Cyber Security Industry Alliance Newsletter • Volume 1, Number 9 • May 2005

CSIA in the News

Article of Interest

Information Week, May 2, 2005
Data Losses Blamed on Stores and Software
The recent disclosures that customer information was lost or stolen from retailers have led security experts to focus on two areas: poor security practices by the retailers and weaknesses in the software used to process credit-card payments. Retail Ventures Inc. and Polo Ralph Lauren Corp. are the latest in a string of companies to report that customer credit-card information may have been stolen or lost. But a lawsuit involving IBM has highlighted the importance of what’s known as Track II data, which contains customer and account information. BJ’s Wholesale Club sued IBM last year for allegedly failing to turn off a feature in its payment software that stored Track II data from a credit card’s magnetic stripe after a transaction was approved. As a result, BJ’s claims, Track II data on cards belonging to customers who made transactions between July 2003 and February 2004 may have been stolen and misused.

CSIA Coverage

Federal Computer Week, April 8, 2005
Industry group draws scrutiny
Government officials recently scaled back their involvement in a newly formed public/private council of security officers amid controversy about the appearance that a select group of vendors could have undue influence on public policy. O’Keeffe and Co., an Alexandria, Va.-based public relations and marketing agency, spearheaded development of the Chief Information Security Officers (CISO) Exchange as a forum for discussions between government officials and industry executives. Backers have used the participation of Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, and the CIO Council’s sponsorship as selling points in materials aimed at soliciting industry members. While observers praise the concept of a CISO Exchange in the hopes of raising the visibility of cyber-security issues, the controversy swirling around the change has instead raised questions about similar organizations and the appropriateness of holding events for government officials that industry representatives pay to attend. Paul Kurtz, executive director of the Cyber Security Industry Alliance, said he’s in a wait-and-see mode. "I'd like to learn more from Congressman Davis’ staff as to what their roles are going to be," he said. Efforts to raise the profile of information security should be welcomed, "but the devil’s in the details," he added.

BusinessWeek, April 15, 2005
Personal Data Theft: It’s Outrageous
Americans seem to be concerned, but not outraged, by news in recent weeks that two big data collectors sold detailed personal information on nearly 500,000 people to buyers who had absolutely no business getting it. Maybe this is because we’ve become inured to the supposed inevitability of our personal data being available to anyone who looks hard enough. But it’s time for some outrage -- and long past time for the legal system to hold the people who assemble this information without our knowledge or consent accountable for what happens to it. Given the current state of nonregulation of this industry, it’s something of a wonder that we even know of the breaches. "We don't want legislation about every specific problem," says Arthur W. Coviello, CEO of RSA Security (RSAS), who was one of a group of tech-security CEOs in Washington, D.C. as part of a Cyber Security Industry Alliance lobbying campaign. "We want a comprehensive approach." Still, government can do only so much. Attacking the broad problem successfully will require action by both business and consumers. "We know how to behave in the physical world. For example, we know not to walk down certain streets at night," says John Thompson, CEO of Symantec (SYMC). "We don't have a clue how to behave in the cyber world. We need businesses to take a higher level of care. But we also need to bring public knowledge of the digital world to a much higher level."

IDG News Service, April 15, 2005
Vendors call for more gov’t cybersecurity focus
The U.S. government needs to get more serious about cybersecurity, but Congress should look at broader ways to combat security problems than focusing on bills that address specific issues such as spam or spyware, a group of executives from IT security product vendors said this week. Members of the Cyber Security Industry Alliance (CSIA), meeting in Washington, D.C., Thursday, repeated their call for Congress to create an assistant secretary for cybersecurity position at the U.S. Department of Homeland Security (DHS). The administration of President George Bush released its National Strategy to Secure Cyberspace in February 2003, but cybersecurity has taken a back seat to physical security issues since then, said Art Coviello, president and CEO at RSA Security. Members of the year-old CSIA, meeting as a rash of data breaches have been announced in recent months, said they committed this week to helping Congress and administration officials understand cybersecurity issues.

CNET, April 14, 2005
Putting teeth into U.S. cybercrime policy
It wasn’t so long ago that interest in the topic of online crime was limited to a small circle of technologists. Nowadays, senior government officials talk about it as a potential national security threat. That’s where Paul Kurtz comes in. As the executive director of the Cyber Security Industry Alliance, a consortium of CEOs pressing for more-effective cybersecurity legislation, Kurtz is hoping to make sure any new regulations carry real weight. And since the 41-year-old Kurtz’s resume includes a stint on the White House's National Security Council, as well as a period as senior director for national security at the Office of Cyberspace Security, it’s a good bet that he’ll find an audience willing to hear him out. Unlike industry efforts that have criticized the government for doing too little, or policy groups that have called for action and failed to consider the implications of technology-oriented legislation, Kurtz is looking for middle ground. The security expert believes that by helping the government see the big picture, tech-wise, and aiding politicians in writing laws that have real teeth against cybercriminals, true progress against the tide of online threats can be made.

