
                &lt;p&gt;Pressure is already mounting for legislators to address spectrum mismanagement. But only when the pressure reaches crisis levels will the configuration of political forces leading to the current catch-22 spectrum politics be overturned. A bipartisan congressional bill introduced last week, the so-called Internet Freedom and Broadband Deployment Act of 2001, purports to speed broadband Internet deployment. But it does not even mention spectrum. Such avoidance can last only so long. &lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/jh_snider/recent_work">J.H. Snider</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/535">Open Spectrum</category>
 <category domain="http://www.newamerica.net/taxonomy/term/23">Wireless Future Program</category>
 <pubDate>Fri, 27 Apr 2001 03:00:00 -0400</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3327 at http://www.newamerica.net</guid>
</item>
<item>
 <title>Your Ad Here</title>
 <link>http://www.newamerica.net/publications/articles/2001/your_ad_here</link>
 <description>  &lt;p&gt;Is a government Web site more like a bus or a park? How you 
                  answer this question is likely to determine how you feel about 
                  the idea of government agencies selling advertising space on 
                  their official Web sites. This practice is likely to become 
                  more common as municipalities hunt for cash to bankroll large 
                  investments in information technology. A company called govAds, 
                  for example, is already marketing its advertising-placement 
                  services to revenue-hungry governments. &lt;/p&gt;
                &lt;p&gt;This development leaves some people feeling queasy. To them, 
                  a government Web site is like a park, a public space that shouldn&#039;t 
                  be marred by clever click-through ads featuring images of supine 
                  Pamela Anderson look-alikes. Others, though, are not troubled 
                  by this prospect. These people point to city buses literally 
                  wrapped in advertising and nod approvingly. As long as they 
                  don&#039;t have to pay for it, they don&#039;t care. &lt;/p&gt;
                &lt;p&gt;The debate is new to the Internet but familiar offline. Many 
                  are dismayed by the kudzu-like spread of advertising into the 
                  public sector. Schools accept advertising revenue through soft 
                  drink contracts and cable television broadcasts. Publicly owned 
                  stadiums bear the names of corporate sponsors. Even the presidential 
                  debates were sponsored by Anheuser-Busch to the tune of $550,000. 
                  It was just a matter of time before governments were approached 
                  regarding their Web sites. So what should it be, park or bus? 
                &lt;/p&gt;
                &lt;p&gt;The promise that the Internet would improve government services 
                  is repeated so frequently it has become something of a public-sector 
                  catechism. First, the argument goes, information technology 
                  will make provision of public services dramatically more efficient. 
                  Citizens will go online to register vehicles, obtain fishing 
                  permits, renew driver&#039;s licenses, apply for zoning variances, 
                  pay parking tickets, etc. Second, information-hungry folks will 
                  be able to delve deep into issues of great concern by reading 
                  reports, council meeting minutes, new proposals and the like. 
                  More practical-minded Internet users will be able to access 
                  the garbage pickup schedule, athletic-field reservation information 
                  and tax rules on their home computers. &lt;/p&gt;
                &lt;p&gt;Finally, elected officials will communicate directly with their 
                  constituents. This interactivity, the gospel goes, will break 
                  down the vast chasm that separates the governors from the governed. 
                  A new golden age of democracy will be born! &lt;/p&gt;
                &lt;p&gt;This may all be entirely true. The problem is that making it 
                  happen will cost a great deal of money, money that most governments 
                  do not have. Maybe someday our more traditional interfaces with 
                  government -- bureaucrats behind frosted-glass windows -- will 
                  be replaced by kiosks at the local supermarket. Potential long-run 
                  savings, however, provide little help in making contemporary 
                  budgets add up. Right now, governments have to pay for both 
                  the high-tech and the low-tech facilities. That is not cheap. 
                &lt;/p&gt;
                &lt;p&gt;There are three ways to raise the money. One is to pay for 
                  the technology investment out of general revenues. This may 
                  work for the limited number of governments that are flush with 
                  cash. Elsewhere, however, and assuming that citizens are not 
                  eager to pay more taxes, this option is going to encounter significant 
                  opposition. &lt;/p&gt;
                &lt;p&gt;A second approach would be to charge user fees for all Web-based 
                  transactions. This has some obvious appeal. It would tax only 
                  those directly benefiting from the provision of the service, 
                  and it would make it easy to gauge &quot;market demand&quot; for that 
                  service. On the other hand, it would price significant portions 
                  of the population out of the market for a public good. This 
                  is especially troublesome inasmuch as it is likely to reinforce 
                  the much-discussed &quot;digital divide.&quot; There has already been 
                  some grousing that community groups conducting business via 
                  Usenet groups systematically exclude certain parts of the community. 
                &lt;/p&gt;
                &lt;p&gt;That leaves the advertising solution. The public has already 
                  expressed some dissatisfaction with the ubiquity of advertising 
                  in our lives. Critics claim that by allowing commercialism to 
                  seep into educational institutions we are effectively commoditizing 
                  our children. The 1996 Olympics in Atlanta were reviled for 
                  their omnipresent advertising. Denverites are rallying to preserve 
                  &quot;Mile High Stadium&quot; as negotiations with sponsors proceed to 
                  name the Broncos&#039; new home. &lt;/p&gt;
                &lt;p&gt;Still, there is ample reason to shrug at the prospect of Internet 
                  ads on government Web sites and say, &quot;A little more can&#039;t hurt.&quot; 
                  After all, the aesthetic displeasure created by the placement 
                  of crass come-ons on the same page as schedules of city council 
                  meetings is not too big a price to pay. &lt;/p&gt;
                &lt;p&gt;But there are additional issues to consider. First, the endorsement 
                  problem. Advertising on a government Web site may carry a tacit 
                  endorsement that should not be sold to the highest bidder. Is 
                  it possible to place a banner ad for, say, a hotel on the state 
                  tourism site without implicitly endorsing that hotel to prospective 
                  visitors? Not surprisingly, govAds&#039; CEO Timothy R. Bartlett 
                  says yes. People are used to ads on Web sites, he says, and 
                  don&#039;t infer an endorsement. &lt;/p&gt;
                &lt;p&gt;And indeed the bus analogy supports him. Just because Los Angeles 
                  buses drive around wrapped in plastic technicolor Yahoo advertisements, 
                  does that mean the government is making a portal recommendation? 
                  Most would say no. &lt;/p&gt;
                &lt;p&gt;More problematic is what might be called the Rudy problem. 
                  Anyone who spends more than a little time on the Web knows the 
                  two strategies that seem to guide almost all advertising campaigns 
                  there: Create a banner that looks like a Windows dialog box 
                  or try to be as shocking as possible. Assuming that most people 
                  (outside of Palm Beach County) are not fooled by the fake dialog 
                  box, the shocking ads are more of an issue. &lt;/p&gt;
                &lt;p&gt;Someone is going to have to make decisions regarding appropriate 
                  content. Who is that going to be? New York City Mayor Rudolph 
                  Giuliani famously had a series of advertisements for New York 
                  magazine removed from city buses because they made fun of him. 
                  He even went to court to protect his claimed right to do so. 
                  (He was soundly rebuffed.) &lt;/p&gt;
                &lt;p&gt;But placement of ads on Web sites would invite this type of 
                  activity on a daily basis. There is simply no way around it. 
                  Unless we are willing to accept any and all advertisements on 
                  the Web, there will have to be judges of propriety. Bartlett 
                  argues there is no censorship problem because his company will 
                  make the decisions based on publicly available, contractually 
                  set criteria. This helps, but leaves the door open to controversy. 
                  Bartlett notes that government clients have the right to veto 
                  approved advertisements. Thus a cyber-savvy Giuliani could reject 
                  a mocking advertisement. &lt;/p&gt;
                &lt;p&gt;Interestingly, govAds touts the right of governments to limit 
                  advertising as an advantage. In a document prepared by the company&#039;s 
                  chief lawyer, govAds tries to soothe potential clients&#039; fears 
                  of First Amendment lawsuits. He cites a court decision regarding 
                  a Texas city&#039;s Web site in which, he says, the judge essentially 
                  concluded that a Web site is a bus. And, insofar as it was a 
                  &quot;nonpublic forum&quot; (for example, unlike a park) reasonable policies 
                  regarding acceptable advertisements, such as those that do not 
                  discriminate against particular viewpoints, were just fine. 
                  Giuliani&#039;s problem was his unreasonableness. Are we clear on 
                  that? &lt;/p&gt;
                &lt;p&gt;Advertising on government Web sites is probably not the most 
                  pernicious commercialization of public space. For one thing, 
                  it may not work. Skepticism regarding the profitability of ventures 
                  that rely on Web-based advertising revenues is quite intense. 
                  Bartlett does, however, make a convincing case that he&#039;s got 
                  a winning formula in his ability to target eyeballs for advertisers. 
                  More important, his client list is growing. &lt;/p&gt;
                &lt;p&gt;Still, as more of our lives are spent on-line, our concern with 
                  the sale of public cyberspace is likely to grow. Because there 
                  is essentially infinite room to expand the Internet, there is 
                  no need to protect government Web sites as the Grand Canyon 
                  or Everglades of the Web. In this case, effectively designating 
                  Web sites as &quot;parks&quot; is more a matter of preserving a mindset, 
                  a belief that some things are above commerce. &lt;/p&gt;
                &lt;p&gt;Talk is cheap. But someone has to pay for the servers and software 
                  that will make e-government work. If you&#039;re not willing to pay 
                  for them, maybe Motel 6 will be.
