Volume 1, No. 8
April 2005
 
 

IN THIS ISSUE:


Executive Director’s Message

by Paul Kurtz, CSIA Executive Director

When CSIA launched its newsletter last September, the first issue included a feature article on Spyware and some common characteristics attributed to it. This month, we turn our attention once again to Spyware. Spyware issues have exploded over the past several months, prompting us to revisit it and review the latest developments.

CSIA's April newsletter looks at Spyware from several perspectives — legislation re-introduced from 108th Congress plus new legislation added to the list, the proliferation of state legislation targeting Spyware, and industry-wide efforts to define Spyware. We also offer an article by this month's featured CSIA member firm, TechGuard, which takes a different look at Spyware as an enhancement of Remote Access Trojans (RATs). The Spyware issue is constantly evolving, and given the level of media attention it has received recently, CSIA will continue our work on this issue and will report on updates.

The April newsletter also features a Q&A with Federal Trade Commissioner Orson Swindle. He was honored at the RSA Conference 2005 as CSIA member firms chose Commissioner Swindle to receive the Policy Award for his diligent work on cyber security issues, particularly in the area of information assurance. Swindle has been a champion for the end user with his advocacy of awareness initiatives, and he deserves credit for making the consumer's role in information security a part of the U.S. National Strategy to Secure Cyberspace.

Finally, we invite you to browse the Upcoming Events section of the newsletter. CSIA has several events scheduled this spring, including an opportunity to learn more about SOX compliance on May 3rd at CSIA's SOX Summit. Held at the International Trade Center in Washington, DC, we will bring together key stakeholders from both the corporate management and auditing communities to shed light on the implications of SOX. On June 1-2, CSIA will hold a Workshop on Securing Voice Over IP, also in Washington, DC. Scientists, technologists, policy makers, and domain experts will meet at the first conference ever to address VoIP. Finally, we have two remaining CSIA/GMU Symposia on Cyber Security and the Law, scheduled for April 26 and May 26.

It's turning out to be a busy spring, so mark your calendar now. We hope to see you at some of our events!

Back to top


Focus on Spyware

We are still at the very early stages of understanding the full impact of spyware. Many consumer users and IT administrators are finding it impossible to keep track of the countless spyware programs in cyberspace, let alone to know the extent of damage each can cause. What they do know is that they are finding software on their computers that they did not install, it cannot be easily uninstalled, and the program is tracking their every movement through the Web.

Spyware is becoming a widespread concern.

IDC, a global market intelligence and advisory firm that analyzes and predicts technology trends, estimates that nearly two-thirds of consumer PCs harbor some form of spyware. In recent months, the issues surrounding spyware and adware have taken a very serious turn: we have seen lawsuits by spyware companies targeting security companies and service providers who are working to educate consumers and offer ways to identify and eliminate spyware. Nonetheless, security companies have a responsibility to inform and protect their customers, and any legislation surrounding spyware should recognize this.

There are serious security implications of spyware, or spyware masquerading as adware.

Unknown to users, these programs can disable security software and leave their computers exposed to hackers, viruses and worms. It should not be acceptable that programs can disable users' legitimate software without their knowledge. Some important examples of the ramifications of spyware include:

  • While downloading an application containing icons for popular IM clients, some bundled adware programs terminate the customer's antivirus and firewall applications, leaving them wide open to viruses and other attacks.
  • Some spyware programs automatically install search toolbars on a user's computers using standard technical mechanisms. The problems occurs when users try to manually or programmatically remove the search toolbars, instead of deleting the program's own registry keys, it deletes virtually the entire registry, rendering the users' entire operating system unusable.
  • While installing a supposed IE browser toolbar, a spyware program is installed on the user's computer that hides any files or folders that begin with the same letters as the name of the toolbar such that they are invisible from Explorer, even if Show Hidden Files and Folders is checked under Folder Options.
  • In many cases, adware programs download and install a host of other adware and spyware programs without the user's consent or knowledge, which leaves computers open to attack.

CSIA is working with both the public and private sectors to ensure that all issues are explored and discussed before legislation is finalized around these topics.

CSIA has been working closely with several members of Congress and their staffers to provide input for the Burns-Wyden legislation that is being currently considered before Congress. We commend Senator Burns and Senator Wyden for including the Good Samaritan provision in the legislation. It is critical that security companies can protect consumers from spyware, without legal ramifications. In addition to working with Congress, CSIA has joined a group of security providers headed by the Center for Democracy and Technology in creating a working group to confront the problem posed by spyware. CSIA looks forward to working with this group to develop best practices in dealing with the issues associated with spyware.

Congress has taken notice and anti-spyware litigation has increased.

Currently, several Federal bills related to spyware are pending. You can review these in the Spyware section of the Legislative Update below. At the state level, spyware legislation has taken on a life of its own, with 29 states introducing approximately 40 bills. Some states have up to four bills relating to spyware.

