CSIA in the News
Article of Interest:
Washington Post, July 12, 2006
Top Cyber Security Post Still Unfilled After a Year
Critics say the yearlong vacancy is further evidence that the administration
is no better prepared for responding to a major cyber attack than it
was for dealing with Hurricane Katrina, leaving vulnerable the information
systems that support large portions of the national economy, from telecommunications
networks to power grids to chemical manufacturing and transportation
systems. "What this tells me is that ... [Chertoff] still hasn't
made this a priority ... to push forward and find whoever would be the
best fit," said Paul Kurtz, a former cyber security advisor in the
early Bush administration and now a chief lobbyist for software and hardware
security companies. "Hackers have discovered that owners of SCADA
systems are very sensitive and that they can make money by threatening
to do damage," Paller said, adding that he is aware of at least
two incidents just this year in which attackers broke into and threatened
to disrupt utility operations unless the owners paid a ransom demand.
*Also appeared in Free Internet Press
CSIA News:
Government Executive, June 1, 2006
Telework blamed in recent VA data loss
Proponents of policies allowing federal employees to work away from
the office are fighting recent claims that teleworking puts sensitive
agency data at an unnecessary risk for theft or loss. In an attempt to
avert future security breaches and to assuage lawmakers' concerns, Veterans
Affairs officials have said they are reviewing the department's guidelines
on remote use and access to agency information, following the theft of
personal data on more than 26 million veterans from an employee's home.
VA Secretary James Nicholson told House lawmakers Thursday that he is
attempting to determine how many agency employees telecommute because
of the potential damage they could do, not mischievously, but because "they
are negligent." But government officials and telework advocates
say the data breach is not a telework issue. Rather, it stems from the
mishandling of sensitive materials and the failure of an employee to
follow basic security procedures, they say. But Paul Kurtz, executive
director of the Cyber Security Industry Alliance, said agencies should
not respond to this incident by "hunkering down into a brick and
mortar mentality." "Data by its essence is portable," Kurtz
said. "We don't want to have data resting within four walls and
nobody can take it out." Kurtz said sensitive data can easily be
encrypted, but a better option is requiring employees to access that
data over secure Internet connections.
*Also appeared in National Journal’s Technology Daily.
MarketWatch, June 2, 2006
Persistent consumer anxiety seen over online transactions
It may take several more years before consumers are making financial
transactions over the Internet with minimal fear of fraud, the chief
executives of two security-software firms said Thursday. Improved technology
and consumer education will both be needed before users trust the worldwide
data network for sensitive business the same way they do an automated
teller machine, according to John Thompson of Symantec Corp. (SYMC) and
Art Coviello of RSA Security Inc. (RSAS). "It's going to take a bit
of time to get there" because "the Internet was developed in
an insecure environment," Coviello told an audience of executives
gathered near San Diego for the D4 -- All Things Digital conference.
Threats of identity theft, fraud and other scams resemble the fears that
had to be tackled when banks introduced automatic teller machines, Coviello
said. Of course, the industry overcame those concerns, and ATMs went
on to become a ubiquitous and trusted method of consumer banking. "It
took 10 to 15 years to build that trust," Coviello said. "I'm
hoping it doesn't take that long" for the Internet. More than half
of Americans say that because of fear of fraud they spend less time online
than they would otherwise, Thompson said, citing a report by the Cyber
Security Industry Alliance. "Now, it's about identity theft," Thompson
said, adding that consumers need to become much savvier about how they
use the Internet.
*By subscription only
Associated Press, June 6, 2006
GA attorney general urges law to protect ID online
Georgia Attorney General Thurbert Baker said Tuesday he would urge
Congress to increase protection of personal information on the Internet.
Baker, who will become president of the National Association of Attorneys
General at the end of this month, said he and his counterparts in other
states want federal legislation requiring that consumers be notified
when their personal information, held in corporate databases, falls into
the wrong hands. Speaking at a town hall discussion at the Georgia Tech
Research Institute Conference Center, Baker said high-profile data breaches
over the past two years have eroded public confidence in the security
of online transactions. "If society doesn't trust the Internet to
guard their financial information, will they continue to use the Internet
to conduct business and their personal affairs?" Baker asked the
crowd of about 150 people from the technology, business, law enforcement
and academic communities. A survey sponsored by the Cyber Security Industry
Alliance at the end of April found that only 44 percent of Americans
believe their information is safe when shopping or banking online, and
50 percent avoid making purchases online because of fear that their financial
information will be stolen.
