CSIA in the News
Article of Interest
National Journal, June 21, 2006
Victims Of VA Data Theft Offered Free Credit Services
Veterans Affairs Department Secretary James Nicholson on Wednesday announced plans to provide free credit monitoring for millions of veterans and active-duty military personnel whose data was stolen. Nicholson said police have no further leads on what became of a laptop that contained personal information on 26.5 million people that was stolen from a former employee's home. "We have no evidence of use being made of this data that was stolen," he said. While veterans can get free credit reports themselves, Nicholson said hiring a credit-monitoring service is the right thing to do. He said he does not know the cost; the department will take bids from three leading monitoring companies.
He said the service will be offered to 17.5 million veterans, as some of the 26.5 million are deceased or did not have Social Security numbers or addresses. VA staff said sending the letters to 17.5 million veterans, once a contractor is hired, would cost about $7 million, as that was the cost to print and mail the initial letters to veterans confirming news reports of the security breach. "We will get the money to pay for it," Nicholson said. "The money will not result in a diminution of any services provided to veterans." At a hearing earlier this week, the VA said it was spending $200,000 a day to operate a call center for veterans seeking information on the data breach. Nicholson said they have not received as many calls as expected, just 200,000 so far. "The VA has learned the hard way that the cost to not securing sensitive personal information is clearly very high," said Paul Kurtz, executive director for the Cyber Security Industry Alliance. "It's not just in terms of monetary costs, but reputation and the overall drag it has on the confidence people and businesses have on the Internet, computers and our digital society."
"You can encrypt information very cheaply or far more cheaply than what
is now under way at the VA," Kurtz said. Gartner, a security research firm,
has estimated the average cost of a data breach at $90 per person. Avivah Litan
recently told the House Veterans Affairs Committee that a company's cost to
encrypt 10,000 accounts would be as little as $6 per customer. The House Veterans'
Affairs Committee has another hearing on the data breach scheduled Thursday.
It will look at the academic and legal implications of the data loss. The department
plans to retrain employees on security procedures by the end of the month and
will hold a security awareness week June 26-30. "What the VA is doing is
important, but Congress really has an opportunity now to put in a national standard
for securing personal information," Kurtz said. "They've been staring
at several bills for more than a year," he added. "They just need
to close the deal." The bills include S. 1326, S. 1408, S. 1789, H.R. 3997,
H.R. 4127 and H.R. 5318.
* Subscription only.
CSIA News
Government Executive, May 3, 2006
Flu plan requires rewriting of federal telework guidance
The White House plan released Wednesday for responding to a possible influenza pandemic requires the Office of Personnel Management to update its telework guidance to provide instructions for alternative workplace options during an outbreak. Specifically, the plan calls for an OPM telework guide and two courses, one for managers and the other for employees, to be updated within three months. Within the same time frame, the personnel agency would need to provide guidance on continuity of operations planning and human capital management. Paul Kurtz, executive director of the Cyber Security Industry Alliance, echoed Mularie's concerns, stating the plan fails to address the stability of the nation's information infrastructure. "Everything we do associated with a pandemic is going to require that the communication infrastructure is up and running," Kurtz said. While he said he does not expect a presidential report to delve into the details of policy, he noted that it devotes an entire chapter to transportation infrastructure and borders. Similar attention should have been paid to communication networks, he said. In a letter to Frances Townsend, assistant to the president for homeland security and counterterrorism and the point person behind the report, Kurtz and Mularie requested that the president's National Security and Telecommunications Advisory Committee and the National Information Advisory Council jointly review plans for preventing the Internet's infrastructure from being overwhelmed in the event of a pandemic. Kurtz also criticized the Homeland Security Department for failing to fill the position of assistant secretary for cybersecurity and telecommunications announced in the July 2005 departmentwide reorganization.
LinuxElectrons.com, May 6, 2006
RAND Launches National Computer Security Survey
On behalf of the U.S. Departments of Justice and Homeland Security, the RAND Corporation is fielding the first national survey to measure the impact of cybercrime on American businesses. The DOJ/DHS National Computer Security Survey (NCSS) is scheduled for completion by the end of 2006. The survey will produce industry-level statistics on the number and consequences of cyber attacks, frauds and thefts of information among the 5.3 million businesses in the United States. The survey has been endorsed by a wide range of groups including: Business Executives for National Security, the Business Software Alliance, the CERT Coordination Center, the Cyber Security Industry Alliance, the Food and Agriculture Information Sharing and Analysis Center, the Information Technology – Information Sharing and Analysis Center, InfraGard, the Manufacturers Alliance, the National Alliance for Health Information Technology, the National Association of Manufacturers, the National Federation of Independent Businesses, the National Telecommunications and Information Administration, the President's Council of Advisors on Science and Technology, the Real Estate Round Table, the Risk and Insurance Management Society, the Small Business Group and Entrepreneurship Council, and the U.S. Chamber of Commerce.
IDG News, May 8, 2006
Analysis: US data breach notification law unlikely this year
In the wake of a series of data breaches in early 2005, the U.S. Congress
seemed ready to move quickly on legislation that would require companies to
notify customers when their personal information had been compromised. Now,
more than a year after data breaches at ChoicePoint Inc. and LexisNexis set
off a national debate about identification theft and data security, time is
running out for Congress to pass a law before it finishes business this year.