                &lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/jonathan_koppell/recent_work">Jonathan Koppell</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Mon, 05 Feb 2001 00:00:00 -0500</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3228 at http://www.newamerica.net</guid>
</item>
<item>
 <title>The Tax Man Cometh</title>
 <link>http://www.newamerica.net/publications/articles/2000/the_tax_man_cometh</link>
 <description>  &lt;p&gt;They fought over Social Security, tax cuts and defense. 
                  But Al Gore and George W. Bush agreed on one thing: Both pledged 
                  to extend the current three-year moratorium on new Net taxes. 
                  Score one for e-commerce, right? Not exactly. While the moratorium 
                  lets Washington lawmakers appear both pro-Internet and antitax, 
                  it doesn&#039;t bar existing taxes -- just new ones. In fact, states 
                  and municipalities are already allowed to apply existing sales 
                  taxes to Net purchases. And with half a billion dollars in lost 
                  revenues at stake, they&#039;re working feverishly to figure out 
                  how to levy -- and collect -- those fees.&lt;/p&gt;
                &lt;p&gt;The urgency is understandable. Every dollar spent online is 
                  a dollar not spent on Main Street -- and that many fewer pennies 
                  going into city and state tax coffers. Online consumer sales 
                  totaled $12.8 billion last year. In that same period, Forrester 
                  Research estimates, states and municipalities lost $524 million 
                  in potential tax revenues. A recent study by the University 
                  of Tennessee predicted that those annual losses would total 
                  $10.8 billion by 2003. &quot;We have grave concerns about the magnitude 
                  of that money,&quot; says Ray Scheppach, executive director of the 
                  National Governors&#039; Association.&lt;/p&gt;
                &lt;p&gt;The lack of online taxes also puts non-wired retailers at a 
                  disadvantage. Says Andy Ross, owner of Cody&#039;s Books in Berkeley, 
                  Calif.: &quot;I can compete against the Internet. I can compete against 
                  chain stores. But I can&#039;t compete against a tax system that 
                  discriminates against me.&quot; That system also discriminates against 
                  the millions of Americans with no Net access, making the Internet 
                  a duty-free shop for the digital elite.&lt;/p&gt;
                &lt;p&gt;The story of the Net&#039;s rise as a tax haven began before most 
                  Americans had heard of e-anything. In a 1992 Supreme Court case, 
                  Quill Corp. vs. North Dakota, the justices ruled that a vendor 
                  doesn&#039;t have to collect taxes on remote sales unless it has 
                  a &quot;physical nexus&quot; -- meaning employees or tangible property, 
                  such as a store -- in the state where the purchases are made. 
                  The ruling made most mail-order purchases tax-free, because 
                  few mail-order companies have such physical assets. Quill applies 
                  to Internet sales as well: If an online store has an office 
                  in your state, you owe tax on anything you buy from it. Amazon, 
                  for example, should tax customers who live in Washington, where 
                  the company is headquartered.&lt;/p&gt;
                &lt;p&gt;But, as with catalogs, most online sales go untaxed. For one 
                  thing, like their mail-order counterparts, few Internet retailers 
                  own tangible property beyond their headquarters. Collection 
                  is another problem. When they do owe taxes on online purchases, 
                  and the vendor doesn&#039;t collect them, consumers are supposed 
                  to pay them at the same time as they make their annual state 
                  or local income tax payments. Few buyers are even aware of this 
                  requirement, much less meet it.&lt;/p&gt;
                &lt;p&gt;To help resolve the mess, Congress two years ago passed the 
                  Internet Tax Freedom Act, which created a three-year ban on 
                  new Internet taxes. That ban ends October 2001. Last May, the 
                  House voted to extend the moratorium an additional five years, 
                  but the Senate has yet to take up the matter. Note that word 
                  &quot;new&quot;: The moratorium did not invalidate existing tax laws. 
                  It was simply intended to give everybody involved time to ponder 
                  the problem.&lt;/p&gt;
                &lt;p&gt;At the same time it created the original moratorium, Congress 
                  created the Advisory Commission on Electronic Commerce, a blue-ribbon 
                  panel consisting largely of high-tech CEOs and other Internet-industry 
                  notables. But last April, the 19-member panel dissolved in stalemate. 
                  Members agreed on some tangential issues (such as scuttling 
                  a century-old 3 percent telecommunications tax, originally passed 
                  to fund the Spanish-American War), but couldn&#039;t achieve the 
                  necessary two-thirds consensus on the central question: Can 
                  states require e-vendors to collect sales taxes?&lt;/p&gt;
                &lt;p&gt;Online businesses argue that if they were forced to play tax 
                  collector, sales would suffer, and the e-commerce boom would 
                  fizzle. Tech-dominated antitax groups such as the Internet Tax 
                  Fairness Coalition -- members include America Online, Cisco Systems 
                  and Microsoft -- insist that Internet taxation is just too complex. 
                  To quote the coalition Web site: &quot;There is no cheap and easy 
                  technological solution.&quot;&lt;/p&gt;
                &lt;p&gt;It may be hard to believe that the geniuses of the new economy 
                  -- the same folks who create multibillion-dollar stock valuations 
                  on no revenues -- are daunted by a little thing like tax collection. 
                  But they may have a point. Collecting taxes on each Net purchase 
                  would mean identifying the relevant state and local jurisdictions 
                  for the customer, then calculating the associated sales taxes. 
                  Vendors would then have to remit payments and submit paperwork 
                  to each of the country&#039;s thousands of taxing authorities.&lt;/p&gt;
                &lt;p&gt;The taxing authorities themselves are attempting to help. The 
                  National Governors&#039; Association, its municipal allies and a 
                  handful of brick-and-mortar businesses have formed the Streamlined 
                  Sales Tax Project, an effort to create a uniform national system 
                  for collecting sales taxes. So far, more than 30 states are 
                  taking part, drafting a new, one-size-fits-all tax policy that 
                  state legislatures can easily enact. The SSTP is also helping 
                  private companies develop software to simplify collection. The 
                  goal is a &quot;zero burden&quot; system in which states kick back a portion 
                  of the tax revenues to vendors to compensate them for the cost 
                  of compliance.&lt;/p&gt;
                &lt;p&gt;States are trying to make more immediate changes. The California 
                  state Senate, for instance, recently approved a bill that attempted 
                  to clarify the definition of &quot;physical nexus.&quot; Gov. Gray Davis 
                  vetoed the bill, but backers vow they&#039;ll reintroduce it in 2001. 
                  If it becomes law, online vendors like Barnesandnoble.com that 
                  are part-owned by companies with a California nexus will have 
                  to collect taxes.&lt;/p&gt;
                &lt;p&gt;Meanwhile, North Carolina added a new item to its 1999 tax 
                  forms. The paperwork now clearly explains that taxes are due 
                  on Internet purchases that weren&#039;t already taxed by vendors. 
                  The addition helped North Carolina garner roughly $3 million 
                  in use taxes, up from roughly $225,000. Says Charles Collins, 
                  an administrator for the North Carolina Department of Revenue: 
                  &quot;We want to make things simple while making it clear that all 
                  commerce applies to all taxpayers.&quot;&lt;/p&gt;
                &lt;p&gt;E-taliers and consumers, consider yourselves warned.&lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/john_simons/recent_work">John Simons</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Fri, 01 Dec 2000 00:00:00 -0500</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3255 at http://www.newamerica.net</guid>
</item>
<item>
 <title>Bad Boys</title>
 <link>http://www.newamerica.net/publications/articles/2000/bad_boys</link>
 <description>&lt;p&gt;In the days before Web addresses were 
                  as ubiquitous as McDonald&#039;s, the Internet was imagined as a 
                  lawless badlands. Rogues and bandits would soon terrorize cyberspace 
                  as hapless sheriffs struggled to turn on their computers. And 
                  as promised, cybercrime has presented novel challenges to law-enforcement 
                  agencies. &lt;/p&gt;
                &lt;p&gt;Fraud has gone online in multiple forms. Auction sites such 
                  as eBay have proved fertile hunting ground. Some sellers make 
                  fake bids on their own merchandise to inflate its price, while 
                  others simply take the money and run. That is, they never send 
                  the buyer the promised item. Not the most sophisticated gambit, 
                  but surprisingly effective. &lt;/p&gt;
                &lt;p&gt;More ambitious scam artists have targeted the growing population 
                  of stock traders that gather information on the Internet. Even 
                  improbable claims can fuel an effective &quot;pump and dump&quot; scheme. 