*Also appeared in Macon Telegraph, Centre Daily Times, Bradenton
Herald, Columbus Ledger-Enquirer, WTVM, WXIA and Access North Georgia.
Insurance Journal, June 7, 2006
Survey: Lack of Confidence in Cyber Security Has Economic, Political
Effects
Americans share a lack of confidence in the Internet that could have political consequences. In addition, the lack of action by government to boost security of the digital infrastructure is manifesting itself in economic losses. Those are two conclusions formed by the Cyber Security Industry Alliance at the release of its survey measuring the American public's confidence in the security of the nation's digital infrastructure. The results of the nationwide survey of 1,150 adults conducted on behalf of CSIA by Pineda Consulting show that fewer than one in five Americans feel that existing laws are enough to protect them on the Internet. Moreover, voters express a clear preference for strong federal data security legislation even when presented with the argument that it will result in unwanted notices and higher prices. Some 70 percent of likely voters agree that Congress should pass a strong data security law anyway. "The rash of high-profile data breaches over the past 18 months has compromised more than 55 million personal records. Meanwhile, Congress has spent more than a year debating data security legislation without results as the issue of data security has been rising in the public consciousness," said Paul Kurtz, executive director of CSIA. "While data security alone won't be a deciding factor in an election, the survey does reveal that voters have serious doubts about candidates opposed to strong data security laws."
Morris News Service, June 7, 2006
Cyberspace safety still baffles officials
Unless government officials and business executives get a better handle
on computer security breaches, consumers' confidence that their personal
information is safe will continue to erode, Georgia Attorney General
Thurbert Baker said Tuesday. "If society does not trust the Internet
to guard their information, will they continue to use the Internet to
conduct business and their personal affairs?" Mr. Baker said during
a discussion in Atlanta organized by the Cyber Security Industry Alliance.
Mr. Baker and industry experts said the issue is still relatively new
and businesses and lawmakers are still trying to figure out the balance
between protecting consumers and overburdening companies with new regulations. "We're
talking about a generational thing where this is something that's not
going to be fixed next year with the passage of a law," said Tom
Noonan, president and CEO of Internet Security Systems, an Atlanta-based
company. "I do think taking the first step is critically important." Several
proposals are pending in Congress dealing with strengthening data security
procedures, including a national notification law.
*Also appeared in Augusta Chronicle.
SearchSecurity, June 7, 2006
Active-duty soldiers' data also stolen in Veterans Affairs theft
New information revealed Tuesday suggests that the personal information of active-duty armed forces personnel has been compromised as part of the ongoing Veterans Affairs data theft scandal. U.S. Department of Veterans Affairs officials said yesterday that the names, Social Security numbers and dates of birth of about 2.2 million active-duty, National Guard and Reserve troops were likely stored on the same computer that was stolen from a VA employee's home last month. That device contained information on 26.5 million U.S. veterans. This is the latest revelation in a widely publicized incident that refuses to go away. The VA confirmed May 22 that records for every veteran discharged from the military since 1975 were stolen from the home of an agency employee. The records contained the names, Social Security numbers and dates of birth of the veterans and some spouses. Security experts have said the incident shows that public and private organizations must do more to protect the information they keep and that Congress must offer stronger guidance. "This should be a major wake-up call that one small event can have a potentially dramatic impact on millions of lives," Paul Kurtz, executive director of the Arlington, Va.-based Cyber Security Industry Alliance, said last week. "I would think this should raise more awareness in the public consciousnesses."
SecurityProNews, June 7, 2006
Public Wants Government To Do More For Online Security
It's no secret that concern over online security is as high as ever, and many Americans want the government to do more about it. In fact, less than one out of five Americans think that existing laws are enough, according to a survey conducted by the Cyber Security Industry Alliance (CSIA). "The rash of high-profile data breaches over the past 18 months has compromised more than 55 million personal records," said CSIA executive director Paul Kurtz. "Meanwhile, Congress has spent more than a year debating data security legislation without results as the issue of data security has been rising in the public consciousness." Americans' feelings on online safety tremendously affect the e-commerce industry. 50% of those surveyed say they avoid making online purchases for fear of data theft. Online banking is another huge concern of the American public, with only a third of those surveyed seeing it as safe. 1,150 people were surveyed by Pineda Consulting on behalf of CSIA.
