CSIA in the News
Article of Interest
Computerworld, April 17, 2006
IT Execs Take Different Routes on Bird Flu Threat
The answer to the question of whether corporate IT departments would be ready to respond if an avian flu pandemic hit the U.S. is: Maybe. Based on interviews last week with 13 CIOs, business continuity directors and IT management consultants, U.S. companies continue to hold widely divergent views on the risk that a flu outbreak could force school closings or broad quarantines in hard-hit areas. Some IT leaders, mainly at large companies, said they are preparing for the worst in an effort to avoid being left short-staffed or unable to support vastly increased numbers of telecommuters on their networks if a pandemic strikes. Dave Berg, CIO at O.C. Tanner Co., a provider of employee-recognition products and services in Salt Lake City, also hasn't made planning for a possible flu outbreak an action item. Berg noted that most of his employees have secure, high-speed computer access at home and that most operations can be done remotely. Gartner has issued several advisories about a possible pandemic, urging IT shops to prepare for the need to upgrade broadband and virtual private network connections to the homes of key workers and beef up their online ordering capabilities for customers. In a 31-page report issued March 7, the consulting firm listed in stark detail three scenarios for a global spread of the avian flu or another virus, from mild to severe. In the most severe scenario, several million people would die and the pandemic could last for a year or longer, despite strict quarantines. Many businesses would cease to operate, travel would be restricted, and workplace communications would often be done via phone, videoconferencing and e-mail.
CSIA News
The Daily Record, April 7, 2006
Experts say too many attorneys are unaware of "data integrity" issue in records management
Kevin Gronberg, policy and regulatory counsel for the Virginia-based Cyber
Security Industry Alliance, a coalition of electronic security companies, said
some businesses and their lawyers are finally starting to pay attention. The
"Sarbanes-Oxley law really got people's attention," Gronberg said. As
part of Sarbanes-Oxley, passed in 2002 in the wake of Enron-type corporate
accounting scandals, executives must certify that the financial records they
give the Securities and Exchange Commission are accurate, he said. With those
requirements came a greater concern about how to make sure records have not
been compromised. At a Cyber Security Industry Alliance summit in January,
the participants ran through a mock case where data integrity was crucial,
Gronberg said. In the scenario, a company was suing its competitor, claiming
that the plaintiff developed a product that was taken by a former employee
and brought to the defendant, which then tried to claim the product as its
own invention. "The witness was an expert witness from the data [management
department] of one of the companies, and the issue was, 'how do you know that
the data, that records you have, actually are from the date you say they are?'"
Gronberg said. Tom Klaff, CEO of Herndon, Va.-based Surety Inc., which provides
unalterable time stamps for companies' electronic documents, said many companies
don't understand all the ways their data can be impeached during legal proceedings.
Some of his clients have had opposing counsel ask their employees or experts,
"'couldn't he have gone in and changed the date or changed the system clock
on a laptop where that e-mail was generated?'" Klaff said, "and the answer
[inevitably] was, 'yes, it's possible.'"
*By subscription only.
*Also appeared in Kansas City Daily Record, St. Louis Daily Record and St. Charles County Daily Record.
Internetnews.com, April 10, 2006
Security Group Calls on Congress
Public confidence in e-commerce will erode if Congress does not step
forward and pass a meaningful national data breach disclosure law
this year, according to the Cyber Security Industry Alliance (CSIA).
The industry advocacy group wrote congressional leaders last week
urging them to put aside political differences and put legislation
on President Bush's desk by the end of the year. The CSIA said more
than 52 million of Americans' personal records have been hacked, lost,
stolen or otherwise compromised over the last year. "These security
breaches, from medical records to Social Security numbers and credit
card accounts, were once front-page news," the letter states. "Today,
they have become so commonplace as to hardly seem newsworthy, but
their cumulative effect has been to corrode public confidence in the
security of private information." "Congress must demonstrate
leadership by passing legislation to foster the adoption of best practices
to protect consumers' personal information -- such as encryption that
renders stolen data unusable -- and standardize the requirements for
reporting breaches that do occur," the letter states. The CSIA
noted that state governments are moving into the void created by Congress,
with dozens passing laws mandating consumer notification of data breaches.
*Also appeared in eSecurityPlanet.
