Cyber Security Industry Alliance Newsletter • Volume 2, Number 6  • February 2006

CSIA in the News

Article of Interest

Reuters, January 25, 2006
Washington AG, Microsoft File Spyware Scam Suit

Washington state and Microsoft Corp. said on Wednesday they filed civil suits against a New York-based company for violating the state's anti-spyware law and called for cooperation between technology companies and government to crack down on Internet fraud. Washington Attorney General Rob McKenna accused Secure Computer LLC and its associates of marketing software that falsely claims a computer is infected with spyware in order to sell a program to clean the PC when in fact the software makes the computer more susceptible to attacks. "Spyware has overtaken computer viruses as the number-one threat to personal computer users," McKenna said in a statement. "This lawsuit will make it clear to those who prey on consumers' fears about spyware that we are no longer going to tolerate their heinous activities." The 16-count suit, filed on Tuesday in U.S. District Court in Seattle, is the first lawsuit under Washington's new computer spyware act and represents the growing cooperation between the technology sector, lawmakers and regulators to limit unwanted tracking and advertising software. Redmond, Washington-based Microsoft said it referred this case to the attorney general's office and provided technical and forensic assistance. Microsoft also filed a parallel suit in federal court. "Microsoft continues to collaborate with many state attorneys general to help protect computer users from the effects of spyware, spam and cybercrime, such as identity theft," said Nancy Anderson, deputy general counsel for Microsoft.


Arizona Daily Star, January 3, 2006
Fighting crime in cyberspace requires vigilance

Even though a sense of routine and normalcy returns after weeks of holiday cheer, keep in mind you are not alone in cyberspace when you log on to the home or office computer. Cybercriminals are ready to zap your data as you get comfortable and start zipping through the Internet. Last year was the worst ever for computer security breaches, USA Today reported last week. At least 130 security breaches put more than 55 million Americans at risk for ID theft last year. Don't expect government to come to your immediate rescue. Cyber Security Industry Alliance, which represents high-tech companies, complains of a 7 percent cut in the Department of Homeland Security's research budget for cyber security programs, floundering ID theft-related bills and nonregulation of data brokers. The Department of Homeland Security National Cyber Security Division officials said the department is working with the private sector and government to create a response system to detect and stop cybercrime, according to the USA Today story.

Computerworld, January 3, 2006
Q&A: RSA CEO sees lack of leadership in U.S. cybersecurity efforts

Art Coviello wears multiple hats. As president and CEO of RSA Security Inc., he is responsible for the company’s vision and long-term strategy. He is also a founding member and co-chair of the Standards Committee of the Cyber Security Industry Alliance (CSIA), which is a consortium of technology companies. In an interview with Computerworld, Coviello talked about the lack of federal leadership on cybersecurity issues, the challenges of information-sharing and RSA's recent acquisition of fraud management software vendor Cyota Inc. The CSIA recently criticized the federal government for its apparent failure to act on recommendations to improve cybersecurity. What exactly is the problem? [Former White House counterterrorism chief] Dick Clarke, in his last act working for the White House, pulled together in early 2003 a strategy for the president to secure cyberspace. We are heading out into 2006, and the government has done absolutely nothing to execute on their own strategy. I think it is entirely appropriate that the Cyber Security Industry Alliance and industry leaders call attention to that fact.

January 12, 2006
Data Breaches: New Year, Old Story

A new year and an old story: Americans fall prey to data theft. A new year and another old story: Congress does nothing about it, not even requiring companies to inform consumers of the breaches. In the absence of action by Congress, the Atlantis breach represents a new, more ominous threat: data breaches on foreign soil. "It was frightening enough for American consumers when major corporate database breaches here at home started exposing the potential vulnerability of their personal information," said Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA). With the Atlantis breach, Kurtz said, "It's all the more important that we get our own house in order and move on to improving international law enforcement cooperation." After all, the United States is a signatory to the Convention on Cybercrime, the first and only international, multilateral treaty aimed at global cooperation between law enforcement officials in the investigation and prosecution of computer network crimes. Late last year, the Senate Foreign Relations Committee finally gave its approval, four full years later, to the treaty, but a full Senate vote is still nowhere in sight. "We can't let the criminals get any farther ahead of the cops than they already are," Kurtz said.
*Also appeared in Computer Crime Research Center.