Washington Internet Daily, June 8, 2006
Web Security Takes a Village, Experts Say
A data retention mandate for ISPs, while unpopular in the high-tech
community and among civil libertarians, could help fight cyber crooks,
the incoming National Assn. of Attorneys Gen. (NAAG) pres. said Tues. "It
is a sensitive issue [and] a very complex issue," Ga. Attorney Gen.
Thurbert Baker (D) said at a conference in Atlanta. The debate recalls one
over privacy when online buying first became popular, Baker said at a
Cyber Security Industry Alliance (CSIA) town hall meeting. As occurred
then, consumer groups, businesses and law enforcement are at odds, he
said. But as in debates on Internet privacy, "we've all got to be
able to find some common ground and get through it," he said. Less
divisive topics also were discussed. High-profile data breaches the past
15 months -- including a mammoth Dept. of Veterans Affairs breach revealed
last month -- animated industry and academic experts. Breaches, phishing,
spyware and other types of online fraud are altering consumer and business
activity in the digital world, CSIA said. A recent survey by the trade
group showed that only 44% of Americans feel their data are safe in e-commerce
and half avoid buying online out of fear their financial information
will be stolen. If firms ignore key security issues, they risk regulatory
and image trouble, said Internet Security Systems CEO Thomas Noonan.
Companies that "land on the front page" due to data breaches "find
themselves losing the trust of the very people they're in business to
serve," he said.
*By subscription only
Washington Internet Daily, June 12, 2006
Data Breach Exposes 1,500 DoE Employees; DoE Secy. in Dark for 8 Months
House Commerce Committee Chmn. Barton (R-Tex.) called for the resignation
of a Dept. of Energy official after he failed to notify superiors about
a Sept. data breach that affected 1,500 dept. employees. A hacker broke
into a computer system at a National Nuclear Security Administration
(NNSA) service center in Albuquerque, N.M. The exposed file included
information about contract workers and other DoE employees, including
names, Social Security numbers and employment status. The attack was "sophisticated" and
penetrated firewall and intrusion detection software, said DoE CIO Tom
Pyke. Linton Brooks, Administrator of the National Nuclear Security Administration
(NNSA), was informed about the security incident in Sept., but Energy
Secy. Samuel Barton learned of it only 2 days ago. The news infuriated
members of the House Oversight & Investigations subcommittee, which
had originally organized the hearing to discuss DoE's cybersecurity plan
but learned of the data breach Thurs night. Recent data breaches have
provided lawmakers with an opportunity to put reasonable security measures
into place, Paul Kurtz of the Cyber Security Industry Alliance said.
Reasonable laws are on the books -- such as FISMA and the Privacy Act
-- but there's a problem carrying them out, he said: "This incident
represents a systematic breakdown across the federal government of the
awareness level of cabinet-level officials and their engagement."
*By subscription only
UPI, June 16, 2006
Survey Finds Internal Security A Concern
Nearly half of financial institutions reported having experienced an
internal breach, according to Deloitte’s 2006 Global Security Survey
released this week. Though external security breaches still outnumber
internal security breaches, at 78 percent, the rise of internal breaches
shows that security officers may have been putting too much emphasis
on keeping outsiders at bay, according to Paul Kurtz, executive director
of the Cyber Security Industry Alliance. Ted DeZabala, a principal in
Deloitte & Touche’s enterprise risk services group, said that security
officers now have to be prepared for attacks that are well organized
and multi-pronged.
*Also appeared in The Post Chronicle, Monsters and Critics and
PhysOrg.com.
ShortNews.com, June 18, 2006
Study: Internal Network
A study from Deloitte Touche Tohmatsu points out that internal network security, although internal breaches are still outnumbered by external breaches, is increasingly becoming a concern. Almost half of financial companies have reported internal security breaches. Executive director of the Cyber Security Industry Alliance Paul Kurtz says that too much emphasis is being put on external breaches. "It’s been an oversight more than anything. The idea was always perimeter security," he said. He also states that encryption and stronger authentication are essential to security. He notes that "we’re seeing more sophisticated and more coordinated plans of attack."