                  Two California men were arrested after spreading a rumor that 
                  a small, publicly traded car dealership had acquired another 
                  company that just happened to possess a cure for AIDS. The stock 
                  shot up, proving that people will believe anything. &lt;/p&gt;
                &lt;p&gt;Then there are the purveyors of illegal items -- everything 
                  from alcohol to prescription drugs to firearms. If you want 
                  it, you can probably get it via the Net. Online gambling sites 
                  have created a global floating craps game that would make Nathan 
                  Detroit green with envy. &lt;/p&gt;
                &lt;p&gt;And then there is perhaps the most sinister class of criminal 
                  Web denizens: sexual predators. There are pedophiles that troll 
                  the Internet looking for children. There are sociopaths who 
                  take advantage of the Internet&#039;s culture of trust to lure unsuspecting 
                  victims of all ages into vulnerable positions. &lt;/p&gt;
                &lt;p&gt;Here&#039;s the surprising thing. The spate of horror stories and 
                  the dire predictions of uncontrolled mayhem on the Internet 
                  obscure reality. Law enforcement is holding its own against 
                  scam artists, malevolent hackers, snake-oil salesmen and violent 
                  criminals who use the Internet. Does crime exist on the Web? 
                  Of course. But there isn&#039;t any evidence that Internet criminals 
                  are less likely to be caught than their unwired colleagues. 
                &lt;/p&gt;
                &lt;p&gt;It turns out that law enforcement agencies have been (surprisingly?) 
                  skillful in responding to cybercrime. Police departments have 
                  used data-mining techniques to track down drug traffickers. 
                  Hackers have been busted through invisible backup monitoring 
                  systems. Pedophiles have been snared by agents posing as kids 
                  in chat rooms. And law enforcement agencies are just getting 
                  started. There are increasing numbers of personnel devoted to 
                  cybercrime at the FBI, Federal Trade Commission, Securities 
                  and Exchange Commission and just about every other agency in 
                  Washington. State and local agencies are ramping up their capacity 
                  as well. One could cynically harrumph and say, &quot;These bureaucrats 
                  are just trying to protect their budget!&quot; I would respond with 
                  an emphatic &quot;So what?&quot; Government is responding to the &quot;market 
                  demand&quot; for more law enforcement on the Internet. That is, for 
                  many, the essence of reinventing government. &lt;/p&gt;
                &lt;p&gt;I do not want to suggest that there is no crime on the Internet 
                  or that law enforcement has fully adapted to the changes wrought 
                  by the proliferation of information technology. It has not. 
                  There will always be new scams and new technologies to be exposed, 
                  understood and addressed. Moreover, the shape of law enforcement 
                  will evolve. As I have argued before, the Internet will require 
                  the centralization of law enforcement in order to combat cross-jurisdictional 
                  crime. &lt;/p&gt;
                &lt;p&gt;The point is that the good guys have not been overwhelmed by 
                  the bad guys. Indeed, one of the biggest unmet challenges for 
                  Internet crime-fighting is the establishment of what we might 
                  call &quot;norms of proportionality&quot; to keep law enforcement from 
                  doing too much. &lt;/p&gt;
                &lt;p&gt;In the world of &quot;real&quot; crime, we have developed shared standards 
                  of the appropriate behavior of police that relate to the seriousness 
                  of crimes. This is most obvious in terms of sentencing; jaywalkers 
                  are punished less severely than murderers. But the same logic 
                  carries over to the realm of enforcement. &lt;/p&gt;
                &lt;p&gt;We think police should distinguish between crimes based on 
                  the severity and behave accordingly. First, there is a sense 
                  that resources should be deployed based on the nature of criminal 
                  activity. Police are expected to spend more time and energy 
                  stopping thieves than tracking mattress retailers who illegally 
                  cut off the tags. Second, we tolerate more intrusive police 
                  behavior when it is intended to stop more serious crimes. Thus 
                  wiretaps are acceptable in the pursuit of a kidnapper but perhaps 
                  not as a means of apprehending a juvenile shoplifter. &lt;/p&gt;
                &lt;p&gt;Are such norms of proportionality iron-clad and universal? 
                  Absolutely not. Some police behavior is held to be unacceptable 
                  regardless of the ends (such as torture of suspects). Some people 
                  would argue that criminals are targeted because of their race 
                  without regard to the severity of their alleged crime. Moreover, 
                  the &quot;seriousness&quot; of crimes may be related to the race of the 
                  person committing the offense (for example, possession of crack 
                  is punished more severely than possession of powder cocaine, 
                  disproportionately affecting minority populations). An alternative 
                  critique of the &quot;proportionality&quot; approach is that minor crimes 
                  must be addressed or they will grow into more serious crimes. 
                  This theory, espoused by James Q. Wilson and implemented by 
                  New York Mayor Rudolph Giuliani and his first police chief William 
                  Bratton, is widely used to explain the reduced crime rates in 
                  New York. &lt;/p&gt;
                &lt;p&gt;The point is that we do not have any sense of the proportionality 
                  of Internet crime. What is a serious crime? Denial-of-service 
                  attacks? Is that a worse crime than creating the I Love You 
                  virus? How does that compare with the transgressions of Napsterites? 
                  And how do all of these crimes rank relative to more traditional 
                  crimes that have migrated onto the Web? &lt;/p&gt;
                &lt;p&gt;Thus when the FBI unveils Carnivore, we&#039;re left to wonder who 
                  it will devour. (Who came up with the name Carnivore, anyway? 
                  Stephen King? Hey, FBI! Call the next big surveillance proposal 
                  &quot;Cuddly Bunny&quot; and I guarantee it will go over much better.) 
                  Are the feds going to use Carnivore to go after scheming terrorists? 
                  That might be OK. Or are they going to hunt down the next &quot;Coolio&quot; 
                  who shuts down E-Trade for an hour? Doesn&#039;t it make a difference? 
                &lt;/p&gt;
                &lt;p&gt;Even if we decide, as in New York, that the police must punish 
                  quality-of-life crimes, it must be determined what constitutes 
                  such a crime. Is &quot;shouting&quot; someone down in a chat room such 
                  a crime? Few would say so. How about sending spam? That seems 
                  to make people upset, but is it criminal? How about vandalizing 
                  a Web site? How about sending pornographic instant messages 
                  to unsuspecting computer users (including children)? &lt;/p&gt;
                &lt;p&gt;The point is clear enough. Currently, we have no means of distinguishing 
                  among Internet crimes and thus reaction to Carnivore, Digital 
                  Storm, Echelon and future crime-fighting technologies is bound 
                  to be decidedly mixed. Law enforcement agencies will understandably 
                  see these technologies as the required tools to combat cybercrime 
                  in the 21st century. Civil-liberties advocates will see police 
                  officers chasing after juvenile pranksters with elephant guns. 
                  And both sides will be right. &lt;/p&gt;
                &lt;p&gt;We need to figure out what types of cybercrime constitute the 
                  greatest threat to the Internet and society as a whole. Then 
                  we can work on determining the appropriate responses to different 
                  offenses. Until then, Internet cops will keep coming up with 
                  ever-scarier names for their software and cruising the Internet 
                  in search of criminals without distinguishing between the digital 
                  equivalents of scofflaws and serial killers. &lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/jonathan_koppell/recent_work">Jonathan Koppell</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Mon, 23 Oct 2000 00:00:00 -0400</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3231 at http://www.newamerica.net</guid>
</item>
<item>
 <title>All Quiet on the Network Front</title>
 <link>http://www.newamerica.net/publications/articles/2000/all_quiet_on_the_network_front</link>
 <description>&lt;p&gt;
                  The building at 4500 Southgate is indistinguishable 
                  from the cookie-cutter offices that dot the outskirts of Dulles 
                  Airport in Virginia. But beyond a phalanx of security cameras, 
                  behind doors controlled by retina scanners and handprint readers, 
                  sits a room resembling the Norad command center depicted in 
                  the movie WarGames. This is a Secure Operations Center run by 
                  Counterpane Internet Security, one of a growing number of companies 
                  that monitor clients&#039; computer networks -- from e-commerce sites 
                  to internal servers -- in search of malicious intruders. &lt;/p&gt;
                &lt;p&gt;With cybercrime paranoia soaring in the wake of several high-profile 
                  incidents -- from last spring&#039;s &quot;I Love You&quot; fiasco to late September&#039;s 
                  Disney World intrusion -- wired companies increasingly rely on 
                  third-party experts to keep a digital eye peeled for miscreants. 
                  According to the Gartner Group (IT), $7.1 billion will be spent 
                  on security services this year, and that figure will grow by 
                  40 percent annually for the near future. &lt;/p&gt;
                &lt;p&gt;It all sounds quite scary. Ninety percent of the respondents 
                  to a recent Computer Security Institute survey reported &quot;computer 
                  security breaches&quot; last year. But that figure includes such 
                  banal transgressions as employees downloading porn, exchanging 
                  bawdy e-mail jokes and pirating software. The real headline-grabbers 
                  -- stolen credit card numbers, pilfered trade secrets -- are frightening 
                  yet rare. &lt;/p&gt;
                &lt;p&gt;Hence, Secure Operations Centers like Counterpane&#039;s are the 
                  new-economy equivalent of the Alaskan radar stations that once 
                  scanned the skies for incoming Soviet ICBMs. Still, clients 
                  pay outfits like Counterpane, RIPTech and Pilot Network Services 
                  (PILT) as much as $12,000 per month for the peace of mind that 
                  comes with knowing their systems are being constantly monitored 
                  for unauthorized uses. &lt;/p&gt;
                &lt;p&gt;Curious to witness the action on the front lines of network 
                  security, The Standard spent 24 hours monitoring the monitors 
                  at Counterpane. Founded in 1999 by cryptographer Bruce Schneier, 
                  inventor of the still-unbroken Blowfish algorithm (and a contributor 
                  to The Standard), Counterpane was among the first companies 
                  to offer around-the-clock human surveillance. &lt;/p&gt;
                &lt;p&gt;On their watch, the monitors sift through a constant tidal 
                  wave of information looking for the minuscule anomalies -- a 
                  failed log-in attempt, a malfunctioning router -- that can indicate 
                  that a nascent attack is under way. A cyberattack is nearly 
                  impossible to detect with an untrained eye; a massive denial-of-service 
                  onslaught can appear to be nothing more than a few jargony command 
                  lines. Thus the culture of surveillance is one of patience. 
