Cyber Security Industry Alliance Newsletter •  Volume 3, Number 9  • July/August 2007

President's Message

  Tim Bennett

As the only industry association solely dedicated to cyber security policy issues in the U.S. and E.U., we are often seen in legislative hearings or quoted in media reports discussing the enormous impact of cybercrime on our economic and national security interests.

In late July we saw many of the same messages coming from a different source: the United States Government Accountability Office (GAO). Its report, “CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats,” offers a wealth of information on the impacts of cybercrime on our economic and national security. It also underscores the difficulties faced by both private and public sector organizations, especially law enforcement, in tackling this complex problem.

  

Originally sent to Congress on June 22 and released to the public on July 23, the report offers far too much information for me to summarize in this column, although some of the key findings are noted below. However, CSIA shares the primary conclusion of the report: “Cybercrime is a threat to U.S. national economic and security interests.” While the GAO report by its mandate focuses on just the U.S., its conclusions undoubtedly apply to the E.U. and elsewhere as well.

GAO auditors reviewed a number of studies which estimate cybercrime costs, but correctly concluded that it’s impossible to pinpoint the exact dollar amount of cybercrime. Nonetheless, GAO still estimates the direct economic impact on the U.S. economy is in the tens of billions of dollars annually. This number must be a gross underestimation since it doesn’t capture any estimates of the cost of commercial espionage or theft of commercial intellectual property via computer networks.

The report warns about cyberwarfare preparations of China, extensive use of the internet by terrorist groups and the vulnerability of “computer-reliant critical infrastructures.”

  

On the national security front, the report references cyberwarfare preparations of China which are targeted at the heavily IT-based infrastructure of the U.S. military. It also points to the extensive use of the internet by terrorist groups for fund-raising and recruiting. The largest threat is to the “computer-reliant critical infrastructures,” whether they be power generation, food or water supply, financial systems, or information systems. An interesting factoid in the report is that DOD’s information network represents about 20 percent of the entire Internet and receives about 6 million probes or scans per day.

The report discusses four key challenges that must be addressed to better fight back against cybercrime: (1) accurate reporting of cybercrime to law enforcement, since incidents are often not reported; (2) ensuring adequate staff and equipment resources for law enforcement organizations; (3) working in a borderless environment with laws of multiple national and international jurisdictions; and (4) implementing information security practices and raising awareness.

The GAO report contains an interesting observation about the fourth challenge above. It found that organizations are encountering substantial difficulty “in maintaining strong information security programs” and that, despite efforts by public and private groups to raise awareness about the importance of infosecurity, many organizations and individuals remain insecure.

  

Recommendations for better cyber security include: improving reporting to cybercrime authorities, staffing enforcement agencies, building national and international legislative cooperation, and training individuals and organizations to secure their information.

Cybercrime transcends borders. The criminals are unaffected by the proximity constraints and differing laws that hamper law enforcement. This is one reason CSIA is seeking federal data security legislation in the U.S. to replace the hodgepodge of state laws now existing in 38 U.S. states.

What’s more, global cooperation on cybercrime is critically important, as are efforts to harmonize international laws to the extent possible. This is why CSIA fought hard for last year’s U.S. Senate ratification of the Council of Europe’s Convention on Cybercrime, which was a significant step forward in the international fight against cybercrime. It is also why CSIA is a global organization.

As seen in the latest GAO report, the cybercrime problem is both serious and complex. CSIA member companies are focused on developing and providing advanced products that protect the computers and networks of individuals and organizations and, when an intrusion occurs, detect it.

On the policy front, CSIA remains committed to seeking additional information security laws in the U.S. and E.U. by bringing together the best and brightest in the information security industry to arm policymakers on both sides of the Atlantic with the intelligence needed to navigate this challenging issue.

 

Tim Bennett
President