TechWeb.com, June 20, 2006
Tech Heavyweights Join Effort For Federal Privacy Law
In forming the Consumer Privacy Legislative Forum, the companies said they hoped to convince lawmakers to create a "simplified, uniform but flexible legal framework" that would protect consumers from inappropriate collection and misuse of personal information, while also enabling legitimate companies to use data on people in conducting business. Forum members included EBay Inc., Google Inc., Hewlett-Packard Co., Intel Corp., Microsoft Corp. and Oracle Corp.
"In principle, such legislation would address businesses collecting
personal information from consumers in a transparent manner with appropriate
notice; providing consumers with meaningful choice regarding the use
and disclosure of that information; allowing consumers reasonable access
to personal information they have provided; and protecting such information
from misuse or unauthorized access," the group said in a statement.
Companies are concerned that fear over identity theft and the mishandling
of personal data would eventually hamper their ability to conduct business
on the Internet. The Forum, for example, quoted a nationwide survey released
in May by the Cyber Security Industry Alliance, which found that 94 percent
of people polled listed identity theft as a serious problem. Only 24
percent of the respondents believed businesses were placing the right
emphasis on protecting people's data.
*Also appeared in InformationWeek
MarketWatch.com, June 20, 2006
Business group calls for federal privacy law
The companies, which include eBay Inc. (EBAY), Eli Lilly & Co. (LLY), Google Inc. (GOOG), Hewlett-Packard Co. (HPQ), Microsoft Corp. (MSFT) and Procter & Gamble Co. (PG), argued for "a simplified, uniform but flexible legal framework" that supports "the free flow of information and commerce, while providing protection for consumers from increasing incidents of identity theft, fraud and intrusions of privacy." The Consumer Privacy Legislative Forum said it is concerned that declining consumer trust in the Internet could threaten economic growth and innovation online. It cited a nationwide survey by the Cyber Security Industry Alliance released in May showing 94% of respondents consider identity theft a serious problem and only 24% feel businesses are placing the right emphasis on protecting their information.
National Journal, June 21, 2006
Victims of VA data theft offered free credit services
Veterans Affairs Department Secretary James Nicholson on Wednesday
announced plans to provide free credit monitoring for millions of veterans
and active-duty military personnel whose data was stolen. "The VA
has learned the hard way that the cost to not securing sensitive personal
information is clearly very high," said Paul Kurtz, executive director
for the Cyber Security Industry Alliance. "It's not just in terms
of monetary costs, but reputation and the overall drag it has on the
confidence people and businesses have on the Internet, computers and
our digital society." Gartner, a security research firm, has estimated
the average cost of a data breach at $90 per person. Avivah Litan recently
told the House Veterans Affairs Committee that a company's cost to encrypt
10,000 accounts would be as little as $6 per customer.
*Also appeared in Government Executive
Red Herring, June 21, 2006
Net Firms Seek Privacy Reforms
A coalition of companies including Google, Intel, Microsoft, and eBay called on the U.S. government to enact legislation to streamline the rules governing the collection and distribution of private consumer information to combat growing online fraud. Today, states such as New York have gone after companies suspected of committing online fraud. New York Attorney General Eliot Spitzer has fined a number of companies that have either fraudulently collected consumer email addresses or purchased fraudulently mined email addresses. A nationwide survey quoted by the forum found that 94 percent of the people polled cited identity theft as a serious problem and only 24 percent felt that businesses are placing the right emphasis on protecting information. The survey was conducted in May 2006 by the Cyber Security Industry Alliance.
Technology News.Info, June 21, 2006
Tech giants push for federal privacy laws to standardize legal expectations
Several major high-tech companies lobbied Congress on Tuesday to pass a federal consumer privacy law concerning personal data on the internet. A nationwide survey conducted by the Cyber Security Industry Alliance in May was quoted by the CPLF, and seems to confirm their fears -- 94 percent of those polled listed identity theft as a serious problem, and only 24 percent felt the industry was putting enough effort into protecting private data. Such opinions come after a slew of high-profile cases of mishandled personal information, including thefts from the LexisNexis, Bank of America and the Department of Veterans Affairs. A statement issued by the CPLF read, "In principle, such legislation would address businesses collecting personal information from consumers in a transparent manner with appropriate notice; providing consumers with meaningful choice regarding the use and disclosure of that information; allowing consumers reasonable access to personal information they have provided; and protecting such information from misuse or unauthorized access."