                  A typical 24-hour stretch includes a fair share of alerts, but 
                  also long stretches of thumb-twiddling. Sealed in a sterile, 
                  windowless room, SOC employees play digital-age voyeurs, scanning 
                  the horizons for the next calamity. &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;9:00 am&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;Arrayed behind desks in a quasi-lecture hall arrangement, the 
                  three-person morning shift sits in near darkness facing a wall 
                  adorned with several massive screens. One displays a never-ending 
                  loop of shots from the 13 security cameras strewn throughout 
                  the facility. Another shows a continuous stream of data culled 
                  from the &quot;sentries,&quot; Counterpane-speak for the PC installed 
                  behind a client&#039;s firewall to monitor network activity. The 
                  scrolling data resembles the hypnotic thicket of characters 
                  that Keanu Reeves gawked at in The Matrix. &lt;/p&gt;
                &lt;p&gt;Each sentry emits a regular &quot;heartbeat,&quot; a signal that indicates 
                  it&#039;s up and running. A dormant heartbeat is cause for alarm; 
                  it indicates that Counterpane&#039;s surveillance abilities are temporarily 
                  crippled, and therefore a customer&#039;s network is ripe for exploitation 
                  -- whether by a disgruntled insider, a precocious preteen armed 
                  with hacking scripts or an evil mastermind in search of digitized 
                  loot. The latter is the most dangerous adversary, the one SOC 
                  analysts live to combat. But for every mastermind, there seem 
                  to be a million kiddies. And, even worse, a billion false alarms. 
                &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;9:48 am&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;Eyes slightly straining in the SOC&#039;s dim, blue glow, Rob Jamison 
                  pores over a chronicle of the past week&#039;s activity for a client. 
                  The Web-hosting firm that Jamison is vetting experienced 1,642 
                  so-called tickets in the previous seven days. &quot;Ticket&quot; is shorthand 
                  for an incident, and they are given one of four classifications. 
                  The lowest grade is &quot;interesting,&quot; which refers to elementary 
                  glitches such as &quot;printer out of toner&quot; messages or brief traffic 
                  spikes. The next level is &quot;security relevant,&quot; which can be 
                  something as minor as a mistyped password. Above that is &quot;suspicious,&quot; 
                  which includes activities that can be preludes to attacks, such 
                  as scans that can detect weak firewalls or pliable backdoors. 
                  Finally, there is &quot;critical,&quot; an attack in progress, something 
                  that requires immediate attention. &lt;/p&gt;
                &lt;p&gt;Only two tickets merit the suspicious label. Both are related 
                  to malfunctioning sentries that lost their heartbeats for over 
                  10 minutes. But alas, it&#039;s nothing to get the heart racing; 
                  Jamison simply chalks up the downtime to hardware problems on 
                  the customer&#039;s end. &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;10:02 am&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;Don DeBolt may be a technogeek, but he has the solid build 
                  and close-cropped hair of a newly minted Marine. He terms himself 
                  an &quot;ethical hacker&quot; and did his fair share of penetration testing 
                  while at Ernst &amp; Young. Now, as a senior SOC engineer, he decides 
                  when to &quot;escalate&quot; a ticket -- that is, to notify a client of 
                  a security issue and provide counsel on how to react. DeBolt 
                  calls his cramped office the War Room. &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;11:41 am&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;DeBolt emerges from the War Room, brow furrowed. One sentry 
                  has been down for 14 hours, reportedly because of a hardware 
                  problem. But the continued lack of a heartbeat is worrying him. 
                  He studies the ticket on a console and makes a fateful judgment 
                  call: &quot;Let&#039;s go on and escalate this one.&quot; &lt;/p&gt;
                &lt;p&gt;Jamison calls the client to assess the situation. But the tech 
                  person he reaches there isn&#039;t exactly in the loop. &quot;The guy 
                  doesn&#039;t have root access and he doesn&#039;t have physical access, 
                  so there&#039;s not a lot they can do,&quot; groans Jamison. &lt;/p&gt;
                &lt;p&gt;Clients may be willing to let Counterpane log and analyze their 
                  most sensitive network traffic, but they stop short of giving 
                  them the power to hit the kill switch. DeBolt calls this look-but-don&#039;t-touch 
                  access &quot;limited keys to the kingdom.&quot; &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;1:59 pm&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;The boredom is beginning to take its toll as the morning watch 
                  draws to a close. MSNBC has been playing over the PA system 
                  for hours, and the umpteenth story about VP Al Gore is starting 
                  to grate on people&#039;s nerves. &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;2:17 pm&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;Differing musical tastes cause a mini ruckus. John Glasscock, 
                  the newest member of the SOC team, says &quot;I like country, I like 
                  ska, I like all sorts of stuff. Except for what he likes.&quot; He 
                  points at a grinning Jason Van Brecht, the team&#039;s resident Unix 
                  snob and a rabid industrial music fan. &lt;/p&gt;
                &lt;p&gt;The sterility of the SOC contributes to the stir-craziness. 
                  There are none of the typical accoutrements of &quot;wacky&quot; new-economy 
                  culture. The only sign of color is a lone mousepad shaped like 
                  a pizza. &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;3:24 pm&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;Second-shifter Kathy Wang plows through a bowl of microwaved 
                  ravioli and mulls over her career anxiety. &quot;I feel like I&#039;m 
                  running out of time,&quot; sighs the 27-year-old. Eager for a slice 
                  of computer-world glory, she&#039;s developing an intrusion-detection 
                  system for ISPs but has found it difficult to get research done 
                  on the job, especially since laptops are verboten at the SOC 
                  to ensure that analysts won&#039;t walk away with sensitive data. 
                &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;11:27 pm&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;Techie to the core, graveyard-shifter Rodney Mitchell pontificates 
                  on a future in which computer chips will be embedded in everything 
                  from rocking chairs to neckties. &quot;Soon you&#039;ll be able to walk 
                  up to a Coke machine and put your watch up to it, or your cell 
                  phone, and you&#039;ll get a Coke and it&#039;ll all be paid for,&quot; he 
                  predicts. &quot;But of course, that increases the vulnerabilities. 
                  Somebody can go up and hack a Coke machine.&quot; That insecurity 
                  partly explains why Mitchell joined Counterpane; as a man who 
                  takes pride in trendspotting, he foresees a rosy future for 
                  companies aimed at keeping technothugs from swiping sodas. &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;2:27 am&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;Dozing behind his console, Mitchell is startled awake by a 
                  series of four bings. He scrambles to make sense of the incoming 
                  tickets, which indicate that a system error has occurred on 
                  a client&#039;s network. &quot;They&#039;ve been doing maintenance since Friday, 
                  but this looks different from a maintenance event,&quot; says DeBolt, 
                  emerging slightly bleary-eyed from the War Room. &lt;/p&gt;
                &lt;p&gt;Mitchell gets on the horn to the sister SOC in Mountain View, 
                  Calif. &quot;You guys looking at these tickets? ... They&#039;re having 
                  some adjacency problem? ... Things quiet on that end? ... OK, 
                  take care.&quot; &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;4:59 am&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;Jamison arrives a minute early for his shift to find Mitchell 
                  studying a Cisco manual. Van Brecht arrives shortly and immediately 
                  opens a cable cabinet to retrieve his stealthily concealed wool 
                  blanket. &quot;It gets so cold in here in the morning,&quot; he says, 
                  bundling up as he flicks on his console&#039;s monitors. &quot;The air 
                  conditioning gets a little crazy.&quot; &lt;/p&gt;
                &lt;p&gt;These are the slowest hours at the SOC, when even the hardiest 
                  cybercriminals are probably fast asleep. Bings are rare, and 
                  the crew occupies themselves with debating the relative merits 
                  of sourdough vs. whole-wheat toast. ZDTV&#039;s programming has turned 
                  from late-night infomercials to a show on international business, 
                  featuring a segment on the Bahamian communications minister. 
