Cyber Security Industry Alliance Newsletter •  Volume 2, Number 9 • May 2006

CSIA in the News

Article of Interest

Computerworld, April 17, 2006
IT Execs Take Different Routes on Bird Flu Threat

The answer to the question of whether corporate IT departments would be ready to respond if an avian flu pandemic hit the U.S. is: Maybe. Based on interviews last week with 13 CIOs, business continuity directors and IT management consultants, U.S. companies continue to hold widely divergent views on the risk that a flu outbreak could force school closings or broad quarantines in hard-hit areas. Some IT leaders, mainly at large companies, said they are preparing for the worst in an effort to avoid being left short-staffed or unable to support vastly increased numbers of telecommuters on their networks if a pandemic strikes. Dave Berg, CIO at O.C. Tanner Co., a provider of employee-recognition products and services in Salt Lake City, also hasn't made planning for a possible flu outbreak an action item. Berg noted that most of his employees have secure, high-speed computer access at home and that most operations can be done remotely. Gartner has issued several advisories about a possible pandemic, urging IT shops to prepare for the need to upgrade broadband and virtual private network connections to the homes of key workers and beef up their online ordering capabilities for customers. In a 31-page report issued March 7, the consulting firm listed in stark detail three scenarios for a global spread of the avian flu or another virus, from mild to severe. In the most severe scenario, several million people would die and the pandemic could last for a year or longer, despite strict quarantines. Many businesses would cease to operate, travel would be restricted, and workplace communications would often be done via phone, videoconferencing and e-mail.


The Daily Record, April 7, 2006
Experts say too many attorneys are unaware of "data integrity" issue in records management

Kevin Gronberg, policy and regulatory counsel for the Virginia-based Cyber Security Industry Alliance, a coalition of electronic security companies, said some businesses and their lawyers are finally starting to pay attention. The "Sarbanes-Oxley law really got people's attention," Gronberg said. As part of Sarbanes-Oxley, passed in 2002 in the wake of Enron-type corporate accounting scandals, executives must certify that the financial records they give the Securities and Exchange Commission are accurate, he said. With those requirements came a greater concern about how to make sure records have not been compromised. At a Cyber Security Industry Alliance summit in January, the participants ran through a mock case where data integrity was crucial, Gronberg said. In the scenario, a company was suing its competitor, claiming that the plaintiff developed a product that was taken by a former employee and brought to the defendant, which then tried to claim the product as its own invention. "The witness was an expert witness from the data [management department] of one of the companies, and the issue was, 'how do you know that the data, that records you have, actually are from the date you say they are?'" Gronberg said. Tom Klaff, CEO of Herndon, Va.-based Surety Inc., which provides unalterable time stamps for companies' electronic documents, said many companies don't understand all the ways their data can be impeached during legal proceedings. Some of his clients have had opposing counsel ask their employees or experts, "'couldn't he have gone in and changed the date or changed the system clock on a laptop where that e-mail was generated?'" Klaff said, "and the answer [inevitably] was, 'yes, it's possible.'"
*By subscription only.
*Also appeared in Kansas City Daily Record, St. Louis Daily Record and St. Charles County Daily Record., April 10, 2006
Security Group Calls on Congress

Public confidence in e-commerce will erode if Congress does not step forward and pass a meaningful national data breach disclosure law this year, according to the Cyber Security Industry Alliance (CSIA). The industry advocacy group wrote congressional leaders last week urging them to put aside political differences and put legislation on President Bush's desk by the end of the year. The CSIA said more than 52 million of Americans' personal records have been hacked, lost, stolen or otherwise compromised over the last year. "These security breaches, from medical records to Social Security numbers and credit card accounts, were once front-page news," the letter states. "Today, they have become so commonplace as to hardly seem newsworthy, but their cumulative effect has been to corrode public confidence in the security of private information." "Congress must demonstrate leadership by passing legislation to foster the adoption of best practices to protect consumers' personal information -- such as encryption that renders stolen data unusable -- and standardize the requirements for reporting breaches that do occur," the letter states. The CSIA noted that state governments are moving into the void created by Congress, with dozens passing laws mandating consumer notification of data breaches.
*Also appeared in eSecurityPlanet.