The Wall Street Journal, June 21, 2006
Business Group Calls For Privacy Law
A group of 12 large corporations urged Congress to pass a comprehensive federal consumer-privacy law, citing rising concern that consumer trust in Internet safety is eroding. Privacy Legislative Forum at a U.S. House Energy and Commerce Committee hearing Tuesday on federal privacy legislation. The forum said its purpose would be to study the implications of federal legislation and lobby for its passage. The Forum said it is concerned that declining consumer trust in the Internet could threaten economic growth and innovation online. It cited a nationwide survey by the Cyber Security Industry Alliance released in May showing 94% of respondents consider identity theft a serious problem and only 24% feel businesses are placing the right emphasis on protecting their information.
Washington Internet Daily, June 21, 2006
High-Tech Leaders Push Privacy Protections
Piecemeal federal privacy safeguards don't work and major legal loopholes keep them from helping citizens, businesses and govt., House Commerce Consumer Protection Subcommittee leaders said Tues. Little has changed since the panel's 2001 privacy hearing, its first, Chmn. Stearns (R- Fla.) said. The U.S. still handles privacy via a "sector-specific, disjointed approach" as officials juggle ever more local, state and federal rules on notice, consent and security, he said.
"Something must be done to hold bad actors accountable," eBay
CEO Meg Whitman told the subcommittee. Just as with trade, privacy policy
should be aligned with international allies' rules, Whitman said, calling
U.S. privacy legislation "the next logical step." The forum
takes form amid data showing less consumer trust in the Internet, officials
said. A May Cyber Security Industry Alliance report said 94% of respondents
cited ID theft as a serious problem and only 24% felt businesses put
proper emphasis on protecting data. "Increased use and access to
information, often made possible through advances in technology, has
greatly benefited society through the exchange of ideas, enhanced economic
productivity, and increased access to goods and services," Ohio
State U. law prof. and forum member Peter Swire said: "Unaddressed,
a loss of trust has an adverse impact on economic growth and innovation."
*By subscription only
WebProNews.com, June 22, 2006
Tech Firms Fear Privacy Lawsuits
A dozen high-powered companies inside and outside of the technology industry jointly requested Congress pass a law to protect the privacy of consumers, while insulating them from being "brought to their knees" by class-action lawsuits. The Consumer Privacy Legislation Forum has been formed by twelve companies that believe the perception of the Internet as an unsafe place for personal information has been increasing. Google, eBay, Microsoft, Sun Microsystems, Symantec, Oracle, Hewlett-Packard, and Intel joined other companies in signing off on a letter to Congress requesting a federal consumer privacy law. The group cited a survey conducted by the Cyber Security Industry Alliance, where 94 percent of respondents nationwide considered identity theft a serious problem. Only 24 percent believe businesses have sufficiently emphasized protecting information.
CNET News.com, June 23, 2006
U.S. unprepared for Net meltdown, blue chips warn
The United States has never experienced a massive Internet outage, but a coalition of dynamic chief executives said Friday that the nation must do more to prepare for that prospect. The suggestions drew praise from the Cyber Security Industry Alliance. That organization, composed of computer security firms, has long been lobbying for additional actions in the cybersecurity realm by Congress and the Bush administration. "A massive cyberdisruption could have a cascading, long-term impact without adequate coordination between government and the private sector," said Paul Kurtz, the alliance's executive director. "The stakes are too high for continued government inaction."
InternetNews, June 23, 2006
Another Government Security Breach
According to the U.S. Department of Agriculture (USDA), unknown hackers may have illegally accessed a USDA database containing the names, Social Security numbers and photos of current and former agency employees. The USDA said approximately 26,000 Washington, D.C., area employees are potentially at risk for identity theft. The USDA is providing one year of free credit monitoring to those affected by the intrusion. Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA), added, "From our view, this is yet another incident of not taking security seriously. It seems like there's a breach a day in the government."
Federal Computer Week, June 26, 2006
Groups call for improved cyber-COOP preparedness
The United States is unprepared for a crippling natural or man-made disaster that would disable large parts of the nation’s cyber infrastructure, according to a new report from a prominent business group. The report also states the nation lacks an adequate continuity-of-operations (COOP) plan for restoring the Internet. "If there’s a cyber disaster, there is no emergency number to call and no one in place to respond because our nation simply doesn’t have the kind of coordinated plan in place that we need to restart and restore the Internet," said Edward Rust Jr., chairman and chief executive officer of State Farm Insurance Companies. He is leader of the cybersecurity working group of the Security Task Force at the Business Roundtable, an association of CEOs of large American companies. The report "breaks the problem down to a simple statement: We are not prepared," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "The report makes clear that information systems are essential and that a massive cyber disruption could have a cascading, long-term impact without adequate coordination between government and the private sector."