Washington Internet Daily, January 12, 2006
Capitol Hill

A Bahamian hotel's admission that financial data on 55,000 of its customers might have been stolen prompted the Cyber Security Industry Alliance (CSIA) to urge Congress to focus on passing comprehensive data breach legislation. The Atlantis Resort recently acknowledged an apparent database break-in might have jeopardized personal identifiers of guests, including names, addresses, credit card numbers, Social Security numbers, driver's license numbers and bank account numbers. "It was frightening enough for American consumers when major corporate database breaches here at home started exposing the potential vulnerability of their personal information. That threat alone is more than worthy of federal legislation to protect consumer data and require prompt notification of security breaches," said CSIA Exec. Dir. Paul Kurtz: "But now that the problem is expanding overseas, it's all the more important that we get our own house in order and move on to improving international law enforcement cooperation."
*By subscription only

eWeek, January 18, 2006
Experts Offer Data and Liability Protection Tips

With federal data breach notification legislation slated for passage this year, enterprises that collect and maintain personal information will have another reason for securing their networks. Experts from the legal, business and IT worlds agree that although the environment is in flux, companies should begin protecting their data from theft and themselves from liability now. It is becoming clearer that data protection is no longer the responsibility of an organization's IT personnel alone, and that high-level officials also play a role. In prosecuting breaches, the government will target company officers if they were aware of security problems and had some control over them, said Joel Winston, associate director of the Division of Privacy and Identity Protection at the Federal Trade Commission. "From the FTC's standpoint, there are situations where we do hold individual corporate officers responsible," Winston said at the Data Integrity Summit in Washington, D.C. sponsored by the Cyber Security Industry Alliance. The standard for liability often boils down to whether an organization has taken reasonable measures to protect data, and what is reasonable for one company might not be for another, said Randy Sabett, special counsel for the Information Security and Cybercrime Practice Group at Cooley Godward LLP in Washington.

National Journal’s Technology Daily, January 18, 2006
CEOs Should Improve Privacy Policies, Experts Say

Top executives have taken a lackluster approach to actively ensuring that their companies keep privacy and information security policies updated, panelists said Wednesday. Financial services companies have been laggards in complying with a 1999 financial institution deregulation law and its privacy provisions, said Joel Winston, associate director of privacy and identity protection at the FTC. He spoke for himself and not for the commission. "We spent a year doing outreach saying, 'Here's your obligation, here's what you need to do,' and then at the end, we took a look at what kind of compliance people were doing, and [the answer was] not much, and then we filed a lawsuit," he said. Winston spoke at a conference organized by the Cyber Security Industry Alliance, a trade association of security technology and financial companies such as Visa. Corporations have been scrutinized by the media and regulators for their information security in the past year. There has been a string of high-profile data breaches since California's data privacy law took effect.
*By subscription only.

Network World, January 19, 2006
U.S. critical infrastructure needs improved security

The year 2005 saw a number of reports summarizing and often criticizing the state of cybersecurity in the critical infrastructure of the United States. The Department of Homeland Security (DHS) published its first annual privacy report in February covering April 2003 through June 2004. The U.S. government has lagged behind other nations in establishing formal government positions focused on privacy, so it was encouraging to find upon opening the PDF file for the report that the DHS actually has a chief privacy officer, Nuala O’Connor Kelly. The Government Accountability Office strongly criticized the DHS in a report published in May. In addition, the report cited extensive turnover in the upper echelons of DHS management. In December, the Cyber Security Industry Alliance (CSIA) issued a blistering report giving the federal government an overall grade of D+ (58%) on its cybersecurity efforts. One of the criticisms was that the new position of Assistant Secretary for Cybersecurity at the DHS remained unfilled six months after its announcement.

Washington Internet Daily, January 19, 2006
Government Data Integrity Failures Said to Pose Risks for Consumers

U.S. government data integrity efforts are failing and even if agencies can't keep pace with the private sector, they should not have a lower standard, Center for American Progress Pres. John Podesta told a security conference Wednesday. President Clinton's former staff chief said the Bush Administration "should set a good standard for its own actions" and "show what practices are necessary to make good on that commitment." In short, government policies should "lead by example," Podesta told the Cyber Security Industry Alliance (CSIA). Since 9/11, the U.S. government has "been on a feeding frenzy for data," amassing all types of information in the name of national security, Podesta said. The private sector is also to blame. Agencies have been tapping private databases willy nilly to skirt privacy laws, he said. "All the government has to do is ask and data brokers hand over personal information on countless citizens," he said. Other speakers addressed the corporate variable in the equation. CSIA Exec. Dir. Paul Kurtz said "ignorance is no longer an excuse when it comes to information security... If you go to the effort of collecting data, it is self-evidently something of value, which means you have a responsibility to take reasonable measures to protect it." "Good corporate governance means getting in front of a problem rather than having to clean up after something goes awry," Kurtz said.
*By subscription only