We will continue to provide updates each month on the status of spyware legislation and CSIA's input to new legislation.

Back to top


Report on the CSIA/GMU Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion — State Level

On Tuesday, March 22, CSIA and George Mason University School of Law, Critical Infrastructure Protection Program co-sponsored the first in a series of forums on state, federal and international cyber security legislation. This first event focused on state level legislative efforts.

Chris DeLacy of Holland and Knight discussed state efforts such as the Utah's spyware legislation and California privacy bill AB 1950. Virginia Delegate David Albo offered a review of the Commonwealth of Virginia's 2005 computer crimes statutes. David Oblon of Albo and Oblon and Gene Fishel of the Virginia Attorney General's office presented different viewpoints on the first felony prosecution of Internet spam distributors.

Over the course of the evening, a range of discussions emerged from the speaker presentations, including the complexity of laws at state, federal and international levels and how they interrelate; the challenges in crafting effective legislation dealing with ever-evolving technology; the jurisdictional challenges in enforcing these laws due to the global reach of the internet; and the role of technical solutions versus legislative efforts regarding end user self-help against cyber-criminals.

The next CSIA/GMU Symposium looks at Federal-level legislation, and will be held on April 26th at 6:00 pm.

Back to top


CSIA Member Spotlight


Name:TechGuard Security

Chair/CEO/President: Suzanne Joyce

CoCEO/CTO: James Joyce

Founded: 2000

Headquarters: St. Louis, MO; Baltimore, MD

About TechGuard: TechGuard Security was founded in direct response to PDD 63 to address US Critical Infrastructure Security and to address issues of National Cyber Defense. TechGuard provides enterprises, government and defense agencies with Information Assurance Science and Technology, products, services and training. TechGuard performs Artificial Intelligence-based network security product development, combining cutting edge research with industry best practice security and future combat systems design. TechGuard Security is a GSA multiple award holder, an experienced research grant winner, a trusted Information Assurance services provider, and a Booz Allen Hamilton protégé selection for the DISA Mentor-Protégé Program.

Areas of Specialization: TechGuard specializes in hardware (GWOF), software and consulting solutions that address existing and future challenges of Internet security and privacy. Specifically, TechGuard maximizes firewall integrity, and minimizes network vulnerabilities and security concerns inherent in e-commerce initiatives and global Internet connections.

Back to top

Spyware – Enhanced Remote Access Trojans (E–RATs) Are Spying on Your Systems

by James Joyce, Co-CEO and CTO, TechGuard Security

Spyware is defined as a program that surreptitiously monitors your actions. While sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. Regardless of the source of the Spyware (malicious hacker, legitimate software company, industrial espionage operative, etc.), it is invariably loaded onto a computer without the user's knowledge and/or consent.

While the industry has relatively recently coined the term Spyware, media sources have picked up on this and have helped to create the public perception that Spyware is a “new thing”. As a consequence, many in the computer security sector are working on anti-Spyware software in an attempt to handle the specific threat. As well, legislators are working on new anti-Spyware legislation (SPYBLOCK).

To set the record straight, Spyware is not a new thing – it is simply and enhancement of Remote Access Trojan (RAT) technology. RATs are programs that are loaded into a computer which allow an individual at a remote location to take control of the computer and, by extension, its data. Well-known examples of RATs are Netbus and SubSeven, which are still widely in use today.

Spyware represents the natural evolution of RAT technology. Not only does it give an unauthorized individual/organization access to your computer/data, but it also automates the process of collecting said data, such as Internet browsing information, passwords, social security numbers, credit card numbers, etc. To put it more simply, and tying it in with another topical media issue, Spyware is nothing more than RAT technology on steroids, which is why I like to refer to Spyware as Enhanced Remote Access Trojan technology, or E-RATs.

Putting Spyware on someone else's computer does constitute an illegal intrusion into that computer. As such, Title 18 U.S.C. Statute 1030 already provides a legal means to deal with perpetrators of this type of malware. Congress should not have any difficulty in tying Spyware, specifically, into existing legislation; although, this effort may not be entirely necessary from a legal perspective.

The technical aspects of dealing with E-RATs are, however, another matter. Current efforts to defend against E-RATs invariably center on signature-based systems, much akin to Intrusion Detection System (IDS) solutions. New or modified malware hits the Internet and new detection signatures are written and deployed, and this cycle repeats ad infinitum. This is a perpetual race condition in which the malicious hacker has the upper hand, with the security industry in a reactive mode, especially given the fact that hackers will always be able to write around explicit signature filters.

The solution to this problem and future threats is not to continue the race condition, rather to develop new security technologies that look at software “behavior” as opposed to looking for explicit signatures. The questions to answer include:

  • What does this new Spyware / malicious threat / request do?
  • Does it behave differently from the behavior expected for the system in question?
  • Is it trying to send information stealthily to an unknown domain?