Federal Computer Week, June 26, 2006
Hack at USDA puts 26,000 at risk
A hacker broke into an Agriculture Department information technology system that contained names, Social Security numbers and other employee data during the first weekend in June, department officials said last week. The security breach put 26,000 current and retired employees and contractors in the Washington, D.C., area at risk of identity theft and other cybercrimes. Computer forensic examiners confirmed that an unauthorized person accessed a computer system in the USDA’s Office of Operations. Although examiners could not determine whether a database containing personal information was viewed or downloaded, their forensic analysis indicated the data could be at risk, USDA officials said. The USDA incident is the latest in a string of revelations about agency security breaches, and it does not surprise Paul Kurtz, executive director of the Cyber Security Industry Alliance. "It seems like every week it’s a new federal agency," he said. In recent weeks, the Department of Veterans Affairs and the Energy Department have also revealed details of information security incidents.
Government Executive, June 26, 2006
GAO, Navy add to growing list of federal data breaches
The number of agencies announcing data breaches is continuing to grow, with both the Navy and the Government Accountability Office revealing Friday the inadvertent release of personal information over the Internet. Personal information, including Social Security numbers, birthdates and names of about 28,000 sailors and their family members, turned up on a civilian Web site in spreadsheet files, the Navy announced. GAO revealed that sensitive information on fewer than 1,000 government workers was available in Internet-accessible archival records. In a memorandum Friday, Clay Johnson, Office of Management and Budget deputy director for management, released a checklist of safeguards for the protection of information that is accessed outside agencies' offices and said OMB will work with inspectors general to ensure compliance within the next 45 days. In addition to the checklist, provided by the National Institute of Standards and Technology, Johnson recommended that agencies encrypt all data on mobile computers and require two factors of authentication for access, re-authentication after 30 minutes of inactivity and the deletion of all sensitive information within 90 days. Paul Kurtz, executive director for the Cyber Security Industry Alliance, said there isn't a "silver bullet" to resolve the security breach problem. "For too long, senior officials, Cabinet-level officers, have really not asked tough questions and taken this issue seriously," Kurtz said. "Until senior managers start asking the questions about risk, asking how things are secured, you don't get the necessary level of interest in securing systems."
National Underwriter, June 26, 2006
Risk Managers Push For Permanent TRIA
A joint committee hearing next month will examine the need for a permanent
federal backstop to cover catastrophic terrorism insurance losses, risk
managers were told here as they gathered to lobby Congress on the issue.
Plans for a hearing were disclosed by an insurance company lobbyist as
the Risk and Insurance Management Society was meeting here last week.
RIMS held a panel discussion on "TRIA-The Final Defense" as
part of the annual "RIMS on the Hill" event, which brings the
group's members to Washington to lobby lawmakers. Their efforts now are
focused on getting a permanent extension of the Terrorism Risk Insurance
Act, which provides a federal reinsurance backstop, thereby encouraging
carriers to write coverage. TRIA was renewed last December after a tough
battle, but is due to expire at the end of 2007. Concerns were voiced
during the panel discussion by a number of attendees-including a representative
of the company that owns the World Trade Center properties-that terrorism
insurance, already hard to come by, will dry up if TRIA is allowed to
sunset. Another panelist, Liz Gasster, general counsel of the Cyber Security
Industry Alliance, cautioned that a "severe action" against
a telecommunications provider is unlikely because it would require major
planning by a sophisticated group. However, she added, risk managers
must be aware that an attack would create "major congestion," and
that private risk managers should plan to coordinate with state and local
governments, other private businesses, as well as with first responders
in their area.