Lawmakers have introduced more than 10 bills dealing with data breach notification
since early 2005. In late 2005, a data breach notification law seemed virtually
assured; even data brokers such as ChoicePoint advocated a federal law that
would preempt state notification laws that were popping up across the U.S.
Last month, a group of executives from IT security vendors came to Washington,
D.C., to push for a data breach bill, with some worried that Congress was letting
the issue die. Organized by the Cyber Security Industry Alliance, the trip
left some participants with continuing concerns that Congress has put the issue
on the back burner. Participants told lawmakers and staff, “You might
want to poll your constituents and see if this is important,” said Philip
Dunkelberger, president and chief executive officer of PGP Corp. “We’re
saying, ‘You need to get the legislation out there where people can have
an open, public debate’.”
*Also appeared in MacWorld, PC Advisor, Computerworld, Network World
and InfoWorld.
Mass High Tech, May 8, 2006
Security standstill
The unwavering bottom line in the world of network security remains as sobering as ever: The growth rate of threats is outpacing conventional wisdom and solutions. Current trends in corporate purchasing of emerging intrusion detection/prevention and associated technologies are driven by the need to maintain data security as the mobile-technology and remote-access age explodes, while still allowing business to flow normally. Of course, network security governance policies and procedures that balance usability and risk are far more easily conceived than achieved. That challenge is made steeper given that large firms tend to straggle behind the rest of the field in IT security spending, staff, technology and management practices. According to a 2006 survey of North American IT security managers by Computer Economics, companies with annual revenue exceeding $750 million devote fewer dollars in relative spending to IT security than small and midsize firms. Such so-called large firms also typically deploy cutting-edge security-management practices and adopt new security technology solutions at a slower rate. The Cyber Security Industry Alliance, an industry advocacy group, reported to Congress last month that more than 52 million Americans' personal records have been hacked, lost, stolen or otherwise compromised in the past year. In an Aberdeen Group study published earlier this year, 33 percent of respondents to a national health care provider security survey reported a security incident or patient-privacy breach since July 2005, while another 22 percent conceded they "did not know" if such an intrusion had occurred.
Washington Internet Daily, May 9, 2006
Finnish antivirus firm F-Secure is the first
European member of the Cyber Security Industry Alliance, the group said Mon.
Because many Alliance members have international operations, "we hope
to expand our ability to promote international dialogue and cooperation as
the European Union moves forward with a number of important initiatives," said
Exec. Dir. Paul Kurtz. Alliance priorities include the i2010 campaign, the
role of the European Network & Information
Security Agency, and the electronic communications and e-privacy revisions
in the EU regulatory framework. F-Secure CEO Risto Siilasmaa will join the
Alliance board. The company has offices in France, Germany, Italy, U.K., U.S.,
Japan and elsewhere. F-Secure said it was the first firm to test Sony BMG CDs
for security vulnerabilities.
*Subscription only.
Government Executive, May 11, 2006
Plans for telework during disasters found to be lacking
The ability of federal agencies to continue critical operations during large-scale emergency situations would be significantly enhanced with widespread use of telework, but few have made the necessary preparations, officials told a congressional panel Thursday. Comptroller General David M. Walker said agencies would be unlikely to ensure that their employees are able to telework during a disaster unless White House-mandated guidance from the Homeland Security Department requires them to do so. A second panel of private sector officials, including Scott Kriens, chairman and chief executive officer of Juniper Networks, and Paul Kurtz, executive director of the Cyber Security Industry Alliance, said the technology for agency employees to work from home during disasters is readily available. Kurtz said officials "simply don't know" the impact if half the 60,000 employees of the Health and Human Services Department try to work offsite. "We do know that any limitations on their ability to do their jobs would have a cascading effect throughout the medical system, and at the worst possible time," Kurtz said. He recommended that the president's advisory committees on the issue suggest plans for surge capability. House Government Reform Committee Chairman Tom Davis, R-Va., expressed his frustration with agencies' sluggish implementation of telework, as compared with the private sector.
IDG News, May 11, 2006
Tech groups: Teleworking can slow bird flu
Parts of the U.S. government could shut down during a much-feared outbreak of avian influenza unless it develops better telecommuting plans, two IT leaders told lawmakers Thursday. Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA), and Scott Kriens, chairman and chief executive officer of networking equipment vendor Juniper Networks Inc., told the U.S. House of Representatives Government Reform Committee that government agencies lack plans for long-term telecommuting. Even as world health officials worry that the ever-spreading avian flu could mutate and begin jumping from human to human, most federal agencies' telecommuting plans assume employees will be gone two or three days, Kurtz said. In addition to a flu pandemic that could last as long as 18 months, teleworking can help the government continue operations in other emergencies, such as terrorist attacks and natural disasters, Kurtz said. Although the U.S. Congress in 2000 passed a law requiring agencies to offer telework options, agencies are required to return any cost-savings achieved through teleworking back to the federal budget, Kurtz said. Kriens told committee members that private businesses are ahead of government agencies in embracing telework. "Business managers realize that telework is a way to get optimal performance from their workers, allowing employees to get work done from home or the road," Kriens said in written testimony. "I find it ironic that many government managers reportedly equate telework with reduced employee work hours and lower productivity, believing in the outdated management philosophy that 'if I can’t see you, I can’t manage you.'”
*Also appeared in InfoWorld and IT World.