Adaptive heuristic (or Artificial Intelligence-based) systems will ultimately provide the solution to the E-RATs problem along with Trojans, viruses, and worms. Adaptive, heuristic systems are modeled on the human brain and are specifically geared towards dealing with problems of pattern recognition and generalization. As opposed to current security technology that must have an exact signature match, heuristic systems can look at, for example, unknown new code and determine if it is “similar” to known malware. Not only will this technology exterminate the E-RAT infestation, but also its implementation will put an end to the current race condition by moving cyber-security ahead of the malicious hackers.

Back to top


Federal Spotlight

Commissioner Orson Swindle, Federal Trade Commission

Born: Thomasville, Georgia, March 8, 1937

Sworn in: December 18, 1997

Education: Georgia Tech, BS (Industrial Management), 1959; Florida State University, MBA, 1975

Notable: Distinguished military career in the U.S. Marine Corps; served in the Reagan Administration from 1981-1989; worked in the US Department of Commerce and the US Department of Agriculture; Recipient of 2004 Privacy Leadership Award from the International Association of Privacy Professionals (IAPP); Recipient of CSIA/RSA Policy Award at RSA Conference 2005.

Orson Swindle was sworn in as a Republican Commissioner on the Federal Trade Commission (FTC) on December 18, 1997. During his tenure as a Commissioner, he has strived to keep information security issues a visible and high priority of both the government and the private sector. He has facilitated a dialogue on this topic between government and industry officials, both nationally and internationally, and he is a tireless advocate for awareness initiatives for end users.

While with the FTC, he was appointed in December, 2001 as head of the United States Delegation to the Organization for Economic Cooperation and Development (OECD) Experts Group to review the 1992 OECD Guidelines for the Security of Information Systems. His leadership and participation allowed the Guidelines to be reviewed and approved promptly. The document, as it stands now, offers recommendations to member countries to establish procedures concerning the security of information systems, encourages international collaboration to develop compatible standards and measures for information systems security, and urges a review of the Guidelines every five years to continuously improve international co-operation on issues relating to the security of information systems. In addition to his work with the OECD, Commissioner Swindle deserves credit for making the consumer’s role in information security a part of the U.S. National Strategy to Secure Cyberspace.

Recently, Commissioner Swindle was the recipient of 2004 Privacy Leadership Award from the International Association of Privacy Professionals (IAPP), which recognized his understanding of, and continued work on, information security and privacy issues. In February, 2005, Commissioner Swindle was recognized at the RSA Conference 2005, receiving the CSIA/RSA Policy Award for his significant contribution and leadership in the field of cyber security public policy.

Prior to being sworn in as a Commissioner on the Federal Trade Commission, Commissioner Swindle served in the Reagan Administration from 1981 to 1989 directing financial assistance programs to economically distressed rural and municipal areas of the country. As Assistant Secretary of Commerce for Development, he managed the Department of Commerce's national economic development efforts directing seven offices across the country. Mr. Swindle was State Director of the Farmers Home Administration for the U.S. Department of Agriculture financing rural housing, community infrastructure, businesses, and farming.

In 1992, Mr. Swindle became the first national leader of United We Stand America, and in 1993 he worked with Jack Kemp, Vin Weber, William Bennett and Ambassador Jeanne Kirkpatrick to form Empower America. In 1994 and in 1996, he was a Republican candidate for Congress in Hawaii's 1st Congressional District.

In addition to his remarkable civilian work, Commission Swindle has had a distinguished military career. As a Marine aviator serving in South Vietnam on November 11, 1966, Mr. Swindle was shot down from the skies over North Vietnam while flying his 205th and last combat mission. He was captured by the North Vietnamese and held Prisoner of War in Hanoi for the next six years and four months. On March 4, 1973, Mr. Swindle was released from captivity.

Mr. Swindle retired from the U.S. Marine Corps in 1979 with the rank of Lieutenant Colonel. His 20 military decorations for valor in combat include two Silver Stars, two Bronze Stars, and two Purple Hearts.

Commissioner Swindle’s career path and achievement are truly remarkable. He has been a force in improving information security and consumer protection and his commitment to the issues is admirable. CSIA has enjoyed working with the Commissioner over the past year and we hope to carry on his efforts in information security.

What is the biggest vulnerability we face in cyber security today?

I wish I could simply single out a threat or vulnerability and list it as our biggest challenge. Unfortunately, there are multiple vulnerabilities to our information systems and networks. Since there is no such thing as “perfect security,” all new technology will have vulnerabilities as well. Therefore, the biggest challenge we face is the effort needed to make cyber security a true priority for everyone who uses information technology — consumers, businesses, and government. It has proven very difficult to raise awareness that each user has a role to play to minimize vulnerabilities, and also to inspire each user to take to action.