eWeek, April 25, 2005
Cyber-Czar Bill Moves Forward
The effort to install a cyber-security czar in Washington gained momentum last week when a bill that would create a new assistant secretary position at the Department of Homeland Security won the approval of a House subcommittee. The industry, particularly the security software sector, has long pressed for the appointment of a top-level government official dedicated to cyber-security. Ever since Richard Clarke left his advisory position at the White House in early 2003, the responsibilities have fallen to individuals who, while competent, did not wield sufficient power to get things done, said Paul Kurtz, executive director of the Cyber Security Industry Alliance, in Washington. "When you look at the balance of the responsibilities that DHS has in cyber-security, it is silly to think this could be handled with anything less than an assistant secretary," Kurtz said.

SC Magazine, April 25, 2005
House subcommittee approves new cybersecurity post
A bill that would create an assistant secretary for cybersecurity in the Department of Homeland Security was unanimously approved this week by a House Homeland Security subcommittee. H.R. 285, also known as the DHS Cybersecurity Enhancement Act of 2005, was proposed earlier this year by U.S. Reps. Zoe Lofgren (D-Calif.) and Mac Thornberry (R-Texas). The secretary would have primary authority in DHS for all cybersecurity-related critical infrastructure programs. In testimony to the subcommittee, Cyber Security Industry Alliance Executive Director Paul Kurtz supported the creation of the new post. "We are seeing increased threats and vulnerabilities associated with our information infrastructure. We rely upon our information infrastructure, yet there is not one clearly in charge of coordinating its security and reliability," he said. "The Department's responsibilities to identify critical information infrastructure, develop emergency communications, contingency and reconstitution plans are compelling, yet the leadership is not," he said. Last week the Cyber Security Industry Alliance told Congress it should take a comprehensive approach to cybersecurity instead of its current way of dealing with spyware, phishing, and data warehouse security on a piecemeal basis.

The Washington Post, April 25, 2005
Watchdogs Seek Out The Web's Bad Side
Aaron Weisburd slogged up to his attic at 5 a.m. to begin another day combing through tips he had received about possible pro-terrorist activity on the Internet. It did not take long for one e-mail to catch his attention: was offering instructions on how to steal people’s personal information off their computers. It was a new development for an Islamic discussion site accustomed to announcing "martyrdom operations," or suicide bombings, against U.S. troops and others in Iraq. It was another small victory for Weisburd, one of a new breed of Internet activists. Part vigilantes, part informants, part nosy neighbors, they search the Web for sites that they say deal in theft, fraud and violence. For his part, Weisburd insists that he uses only legal means to go after his targets. Government agencies and others are not sure what to make of him. Some law enforcement officials praise his efforts, but others say that he is making more trouble than he is doing good. Without due process, evidence could be tainted and become unusable in court cases or, worse, targets could be condemned as guilty when they are really innocent, said Paul Kurtz, executive director of the Cyber Security Industry Alliance, a coalition of tech company chief executives. "When we all become 'law enforcement officers' justice becomes very blurry," he said.
*Story also appeared in MSNBC

Government Technology, April 22, 2005
Bill to Create Assistant Secretary for Cybersecurity at DHS Delivered to Full House
Yesterday, the House of Representatives Subcommittee on Economic Security, Infrastructure Protection and Cyber Security held a hearing and markup to review and put in final form for submission to the full House of Representatives a bill that would create an Assistant Secretary for Cyber Security within the Department of Homeland Security. "A Director-level position does not have the sufficient stature or programmatic authority for accountability, or to reach across sectors," Paul Kurtz, Executive Director of the Cyber Security Industry Alliance testified at a House Subcommittee on Economic Security, Infrastructure Protection and Cyber Security hearing. "A leader in securing the critical infrastructure must have the authority and resources to accomplish this important and complex mission. This leader must be at least at the Assistant Secretary level to have the impact that is needed."

Computerworld, April 21, 2005
House panel elevates cybersecurity position
A bill that would create a high-level cybersecurity official in the U.S. Department of Homeland Security (DHS) was approved Wednesday by a House of Representatives subcommittee. The Department of Homeland Security Cybersecurity Enhancement Act, approved by the House Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity, would create the position of assistant secretary for cybersecurity at DHS. This month, the Cyber Security Industry Alliance (CSIA), a vendor trade group, repeated its calls for an assistant secretary for cybersecurity, and Information Technology Association of America (ITAA) President Harris Miller testified at Wednesday’s hearing in support of the bill. CSIA, in a report titled "Policy Considerations for Securing Electronic Data" released Wednesday, called for some of the same actions, as well as a national law requiring companies to notify customers when personal data has been breached. CSIA supports one national breach notification law instead of several state laws now being considered. CSIA also called on Congress to investigate incentives, such as tax benefits, to encourage businesses to better focus on cybersecurity.
*Story also appeared in IDG News, Computerworld Singapore and Network World