National Journal’s Technology Daily, May 11, 2006
Cyber Security; House Panel Notes Barriers to Government Telework
With lessons from Hurricane Katrina fresh on their minds, members of a congressional
committee on Thursday drilled federal agency leaders on how they plan to keep
the government running during a pandemic of influenza or other emergency. Government
Reform Committee Chairman Tom Davis, R-Va., expressed frustration with the
federal foot-dragging on telework, compared with the private sector. A General
Accounting Office investigation found that nine of 23 federal agencies have
a plan for some employees to telework to continue government operations. Industry
agrees that teleworking capacity after emergencies will take planning. Paul
Kurtz, executive director of the Cyber Security Industry Alliance, said officials "simply
don't know" the impact if half the 60,000 employees at HHS try to work
offsite. "We do know that any limitations on their ability to do their
jobs would have a cascading effect throughout the medical system, and at the
worst possible time," Kurtz said. He recommended that the president's
advisory committees on the issue suggest plans for surge capability. But both
he and Scott Kriens, chairman and CEO of Juniper Networks, said the technology
is there "waiting on the shelf for deployment." "This is a capability
that can be employed today," Kriens said. He said the State Department
is using telework to keep employees safer while working in Afghanistan, and
given the greater technical challenges there, the same thing certainly could
be done in the United States. Kriens recommended leadership by example. "Have
managers themselves telework," he said, adding that writing a report would
not generate the same wave of acceptance.
*Subscription Only
Reuters, May 11, 2006
US government urged to work from home in pandemic
If a flu pandemic forced 40 percent of workers to stay home, telecommuting
could help keep governments and businesses running -- but hardly any are set
up to do this, experts told the U.S. Congress on Thursday. A report from the
Government Accountability Office found that only nine of 23 federal agencies
had plans in place for essential staff to work from home during a pandemic. "None
of the 23 agencies demonstrated that it could ensure adequate technological
capacity to allow personnel to telework during an emergency," GAO Comptroller
General David Walker told a hearing of the House Government Reform Committee.
One reason for the lack of preparation was that FEMA (the Federal Emergency
Management Agency) had not provided specific guidance on what was needed to
allow staff to work from home, the GAO report said. But it requires planning,
said Dr. Jeffrey Runge, acting undersecretary for science and technology at
the Department of Homeland Security. "It is one thing to say we are all
going to use the Internet for work," Runge told the hearing. There are
fears that Internet access could be overwhelmed if millions of workers all
try to use it at the same time. "It turns out to be quite a more complex
problem than saying, 'guys, go home and log on,'" Runge said. The GAO's
Linda Koontz said one agency needed to be put in charge of coordination, and
rehearsing was essential. Paul Kurtz, a former National Security Council member
now executive director of the Cyber Security Industry Alliance, said no one
had evaluated the Internet's total capacity. "We simply don't know about
what the impact would be if, for example, even half the 60,000-plus employees
of the Department of Health and Human Services -- who help coordinate the entire
national health care system -- were to attempt to work off-site," Kurtz
said.
*Also appeared in CRN, ChannelWeb, InformationWeek, TechWeb, Australian
IT, The Advertiser, Melbourne Herald Sun, Daily Telegraph, Courier Mail,
VARBusiness and The Australian.
CQ Homeland Security, May 12, 2006
Computer Infrastructure Could Be Overwhelmed by People Working From Home During Pandemic
If a pandemic or terrorist attack strikes the nation, the best place for
many government officials to work may be from their own homes. But questions
are being raised about the ability of the Internet and government computer
infrastructures to handle the sudden onslaught of thousands of new teleworkers.
When the government began assessing continuity of operations plans, or COOP,
from federal agencies in the 1990s, much of the focus was on alternative operation
sites. The National Strategy for Pandemic Influenza: Implementation Plan, unveiled
by the White House earlier this month, acknowledges that because a pandemic
presents the same risks everywhere, the use of alternative facilities may not
work. Teleworking is a key alternative. Paul Kurtz, executive director of the
Cyber Security Industry Alliance, told Congress Thursday that teleworking and
other remote access to government operations would likely be secure in a national
emergency. But he said he is unconvinced the government’s networks could
handle the strain. “Little empirical evaluation has been done of the
ability of the Internet infrastructure to support the traffic created when
large number of employees — from both public and private sector — suddenly
attempt to log on,” he said. “There will surely be a spike in telecommunications
traffic overall at the first onset of the crisis.” And that surge could
last for months. “Most agencies’ contingency plans are designed
for a maximum downtime of two or three days; a flu pandemic could last as long
as 18 months,” Kurtz told the House Government Reform Committee. “We
simply don’t have the workforce distribution capability or the Internet
infrastructure that we need today.”
*Full article below.
Washington Internet Daily, May 12, 2006
Capitol Hill
The federal workforce lags far behind the private sector in its ability to
work offsite in response to a large-scale crisis such as pandemic influenza,
Cyber Security Industry Alliance (CSIA) Exec. Dir. Paul Kurtz told the House
Govt. Reform Committee Thurs. Committee Chmn. Davis (R-Va.) has previously
called for govt. to be able to decentralize their critical functions in an
emergency, but Kurtz said that hasn't been achieved. "Many agencies have
made strides within their own internal operations and continuity of operations
planning. But they have a long way to go before they are ready to work together
in a crisis like an outbreak of avian flu," he said. Most agencies' contingency
plans are designed for a maximum downtime of 2-3 days; a flu pandemic could
last as long as 18 months. The CSIA chief urged the govt. to invest in capabilities
that would let its employees function offsite under normal as well as adverse
conditions -- not only at home, under the traditional definition of telework,
but from anywhere, at any time. The bird flu scare might provide the impetus
to change the way govt. does business, he said.