Government Technology, April 11, 2006
CSIA Board Urges Congressional Leadership on Consumer Data Protection
The Cyber Security Industry Alliance (CSIA) delivered letters to members of the bipartisan leadership of the House and Senate, urging party leaders, committee chairmen and other members to "set aside their differences and focus on protecting Americans' private, personal information." "Over the past year more than 52 million records of Americans' private personal information — an average of 142,000 per day — have been hacked into, lost, stolen or otherwise compromised from digital databases," states the letter, signed by all 12 board members of the CSIA. "Once front-page news, such breaches have become commonplace and have corroded public confidence in the security of private personal information." For the first time, said the CSIA in a release, surveys now show a decrease in Americans' interest in doing business online. "Perhaps part of the reason is that the average identity theft victim — and there were 3.4 million of them last year — spends $834 and 77 hours just clearing their name."
Government Technology, April 11, 2006
"U.S. Not Ready for Significant Disruption of Information Infrastructure" Warns Industry Group
The Cyber Security Industry Alliance (CSIA) last week urged Department of Homeland Security Assistant Secretary Michael Jackson to fill the long-vacant position of assistant secretary for cyber security and telecommunications and establish an all hazards national information assurance policy focused on a number of critical areas. Art Coviello, president and CEO of RSA Security and a Member of CSIA's Board of Directors, praised Jackson for sitting down to meet the CSIA Board and soliciting their input on issues from industry best practices to the emergency reconstitution of communications systems after a natural disaster or terrorist attack. "Deputy Secretary Jackson and Secretary Chertoff have a number of challenges before them and we appreciate their recognition that cyber security is of high importance." In a letter to DHS Secretary Michael Chertoff, the CSIA Executive Director Paul Kurtz outlined six priorities, such as identifying and prioritizing critical information systems, improving situational awareness and contingency planning, and increasing research and development.
Financial Times, April 12, 2006
Federal data security law reaches turning point in Congress
Many Americans were horrified to learn last week, as they finalised
their tax returns, that the Internal Revenue Service wants to allow
their sensitive tax information to be sold by their tax preparers
– for marketing purposes. Little did they know that big tax-preparation
companies have long been able to do just that. But American attitudes
to their personal information have changed, in the wake of a series
of high-profile data breaches that may have endangered the credit
and identity of millions of consumers. Protecting personal data has
become a vote-getter, and state legislatures across the country have
rushed to implement new data security bills to protect home-state
consumers. Three more states – Utah, Wisconsin and Indiana – have
recently passed new data security laws, bringing the total to 23 states,
each with a slightly different standard for protecting information
and notifying consumers when it is compromised. However, the US business
community – which is pushing hard to have just one federal law to
replace the patchwork of state laws – has begun to worry that time
will run out to reach a compromise, in a congressional year truncated
by mid-term elections in November. "If it's not done in the next
few weeks, it's dead," says Art Coviello, chief executive of
RSA Security, a big data security firm and member of the Cyber Security
Industry Alliance, one of the groups pushing for federal legislation.
Complying with 23 different state laws puts too big a burden on financial
institutions and others that do business nationally, he says.
*Also appeared in MSN Money and MSNBC.
Washington Internet Daily, April 12, 2006
Capitol Hill
The Cyber Security Industry Alliance (CSIA) wrote to House and Senate
leaders, urging a bipartisan push this session to pass consumer data
protection bills. Members should "set aside their differences
and focus on protecting Americans' private, personal information," CSIA
said. The letter notes that in the past year 52 million-plus records
of Americans' private personal information -- 142,000 per day -- have
been hacked, lost, stolen or otherwise compromised. All 12 board members
signed the memo.
*By subscription only.
Washington Internet Daily, April 18, 2006
Data Sharing among Agencies Still Slack, GAO Warns
More than 4 years after the 9/11 attacks, govt. policies to help
agencies work with terror-related information still are lacking, the
GAO said. Duties for pushing federal data- sharing shifted from the
White House to OMB and then to the Dept. of Homeland Security (DHS)
-- but none has completed the task, the watchdog agency said Mon.
The report follows a 2006 Federal Information Security Management
Act (FISMA) scorecard from the House Govt. Reform Committee deeming
agencies' progress "disappointing." FISMA progress among
agencies is "mixed at best," GAO Information Security Dir.
