The risks inherent in e-commerce can be mitigated by the use of appropriate security countermeasures in conjunction with the establishment of necessary business and legal frameworks. Some of the security safeguards required are comparatively obvious-for example, restricting access to systems that store sensitive information or performing background checks on personnel trusted to perform critical tasks-and we shall not spend time on them in this book. Rather, we focus on special security countermeasures and the supporting technical and legal infrastructure needed because of the unique characteristics of the e-commerce environment. Apart from the fundamental issues identified in section 1.3, environmental factors include
Open communications infrastructure: E-commerce is largely conducted on open, interconnected, unregulated, and largely unpoliced or unpoliceable networks (such as the Internet), as compared with the closed, point-to-point channels (such as leased circuits between major trading partners) typically used in earlier business communications systems.
Global reach: Businesses now demand to trade globally, with at least a comparable degree of confidence as in the insular, controlled digital communities of the past. Because trading partners can reside halfway around the world, there is a great incentive to avoid legal disputes that might end up in a foreign court. This is particularly important when one considers that cyberspace may have no clear jurisdictional boundaries and that messages can pass through a potentially uncontrollable number of jurisdictions. E-commerce may become the most regulated activity in history, with every jurisdiction through which a message passes claiming at least some authority.3 By utilizing good security methods, parties can provide and secure the best possible probative evidence of their transactions and avoid such a legal quagmire.
Real-time trading: In comparison to the batched, EDI-style,4 delayed transactions of the past, real-time trading has both negative and positive implications. On the negative side, real-time trading diminishes the opportunity for parties to meaningfully investigate one another and erodes other safety factors inherent in delayed transactions. On the positive side, an opportunity is introduced for real-time authentication of the transacting parties and the excuse that "the check is in the mail" can less easily be used to gain an unintended free trial period before making final payment.
Political influences: Information security has become a major political issue, involving industrial/economic, national security, and law enforcement communities. The interests of the latter two communities often diverge from those of the business community. Information security issues also raise questions about fundamental constitutional rights.
Secure e-commerce means the reliable execution of business transactions over untrustworthy underlying communications and storage systems, in which transactions may be exposed to unknown parties. Furthermore, business information needs to be secured between users who may never meet each other personally. Satisfaction of these requirements depends heavily on widespread deployment of information security solutions, including authentication, confidentiality, access control, and integrity.
Most significantly, secure e-commerce depends upon the use of cryptographic-based technologies, such as digital signatures and encryption, especially when valuable or private information is involved or when the potential for repudiation of transactions is considered a material risk.
Cryptographic-based technologies are not new. However, until the emergence of e-commerce, their use was essentially limited to the national security arena and a limited set of banking applications. E-commerce has raised many new questions and issues regarding the deployment of cryptographic and related information security technologies on a large-ideally global-scale. In particular, scalability and non-repudiation requirements have led to the widespread application of public-key cryptography, which satisfies these needs well. This, in turn, has created demand for certification authorities and other public-key infrastructure (PKI) functions.
The widespread deployment of digital signatures and other cryptographic technologies also raises many issues relating to legal and business practices and controls. The roles and responsibilities of the parties involved, the legal effect of the information transferred, and the efficacy of computer-based commercial practices in general all present issues pertinent to secure e-commerce.
This book covers the breadth of these issues, within the context of the following definition of secure e-commerce: Secure e-commerce is e-commerce that uses security procedures and techniques, including cryptography and digital signatures, commensurate with anticipated risks.