Cyber Security Industry Alliance Newsletter • Volume 1, Number 9 • May 2005

Executive Director’s Message

Cyber Security: Seeing the Forest for the Trees

The recent wave of data security breaches at banks, retailers, hospitals, and universities across the country has dramatically elevated the issues of personal information protection and privacy before Congress and the nation as a whole. Undoubtedly, the protection of information must be one of our nation's top priorities. This is an issue of both national security and economic stability. The way we address issues of security and privacy today will have ramifications for years to come. A holistic approach to ensuring the security, integrity and availability of global information systems is fundamental to economic and national security.

As we all know, information technology has become the very heart of our economy. Hospitals, universities, corporations, and even governments are running their operations almost entirely on information. Over the years, the benefits have been abundant – more access to information, better customer service, more efficient operations. Unfortunately, these benefits have also led to risks. The reality is that underlying our information economy is data, often personally identifiable data, which is gathered, transferred and stored in large databases.

In the past few weeks, a number of laws and regulations have been introduced and passed at various levels to address information security and privacy. We expect many more to surface. These attempts to address security issues on a piecemeal basis are simply not effective. In many cases, new legislation conflicts with already existing law, leads to inefficiencies and confusion in the business community, and distracts us from solving the real problem of protecting our nation's personal information.

At this critical time of technology development and innovation, the United States, as an economic force and a global technology leader, must carefully determine a public policy approach to information security that continues to encourage development while also providing protections.

In this context, CSIA recommends that Congress consider the following:

  • Take a holistic approach to addressing cyber security. Currently, Congress is considering cyber security problems such as spyware, phishing, and data warehouse security on an individual basis. In fact, each of these problems has at least one issue in common: the attacker is seeking an individual’s personal information in order to commit financial fraud. We can anticipate similar exploits in the future.

  • Harmonize any new legislation with existing legislation at the federal level, filling gaps rather than duplicating requirements already contained in existing law, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act (FCRA). Use existing security standards wherever possible, rather than creating new ones. This approach would provide a framework for identifying areas of risk, as well as encouraging industry best practices.

  • Avoid a piecemeal approach that, in conjunction with the numerous laws states are passing, will present consumers and businesses with a “patchwork quilt” of confusing laws and complicated compliance issues. States are already stepping into the void and creating a confusing patchwork of legislation on the issue. Legislation regulating spyware has been introduced in 24 state legislatures this year, with approaches ranging from studies to changes in criminal code. Anti-phishing legislation is sitting on the Governor’s desk in Hawaii, and pending in states including Texas and Florida. More than 300 bills on identity theft are pending in our nation’s state legislatures. A federal preemption of the many laws recently passed or currently contemplated at the state level related to spyware, phishing, and data broker security would alleviate much of the concern and consternation within the private sector as a whole. However, any preemptive federal law should maintain, at a minimum, the security standards already put in place by corresponding state legislation.

  • Encourage broader use of security technologies without mandating specific technology solutions. Urge adoption of the approach utilized in CA 1386 which calls for disclosure of a breach involving unencrypted data.

  • To encourage stronger cyber security, investigate incentives, including “safe harbors,” tax benefits, third-party or self-certification, insurance and the adoption of best practices, without mandating specific technology solutions. Dictating a specific technology is counter-productive as it stifles innovation and discourages creativity.

  • Increase penalties for identity theft and other cyber crimes, and ensure that appropriate resources are available to law enforcement authorities. The Senate should swiftly ratify the Council of Europe’s Convention on Cybercrime, which would create a global framework for investigating and prosecuting cyber criminals.

  • Take a long-term view of information security. There is no coherent cyber security R&D agenda. Significant Federal funding is closeted in classified programs. While our national security needs must be met, we must anticipate that privately owned and operated networks will be attacked as well. We need to develop resilient, fault tolerant networks which degrade gracefully under attack.

Leadership in information technology is a constantly moving target. As the technology changes and improves, so must its security. Likewise, as the need for public protection evolves, so must our public policy. We call on Congress and the Administration to work with the private sector to develop a holistic approach to the protection of our nation's personal information.