*Subscription only.
Washington Technology, May 15, 2006
On policy front, procurement and GSA loom large
For IT executives in Washington, pursuing policy goals takes a combination of offense and defense. As Congress shifts into high gear for the spring legislative session, contractors and their representatives are promoting policy initiatives, while also fighting a growing tide of protectionism and other moves they believe may restrict competitiveness. “Our first priority, one of our basic tenets really, is to promote competitiveness,” said Olga Grkavac, vice president of trade group Information Technology Association of America. IT contractors also are pushing efforts to secure cyberspace and strengthen overall information security as a matter of national security. Regarding cybersecurity and IT critical assets, the IT Sector Coordinating Council by September will have drafted a sector-specific plan for protecting the nation’s computer networks against a terrorist attack or disaster. Another IT industry group, the Cyber Security Industry Alliance, has criticized the Bush administration’s inaction on cybersecurity and the absence of a top IT official at the Homeland Security Department. Secretary Michael Chertoff in July 2005 said he would appoint an assistant secretary for cybersecurity, but the position is still vacant. “Without a doubt, the absence of an individual filling this slot almost a year later is not a good-news story for the department and for our level of preparedness in the event of a large-scale cyberevent,” said Paul Kurtz, director of the alliance.
Washington Internet Daily, May 16, 2006
Internet People
Liz Gasster, ex-AT&T, joins Cyber Security Industry Alliance as general
counsel.
*Subscription Only
Washington Internet Daily, May 19, 2006
Experts Ponder Tools Behind Phone Surveillance
The National Security Agency most likely is employing just a few software
systems to collect Americans' telephone records, according to technology specialists.
News broke last week that the NSA boasts a database with the calling records
of tens of millions of Americans. SAS, a top data-mining company, has software
that could handle the data sought by NSA to find patterns in phone calls and
make forecasts of anti-terrorism activity based on those patterns. "SAS
is used by all 15 major U.S. government departments," spokesman Trent
Smith said. "However, we are under nondisclosure agreements with many
of them, including the intelligence agencies we serve." Data-management
systems like Microsoft's SQL would allow NSA to find and sort information,
said Brian Garrett, a director for the Enterprise Strategy Group. He added
that the agency would face many technological and cost challenges if it wanted
to retain the records for lengthy times. Paul Kurtz, executive director of
the Cyber Security Industry Alliance, said the wider issue is the amount of
sensitive data available in the private sector, and Congress needs to address
that.
*Subscription Only.
Federal Computer Week, May 23, 2006
Americans want better data security laws
The U.S. public wants stronger federal data security legislation as its confidence wanes in current laws intended to protect them on the Internet, according to a new survey the Cybersecurity Industry Alliance released today. The April survey of 1,150 adults found that only 18 percent – less than one in five – believe that existing laws are sufficient to protect them on the Internet. With so many Americans vulnerable to exploitation, “the survey reiterates that Americans are concerned with this issue and want to see an adequate legal framework” to protect them, said Shannon Kellogg, director of government and industry affairs at RSA Security and a member of the National Cyber Security Alliance’s Board of Officers. "Identity theft isn't just a Washington, [D.C.], issue, it's a kitchen table issue, and this is a strong signal that Americans want their government to take action on the problem -- before this November's elections," said Chris Voice, chief technology officer at Entrust. “While data security alone won’t be a deciding factor in an election, the survey does reveal that voters have serious doubts about candidates opposed to strong data security laws,” said Paul Kurtz, executive director of the Cybersecurity Industry Alliance. The survey also revealed little difference between Republicans and Democrats on cybersecurity policy issues. Data security has become personal for Americans, and constituents are complaining to their legislators to enhance protections, Kellogg said.
Finextra.com, May 23, 2006
Fraud fears scare off US Web shoppers
Half of US consumers avoid making purchases online because they are afraid their financial information will be stolen, according to a study released by The Cyber Security Industry Alliance. The US-wide survey of 1150 adults conducted by Pineda Consulting found that only 44% feel their information is safe when engaging in e-commerce and only a third (34%) feel that Internet banking is as safe as banking in the branch. Paul Kurtz, executive director of CSIA, says the rash of high-profile data breaches over the past 18 months has compromised more than 55 million personal records, but Congress has spent more than a year debating data security legislation without results. "If we cannot create a trusted digital environment, it won't just impact e-business, it will impact all business because nearly every company's assumptions about growth involve the continued acceptance and usage of our digital networks," says Kurtz. "A loss of consumer confidence is a billion dollar problem and it is time for Congress to move forward with a national data security bill that assures Americans they are being protected online."
Government Technology, May 23, 2006
Poll Shows Americans Want Congress to Do More to Protect Them Online
The Cyber Security Industry Alliance (CSIA) has released the results of its semi-annual survey dedicated to measuring the American public's confidence in the security of the nation's digital infrastructure. The results of the nationwide survey of 1,150 adults conducted on behalf of CSIA by Pineda Consulting demonstrate for the first time that Americans' lack of confidence in the Internet may have political consequences. In addition, the survey suggests that the lack of action by the U.S. government is manifesting itself through continued economic losses. Fewer than one in five Americans feel that existing laws are enough to protect them on the Internet. Moreover, voters express a clear preference for strong federal data security legislation even when presented with the argument that it will result in unwanted notices and higher prices with 70 percent of likely voters agreeing that Congress should pass a strong data security law. Nearly half (46 percent) of likely voters who think that Congress should pass a strong data security law report that they would have serious doubts about a candidate that opposes swift action. The survey also revealed little difference between Republicans and Democrats on cyber security policy issues.