Gregory Wilshusen told Davis's committee last month. More systems
than previously meet key performance measures, but the percentage
of agency systems reviewed fell, as did the number of employees and
contractors getting security awareness training, he said. Breach response
plans were also rare, Wilshusen said. Given the FISMA scores, GAO
analysis is "hardly a surprise," a Cyber Security Industry
Alliance (CSIA) spokesman told us. "What we don't want is for
it to become so unnewsworthy that people give up hope that the federal
government will ever get its act together, and just move on. At least,
until the next attack," he said.
*By subscription only.
Washington Internet Daily, April 19, 2006
Security
SurfControl joined the Cyber Security Industry Alliance (CSIA),
citing the increasing complexity of the IT infrastructure. "The
landscape has changed -- it's not just about threats that impact corporate
networks, it's about having insight into those environments," SurfControl
CEO Patricia Sueltz said.
*By subscription only.
National Journal’s Technology Daily, April 24, 2006
Crime
The Cyber Security Industry Alliance on Monday urged companies to
complete a government-issued survey to measure the costs of computer
crimes. The survey, which was issued in February by the Homeland
Security and Justice departments, includes questions about information
security, computer-security indictments and cyber-crime safeguards.
Responses will be collected by RAND, and they will remain confidential. "Everyone
knows that cyber crime and other computer incidents are a growing
problem," CSIA Executive Director Paul Kurtz said in a release. "But
no one really knows how large, how fast it's growing or where the
problems are concentrated. And you can't manage what you can't measure.
The more we know about the extent of cyber crime, the
better we'll all be able to combat it."
*Subscription only.
Computing, April 27, 2006
Allied against the cyber crime threat
Computing spoke with CSIA executive director Paul Kurtz, previously
special assistant to the US President and senior director for critical
infrastructure protection on the White House’s Homeland Security Council.
Q. In the US the CSIA has played a role in advising and lobbying government
on IT security issues. Why are you now looking to move into Europe?
A. When I look at Europe, much like in the US, there isn’t an industry
organisation focused on information security public policy issues.
There is the 2010 Lisbon Agenda initiative in the European Union (EU)
and we need to build security around that infrastructure. The EU has
been drafting that for a while and it should be coming out shortly.
Our effort is to highlight the importance to government of retaining
data, but we are also saying do not forget to understand that you
need to secure it and that there are privacy issues. When we came
to Europe last year we were scouting out the landscape. Since then
we have a firm representing us in Brussels and we are hiring people
to represent us full-time. Q. Should the IT security industry be regulated?
A. The free-market approach is the best way to go, but we need to
get the building blocks in place to secure critical infrastructure.
The financial services sector is heavily regulated, and that is because
we must maintain trust in the global economy. If it is not secured
properly then we have significant problems. With sensitive personal
information that may be collected or sold, that is also part of the
fundamental building blocks. It doesn’t matter what industry or sector
you are in. If you are a data broker, a healthcare company or an educational
facility that holds the crown jewels of personal information, then
you need to protect it.
*Also appeared in WhatPC? and VNUNet.com.
Government Computer News, April 27, 2006
Better organization, focus needed for cybersecurity
The government needs to establish clear lines of authority and clarify responsibility for an effective national information assurance policy, former presidential adviser Paul Kurtz said Thursday. "We have a growing body of law and regulation bearing on information security," Kurtz said at the GovSec conference in Washington. But, "we are not ready for a major disruption of the information infrastructure today, and we have a long way to go to get there." Kurtz, executive director of the Cyber Security Industry Alliance, proposed a two-tiered framework for cybersecurity, in which critical functionality could be identified for government attention, while less pressing issues are passed to the private sector. "The government doesn't have to solve everyone's problem here," Kurtz said. Market forces and self-interest could be leveraged to handle problems of public awareness, education and coordinating information. Kurtz and Tom Leighton, chief scientist for the content delivery network operator Akamai Technologies, described cyberspace as a tough neighborhood that is getting tougher. "We have to anticipate that terrorist groups will get involved in disrupting cyberinfrastructure," along with nation states, Kurtz said. We also must anticipate that attacks will succeed, and build infrastructure to survive and respond to them, they said.