Federal Computer Week, April 21, 2005
Cybersecurity office bill gains steam
The House subcommittee in charge of cybersecurity has approved a bill that would create a new cybersecurity czar. The House Homeland Security Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity on Wednesday voted unanimously in favor of H.R. 285, the Department of Homeland Security Cybersecurity Enhancement Act of 2005. Before the vote, a panel of IT and homeland-security executives told the subcommittee that the bill addresses inadequacies in DHS’ approach to cybersecurity. "A director-level position does not have the sufficient stature or programmatic authority to be successful," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "A leader in securing the critical infrastructure must have the authority and resources to accomplish this important and complex mission. This leader must be at least the assistant secretary level to have the impact that is needed."
*Story also appeared in USA Today

SC Magazine, April 21, 2005
Industry group offers cybersecurity recommendations to Congress
Congress should take a comprehensive approach to cybersecurity instead of its current way of dealing with spyware, phishing, and data warehouse security on a piecemeal basis, according to the Cyber Security Industry Alliance (CSIA). CSIA, a group of cybersecurity vendors, on Wednesday issued a report with several recommendations for Congress to consider as it weighs various proposals to protect consumers’ personal data. The group supports a federal requirement for security breach notification to preempt the many breach notification laws being passed by state lawmakers. It also recommends that any new legislation fill gaps in existing legislation, such as HIPAA and the Gramm Leach Bliley Act, instead of duplicating requirements already included in those laws. Lawmakers should investigate incentives, such as tax benefits, to encourage companies to implement stronger cybersecurity, according to CSIA, which also suggested that Congress encourage broader use of security technologies without mandating specific solutions.

SC Magazine, April 21, 2005
Professional groups push for EU ratification
In a letter to the Senate Committee on Foreign Relations today, an IT industry group and various artists’ associations urged support for ratification of the Council of Europe Convention on Cybercrime. The Business Software Alliance (BSA) and 20 coalition partners in the Copyright Assembly, including the likes of the American Federation of Musicians, the Motion Picture Association of America and the Screen Actors Guild, sent the letter to chairman of the committee Republican Senator Richard Lugar of Indiana. The groups argued that ratification of the treaty would help address the problem of cybercrime internationally -- namely, "by requiring nations to adopt effective criminal laws against hacking, child pornography, computer-facilitated fraud, and infringements on copyright." They continued: "It would also make these laws easier to enforce by improving international law enforcement cooperation. And, importantly, the Treaty would not require a single change in current U.S. law." Paul Kurtz, executive director for the Cyber Security Industry Alliance, said that the U.S., as part of its efforts to tackle IT security crimes, must ratify this Convention. "Without a doubt, we need to see an increase in civil and criminal convictions in [the IT] space," he said, noting ratification of such an international treaty would only aid in this goal.

Washington Internet Daily, April 21, 2005*
Higher Official Needed to Push Cybersecurity in DHS, Experts Tell Subcommittee
The Homeland Security Dept. needs an asst. secy. leading a reorganized National Cybersecurity Office, rather than keeping the National Cyber Security Div. (NCSD) and its director under the asst. secy. of infrastructure protection, security experts told the Cybersecurity Subcommittee Wed. HR-285, sponsored by Reps. Thornberry (R-Tex.) and Lofgren (D-Cal.), would create that position. "Cyberattacks won't necessarily be abrupt" like physical attacks, and could easily fly under the public radar, Cyber Security Industry Alliance Exec. Dir. Paul Kurtz said. "We had a big pedestal to stand on" with other countries with the White House special assistant position, Kurtz said, but other countries don’t take U.S. efforts seriously given the job’s existing status.
*Subscription required to access full article

Washington Internet Daily, April 21, 2005*
Congress should set national policies to guard personal information, working with the private sector to define areas of risk, needs for security solutions and best practices, the Cyber Security Industry Alliance (CSIA) said Wed. In its report, the CEO-led advocacy group asked lawmakers to address cybersecurity in general as they discuss individual bills on spyware, phishing and data warehouse security. CSIA supports federal preemption of data breach notification laws cropping up in state legislatures, the group said, encouraging investigation of incentives, such as tax benefits, to get businesses to beef up security. Ensuring security and privacy means guarding storage of information such as names, addresses, social security numbers, dates of birth and credit reports, plus protecting data in transit, CSIA said, noting that technical safeguards involve data storage security, systems security and network security. "Every breach of personal information is another reason for consumers to lose trust in our information systems," said CSIA Exec. Dir. Paul Kurtz: "The right approach to securing consumers’ sensitive data requires a blend of appropriate policies, technical expertise and security technologies."
*Subscription required to access full article.