                  &quot;Oh, that must be a tough job,&quot; snickers Van Brecht. &quot;What is 
                  that, like, four phones? I&#039;d take that job.&quot; &lt;/p&gt;
                &lt;p&gt;&lt;b&gt;8:58 am&lt;/b&gt;&lt;/p&gt;
                &lt;p&gt;&quot;Any tickets?&quot; DeBolt squawks over a speakerphone, shattering 
                  the lighthearted mood. Van Brecht leans over to report that 
                  the morning has been quiet. DeBolt, operating on only a few 
                  hours of sleep, orders his troops to start checking whether a database 
                  of client information is accessible. The ribaldry ceases and 
                  the tappity-tap of keyboards commences. The networks demand 
                  constant attention, even if the proverbial ICBM never comes 
                  streaking across the digital sky.&lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/brendan_i_koerner/recent_work">Brendan I. Koerner</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Mon, 16 Oct 2000 00:00:00 -0400</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3145 at http://www.newamerica.net</guid>
</item>
<item>
 <title>A Big Pie, Sliced Thin</title>
 <link>http://www.newamerica.net/publications/articles/2000/a_big_pie_sliced_thin</link>
 <description>&lt;p&gt;Who&#039;s winning in the new economy? Not as many people 
                  as you might think. Even as the market hits the stratosphere, 
                  the vast majority of working Americans continue to struggle 
                  along, at least in terms of wages. &lt;/p&gt;
                &lt;p&gt;In 1998, for example, the average annual income for all working 
                  males was $36,252, a gain of precisely $5 since 1970. At the 
                  same time, women&#039;s salaries went from $21,470 to $26,855. &lt;/p&gt;
                &lt;p&gt;The picture is much bleaker, though, if you look specifically 
                  at the three-quarters of Americans who have not graduated from 
                  college. Over the course of a single decade, according to the 
                  Department of Labor, the average male high-school graduate, 
                  the blue-collar worker of yore, has seen his inflation-adjusted 
                  weekly wages drop by an astounding 20 percent, from $679 to 
                  $559. &lt;/p&gt;
                &lt;p&gt;Of course, even these dismal averages are boosted by the presence 
                  of college dropouts like Larry Ellison and Bill Gates in the 
                  mix. A more accurate indication may be to look at how many families 
                  fall on one side or another of the poverty line, defined by 
                  the government as $13,290 per year for a family of three. &lt;/p&gt;
                &lt;p&gt;In 1970, 5.2 million households, roughly 10.1 percent of American 
                  families, were considered impoverished. In 1997, 7.3 million 
                  families, 10.3 percent of all households, lived in official 
                  poverty. And between 1980 and 1997, poverty as a proportion 
                  of a state&#039;s population grew fastest in the new economy&#039;s patron 
                  state, California, from 11 percent to nearly 17 percent. &lt;/p&gt;
                &lt;p&gt;Government-certified hardship is an arbitrary delineation. 
                  To be sure, there are millions of families well over the poverty 
                  line who are struggling to make ends meet. Are they reaping 
                  any of the benefits of the new economy? Not really. &lt;/p&gt;
                &lt;p&gt;The truth is, as rapidly as the American pie is expanding, 
                  the proportion devoured by the rich is expanding even faster, 
                  leaving the poor with the same or less than they used to have. 
                &lt;/p&gt;
                &lt;p&gt;The average CEO&#039;s salary, for instance, rose 62.7 percent during 
                  the &#039;90s. CEOs, on average, now make more than 107 times that 
                  of the typical worker. That&#039;s up from a multiple of 56 in 1989, 
                  according to the Economic Policy Institute. &lt;/p&gt;
                &lt;p&gt;This widening gap in paycheck parity helped the richest fifth 
                  of Americans achieve a pretax income boost of 23 percent between 
                  1989 and 1998, an increase of tens of thousands of dollars for 
                  the average well-heeled home. By contrast, a recent study by 
                  the Center on Budget and Policy Priorities found that during 
                  the same period annual income for the poorest fifth grew by 
                  a whopping $23, to $9,223. &lt;/p&gt;
                &lt;p&gt;Even worse than the wage gap is the more cavernous wealth gap. 
                  Household wealth, of course, takes into account wages and other 
                  assets, such as investment income, as well as debt. &lt;/p&gt;
                &lt;p&gt;Because of increasing reliance on debt, the typical American 
                  household&#039;s net worth increased only slightly during the &#039;90s, 
                  by about $2,200, to $61,000. Meanwhile, the wealthiest 1 percent 
                  of Americans control 38 percent of the nation&#039;s wealth, while 
                  the bottom 80 percent controls just 17 percent. &lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/john_simons/recent_work">John Simons</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Mon, 25 Sep 2000 00:00:00 -0400</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3258 at http://www.newamerica.net</guid>
</item>
<item>
 <title>To Catch a Thief</title>
 <link>http://www.newamerica.net/publications/articles/2000/to_catch_a_thief</link>
 <description>&lt;p&gt;In April 1999, Bruce Schneier, mathematician, digital 
                  security expert and unlikely hacker-scene hero, had an epiphany. 
                  It prodded him to reorganize his company, Counterpane Internet 
                  Security, and altered his view of securing computer systems. 
                  The fruits of that thinking also make up the bulk of his engaging 
                  and exhaustive new book, &lt;i&gt;Secrets and Lies: Digital Security 
                  in a Networked World. &lt;/i&gt;&lt;/p&gt;
                &lt;p&gt;Schneier, the creator of two widely used data-scrambling formulas 
                  and author of the definitive &lt;i&gt;Applied Cryptography&lt;/i&gt;, realized 
                  that he and his colleagues were trained to view security as 
                  a hopeless prophylactic, a passive approach that relies too 
                  heavily on complex technologies to keep hackers and criminals 
                  out. &quot;Too many system designers think about security design 
                  as a cookbook thing,&quot; writes Schneier. Add a firewall and a 
                  pinch of encryption, and eventually you&#039;ll have a secure system. 
                &lt;/p&gt;
                &lt;p&gt;He concluded that technology, no matter how complex, can&#039;t 
                  solve all our problems. &quot;Security is rooted in the physical 
                  world. The physical world is not logical. It is not orderly,&quot; 
                  he explains. &quot;People don&#039;t play along. They do the unexpected; 
                  they break the rules.&quot; &lt;/p&gt;
                &lt;p&gt;In a land of rule-breakers, rules-based systems are not especially 
                  useful. Instead of building the digital equivalent of a Maginot 
                  Line, Schneier argues, it is far more effective to think of 
                  security as an ongoing process of &quot;risk management&quot; that includes 
                  not just protection, but also detection and reaction mechanisms. 
                &lt;/p&gt;
                &lt;p&gt;&lt;i&gt;Secrets and Lies&lt;/i&gt;, then, isn&#039;t so much a &quot;how-to&quot; as 
                  a &quot;how-to-think&quot; -- a philosophical road map in which Schneier 
                  guides the reader along the same path that brought about his 
                  new thinking. With the single-minded discipline of a programmer, 
                  Schneier spends almost two-thirds of the 400-page book getting 
                  to know the mind of the enemy, surveying the methods hackers 
                  employ to break into systems, from automated programs to the 
                  person-to-person con games known as &quot;social engineering.&quot; &lt;/p&gt;
                &lt;p&gt;The aim in mastering such arcana, according to Schneier, is 
                  &quot;threat modeling,&quot; which is his way of teaching readers to think 
                  like the most methodic of thieves. Schneier provides a series 
                  of cognitive exercises designed to get crime-inspiring synapses 
                  firing. How might one rig an election or hack a stored-value 
                  smartcard without getting caught, for instance? &lt;/p&gt;
                &lt;p&gt;In one exhaustive deconstruction, Schneier walks readers through 
                  the process of getting free pancakes: &quot;We can eat and run. We 
                  can pay with a fake credit card, a fake check or counterfeit 
                  cash. We can persuade another patron to leave the restaurant 
                  without eating and eat his food. We can impersonate (or actually 
                  become) a cook, a waiter or the restaurant owner ...&quot; Schneier 
                  goes so far as to diagram these threat models -- to near-comic 
                  effect -- with what he calls &quot;attack trees.&quot; With such deep knowledge 
                  of one&#039;s potential security flaws in hand, managers can far 
                  more effectively secure their systems. &lt;/p&gt;
                &lt;p&gt;Schneier is the right person to popularize these views. His 
                  prose is lively and his work is informed by current headlines 
                  about the I Love You virus, obscure historical facts about Germany&#039;s 
                  World War II &quot;Enigma&quot; data-scrambling device and ancient myth. 
                  (How did Zeus sneak into Danae&#039;s supposedly impenetrable bronze 
                  chamber? He turned himself into gold dust and showered down 
                  into Danae&#039;s lap through a hole in the roof.) &lt;/p&gt;
                &lt;p&gt;In the wake of this year&#039;s denial-of-service attacks on major 
                  Web sites, Schneier&#039;s book joins a host of other popular works 
                  on digital security -- most notably Winn Schwartau&#039;s Cybershock. 
                  Setting himself apart, Schneier navigates rough terrain without 
                  being overly technical or sensational -- two common pitfalls 
                  of writers who take on cybercrime and security. All this helps 
                  to explain Schneier&#039;s long-standing cult-hero status, even -- 
                  indeed especially -- among his esteemed hacker adversaries. &lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/john_simons/recent_work">John Simons</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Mon, 11 Sep 2000 00:00:00 -0400</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3259 at http://www.newamerica.net</guid>
</item>
<item>
 <title>New World Order</title>
 <link>http://www.newamerica.net/publications/articles/2000/new_world_order</link>
 <description> &lt;p&gt;The future of governance was recently 
                  on display in Yokohama, Japan. It was not a World&#039;s Fair, a 
                  U.N. conference or an international exposition. Rather, it was 
                  the latest meeting of ICANN, the Internet Corporation for Assigned 
                  Names and Numbers. &lt;/p&gt;
                &lt;p&gt;ICANN is not governmental in the usual sense. It does not oversee 
                  a geographic jurisdiction. It does not have an army or even 
                  a police force. What it does possess, however, is authority. 