IDG News, May 23, 2006
Survey: Data security becoming political issue
Less than half of U.S. residents believe their personal information is safe
when they shop online, and half avoid making online purchases because of security
fears, according to a survey released Tuesday. U.S. voters are also beginning
to see cybersecurity as an issue they will judge political candidates on, the
Cyber Security Industry Alliance (CSIA) said. Forty-six percent of the likely
voters surveyed said they would have serious doubts about a candidate who does
not support swift action to pass laws requiring customer notification after
data breaches, and 71 percent of respondents said they want the U.S. Congress
to pass a breach notification law, the CSIA said. "We are seeing economic
and political consequences come about from that lack of confidence," said
Paul Kurtz, CSIA's executive director. "The issue is starting to resonate
with people." A handful of data-breach notification bills remain stuck
at various stages in Congress, but a data breach at the U.S. Department of
Veterans Affairs (VA) may push the legislation forward, Kurtz said. On Monday,
the VA announced that the personal records of 26.5 million U.S. military veterans
and their spouses were stolen after a VA analyst took the data home. "If
you're looking for a wake-up call for Congress to do something, this is one
hell of a wake-up call," Kurtz said. "I don't know what other kind
of wake-up call we need." U.S. consumer confidence in cybersecurity has
declined slightly since the CSIA's last survey released in December, the group
said. Forty-four percent of respondents said they think their personal information
is safe when they use e-commerce sites, and only 24 percent said businesses
are placing the right emphasis on protecting information systems and networks.
*Also appeared in CIO, InfoWorld and Help Net Security.
InternetNews.com, May 23, 2006
VA Data Breach Stirs Washington
Somewhere out there is a thief with the names and Social Security numbers of every veteran discharged after 1975. In the second-largest data breach on record -- and the biggest Social Security numbers breach ever -- the Department of Veterans Affairs (VA) disclosed Monday approximately 26.5 million veterans are at risk of identity theft. The question looming over Washington Tuesday is does the thief know what he or she has? "We just don't know. [The thief] is either very unsophisticated or getting more sophisticated by the hour as news reports keep coming out," said Liz Gasster, general counsel for the Cyber Security Industry Alliance (CSIA). The bill before the House Commerce Committee does not require mandatory disclosure to consumers after a data breach. Instead, the legislation requires a company suffering a breach to conduct an investigation to determine if notification is necessary. The House Judiciary bill increases criminal penalties for data theft and notification to law enforcement officials in the event of a "major security breach" of more than 10,000 people. Two Senate committees have already passed data breach legislation.
National Journal’s Technology Daily, May 23, 2006
Privacy
A new public survey shows that 70 percent of likely voters want Congress
to pass a strong data-security law. Of those urging the crackdown 46 percent
said they would have "serious doubts" about a candidate opposing
the move. Some 94 percent cited identity theft as a serious problem. Fewer
than 20 percent said existing laws are enough to protect them online. The results
showed little difference between Democrats and Republicans on cyber-security
issues. The Cyber Security Industry Alliance released its semi-annual survey
of 1,150 people Tuesday. Executive Director Paul Kurtz said the issue is on
Americans' minds because of "a rash of high-profile data breaches over
the past 18 months has compromised more than 55 million personal records." Kurtz
does not believe data security will decide an election. But he said the survey
shows that the issue is becoming increasingly to consumers, while Congress
still has not cleared legislation.
*Subscription Only
SC Magazine, May 23, 2006
CSIA study: Less than a fifth feel protected on internet
Fewer than one in five Americans feel that existing laws are enough to protect them on the internet, a new survey revealed. The poll of 1,150 adults for the Cyber Security Industry Alliance (CSIA) by research company Pineda Consulting found that only 18 percent of respondents think that existing laws are enough to protect consumer privacy. The CSIA cited the research findings as having “political consequences” and that “the lack of action by the U.S. government is manifesting itself through continued economic losses.” The survey found that many expressed a clear preference for strong federal data security legislation even when presented with the argument that it will result in unwanted notices and higher prices with 70 percent of likely voters agreeing that Congress should pass a strong data security law. Nearly half of likely voters (46 percent) who think that Congress should pass a strong data security law report that they would have serious doubts about a candidate that opposed swift action. The survey also revealed little difference between Republicans and Democrats on cybersecurity policy issues. Paul Kurtz, executive director of CSIA said that Congress has spent more than a year debating legislation while data security matters have “been rising in the public consciousness”. “While data security alone won’t be a deciding factor in an election, the survey does reveal that voters have serious doubts about candidates opposed to strong data security laws,” said Kurtz. “Consumers are beginning to understand the link between their privacy and data security and they are looking to their government leaders for action.”
UPI, May 23, 2006
Poll: Americans fear online data theft
Half of Americans do not shop or conduct other transactions online due to
security worries, a slight rise from six months ago, says a new survey Tuesday.
The Cyber Security Industry Alliance, a computer industry lobby group, commissioned
the poll of over 1000 Americans last month and released the results Tuesday.