UPI, January 23, 2006
FBI survey finds cybercrime rising

Nearly nine out of 10 public and private institutions suffered computer security incidents in 2005, but less than 10 percent of those report the incidents to law enforcement, according to an FBI survey. The 2005 FBI Cyber Crime Survey, which used responses from 2000 organizations in four states, found that 20 percent of organizations reported enduring 20 or more cyber-security attacks in the last year. Ron Teixeira, executive director of the National Cyber Security Alliance, said that small businesses tend not to report cyber crimes to law enforcement for a variety of reasons. Paul Kurtz, executive director of the Cyber Security Industry Alliance, agreed. "An organization may not want to report because of what they fear it might do to their market share and their investors," he said. Kurtz added that businesses may not report cyber crimes because they assume nothing can be done. "There's a perception among victims that reporting a crime won't bring any returns," he said, "that there's no chance of prosecution and investigation." Kurtz, who also recommended as a tool to educate individuals and businesses, said Congress's role in cyber crime prevention is becoming problematic. The Senate Committee on Foreign Relations passed along to the Senate a motion signing on to the Council of Europe's Convention on Cyber Crime. However, Kurtz said, two senators are anonymously blocking the chamber from voting on the resolution. "We need to create the international infrastructure to prosecute cyber criminals," Kurtz said. "We have to create relationships, and have these laws on the books in multiple countries." Kurtz called the Convention on Cyber Crime "a very solid step that doesn't require the passing of any new laws," and said it was "unexplainable" that two senators would want to block a vote on it.
*Also ran in Monsters and Critics and

Washington Internet Daily, January 23, 2006
Capitol Hill

The Cyber Security Industry Alliance (CSIA) said Fri. it tried to persuade the Senate to ratify the International Convention on Cybercrime. The Convention would aid in international law enforcement cooperation by incorporating key civil rights protections, CSIA said.
*By subscription only

Washington Internet Daily, January 24, 200
High-Tech Group Files FTC Complaint Against Adware Firm

After 2 years of trying to negotiate with 180solutions, the Center for Democracy & Technology (CDT) abandoned its campaign to reform the adware firm and filed a hefty complaint Mon. with the FTC. The high-tech consumer watchdog asked the agency to crack down on what it called deceptive and illegal practices by one of the world's largest Internet advertising software developers. 180 and its affiliates have caused immeasurable harm to individual Web surfers and the Internet itself, said CDT Deputy Dir. Ari Schwartz. The Cyber Security Industry Alliance (CSIA) praised CDT for filing the complaint. "Consumers are fed up with spyware and deceptive adware," said CSIA Exec. Dir. Paul Kurtz: "Congress should help by passing legislation that would allow spyware-blocking companies to focus on product improvement by reducing the number of frivolous, resource-consuming lawsuits they currently face." Dozens of such suits have been filed by spyware purveyors, alleging their software was unfairly flagged by antispyware programs, CSIA said. In most suits, defendants have been forced to choose between pricey litigation and lowering their standards for protecting customers, he said. "Ultimately, consumers are the victims if their protection programs are weakened."
*By subscription only

Computerworld, January 26, 2006
DHS cybersecurity efforts lacking, surveys find; State, local CISOs seek more support from federal agency

Results of two surveys released today suggest that more than three years after the federal government developed a strategy to secure cyberspace, there is still a divide between the U.S. Department of Homeland Security (DHS) and state and local governments in handling cyberthreats. The National Association of State Chief Information Officers (NASCIO) and the Metropolitan Information Exchange (MIX) today jointly released the results of a survey of state and local government information security officers conducted last August. The surveys indicate that a lot of work remains to be done to improve training, funding and communication efforts at the federal, state and local levels to secure cyberspace, said U.S. Rep. Bennie G. Thompson (D-Miss.) in a statement today. The sentiments in today's survey echo that of other industry bodies. For instance, the Cyber Security Industry Alliance, an Arlington, Va.-based consortium of technology companies, in December blasted the federal government for failing to act on recommendations made in 2003 to improve cybersecurity.