                  At present, its authority appears somewhat limited: ICANN has 
                  been delegated responsibility for the management of the Internet&#039;s 
                  address book. That is, ICANN is making the rules that determine 
                  who gets the rights to Web site names and manages the technical 
                  facilities that make, say, Amazon.com&#039;s (AMZN) Web site appear 
                  when you type &quot;http://www.amazon.com&quot; into your browser window. 
                &lt;/p&gt;
                &lt;p&gt;But what exactly is ICANN and why should it be making rules 
                  regarding anything? Some people mistakenly think that ICANN 
                  is a U.S. government agency. This confusion is born of a contemporary 
                  propensity to make government agencies seem more efficient by 
                  calling them &quot;corporations&quot; (for example, the Corporation for 
                  National Service). But ICANN is not part of the U.S. government 
                  -- or any other government for that matter. &lt;/p&gt;
                &lt;p&gt;No, ICANN is a private, nonprofit corporation. It was created 
                  by the late Jon Postel, former leader of the Internet Society 
                  and one of the architects of the Internet, after the Clinton 
                  administration announced that it would transfer responsibility 
                  for management of domain-name registration to a private organization. 
                  Up to that point the domain-name registry had been administered 
                  by Network Solutions (NSOL), a private company, under contract 
                  with the National Science Foundation (a U.S. government agency, 
                  despite its misleading name) and later, the U.S. Commerce Department. 
                &lt;/p&gt;
                &lt;p&gt;ICANN&#039;s critics charge that ICANN is an instrument of Internet 
                  interest groups that secretly colluded with the Clinton administration. 
                  The appearance of an objective selection process, they say, 
                  was a sham. Setting aside this controversy, delegating regulation 
                  of the Internet to ICANN (or any other nongovernmental entity) 
                  suggests an approach to the complexities of governance in this 
                  era of globalization that is likely to become common and thus 
                  deserves examination. &lt;/p&gt;
                &lt;p&gt;Trade, communications, crime -- almost every form of human activity 
                  -- now routinely crosses borders. As a result, the mechanisms 
                  we have relied upon to regulate everything from accounting standards 
                  to telephony now appear creaky and outdated. How can the U.S. 
                  Food and Drug Administration meaningfully protect Americans 
                  from dubious drugs if manufacturers around the world have direct 
                  access to U.S. consumers? How can local law enforcement officials 
                  punish operators of rogue gambling operations based offshore? 
                  How can American financial regulators verify the truthfulness 
                  of the claims made by issuers of stocks and bonds on the other 
                  side of the world? &lt;/p&gt;
                &lt;p&gt;The science fiction solution is world government. But this 
                  approach seems far-fetched because national governments will 
                  not vote themselves out of existence. The answer is more likely 
                  the growth of entities like the World Trade Organization and 
                  the World Intellectual Property Organization to which governments 
                  of the world will cede authority and responsibility for international 
                  transactions and activities. In theory, such organizations can 
                  overcome many of the logistical problems that restrict national 
                  governments. Their authority ranges across borders. They propagate 
                  and enforce regulations that apply in all jurisdictions. &lt;/p&gt;
                &lt;p&gt;The creation of ICANN extends the governance experiment one 
                  step further. Unlike treaty-based organizations such as the 
                  WTO, ICANN&#039;s creators hope to sever all formal ties to the governments 
                  of the world. ICANN is envisioned as a model for the quasi-government 
                  of the Internet because it is ostensibly responsible only to 
                  &quot;the Internet community.&quot; This is immensely appealing -- on paper. 
                  Like many who vilify traditional government agencies, ICANN&#039;s 
                  proponents argue that by being independent of &quot;the bureaucracy,&quot; 
                  ICANN will be lean, efficient and free of the political wrangling 
                  that characterizes traditional government. Moreover, ICANN is 
                  promised to be immune to the ideological disputes that make 
                  governance in the nonvirtual world so difficult.&lt;/p&gt;
                &lt;p&gt;But the early experiences of ICANN indicate that such governance 
                  structures introduce vexing challenges of their own. &lt;/p&gt;
                &lt;p&gt;For instance, representativeness. ICANN aspires to be a democratic 
                  government for the Internet. Without borders, however, identifying 
                  those with a legitimate right to participate in ICANN&#039;s decision-making 
                  is difficult and contentious. There is a vocal group of critics 
                  who argue that ICANN&#039;s board of directors and management are 
                  not representative of the Internet user population and, as a result, 
                  biased toward corporations with an overriding interest in protection 
                  of their commercial property rights. &lt;/p&gt;
                &lt;p&gt;The last ICANN meeting, in Cairo, was embroiled in disagreement 
                  regarding the election of additional board members. The board 
                  bowed to objections that an indirect election system would give 
                  the existing board greater authority; the election procedures 
                  are being revised but will allow anyone with an e-mail address 
                  to vote for five at-large members of the board (from a list 
                  put forward by a nominating committee). Will this eliminate 
                  objections to the composition of ICANN? Not likely. &lt;/p&gt;
                &lt;p&gt;Another difficult issue involves challenges to authority. Governments 
                  have a unique tool to compel subjects to respect their authority: 
                  force. ICANN has no analogous monopoly on power, physical or 
                  otherwise. Indeed, there are ways to circumvent or ignore ICANN. 
                  For example, even as ICANN has established and implemented procedures 
                  for arbitration of domain-name disputes, opportunities to litigate 
                  disagreements abound at the state and federal level. It&#039;s difficult 
                  to maintain governmental authority if parties dissatisfied with 
                  the outcome can turn to another venue. &lt;/p&gt;
                &lt;p&gt;Accountability is also tricky. To whom, exactly, is ICANN accountable? 
                  The question is difficult to answer. At present, the Commerce 
                  Department&#039;s National Telecommunications and Information Administration 
                  exercises at least a supervisory role. In the future, however, 
                  it is anticipated that ICANN will grow wings and set out on 
                  its own. ICANN should not look to Uncle Sam for guidance as 
                  it oversees an increasingly international Internet. America&#039;s 
                  dominance of the early days of Internet governance was a natural 
                  consequence of its seminal role in the Internet&#039;s creation. 
                  But what, if any, body will assume the role now played by the 
                  U.S. government? Opponents can now turn to Congress to air objections 
                  regarding the administration of ICANN. Indeed, Congress ordered 
                  the recently released General Accounting Office report on ICANN. 
                  Who will conduct investigations in the future? &lt;/p&gt;
                &lt;p&gt;These concerns are expressed now in theoretical terms. But 
                  &quot;what if&quot; can quickly become &quot;what now?&quot; ICANN raised a few 
                  eyebrows by granting the Palestinian Authority its own top-level 
                  domain name, the same status accorded nation-states. The symbolic 
                  recognition provides a small reminder that organizations to 
                  which significant authority is delegated have a funny habit 
                  of using it in ways that few imagine. ICANN may someday make 
                  decisions that affect the ability of the U.S. government to 
                  protect property rights or police Internet transactions. The 
                  consequences could be more than symbolic. &lt;/p&gt;
                &lt;p&gt;It is difficult to picture ICANN, an obscure entity with an 
                  odd acronym, as anything more than a footnote to the rise of 
                  the Internet. But a year ago it would also have been hard to 
                  imagine violent protests disrupting the WTO meetings in Seattle. 