Fifty percent of Internet users interviewed said they avoid any kind of online
financial transactions out of fear that their personal data might be compromised,
a rise of 2 percent since the last survey six months ago. "Internet users are
becoming less rather than more confident about making purchases on-line," says
the report. Fewer than 20 percent believe existing laws are enough to protect
them on the Internet, the survey found, adding that -- even when warned that
strong federal data security legislation could lead to higher prices -- 70
percent of likely voters still support such legislation. The survey also revealed
little difference between Republicans and Democrats on cyber security policy
issues.
*Also appeared in GigaLaw.com.
Consumer Affairs, May 24, 2006
Consumers Want A Safer Cyberworld
Not too long ago, Americans were up in arms about street crime. Now they're irate that Congress isn't doing more to keep them safe online, according to a survey conducted by the Cyber Security Industry Alliance (CSIA). The survey found that consumers' increased wariness is costing online businesses billions of dollars in lost revenue. Fifty percent of the individuals polled were concerned about their financial information being safe online, and 24 percent performed fewer transactions online as a result. Ninety-five percent of the respondents felt that identity theft was a prime concern, and fewer than 19 percent felt that existing privacy and data security legislation was sufficient to protect consumers from online fraud. "If Americans are not given assurances about the security of the networks that connect us, many will not participate – just like the 24 percent of Internet users who do not make purchases on the Internet despite all the potential conveniences," the survey authors wrote. "Those 38 million people represent the economic potential that will not be realized unless government and industry works together to make our networks safer." The CSIA, a trade group of networking and security firms that includes such big names as Symantec, McAfee, and Citrix, conducted the survey in conjunction with Pineda Consulting, a strategic research firm based out of Pasadena, CA. The survey polled 1,150 random individuals via telephone.
Network World, May 24, 2006
Poll shows nation wants stronger data security laws
The poll, taken every six months to gauge public confidence in the U.S. digital infrastructure, was most recently conducted in April by Pineda Consulting for the alliance and drew answers from 1,150 adults. According to the alliance, April’s poll revealed for the first time that there may be political ramifications linked to lack of confidence in the security of the Internet. Specifically, the poll showed that 46% of respondents who said they want Congress to pass stronger data security laws also said they would have “serious doubts” about candidates who would oppose such action. The alliance attributes these sentiments to the dozens of high-profile data breaches that have occurred in the past few years -- which became public knowledge because of state laws established in roughly half of the country that force any organization doing business in those states to disclose data breaches that could result in stolen identities -- combined with the lack of federal laws to govern national data security. More than 10 bills have been introduced since early 2005 that include provisions for national data-breach notification, but none have gathered enough support to make it through Congress. In April, the alliance organized a group of security vendor executives to visit Washington and push for a national data-breach bill, but the event left some participants doubtful that Congress will take action anytime soon.
SecurityProNews, May 24, 2006
Poll Shows Citizens Want More Online Protection
The Cyber Security Industry Alliance (CSIA) has released the results of its
survey dedicated to measuring the public's confidence in the security of the
nation's digital infrastructure. Results of the nationwide survey of 1,150
adults by Pineda Consulting demonstrate for the first time that Americans'
lack of confidence in the Internet may have political consequences. The survey
suggests that the lack of action by the U.S. government is manifesting itself
through continued economic losses. Less than 20 percent of Americans feel that
existing laws are enough to protect them online, according to the CSIA survey.
Voters expressed a clear preference for strong federal data security legislation
even when presented with the argument that it will result in unwanted notices
and higher prices with 70 percent of likely voters agreeing that Congress should
pass a strong data security law. "The rash of high-profile data breaches
over the past 18 months has compromised more than 55 million personal records.
Meanwhile, Congress has spent more than a year debating data security legislation
without results as the issue of data security has been rising in the public
consciousness," said Paul Kurtz, executive director of CSIA.
*Also appeared in WebProNews
TechWeb, May 24, 2006
Data Security Could Be Potent November Election Issue
The American public has little confidence in the security of the country's
digital infrastructure, a poll released Tuesday by the Cyber Security Industry
Alliance (CSIA) said. According to the advocacy group, the issue could play
a part in upcoming November elections. "While data security alone won't
be a deciding factor in an election, the survey does reveal that voters have
serious doubts about candidates opposed to strong data security laws," said
Paul Kurtz, the CSIA's executive director, in a statement. "Consumers
are beginning to understand the link between their privacy and data security
and they are looking to their government leaders for action." Fewer than
1 in 5 of the 1,150 U.S. adults surveyed believed that existing laws can protect
them from fraud, identity theft, and other crimes on the Internet. Meanwhile,
over two-thirds (70 percent) want Congress to pass strong data protection legislation.
The desire to see something done crosses party lines, the survey revealed.
Although Democrats were more likely to support stronger data security laws
(78 percent), Republicans were not far behind, with 68 percent of them favoring
strict legislation. Representatives run a risk if they oppose passing some
kind of law, the CSIA said in its analysis. "If a Member of Congress votes
against a strong data security bill this session, the survey suggests that
the Member’s opponents will bring up the issue in the fall campaign," the
survey's associated report read. Congress got off to a quick start on new data
laws in the first half of 2005, but since then it's been stalled.
*Also appeared in CRN, InformationWeek, Network Computing and Small Business
Pipeline.