Government Technology, April 11, 2006
CSIA Board Urges Congressional Leadership on Consumer Data Protection

The Cyber Security Industry Alliance (CSIA) delivered letters to members of the bipartisan leadership of the House and Senate, urging party leaders, committee chairmen and other members to "set aside their differences and focus on protecting Americans' private, personal information." "Over the past year more than 52 million records of Americans' private personal information — an average of 142,000 per day — have been hacked into, lost, stolen or otherwise compromised from digital databases," states the letter, signed by all 12 board members of the CSIA. "Once front-page news, such breaches have become commonplace and have corroded public confidence in the security of private personal information." For the first time, said the CSIA in a release, surveys now show a decrease in Americans' interest in doing business online. "Perhaps part of the reason is that the average identity theft victim — and there were 3.4 million of them last year — spends $834 and 77 hours just clearing their name."

Government Technology, April 11, 2006
"U.S. Not Ready for Significant Disruption of Information Infrastructure" Warns Industry Group

The Cyber Security Industry Alliance (CSIA) last week urged Department of Homeland Security Assistant Secretary Michael Jackson to fill the long-vacant position of assistant secretary for cyber security and telecommunications and establish an all hazards national information assurance policy focused on a number of critical areas. Art Coviello, president and CEO of RSA Security and a Member of CSIA's Board of Directors, praised Jackson for sitting down to meet the CSIA Board and soliciting their input on issues from industry best practices to the emergency reconstitution of communications systems after a natural disaster or terrorist attack. "Deputy Secretary Jackson and Secretary Chertoff have a number of challenges before them and we appreciate their recognition that cyber security is of high importance." In a letter to DHS Secretary Michael Chertoff, the CSIA Executive Director Paul Kurtz outlined six priorities, such as identifying and prioritizing critical information systems, improving situational awareness and contingency planning, and increasing research and development.

Financial Times, April 12, 2006
Federal data security law reaches turning point in Congress

Many Americans were horrified to learn last week, as they finalised their tax returns, that the Internal Revenue Service wants to allow their sensitive tax information to be sold by their tax preparers – for marketing purposes. Little did they know that big tax-preparation companies have long been able to do just that. But American attitudes to their personal information have changed, in the wake of a series of high-profile data breaches that may have endangered the credit and identity of millions of consumers. Protecting personal data has become a vote-getter, and state legislatures across the country have rushed to implement new data security bills to protect home-state consumers. Three more states – Utah, Wisconsin and Indiana – have recently passed new data security laws, bringing the total to 23 states, each with a slightly different standard for protecting information and notifying consumers when it is compromised. However, the US business community – which is pushing hard to have just one federal law to replace the patchwork of state laws – has begun to worry that time will run out to reach a compromise, in a congressional year truncated by mid-term elections in November. "If it's not done in the next few weeks, it's dead," says Art Coviello, chief executive of RSA Security, a big data security firm and member of the Cyber Security Industry Alliance, one of the groups pushing for federal legislation. Complying with 23 different state laws puts too big a burden on financial institutions and others that do business nationally, he says.
*Also appeared in MSN Money and MSNBC.

Washington Internet Daily, April 12, 2006
Capitol Hill

The Cyber Security Industry Alliance (CSIA) wrote to House and Senate leaders, urging a bipartisan push this session to pass consumer data protection bills. Members should "set aside their differences and focus on protecting Americans' private, personal information," CSIA said. The letter notes that in the past year 52 million-plus records of Americans' private personal information -- 142,000 per day -- have been hacked, lost, stolen or otherwise compromised. All 12 board members signed the memo.
*By subscription only.

Washington Internet Daily, April 18, 2006
Data Sharing among Agencies Still Slack, GAO Warns

More than 4 years after the 9/11 attacks, govt. policies to help agencies work with terror-related information still are lacking, the GAO said. Duties for pushing federal data- sharing shifted from the White House to OMB and then to the Dept. of Homeland Security (DHS) -- but none has completed the task, the watchdog agency said Mon. The report follows a 2006 Federal Information Security Management Act (FISMA) scorecard from the House Govt. Reform Committee deeming agencies' progress "disappointing." FISMA progress among agencies is "mixed at best," GAO Information Security Dir. Gregory Wilshusen told Davis's committee last month. More systems than previously meet key performance measures, but the percentage of agency systems reviewed fell, as did the number of employees and contractors getting security awareness training, he said. Breach response plans were also rare, Wilshusen said. Given the FISMA scores, GAO analysis is "hardly a surprise," a Cyber Security Industry Alliance (CSIA) spokesman told us. "What we don't want is for it to become so unnewsworthy that people give up hope that the federal government will ever get its act together, and just move on. At least, until the next attack," he said.
*By subscription only.