                  The world is changing. Old boundaries are being eroded by commerce, 
                  transportation and communications. And government is adapting, 
                  taking new forms to accommodate the new reality. In this sense, 
                  ICANN is an important harbinger of the controversies to come.&lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/jonathan_koppell/recent_work">Jonathan Koppell</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Mon, 28 Aug 2000 00:00:00 -0400</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3232 at http://www.newamerica.net</guid>
</item>
<item>
 <title>The World&#039;s Most Secure Operating System</title>
 <link>http://www.newamerica.net/publications/articles/2000/the_worlds_most_secure_operating_system</link>
 <description> &lt;p&gt;The cartoon character on Theo de Raadt&#039;s 
                  business card is surprisingly uncuddly. Most upstart software 
                  companies employ cute mascots -- Linux&#039;s bemused penguin, for 
                  example -- but de Raadt, project leader for the open-source operating 
                  system OpenBSD, favors a smirking, muscular demon clad in policeman&#039;s 
                  garb. The fiend brandishes a badge reading: &quot;OpenBSD: To Serve 
                  and Protect.&quot; &lt;/p&gt;
                &lt;p&gt;This satanic cop may not make a great stuffed animal, but he&#039;s 
                  a fitting symbol of de Raadt&#039;s singular aim -- to create the 
                  world&#039;s most secure operating system. Coded by hundreds of volunteers 
                  worldwide, the freely downloadable OpenBSD is hailed by security 
                  buffs as uncrackable; it&#039;s been over three years, for example, 
                  since a vulnerability was discovered in the system&#039;s off-the-shelf 
                  version. The airtight security is the product of a labor-intensive 
                  approach that many experts feel should become standard. De Raadt 
                  and his cohorts are not only motivating the nascent open-source 
                  industry to rethink its basic security policies, they&#039;ve honed 
                  a set of principles that promise to make all systems -- open 
                  source or not -- safer. &lt;/p&gt;
                &lt;p&gt;&quot;OpenBSD is probably one of the most secure operating systems 
                  out there,&quot; says Chris Brenton, author of Mastering Network 
                  Security. &quot;The crew does a fantastic job of locking down and 
                  being responsive when vulnerabilities are found.&quot; Such a good 
                  job that the U.S. Department of Justice uses 260 copies of OpenBSD 
                  to store and transmit its most sensitive data. &lt;/p&gt;
                &lt;p&gt;Like other projects bearing the BSD moniker, OpenBSD traces 
                  its origins to the University of California at Berkeley. (The 
                  acronym stands for Berkeley Software Distribution.) Unhappy 
                  with Unix&#039;s clunkiness, the school&#039;s programmers started tweaking 
                  the code in the late 1970s to create several variants, culminating 
                  with the release of 4.4 BSD-Lite in 1992. Legal wrangles with 
                  AT&amp;T (T), the original Unix developer, forced the university 
                  to abandon the project, but open-source devotees picked up the 
                  slack. &lt;/p&gt;
                &lt;p&gt;De Raadt began experimenting with BSD code during his student 
                  days at the University of Calgary. Along with several friends, 
                  he created an open-source project called NetBSD in 1993; his 
                  friends booted him from the project the following year. In archived 
                  e-mail, his former colleagues claim he was guilty of &quot;rudeness 
                  toward and abuse of users and developers.&quot; De Raadt denies those 
                  allegations. &lt;/p&gt;
                &lt;p&gt;De Raadt used NetBSD&#039;s code as the foundation for the OpenBSD 
                  project, which he formed in 1995. After his machine was hacked 
                  by a colleague in 1996, he adopted a security tactic that has 
                  become the project&#039;s trademark: &quot;proactive auditing.&quot; &lt;/p&gt;
                &lt;p&gt;Over an 18-month period, a team of 10 volunteers vetted OpenBSD&#039;s 
                  entire source code -- all 350 megabytes -- weeding out thousands 
                  of bugs. Though not necessarily related to security features, 
                  those glitches could have been targeted by attackers using &quot;buffer 
                  overflows&quot; (which overwhelm a machine with data packets), denial-of-service 
                  tools or other elementary hacking techniques. For two years, 
                  de Raadt worked 14-hour days, seven days a week to debug his 
                  system. Despite his notoriously prickly personality, de Raadt 
                  also has managed to attract a legion of collaborators to help 
                  him build OpenBSD. &lt;/p&gt;
                &lt;p&gt;&quot;It&#039;s security through quality,&quot; says de Raadt, who runs the 
                  project out of his Calgary home, surviving on donations and 
                  proceeds from T-shirt sales. &quot;It&#039;s like in airplanes, [where] 
                  safety is a side effect of good engineering.&quot; &lt;/p&gt;
                &lt;p&gt;A sincere passion for technological tinkering motivates de 
                  Raadt. Though he lives modestly, his house is bursting with 
                  wall-to-wall hardware. He owns over a dozen computers, and his 
                  basement is so jammed with Unix machines that several acquaintances 
                  have requested guided tours. &lt;/p&gt;
                &lt;p&gt;OpenBSD&#039;s proactive approach is unique among open-source systems, 
                  which normally rely on user reports and public forums to find 
                  vulnerabilities. The Linux security philosophy, for example, 
                  can be summed up as &quot;more eyes means better security&quot; -- that 
                  is, since the source code is open to peer review, bugs will 
                  be quickly spotted and patched.&lt;/p&gt;
                &lt;p&gt;De Raadt scoffs at that credo. Most reviewers of open-source 
                  code, he says, are amateurs. &quot;These open-source eyes that people 
                  are talking about, who are they?&quot; he asks. &quot;Most of them, if 
                  you asked them to send you some code they had written, the most 
                  they could do is 300 lines long. They&#039;re not programmers.&quot; &lt;/p&gt;
                &lt;p&gt;Proactive auditing is the key to OpenBSD&#039;s vaunted security. 
                  Many security professionals would like to see the model duplicated 
                  elsewhere, especially in Linux offshoots struggling to seize 
                  market share from notoriously buggy Microsoft (MSFT) products. 
                &lt;/p&gt;
                &lt;p&gt;&quot;I&#039;m surprised there&#039;s not a version of Linux out there that 
                  has grown supersecure,&quot; says Ron Gula, chief technology officer 
                  for Network Security Wizard, a developer of intrusion detection 
                  systems who says that Linux developers could augment its security 
                  using de Raadt&#039;s painstaking methods. &lt;/p&gt;
                &lt;p&gt;OpenBSD is designed to be &quot;secure by default.&quot; Most comparable 
                  operating systems, by contrast, come out of the box with settings 
                  that are inherently insecure. Last year, for example, when hundreds 
                  of servers running Red Hat (RHAT) Linux were compromised by 
                  buffer overflow attacks, the company blamed system administrators 
                  for failing to reconfigure the defaults. &lt;/p&gt;
                &lt;p&gt;&quot;Linux distributions tend to take the approach of throwing 
                  everything possible onto the default install, which leads to 
                  a clueless user ending up with a highly insecure operating system,&quot; 
                  says Matt Barringer of WireX Communications, a vendor of software 
                  solutions for Linux server appliances. &quot;OpenBSD takes the opposite 
                  approach, by only including the essential and not allowing, 
                  by default, services that may not be essential -- FTP, for instance.&quot; 
                &lt;/p&gt;
                &lt;p&gt;The secure-by-default policy is also a stress reliever for 
                  veteran administrators. &quot;The 10 percent [of these users] who 
                  do know how to secure their machines, they get bored with it,&quot; 
                  says de Raadt. &quot;It&#039;s no more exciting than ditch digging. OpenBSD 
                  means they can get along with their day-to-day jobs.&quot; &lt;/p&gt;
                &lt;p&gt;Unlike its American counterparts, which until July were bound 
                  by strict encryption-export laws, the Canadian-based OpenBSD 
                  ships with built-in encryption. (In a subtle display of Maple 
                  Leaf pride, labels on OpenBSD discs read: &quot;Made in Canada -- 
                  Land of Free Cryptography.&quot;) The latest version includes OpenSSH, 
                  which enables traffic to avoid &quot;sniffers&quot; designed to detect 
                  users&#039; passwords. &lt;/p&gt;
                &lt;p&gt;While it&#039;s ideal for security-sensitive tasks, such as running 
                  firewalls or data warehousing applications, OpenBSD is probably 
                  not the best option for desktops. &quot;Linux is more flexible than 
                  OpenBSD, which is a direct result of OpenBSD being more focused 
                  on security,&quot; says Brenton. &quot;As you lock things down, you lose 
                  functionality.&quot; &lt;/p&gt;
                &lt;p&gt;De Raadt sounds unconcerned about customer satisfaction. &quot;I 
                  don&#039;t pay attention to who&#039;s using it,&quot; he says. &quot;We don&#039;t write 
                  OpenBSD for the people, we write it for ourselves. If people 
                  end up getting benefits from it, that&#039;s great.&quot; &lt;/p&gt;
                &lt;p&gt;Nevertheless, the system is catching on in corporate America. 
                  The project doesn&#039;t track the number of free downloads or CD-ROMs 
                  purchased, but a rough estimate places the number of users in 
                  the tens of thousands. Potential investors regularly contact 
                  de Raadt with offers of financial backing, he notes, but he 
                  has rebuffed them all: &quot;I talked to a venture capitalist a couple 
                  of weeks ago. I ended up convincing him to just give us a donation.&quot; 
                &lt;/p&gt;
                &lt;p&gt;De Raadt has devoted himself to OpenBSD with a mathematician&#039;s 
                  love of constructing elegant systems. He fears that commercialization 
                  could compromise security, since bottom-line-obsessed executives 
                  would be tempted to skimp on time-consuming audits. Even worse, 
                  those image-conscious suits might force de Raadt to abandon 
                  his fearsome business-card mascot in favor of something more 
                  huggable. For now, the demonic policeman is safe. &lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/brendan_i_koerner/recent_work">Brendan I. Koerner</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Thu, 17 Aug 2000 00:00:00 -0400</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3149 at http://www.newamerica.net</guid>
</item>
<item>
 <title>The Hand That Rocks the Net</title>
 <link>http://www.newamerica.net/publications/articles/2000/the_hand_that_rocks_the_net</link>
 <description> &lt;p&gt;Not so long ago it was common for high-minded &quot;Netheads&quot; 
                  to spout theories about the Internet&#039;s capacity to learn, evolve 
                  and, yes, even think. For anyone who still believes this, consider 
                  a tale of Christmas past. Back in December 1987 -- when fewer 
                  than 100,000 people were using the Internet -- a nasty computer 
                  code called Christma.exe swept the globe, infecting thousands 
                  of mainframes. The virus, which traveled via e-mail, came with 
                  a message: &quot;Here&#039;s a Christmas greeting I thought you&#039;d like.&quot; 
                &lt;/p&gt;
                &lt;p&gt;Uncomplicated and compact, Christma.exe was a clever program. 