Washington Internet Daily, May 24, 2006
Data Show Consumers Shakier about Online Transactions
Americans' suspicion about security in the digital world is rising and affecting
politics and the economy, said the Cyber Security Industry Alliance. Nearly
50% of Americans avoid buying online for fear of identity theft, the survey
found. Less than one American in 5 feels existing laws protect them on the
Internet. About 70% of likely voters want a federal data security law. Scant
difference is evident between Republicans and Democrats on cyber security. "The
rash of high-profile data breaches over the past 18 months has compromised
more than 55 million personal records," CSIA exec. dir Paul Kurtz said: "Congress
has spent more than a year debating data security legislation without results
as the issue of data security has been rising in the public consciousness.
While data security alone won't be a deciding factor in an election, the survey
does reveal that voters have serious doubts about candidates opposed to strong
data security laws." Only 34% of Americans feel banking online is as safe
as banking in person. And only 24% say businesses are protecting their own
information systems.
*Subscription Only
Washington Internet Daily, May 24, 2006
Small Business Vulnerable to Data Security Proposals
Congress shouldn't ignore how data security proposals will affect small businesses,
witnesses told the House Small Business oversight subcommittee Tues. Small
businesses face a disproportionate threat from cyberattacks, given their scarce
resources and weaker infrastructures, said Paul Kurtz, Cyber Security Industry
Alliance exec. dir., in prepared testimony. A Symantec report this year found
small businesses were in the top 3 most targeted groups for cyberattacks, a
point Kurtz made in a March subcommittee hearing. But those firms can improve
security through many federal programs, such as the National Institute of Standards & Technology's
(NIST) SecureBiz workshops and NIST's computer security publications available
online, in addition to low-cost security suites and development by businesses
of best practices, Kurtz said. The feasibility of small businesses using encryption
was contested between witnesses otherwise in agreement. "We wouldn't be
having the flash of news we're having today" if businesses had deployed
encryption more widely, Kurtz said, adding that encryption is "more seamless
and easy to apply today" than 4-5 years ago.
*Subscription Only
Cardline, May 26, 2006
Poll: Consumers Will Pay for Data Security
Americans support stronger federal legislation covering data security even
if it means higher prices, according to a survey released today.
The Cyber Security Industry Alliance, a trade group for data security
providers that sponsored the survey, reports that 70% of Americans want a federal
law addressing data security even if they receive unwanted notices and the
law results in higher prices. The poll found that half of Americans avoid making
purchases online because of security concerns and only 24% believe businesses
are putting enough emphasis on protecting information systems. Members of the
Arlington, VA-based alliance include Visa International, RSA Security Inc.,
and Symantec Corp. The alliance supports a national approach to data breaches
that supersedes state laws, says Paul Kurtz, executive director. In the event
of data theft or loss, a firm that scrambles stored data using widely accepted
encryption standards should not be required to notify their consumers, says
Kurtz.
*Subscription Only
Dark Reading, May 26, 2006
Data Losses Erode User Confidence
Recent high-profile data losses are eroding online consumers' buying confidence and affecting corporations' bottom lines, according to a study published earlier this week. Fifty percent of Internet users currently avoid making purchases online because they are afraid their financial information may get stolen, according to a survey released this week by the Cyber Security Industry Alliance, an advocacy group led by top security vendors. That figure has grown by 2 percent since last year, the CSIA said. The findings won't surprise many, especially given some recent headlines that point as much to negligence as malice. Sixty-four percent of consumers believe that online banking puts the user's financial information at risk. On a scale of one to ten, consumers gave the Internet a 7.4 for performance, according to the survey, which polled 1,150 respondents. However, they rated the Internet's security at 5.0. "The American public is very concerned that nobody is minding the new store," the CSIA said. This attitude is costing enterprises money, the CSIA reports. According to the survey, 91 percent of consumers with a high level of confidence in Internet security buy products online, spending about $116 per month. If all consumers were as confident, the CSIA postulates that online spending would increase by approximately $3.8 billion per month in the U.S. alone.
Processor.com, May 26, 2006
MarketPlace News
Scott Kriens, chairman and CEO of Juniper Networks, and Paul Kurtz, executive director of the Cyber Security Industry Alliance, told U.S. lawmakers that government agencies are ill-prepared should the need for long-term telecommuting arise. With fears of the avian flu spreading, Kriens and Kurtz emphasized that telecommuting would be vital to keeping government agencies operating should a massive disaster occur. Similarly, Telework Exchange found 71% of U.S. government employees polled believe their agency is not prepared to continue operating should a flu pandemic occur.
The New York Times, May 28, 2006
For Data Security, Sometimes Small Is Not Beautiful
It's wonderful, isn't it, that information can be packed into such an infinitesimal space that vital facts about millions of people can fit on a few little computer disks. Farewell, bulky file cabinets; hello, vast empty spaces that can be used, say, for meditating on the joys of miniaturization. But any such meditation was rudely interrupted last week by yet another reminder that there is a hazardous flip side to all this. And the latest breach was a big one: Social Security numbers and other personal information on up to 26.5 million veterans were stolen from the home of a Department of Veterans Affairs employee. All the more reason, then, to take note of a survey for the Cyber Security Industry Alliance that shows, among other things, that nearly half of likely voters may turn against any member of Congress who opposes swift action on data security. And that survey, of course, was taken before the loss of the veterans' data. Suddenly those nice, bulky, hard-to-transport file cabinets don't look so bad.
IDG News, May 29, 2006
Commuting to slow bird flu pains?