Reuters, April 27, 2006
Lifting the Lid: SEC must fix data security weaknesses
The SEC, an investor protection agency that demands tight internal
controls from the companies it oversees, was recently criticized by
congressional investigators for not having its own house in order
when it comes to cyber security. The Government Accountability Office
(GAO) said last month the SEC had failed to limit remote access to
its servers, establish controls over passwords, securely configure
all network devices, and adopt security monitoring procedures. A successful
hacker could use nonpublic information to make trouble for a targeted
company or rival. "It wouldn't necessarily be manipulation" of
data by a hacker that would do the most harm, said Paul Kurtz, a former
White House cyber security official. "It would be to expose information
to damage another firm." The GAO staff spent five months last
year assessing security at the agency's headquarters, a relatively
new building in Washington D.C., and at its computer facility in nearby
Alexandria, Virginia. "Overall, the SEC has not effectively implemented
information security controls to properly protect the confidentiality,
integrity, and availability of its financial and sensitive information
and information systems," the GAO concluded. Kurtz, who is now
executive director of the Cyber Security Industry Alliance, an information
security advocacy group, agreed with Booth that SEC employees must
help guard systems. "This is not all about technology (such as)
'Do you have the right firewall and the right authentication technology?"'
*Also appeared on Washington Post.com, Wave 3 TV and MSN Money.
SC Magazine, April 27, 2006
NCSA launches small business security campaign
The National Cyber Security Alliance (NCSA) today unveiled the latest initiative in its on-going campaign to educate small businesses about cyber-security issues. As part of NCSA's small business campaign, and in conjunction with the Cyber Security Industry Alliance (CSIA), the following tips have been developed to help small businesses operate more securely: Ensure that all employees use effective passwords. Encourage passwords that are comprised of different characters and change them every 60 to 70 days, but no longer than 90 days. Consider using multi-factor authentication as a way to better secure your systems. Protect your systems. Install and use anti-virus, anti-spyware and anti-adware programs on all computers in your business. Ensure that your computers are protected by a firewall. Keep all software up-to-date. Ensure that all computer software is up-to-date and contains the most recent patches (i.e., operating system, anti-virus, anti-spyware, anti-adware, firewall and office automation software). Create backups. Make regular (weekly) back-up copies of all of your important data/information. Store a secured copy away from your office location and use encryption to protect any sensitive information about your company and customers. Be prepared for emergencies. Create a contingency plan for your business so you can recover if you experience an emergency. Include plans to continue business operations at an alternate location when necessary. Make sure to erase all data on the hard drive before recycling or throwing away a computer.
Washington Internet Daily, April 28, 2006
Cyber Security
The government needs to establish clear lines of authority and accountability
in national information security, according to a former presidential
adviser. Government Computer News reports that Paul Kurtz, now executive
director of the Cyber Security Industry Alliance, said at the GovSec
conference on Thursday that the nation is "not ready for a major
disruption of the information infrastructure today, and we have a
long way to go to get there." Kurtz proposed a two-tiered framework
for cyber security. "We have to anticipate that terrorist groups
will get involved in disrupting cyber infrastructure," along
with nation-states, he said.
* Subscription only
Washington Internet Daily, April 28, 2006
CSIA Calls for Presidential Directive to Beef Up Cyber Security
The federal govt. must take the lead in building a stronger national
information assurance policy, a former DHS adviser said Thurs. A 2-tier
structure would help the federal govt. establish priorities among
escalating cyber security breaches, said Paul Kurtz, exec. dir.-Cyber
Security Industry Alliance. The first tier would emphasize U.S. economic
and national security and involve emergency exercises that would help
the federal govt. prepare contingency plans, Kurtz said. This tier
would require a President directive that would combine multiple agencies
that currently replicate each others' work, he added. "We must
do our best to make this resilient to weather an attack," Kurtz
said at the Govt. Security Expo, in a panel on IT security threats: "We
are not ready for a major disruption of infrastructure today and have
a long way to go before we get more." The federal govt. has conducted
2 emergency exercises and is encouraging them at the state level.
The 2nd tier involves creating stronger public and private sector
partnerships to emphasize coordination, education and preparedness,
Kurtz said. The govt. also needs more authentication technologies,
secure fundamental protocols, modeling test beds for new technologies,
and stricter cyber forensics, said Thomas Leighton, chmn. of the President's
IT Advisory Committee. The DoD budget doesn't give civilian cybersecurity
enough money, Leighton said. His committee requested $90 million for
the effort. "The state of cybersecurity is bad and it's getting
worse," he said: "We are being exploited on a daily basis."
* Subscription only