SC Magazine, January 26, 2006
Feds slap ChoicePoint with $15M penalty

ChoicePoint has agreed to pay $15 million in fines and consumer redress to settle Federal Trade Commission charges that its record-handling procedures violated consumers’ privacy rights and federal laws, the agency announced today. Deborah Platt Majoras, FTC chairperson, said Thursday that the settlement should be a lesson that the agency is taking data security seriously. "The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," she said. "Data security is critical to consumers, and protecting it is a top priority for the FTC, as it should be to every business in America." Paul Kurtz, executive director of the Cyber Security Industry Alliance, said Thursday that many companies must yet increase information safeguards, saying, "The fact that this is the largest civil penalty in the FTC's long and storied history speaks for itself. Companies that do not have adequate information security safeguards in place are risking breaches that not only hurt the brand among customers and investors, but are also increasingly likely to bring unwanted attention from regulators and law enforcement agencies," he said. "This will particularly be the case when the information at stake is confidential personal data on individual consumers."

Washington Internet Daily, January 27, 2006
ChoicePoint Hit with Largest Civil Penalty in FTC History

ChoicePoint will pay $10 million in a civil penalty and $5 million for a consumer redress fund to settle FTC charges the firm violated federal laws through careless screening and information security procedures. The settlement, the largest in agency history, should warn data brokers and others to "guard the front door... as well as guard the back door" to protect sensitive personal information, or face harsh financial and regulatory consequences, Chmn. Deborah Majoras told a press conference Thurs. Asked what the Commission thinks of Capitol Hill legislation on breaches and what "gaps we need to fill in" between federal laws, Majoras fretted there's "no one statute that requires companies in a general way to safeguard information." She recalled 18 bills introduced to that end, but didn't state a Commission preference for any. The ChoicePoint breach's "front door" nature -- it was done through deceitful requests, not hacking -- is a "powerful reminder that information security must be a priority at every stage of a business's operations," Cyber Security Industry Alliance Exec. Dir. Paul Kurtz said. The "required 3rd-party audits and close FTC compliance monitoring for the next 2 decades" should scare firms into improving certification and data security procedures, he added.
*By subscription only

UPI, January 30, 2006
IM interoperability raises virus threat

Interoperability of instant-messaging services will allow worms and viruses to propagate more easily, creating more risk in online security, according to Postini's annual Message Management and Threat Report. The 42-page report, issued by messaging traffic processor Postini, details the types of threats to look for in 2006, as well as the new trends in data security to attempt to minimize those threats. Among the predicted new security trends, the report said that message encryption will become standard, as companies find new ways to provide easy, policy-based encryption on demand. Ron Teixeira, executive director of the National Cyber Security Alliance, said that small businesses are at more of a risk because they simply aren't prepared for cyber threats. Last week's FBI Cyber Crime Survey "showed that the small-business community doesn't have the resources and the education to put cyber security at the forefront of their priorities," Teixeira said. Paul Kurtz, executive director of the Cyber Security Industry Alliance, said that the best defense from cyber threats for small businesses is to worry about security from the start and "not have it be an afterthought." "They need to adjust their thinking on how to protect information systems," Kurtz said. He suggested companies hire someone to focus on company security, to look after the systems as well as security policy. Last week's FBI survey found that less than 10 percent of the polled public and private institutions that suffered a computer security incident reported it to law enforcement, a fact that Kurtz found troubling.
*Also appeared in and Monsters and

Financial Times, February 8, 2006
Privacy under pressure in Europe

Privacy campaigners claim it is the realisation of a Big Brother state, while some law enforcers insist it is a necessary response to the growing global threat of terrorism. For telecommunications groups and internet services providers, though, the prospect of Europe-wide laws requiring them to retain, and hand over, electronic communications data is a potential headache and extra cost burden. A European directive is in preparation that will require the providers of publicly available communications services to retain details of fixed-line, mobile phone and e-mail communications for at least six months, and possibly up to two years. It is a requirement that even the US has not imposed in its war on terror. Some countries, such as the UK and Spain, already make substantial use of internet and phone records in serious criminal inquiries. Others, including Germany and Finland, have been less enthusiastic because of concerns over the costs and the impact on existing data- protection laws.
*By subscription only

February 8, 2006
Hacker jailed for bringing down millions of PCs

A hacker who stopped more than three million Spanish computer users from using the internet has been sentenced to two years in jail. Twenty-six-year-old Santiago Garrido used a computer worm to launch distributed denial-of-service (DDoS) attacks after he was expelled from the popular "Hispano" IRC chat room for disobeying its rules. The attacks disrupted an estimated three million users of the Wanadoo, ONO, Lleida Net and other internet service providers - amounting to one third of all of Spain's web users at the time of the 2003 offense. Garrido was sentenced at a court in La Coruña and also faces a 1.4 million Euro fine.