Washington Internet Daily, April 19, 2006

SurfControl joined the Cyber Security Industry Alliance (CSIA), citing the increasing complexity of the IT infrastructure. "The landscape has changed -- it's not just about threats that impact corporate networks, it's about having insight into those environments," SurfControl CEO Patricia Sueltz said.
*By subscription only.

National Journal’s Technology Daily, April 24, 2006

The Cyber Security Industry Alliance on Monday urged companies to complete a government-issued survey to measure the costs of computer crimes. The survey, which was issued in February by the Homeland Security and Justice departments, includes questions about information security, computer-security indictments and cyber-crime safeguards. Responses will be collected by RAND, and they will remain confidential. "Everyone knows that cyber crime and other computer incidents are a growing problem," CSIA Executive Director Paul Kurtz said in a release. "But no one really knows how large, how fast it's growing or where the problems are concentrated. And you can't manage what you can't measure. The more we know about the extent of cyber crime, the better we'll all be able to combat it."
*Subscription only.

Computing, April 27, 2006
Allied against the cyber crime threat

Computing spoke with CSIA executive director Paul Kurtz, previously special assistant to the US President and senior director for critical infrastructure protection on the White House’s Homeland Security Council. Q. In the US the CSIA has played a role in advising and lobbying government on IT security issues. Why are you now looking to move into Europe? A. When I look at Europe, much like in the US, there isn’t an industry organisation focused on information security public policy issues. There is the 2010 Lisbon Agenda initiative in the European Union (EU) and we need to build security around that infrastructure. The EU has been drafting that for a while and it should be coming out shortly. Our effort is to highlight the importance to government of retaining data, but we are also saying do not forget to understand that you need to secure it and that there are privacy issues. When we came to Europe last year we were scouting out the landscape. Since then we have a firm representing us in Brussels and we are hiring people to represent us full-time. Q. Should the IT security industry be regulated? A. The free-market approach is the best way to go, but we need to get the building blocks in place to secure critical infrastructure. The financial services sector is heavily regulated, and that is because we must maintain trust in the global economy. If it is not secured properly then we have significant problems. With sensitive personal information that may be collected or sold, that is also part of the fundamental building blocks. It doesn’t matter what industry or sector you are in. If you are a data broker, a healthcare company or an educational facility that holds the crown jewels of personal information, then you need to protect it.
*Also appeared in WhatPC? and

Government Computer News, April 27, 2006
Better organization, focus needed for cybersecurity

The government needs to establish clear lines of authority and clarify responsibility for an effective national information assurance policy, former presidential adviser Paul Kurtz said Thursday. "We have a growing body of law and regulation bearing on information security," Kurtz said at the GovSec conference in Washington. But, "we are not ready for a major disruption of the information infrastructure today, and we have a long way to go to get there." Kurtz, executive director of the Cyber Security Industry Alliance, proposed a two-tiered framework for cybersecurity, in which critical functionality could be identified for government attention, while less pressing issues are passed to the private sector. "The government doesn't have to solve everyone's problem here," Kurtz said. Market forces and self-interest could be leveraged to handle problems of public awareness, education and coordinating information. Kurtz and Tom Leighton, chief scientist for the content delivery network operator Akamai Technologies, described cyberspace as a tough neighborhood that is getting tougher. "We have to anticipate that terrorist groups will get involved in disrupting cyberinfrastructure," along with nation states, Kurtz said. We also must anticipate that attacks will succeed, and build infrastructure to survive and respond to them, they said.