*By subscription only
Telecomweb, June 26, 2006
Business Leaders Warn Of 'Cyber Katrina'
The Business Roundtable warns that the public and private sectors in
the United States remain ill-prepared for a "cyber catastrophe," with
significant ambiguities in sector responses needed to restore and recover
the Internet. In its 21-page report, the Business Roundtable, an association
of about 160 CEOs, was adamant about enterprise and government lack of
preparation to rebound from catastrophic Internet disruptions and significant
weaknesses that could impact homeland security and economic well-being. "Essential
Steps Toward Strengthening America's Cyber Terrorism Preparedness" took
about a year for the group's Security Task Force to complete as members
looked to identify ways to harden the Internet, and maintain Internet
functionality and continuity in the event of disasters. The Roundtable
report drew near-immediate praise from the Cyber Security Industry Alliance
(CSIA), an advocacy group consisting of vendors in the security field;
it, too, has crafted reports and recommendations for enterprise and government
decision makers. "The Business Roundtable report breaks the problem
down to a simple statement: We are not prepared," says Paul Kurtz,
executive director of CSIA. "We have seen such warnings before and
they have not been heeded. Witness the aftermath of Hurricane Katrina.
Government must make information infrastructure resiliency a higher priority."
*By subscription only
Washington Internet Daily, June 26, 2006
Security
The U.S. isn't ready for a cyber-catastrophe, Business Roundtable (BR)
said. BR's analysis exposes "a significant weakness that could paralyze
the economy following a disaster," Edward Rust, chmn. of State Farm
Insurance and head of BR's Security Task Force's working group on cybersecurity,
said: "Our nation simply doesn't have the kind of coordinated plan
in place that we need to restart and restore the Internet. Government
and industry must work together to beef up our cybersecurity and recovery
efforts." The report cites lapses similar to problems after Hurricane
Katrina. Besides an inadequate early warning system, the report flagged
unclear and overlapping responsibilities for recovery oversight and insufficient
resources. A massive cyber-disaster could have "immediate and nationwide
consequences to our nation's security and economy, and we need to be
better prepared," BR Pres. John Castellani said. The Cyber Security
Industry Alliance (CSIA) lauded BR's recommendations. "Govt. must
make information infrastructure resiliency a higher priority," CSIA
Exec. Dir. Paul Kurtz said: "The stakes are too high for continued
government inaction." In Dec. CSIA urged Congress and the Administration
to implement 13 steps to improve the privacy, reliability and integrity
of information, Kurtz said. Little progress on those ideas has been seen,
he said.
*By subscription only
Washington Technology, June 26, 2006
Cyberprotection takes center stage
A year ago, an IT critical infrastructure list circulating in Washington included the headquarters of Intel Corp. and Microsoft Corp. Today, the list is more likely to include virtual assets such as networks that carry data to and from major power plants, government offices and Wall Street. "It is very difficult to define critical assets in cyberspace," added Paul Kurtz, executive director of the Cyber Security Industry Alliance, a cybersecurity advocacy group led by IT chief executives. The determination of what constitutes a critical IT asset is affected by several other trends, such as the ongoing convergence of the IT and telecom industries, said Peter Allor, director of operations for the IT Infrastructure Sector Analysis Center. IT vendors in 2001 created the center as a forum to share information on cyberthreats. The two industries have been intertwined for decades, with telecom providing the backbone systems that enable transfer of data among businesses, government agencies and residences.
Washington Post, June 27, 2006
OMB Sets Guidelines for Federal Employee Laptop Security
The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens. The new security guidelines, issued Friday by the White House Office of Management and Budget, cap a month marked by data thefts or disclosures at five different agencies that compromised Social Security numbers and other private data on millions of people. To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.
Red Herring, June 28, 2006
IBM, FBI Tackle Identity Fraud
A disparate alliance that includes the Federal Bureau of Investigation and IBM said Wednesday it will tackle the growing problem of identity fraud, a problem drawing increasing attention in the United States. The alliance, the Center for Identity Management and Information Protection (CIMIP), also includes the U.S. Secret Service, LexisNexis, and Utica College. Other partners include Carnegie Mellon University Software Engineering Institute’s CERT/CC, Indiana University’s Center for Applied Cybersecurity Research, and Syracuse University’s CASE Center. The CIMIP alliance will try to find ways to detect and prevent identity fraud, particularly the online variety, and improve authentication systems. While immense resources have been ploughed into the development of new security technology, identity fraud and the resulting larceny have not gone away. In fact, identity theft is drawing increasing attention in Washington, D.C., where a number of proposed bills are being considered. A May 2006 nationwide survey by the Cyber Security Industry Alliance found that 94 percent of the people polled cited identity theft as a serious problem. Only 24 percent felt that businesses were placing the right emphasis on protecting information.
Collections & Credit Risk, July 2006
Searching for Direction; Collectors and debt buyers are doing well
this year but all have their fingers crossed about what's ahead.
