Cyber Security Industry Alliance Newsletter • Volume 2, Number 5 • January 2006

CSIA in the News

Article of Interest, December 1, 2005
Be afraid of the catastrophic data breach

Data breaches seem to be getting more common, and soon they could get more costly. At least one security analyst predicts that a breach will bankrupt a high-profile company. Bank of America Corp., CardSystems Inc., ChoicePoint Inc., LexisNexis Group and TransUnion LLC represent just a handful of the most recent victims bitten by the breach bug. But the lessons these high-profile companies are learning about customer data security may not be motivating other firms to secure their systems. Many companies have not spent enough money on protection, according to Jon Oltsik, senior analyst with Enterprise Strategy Group in Milford, Mass. "They're playing catch-up now, but some say they will just live with the risk," he said. "Some old-school types can't justify the return on their investment." The cost of disclosure, notification and the offer of credit monitoring services to affected users or customers after a breach can really add up. Penn said that the general rule is $15 per customer. "If it's a financial firm and credit cards are involved, that's an additional $35 for credit card replacement."


InformationWeek, December 14, 2005
White House, Congress Flunk on Cyber Security, Group Says

The administration and the federal government got a failing grade in securing the nation's information infrastructure from a security trade association -- with most of the blame falling at the feet of the Department of Homeland Security. The Cyber Security Industry Alliance (CSIA), a group that includes big name security firms such as Symantec, McAfee, RSA Security, Check Point, and Internet Security Systems on its member rolls, blasted the government's progress in keeping the U.S. safe from cyber attacks. "We lack leadership," said Paul Kurtz, the executive director of the CSIA, "and because of that, there's been a lack of progress." The group's self-styled "National Agenda for Information Security in 2006" is a response to President Bush's "National Strategy to Secure Cyberspace," which was touted in December 2003. "Since then, we've really been on a downward slope," said Kurtz. "There are some places where we see some limited progress, but the overall strategic level of leadership -- someone who is there full time, all the time making sure programs are in place and properly funded -- that's what's lacking."
*Also appeared in Optimize Magazine, Systems Management Pipeline, Security Pipeline and TechWeb.

TechNewsWorld, December 14, 2005
CSIA Says Government Needs Cyber-Security Strategy Improvement

Is the United States government doing enough to secure the country against cyber-attacks? Not according to the Cyber-Security Industry Alliance (CSIA). The security trade organization issued a report yesterday calling on the federal government to assert greater leadership in the protection of the country's information infrastructure in 2006. The CSIA's "National Agenda for Information Security in 2006" identifies 13 specific actions required to improve information security for consumers, industry and governments globally. As part of the Agenda, CSIA also provides a report of the government's limited progress in information security in 2005 and releases a new "Digital Confidence Index" that reflects the public's lack of confidence in our nation's critical infrastructure. "Over the past year, the government has taken limited steps to improve the state of information security in our country, such as increased Congressional leadership on issues of spyware and identity theft, and the creation of a new Assistant Secretary for Cyber-Security and Telecommunications position within the Department of Homeland Security," said Paul Kurtz, executive director of CSIA.
*Also appeared in E-Commerce Times.

Computerworld, December 15, 2005
Security Log

Fed Cybersecurity Efforts Faulted: The U.S. government has made little progress in most cybersecurity areas in the past year, despite warnings from several groups, said a trade group representing cybersecurity vendors. The U.S. Department of Homeland Security has failed to hire an assistant secretary for cybersecurity even though an elevated position was announced in July, and cybersecurity research and development within the U.S. government is "at a crisis," said Paul Kurtz, executive director of the Cyber Security Industry Alliance.
*By subscription only.

The Wall Street Journal, December 15, 2005
The Morning Brief: U.S. Criticized for Cyber-Security Effort

A group of leading technology companies chastised Congress and the Bush administration for what it characterized as a failure to support initiatives to fight online crime, saying a lack of leadership and accountability in this area is endangering U.S. economic and national security, the Washington Post reports. The Cyber Security Industry Alliance said the federal government has largely declined to act on recommendations the group outlined a year ago, goals that mirrored policies originally set forth in early 2003 by the White House in the "National Strategy to Secure Cyberspace." Cyber-security as a government priority "has been on a downward slope and we need to arrest that decline and bring the issue back to the level [of importance] it was a few years ago," said Paul Kurtz, a former Bush administration cyber-security official who serves as chief executive of the alliance. The industry-led criticism comes as the problem of computer- and Internet-based crime has reached an all-time high, the Post notes.
*By subscription only.

eWEEK, December 19, 2005
Poll Reveals Data Safety Fears

Nearly half of all adults in the United States avoid making purchases online because they are afraid that their personal information could be stolen, according to a new poll sponsored by the Cyber Security Industry Alliance. Seventy-two percent of the 1,151 respondents to the poll conducted in November said new laws are needed to protect consumer privacy. The CSIA-sponsored study was conducted by Pineda Consulting, of Pasadena, Calif. Calling the federal government's progress in improving the security of the country's networks limited, Paul Kurtz, executive director of the 2-year-old alliance in Washington, said the lack of leadership is reflected in the anxiety of the general public. One year ago, CSIA outlined 12 recommendations to enhance cyber-security, and this year the group graded the government on its progress, issuing below-average grades for seven of the recommended areas. The alliance was particularly harsh in its assessment of efforts to fund R&D, to improve information sharing and to enhance the quality of software by strengthening certification.