Parts of the U.S. government could shut down during a much-feared outbreak
of avian influenza unless the government develops better telecommuting plans,
two IT leaders told lawmakers recently. Paul Kurtz, executive director of the
Cyber Security Industry Alliance, and Scott Kriens, chairman and CEO of Juniper,
told the U.S. House of Representatives Government Reform Committee that government
agencies lack plans for long-term telecommuting. Even as world health officials
worry that the ever-spreading avian flu could mutate and begin being transferred
from human to human, most federal agencies' telecommuting plans assume employees
will be out of work for two or three days, Kurtz said. Strains of deadly avian
flu, often called bird flu, have been reported in flocks of domesticated and
wild birds in Asia, the Middle East and Eastern Europe since 2003. Despite
fears that the viruses could spread among humans, there have been reports of
only about 200 people contracting bird flu since 1997, and most of those people
had direct contact with infected poultry, according to the U.S. Centers for
Disease Control and Prevention. "Business managers realize that telework
is a way to get optimal performance from their workers, allowing employees
to get work done from home or the road," Kriens said in written testimony. "I
find it ironic that many government managers reportedly equate telework with
reduced employee work hours and lower productivity, believing in the outdated
management philosophy that 'if I can't see you, I can't manage you.' "
*Also appeared in Network World.
InformationWeek, May 29, 2006
No More Excuses
A VA analyst took home electronic data from the office to do after-hours
work on his personal computer. The data included names, Social Security numbers,
and dates of birth on 26.5 million people. The laptop and an external hard
drive the analyst was using, along with the data, were stolen in a May 3 burglary.
With the VA having done wrong by 26.5 million veterans and their relatives,
members of Congress were in speech-making mode last week. Sen. Larry Craig,
R-Idaho, wondered whether the VA really needs to retain all the data it has. "But
I also know that when Americans contact their government or veterans file a
claim, they expect in this day and age that [the government] will have their
information," said Craig, chairman of the Senate's Committee on Veterans'
Affairs. A high-profile data breach that affects the nation's veterans could
be just the thing to shake Congress out of its foot-dragging on data privacy
and breach-notification legislation. Last week, the House Energy and Commerce
Committee and the House Financial Services Committee each proposed data privacy
and protection legislation to the speaker of the House, who will decide which
version the House moves forward. It's not clear what the timeframe is for a
full House vote, however, and this proposed legislation, as well as bills in
the Senate, has been around for months. Fewer than one in five of 1,150 U.S.
adults surveyed by the Cyber Security Industry Alliance say they think existing
laws can protect them from fraud, identity theft, and other Internet crimes.
More than two-thirds want Congress to pass stronger legislation.
*Subscription Only
Washington Technology, May 29, 2006
News in brief
Confidence in the nation’s IT infrastructure fell to 57 on a 100-point scale, a decrease of one point from six months ago, according to a survey of 1,150 adults sponsored by the Cyber Security Industry Alliance, an industry group. As a result some adults aren’t making purchases online, among other activities, the alliance said. Also in the survey, 70 percent of likely voters agreed that Congress should pass a strong data security law.
SearchSecurity, May 30, 2006
Veterans Affairs data theft should be 'call to arms'
The public was already worried about data security before 26.5 million U.S.
veterans were put at risk for identity theft following a recent burglary. "This
should be a major wake-up call that one small event can have a potentially
dramatic impact on millions of lives," said Paul Kurtz, executive director
of the Arlington, Va.-based Cyber Security Industry Alliance. "I would
think this should raise more awareness in the public consciousnesses." There
were signs on Capitol Hill Thursday that fuel had indeed been added to the
fire. The House Judiciary Committee approved a bill mandating that companies
notify customers when there's a security breach. Critics though are already
complaining, according to media reports, that the so-called Data Accountability
and Trust Act (DATA) isn't as tough on government agencies as it is on private
businesses. Whatever comes of the DATA bill, Kurtz said Congress will face
increasing public pressure to pass something. He said his organization's latest
semiannual poll of 1,150 adults measuring the country's security confidence
showed that people were already preoccupied with data fraud before the VA incident.
Respondents also suggested for the first time that the mounting data thefts
are shaking their confidence in the Internet and that there may be political
consequences, he said. He added that a loss of consumer confidence in cyberspace
is a billion-dollar problem and that it's time for Congress to move forward
with a national data security bill "that assures Americans they are being
protected online."
*Also appeared in SearchOracle.com.
National Journal’s Technology Daily, May 31, 2006
Government Reform; Government Reform Panel to Examine VA Breach
The committee that gave the Veterans Administration an "F" for
its computer security practices plans a hearing June 8 to ask for an update
on the department's reforms. House Government Reform Committee Staff Director
Dave Marin said the focus of the hearing will be whether tighter laws are needed
to prevent another incident like the security breach in which personal data
on 26.5 million veterans was stolen from a department employee's home. "The
technology exists today to secure this information," said Paul Kurtz,
executive director of the Cyber Security Industry Alliance. He said encryption
is much more user friendly than it was three years ago. Chris Parkerson, a
data security manager at RSA Security, said encrypting the personal data on
the 26.5 million veterans in such a case would have taken "a matter of
seconds." He said encrypting becomes more complicated and slower when
the system is complicated like in a financial transaction. Parkerson said often
companies try to encrypt too much, like an entire hard drive, rather than just
the personal data. He said that could cause encryption to slow down a process
ten times. But he said solving the problem in the veterans' department security
breach is easy -- and cheap. "There are tons of products on the market
that can do that that are very inexpensive. We're talking a few hundred bucks
to lock down a few laptops," Parkerson said.
*Also appeared in Government Executive.