Reuters, April 27, 2006
Lifting the Lid: SEC must fix data security weaknesses

The SEC, an investor protection agency that demands tight internal controls from the companies it oversees, was recently criticized by congressional investigators for not having its own house in order when it comes to cyber security. The Government Accountability Office (GAO) said last month the SEC had failed to limit remote access to its servers, establish controls over passwords, securely configure all network devices, and adopt security monitoring procedures. A successful hacker could use nonpublic information to make trouble for a targeted company or rival. "It wouldn't necessarily be manipulation" of data by a hacker that would do the most harm, said Paul Kurtz, a former White House cyber security official. "It would be to expose information to damage another firm." The GAO staff spent five months last year assessing security at the agency's headquarters, a relatively new building in Washington D.C., and at its computer facility in nearby Alexandria, Virginia. "Overall, the SEC has not effectively implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems," the GAO concluded. Kurtz, who is now executive director of the Cyber Security Industry Alliance, an information security advocacy group, agreed with Booth that SEC employees must help guard systems. "This is not all about technology (such as) 'Do you have the right firewall and the right authentication technology?"'
*Also appeared on Washington, Wave 3 TV and MSN Money.

SC Magazine, April 27, 2006
NCSA launches small business security campaign

The National Cyber Security Alliance (NCSA) today unveiled the latest initiative in its on-going campaign to educate small businesses about cyber-security issues. As part of NCSA's small business campaign, and in conjunction with the Cyber Security Industry Alliance (CSIA), the following tips have been developed to help small businesses operate more securely: Ensure that all employees use effective passwords. Encourage passwords that are comprised of different characters and change them every 60 to 70 days, but no longer than 90 days. Consider using multi-factor authentication as a way to better secure your systems. Protect your systems. Install and use anti-virus, anti-spyware and anti-adware programs on all computers in your business. Ensure that your computers are protected by a firewall. Keep all software up-to-date. Ensure that all computer software is up-to-date and contains the most recent patches (i.e., operating system, anti-virus, anti-spyware, anti-adware, firewall and office automation software). Create backups. Make regular (weekly) back-up copies of all of your important data/information. Store a secured copy away from your office location and use encryption to protect any sensitive information about your company and customers. Be prepared for emergencies. Create a contingency plan for your business so you can recover if you experience an emergency. Include plans to continue business operations at an alternate location when necessary. Make sure to erase all data on the hard drive before recycling or throwing away a computer.

Washington Internet Daily, April 28, 2006
Cyber Security

The government needs to establish clear lines of authority and accountability in national information security, according to a former presidential adviser. Government Computer News reports that Paul Kurtz, now executive director of the Cyber Security Industry Alliance, said at the GovSec conference on Thursday that the nation is "not ready for a major disruption of the information infrastructure today, and we have a long way to go to get there." Kurtz proposed a two-tiered framework for cyber security. "We have to anticipate that terrorist groups will get involved in disrupting cyber infrastructure," along with nation-states, he said.
* Subscription only

Washington Internet Daily, April 28, 2006
CSIA Calls for Presidential Directive to Beef Up Cyber Security

The federal govt. must take the lead in building a stronger national information assurance policy, a former DHS adviser said Thurs. A 2-tier structure would help the federal govt. establish priorities among escalating cyber security breaches, said Paul Kurtz, exec. dir.-Cyber Security Industry Alliance. The first tier would emphasize U.S. economic and national security and involve emergency exercises that would help the federal govt. prepare contingency plans, Kurtz said. This tier would require a President directive that would combine multiple agencies that currently replicate each others' work, he added. "We must do our best to make this resilient to weather an attack," Kurtz said at the Govt. Security Expo, in a panel on IT security threats: "We are not ready for a major disruption of infrastructure today and have a long way to go before we get more." The federal govt. has conducted 2 emergency exercises and is encouraging them at the state level. The 2nd tier involves creating stronger public and private sector partnerships to emphasize coordination, education and preparedness, Kurtz said. The govt. also needs more authentication technologies, secure fundamental protocols, modeling test beds for new technologies, and stricter cyber forensics, said Thomas Leighton, chmn. of the President's IT Advisory Committee. The DoD budget doesn't give civilian cybersecurity enough money, Leighton said. His committee requested $90 million for the effort. "The state of cybersecurity is bad and it's getting worse," he said: "We are being exploited on a daily basis."
* Subscription only