                  Even so, the virus required some naivete on the part of its 
                  recipients. The e-mail could wreak havoc only if a person executed 
                  or clicked on the attached &quot;.exe&quot; file. Most did. Once lodged 
                  inside a host computer, the Christmas virus destroyed files 
                  and replicated itself hundreds of times, stymieing the computer&#039;s 
                  random access memory. It copied a list of people who frequently 
                  received mail from its host and parceled itself out seeking 
                  new victims.&lt;/p&gt;
                &lt;p&gt;Any of this sound familiar? The Christma.exe scourge of 1987 
                  mirrors events this spring when a couple of Philippine miscreants 
                  unleashed the I Love You virus, which itself followed the Melissa 
                  virus contagion. And despite the massive damage and equally 
                  sizable media coverage of I Love You, this summer&#039;s Killer Resume 
                  and Very Funny.vbs viruses are still finding victims. &lt;/p&gt;
                &lt;p&gt;What all this says about the state of the Internet is alarming: 
                  In 13 years, the network&#039;s collective subconscious has learned 
                  nothing. &quot;Instead of evolving and becoming stronger, the Internet 
                  has become &#039;dumber&#039; and less efficient,&quot; says Fred Cohen, a 
                  computer scientist at Albuquerque, N.M.-based Sandia National 
                  Laboratories. &lt;/p&gt;
                &lt;p&gt;Cohen is widely recognized as the first person to use the word 
                  &quot;virus&quot; as a metaphor for malicious code. Over the last two 
                  decades he has studied the similarities between digital viruses 
                  and biological ones. These days, he questions the extent to 
                  which biology can help explain social, economic and technical 
                  development on the Net. Cohen notes, for instance, that the 
                  Internet has yet to develop a decent immune response system. 
                &lt;/p&gt;
                &lt;p&gt;The similarities between the Christma.exe and I Love You bugs 
                  illustrate a glaring flaw in the biological metaphor on which 
                  many people base their understanding of the Internet. Scholars 
                  tend to see the Net as a Darwinian ecosystem, a landscape of 
                  machines, wires and code in which users -- sophisticated hackers 
                  and newbies alike -- would each fill a useful niche in the evolving, 
                  symbiotic digital world. &lt;/p&gt;
                &lt;p&gt;According to this worldview, Net users encountering a series 
                  of similar viruses would learn from experience, adapt and develop 
                  a means of protecting themselves. How? By weeding out inferior 
                  software, faulty hardware and incompetent network engineers. 
                  The end result: A better, smarter, more balanced system. &lt;/p&gt;
                &lt;p&gt;Virus-writers and hackers often cite this Internet-as-Serengeti 
                  philosophy to justify their destructive activities. By authoring 
                  rogue programs they&#039;re exposing vulnerabilities in the network 
                  and improving the state of Internet security. In its February 
                  1995 issue, Wired lent mainstream credibility to the idea with 
                  a piece titled &quot;Viruses Are Good for You.&quot; And five years later, 
                  even those who disdain hackers see a place for them in the grand 
                  scheme of things. History may treat them as the &quot;early warning 
                  system of cyberspace,&quot; says Winn Schwartau, author of the recent 
                  book Cybershock (Thunder&#039;s Mouth Press). &lt;/p&gt;
                &lt;p&gt;Sure, viruses might be good for the Net just as termites have 
                  their purpose in the right environment. In a densely wooded 
                  area the little bugs are a natural agent of deforestation, as well as 
                  a source of food for birds and other animals. In the same sense, 
                  viruses and hackers might fill a niche on the Net -- but only 
                  if the Internet&#039;s ecology were a healthy one. &lt;/p&gt;
                &lt;p&gt;Unfortunately, there&#039;s ample proof that the global network 
                  has taken a turn for the worse on its evolutionary path. Instead 
                  of termites in the Amazon basin, picture swarms of them feasting 
                  in Central Park, an artificial environment where every tree 
                  is a more valuable resource than its jungle counterpart. That&#039;s 
                  what hackers and viruses are to today&#039;s Internet. &lt;/p&gt;
                &lt;p&gt;The Net&#039;s ecosystem is clearly dysfunctional, says Bruce Schneier, 
                  one of the world&#039;s leading cryptography experts and CEO of Counterpane 
                  Internet Security based in San Jose, Calif. How are hackers 
                  prodding the Net down a warped evolutionary path? &quot;On the Internet, 
                  you have malicious adversaries designing viruses to attack someone 
                  in a methodical way. Computer viruses don&#039;t occur randomly the 
                  way they do in nature,&quot; says Schneier. &quot;So, there&#039;s no way for 
                  the Net to keep up -- just like our ecosystem can&#039;t keep up with 
                  man.&quot; As in nature, it is man&#039;s will that is throwing the Internet 
                  ecosystem out of balance. This will, or agency, as philosophers 
                  call it, must be taken into account when measuring the Net ecosystem&#039;s 
                  development. &lt;/p&gt;
                &lt;p&gt;As you read this, virus writers are busily fashioning new mutations 
                  of I Love You. Though it&#039;s impossible to estimate the volume 
                  of viruses now coursing through the Net&#039;s infrastructure, researchers 
                  at Symantec (SYMC), makers of the bestselling Norton antivirus 
                  software, estimate that about 40,000 are currently in circulation, 
                  more than double the number at the end of 1998. (The human fight 
                  against real-world viruses and disease isn&#039;t nearly so daunting 
                  by comparison, at least in terms of numbers. Although an estimated 
                  1,500 people around the world die every hour from an infectious 
                  disease, only 30 new diseases -- including Ebola and hantavirus 
                  -- have emerged in the last three decades, according to the National 
                  Center for Infectious Diseases in Atlanta.) &lt;/p&gt;
                &lt;p&gt;In 1996, a mere 10 out of every 1,000 computers were infected 
                  with a virus in a given two-month period. Today, according to 
                  the International Computer Security Association in Reston, Va., 
                  some 80 computers per 1,000 are virus-stricken. A recent PricewaterhouseCoopers 
                  study predicts viruses and hackers will cost businesses worldwide 
                  more than $1.5 trillion this year -- for everything from new 
                  servers to lost productivity. &lt;/p&gt;
                &lt;p&gt;Originally created as a forum for collaborative ideas, the 
                  Internet wasn&#039;t designed to be secure. Rather than maturing 
                  from that state of innocence, as one might expect, recent market 
                  developments are working against tougher security. Companies 
                  trying to seize first-mover advantage often release buggy and 
                  insecure software. More important, functionality has become 
                  the main catalyst of Net evolution. Security is a growing, but 
                  still small part of the innovation equation. &lt;/p&gt;
                &lt;p&gt;Consumers too are partly to blame. &quot;Evolution takes place when 
                  the weaker one dies out,&quot; says Steve Bellovin, a research fellow 
                  at AT&amp;T Labs in Florham Park, N.J. &quot;So far that&#039;s not happening. 
                  If Microsoft (MSFT) Word is vulnerable to macro viruses, you 
                  would think people would move away from Word toward another 
                  product. Until you see a product losing market share because 
                  of security problems, there&#039;s no natural evolution in software 
                  development.&quot; &lt;/p&gt;
                &lt;p&gt;The network effects surrounding Microsoft&#039;s dominance in Web 
                  browser and e-mail software are much discussed. And Bellovin&#039;s 
                  point was noted after security experts observed that the I Love 
                  You virus spread so quickly because of Microsoft Outlook&#039;s dominance 
                  as a consumer e-mail program. It&#039;s what ecologists call a monoculture 
                  -- the same absence of differentiation that allowed a single 
                  organism to wipe out Ireland&#039;s homogeneous potato crop, causing 
                  the famines of the 1840s. &lt;/p&gt;
                &lt;p&gt;Another reason for the dysfunction: The Internet may be growing 
                  too fast to develop a decent ecology. Indeed, people who experienced 
                  the Christma.exe virus in 1987 are a small portion of the Net&#039;s 
                  current population -- too small, perhaps, to contribute anything 
                  to the network&#039;s collective memory. &lt;/p&gt;
                &lt;p&gt;Even if the Net were to someday develop a healthier, balanced 
                  ecosystem of sorts, is a digital Darwinism, in which the fittest 
                  survive, really what we want? Not everyone is willing to abide 
                  the life and death struggles this type of world implies. &quot;Saying 
                  all this destruction occurs for the good of the system is OK 
                  if you&#039;re talking about zebras, but if it&#039;s my human resources 
                  database, I don&#039;t want to hear it,&quot; says Schneier. &lt;/p&gt;
                &lt;p&gt;Whatever the case, the Internet is plagued with problems that 
                  mirror the natural world: crime, hyperfast population growth 
                  and economic imperatives that run counter to its well-being. 
                  Those engaged in business and policymaking on the Net, however, 
                  should be aware that the invisible hand of market capitalism 
                  is not the same as the arbitrary, sometimes cruel hand of Mother 
                  Nature. It is the invisible hand for now, though, that guides 
                  the evolution of the Net.&lt;/p&gt;</description>
 <category domain="http://www.newamerica.net/people/john_simons/recent_work">John Simons</category>
 <category domain="http://www.newamerica.net/taxonomy/term/46">The Industry Standard</category>
 <category domain="http://www.newamerica.net/taxonomy/term/25">The Bernard L. Schwartz Fellows Program</category>
 <pubDate>Mon, 07 Aug 2000 00:00:00 -0400</pubDate>
 <dc:creator>Cecille Isidro</dc:creator>
 <guid isPermaLink="false">3261 at http://www.newamerica.net</guid>
</item>
</channel>
</rss>