So far, so good largely sums up the attitude of collectors and debt
buyers halfway through 2006. Says Aaron Hadam, a vice president with
debt broker National Loan Exchange: "I have not run into an overly
bullish or an overly bearish perspective. You see a lot of speculation
in both directions." A variety of uncertainties, such as higher
interest rates, real estate market shakiness, continued high energy
prices, worries about consumer debt loads and regulatory issues lie ahead. On the regulatory front, issues that seemed hot as the year began,
such as a federal data privacy measure and relief for debt buyers from
an Internal Revenue Service requirement to create 1099C forms reporting
forgiven debt above a threshold level as income, have quieted down. Congress'
efforts to wrestle with a passel of data privacy proposals have spelled
inaction and led Washington observers to think that no measure will be
agreed upon by both houses before fall elections. Says Rozanne Andersen,
general counsel and senior vice president legal and government affairs
with industry trade association ACA International: "I would be surprised
if data breach legislation passed yet this Congress." Seventy percent
of Americans want a federal law on data security even if they receive
unwanted notices and a law means higher prices, the Cyber Security Industry
Alliance, a data security trade group, reported in May.
*By subscription only
Government Computer News, July 3, 2006
As data breaches pile up, OMB cracks down
The flood of recent data breaches appears to be the product of a perfect storm of inadequate security controls, enforcement and training. As a result, the Office of Management and Budget has announced a deadline for agencies to implement data security safeguards, and Congress is watching to ensure that agencies comply. Momentum is building for agencies to strengthen their security controls significantly—and quickly. Heads of departments that have lost data, such as VA secretary Jim Nicholson, bear the brunt of a lot of unwanted attention, said Shannon Kellogg, director of government and industry affairs at RSA Security Inc. of Bedford, Mass. OMB’s leverage comes through the budgeting process, said Paul Kurtz, executive director of the Cyber Security Industry Alliance and a former Homeland Security Department official. For example, OMB has the authority to withhold budget approval unless an agency makes corrections, he said. "This kind of guidance that they have to implement within 45 days is a strong recommendation to take action," Kurtz said. A lot of agencies still are struggling with deploying and enforcing best practices, RSA’s Kellogg said. "You can put best practices in place but if they are not enforced or someone just decides to break policy, then the processes break down," he said. Kurtz said the challenge is enforcement, accountability and authority. "You have to have the authority to enforce policy, and for those who do not exercise their authority and enforce policies, there must be accountability," Kurtz said.
National Journal, July 5, 2006
DHS lags in appointing cybersecurity czar
As the nation celebrated its birthday on Tuesday, those awaiting the
appointment of a Cabinet-level cyber security czar are drawing attention
to another July anniversary. Chertoff made the announcement as part of
a six-point agenda July 13, 2005, which identified elevating the position
to an assistant Cabinet-level post as part of an overall strategy to "ensure
that the department's policies, operations, and structures are aligned
in the best way to address the potential threats -- both present and
future." Lofgren said having a cyber security czar who has a seat
at the table during Cabinet meetings is critical for effective rebuilding
of the Internet. Paul Kurtz, executive director of the Cyber Security Industry
Alliance, agrees. Kurtz said he understands Homeland Security was busy
with helping the Gulf Coast recover from last year's Hurricane Katrina,
but he is "very troubled the position remains unfilled. It's yet
another indication of the overall level of attention in the most senior
levels of government," Kurtz said.
*Also appeared in Government Executive.
Reuters, July 15, 2006
No quick fix for government data security
The White House has set an early August deadline for government agencies
to encrypt sensitive data after the embarrassing theft of millions of
veterans' personal information, but experts warn a quick technology fix
will not cure security problems. "The White House directive is a
good first step, but we're concerned about the time frame," said
John Dasher, director of product management at encryption software maker
PGP Corp. "Do they have funds budgeted and allocated? These are
the nuts and bolts of the procurement process." "Agency executives
do not know the value of the data they have in their information technology
systems and they take security for granted," said Paul Kurtz, director
of the Cyber Security Industry Alliance (CSIA) and a former White House
computer systems security policy adviser. Encryption vendors disagree.
But tellingly, their most recent product and marketing efforts have focused
on making the software easier for typical computer users to use.
*Also appeared in InfoWorld, Washington Post, Australian IT, News.com.au,
ZDNet, CNET News.com and Reuters India