InformationWeek, December 20, 2005
Editor's Note: Homeland Insecurity

While The New York Times was polishing its report on secret, presidential-approved eavesdropping on U.S. citizens, another report was making the headlines last week on the beltway and in the tech press. The Cyber Security Industry Alliance, which includes big-name security companies such as Symantec, McAfee, and RSA, blasted the government's progress in keeping the United States safe from cyberattacks. In the past year, I've watched report after report record negative grades and mete out severe tongue-lashings to government agency after government department, posted in story upon story. When does this end? Over the last several years we've watched the Homeland Security czar post become a revolving door as proponents struggle to give the position some visibility, meaning, and authority. Meanwhile, GAO report card after report card slaps around our various government agencies--including Homeland Security--for earning low scores on security readiness. Since this is the same government that has urged reluctant companies to report security breaches and the mostly privately owned national infrastructure to adhere to a standard level of security measures, it's a classic case of "do as I say, not as I do."

New Scientist, December 24, 2005
Gaping holes in internet security

Last week the Cyber Security Industry Alliance, in its annual report, gave the government mainly grade Ds and one grade F on 12 security recommendations that it made last year. Paul Kurtz, head of the CSIA, says that multiple data security breaches in the past year have exposed the personal details of over 50 million Americans. He warns that in the future, hackers could corrupt medical or financial records or take down a significant portion of the internet. The report makes 13 new recommendations, including a law that would require companies to notify customers of security breaches and harmonisation of the US and Europe on cybercrime investigation and prosecution.
*By subscription only.

USA Today, December 28, 2005
2005 worst year for breaches of computer security

Data breaches disclosed at Marriott International, Ford Motor, ABN Amro Mortgage Group and Sam's Club this month capped what computer experts call the worst year ever for known computer-security breaches. At least 130 reported breaches have exposed more than 55 million Americans to potential ID theft this year. The breaches come at a time when the Department of Homeland Security's research budget for cybersecurity programs was cut 7%, to $16 million, for 2005. ID theft-related bills are stalled in Congress, and data brokers such as ChoicePoint, itself a victim of fraud this year, remain unregulated, "so it is likely that many more serious breaches have gone unreported," says Avivah Litan, a security analyst at Gartner. As a result, the Bush administration has drawn the ire of the Cyber Security Industry Alliance, which represents high-tech heavyweights Symantec, McAfee and RSA Security. "Attacks are taking place every day," says Paul Kurtz, a former Bush administration cybersecurity official who is executive director of CSIA.
*Also appeared in Appleton Post Crescent, Lansing State Journal, Bucyrus Telegraph Forum, AZ, The Common Voice, Tucson Citizen and

American Banker, December 30, 2005
Security Watch; Breaches, Legislation, The Year

During an otherwise largely quiet holiday week, the financial services industry found itself surprisingly busy managing the disclosure and discovery of new breaches. Visa U.S.A. acknowledged this week that another merchant -- not Wal-Mart Stores Inc.'s Sam's Club division, which announced a payment-related breach this month -- has experienced a security breach involving credit card account information. Many companies are pushing for federal rules on identity theft, because they fear states will enact even tougher laws, the Los Angeles Times reported Monday. Not surprisingly, some computer experts are calling this year the worst ever for security breaches. At least 130 reported breaches have exposed more than 55 million Americans to potential identity theft this year, USA Today reported Thursday. But the Department of Homeland Security's 2005 research budget for cybersecurity programs was cut 7%, to $16 million. That cut has frustrated members of the Cyber Security Industry Alliance, which includes technology companies like RSA Security Inc., McAfee Inc., Juniper Networks Inc., and Symantec Corp., the paper reported.
*Full article below.

Arizona Daily Star, January 3, 2006
Fighting crime in cyberspace requires vigilance

Even though a sense of routine and normalcy returns after weeks of holiday cheer, keep in mind you are not alone in cyberspace when you log on to the home or office computer. Cybercriminals are ready to zap your data as you get comfortable and start zipping through the Internet. Last year was the worst ever for computer security breaches, USA Today reported last week. At least 130 security breaches put more than 55 million Americans at risk for ID theft last year. Don't expect government to come to your immediate rescue. Cyber Security Industry Alliance, which represents high-tech companies, complains of a 7 percent cut in the Department of Homeland Security's research budget for cyber security programs, floundering ID theft-related bills and nonregulation of data brokers. The Department of Homeland Security National Cyber Security Division officials said the department is working with the private sector and government to create a response system to detect and stop cybercrime, according to the USA Today story.

Computerworld, January 3, 2006
Q&A: RSA CEO sees lack of leadership in U.S. cybersecurity efforts

As president and CEO of RSA Security Inc., Art Coviello is responsible for the company’s vision and long-term strategy. He is also a founding member and co-chair of the Standards Committee of the Cyber Security Industry Alliance (CSIA), which is a consortium of technology companies. In an interview with Computerworld, Coviello talked about the lack of federal leadership on cybersecurity issues, the challenges of information-sharing and RSA's recent acquisition of fraud management software vendor Cyota Inc.

The CSIA recently criticized the federal government for its apparent failure to act on recommendations to improve cybersecurity. What exactly is the problem?

[Former White House counterterrorism chief] Dick Clarke, in his last act working for the White House, pulled together in early 2003 a strategy for the president to secure cyberspace. We are heading out into 2006, and the government has done absolutely nothing to execute on their own strategy. I think it is entirely appropriate that the Cyber Security Industry Alliance and industry leaders call attention to that fact.