Consumers, for example, may not fully recognize that our information systems are all interconnected and that they themselves are a vital link in the security of these systems. Good information security practices and safe computing simply must become just another part of our daily lives. Increasing this awareness will take a massive, continuous education effort.

Industry also must place greater emphasis on information security. The information technology industry must focus on minimizing vulnerabilities in product design, production, and service. In addition, all corporate leaders must make good information security and privacy practices an essential part of their business operations — literally, a part of their corporate culture.

The cost of vulnerabilities in real money and ever-diminishing confidence in the medium is already far beyond acceptable.

What do you believe is the role of government in cyber security?

Government's role is multi-faceted and it includes:

  • Taking law enforcement action
  • Educating consumers and businesses about their role in minimizing vulnerabilities and improving security
  • Partnering with industry and others to seek solutions to cyber security issues, to achieve more secure information technology, and to educate consumers about good information security practices
  • Considering and implementing new legislation when existing law is inadequate

What are the responsibilities of the private sector in supplying good software? What are the responsibilities of the end user?

It is paramount that the private sector provides better and better software, especially with respect to information security and privacy. Information technology development is at a point where security features and safeguards should be “baked in.” No consumer buys a car today without reliable safety features. Information technology should be no different.

The private sector must provide end users with effective products and easy-to-use tools, but then end users must employ those tools properly. Recognize that “end user” includes consumers, small businesses, and other entities. This again highlights the importance of education to raise awareness of our shared responsibility to use good information security practices. Industry, however, bears a heavier burden to not only make the tools available, but to educate end users as well.

What is your most significant contribution in advancing cyber security?

This is definitely a question that is better answered by others. I'd like to think that my involvement helped to stimulate a dialogue among industry, consumer groups, and government — both domestically and internationally — about the importance of information security and the urgent need for each group to take action to address vulnerabilities. We must all work together on these issues, and we must continue to learn from each other and challenge each other to address the problem.

How can policy organizations, such as CSIA, be of the greatest help to the efforts of Congress and the Administration?

Policy organizations need to constantly work with government in its efforts to educate all users of information technology on the importance of sound privacy and security practices. They should demand higher standards of quality and effectiveness of information security safeguards in new products, always working to minimize vulnerabilities. Policy and trade associations also can encourage their members — and indeed all businesses and entities — to make information security and privacy an essential element of corporate governance. In addition, these associations need to more effectively tell their story to policy and lawmakers about progress being made in cyber security.

Protecting the privacy and security of personal information and making information systems and networks secure will be an enormous challenge for years to come. We all must work together to find solutions to these critical, and often expensive and dangerous problems. We have a long way to go and a short time to get there.

Back to top


Legislative Update

Spyware

New! S. 687 – Software Principles Yielding Better Levels of Consumer Knowledge Act (SPYBLOCK Act) – Senator Conrad Burns (R-MT) and Senator Ron Wyden (D-OR)

Latest Update: S. 687 was introduced by Sen. Burns on H.R. 1080 on March 20 and was referred to the Committee on Commerce, Science, and Transportation. CSIA worked closely with Sen. Wyden's staff to include the Good Samaritan provision, which protects anti-spyware software firms from frivolous lawsuits.

Summary: S. 687 regulates the unauthorized installation of computer software, to require clear disclosure to computer users of certain computer software features that may pose a threat to user privacy.

H.R. 29 – The SPY ACT – Congresswoman Mary Bono (R-CA)

Latest Update: Also known as the “Securely Protect Yourself Against Cyber Trespass Act.” On January 6, Congresswoman Bono re-introduced her bill from the 108th Congress that aims to protect computer users against internet privacy invasion. On February 4, the bill was marked up, passed the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection, then forwarded on to the full committee for mark-up. On March 9, the full committee ordered the bill to be reported by a vote of 43-0. In October 2004, the original bill passed overwhelmingly in the House of Representatives, but did not pass the Senate before the 108th Congress came to a close.

Summary: This bill would prevent spyware purveyors from hijacking a home page or tracking users’ keystrokes. It requires that spyware programs be easily identifiable and removable, and allows for collection of personal information only after express consent from the user. Additionally, fines are exponentially increased against abusers. As passed, this bill contains an exemption for legitimate security operations.

H.R. 744 – The I-SPY Prevention Act of 2005 – Congressman Bob Goodlatte (R-VA)

Latest Update: Also known as the “Internet Spyware (I-SPY) Prevention Act of 2005.” On February 10, Representatives Bob Goodlatte, Zoe Lofgren (D-CA-16) and Lamar Smith (R-TX-21) reintroduced the Internet Spyware (I-SPY) Prevention Act of 2005. It was then referred to the House Committee on the Judiciary. This legislation was originally introduced during the 108th Congress and passed the House of Representatives by a vote of 415-0. Currently, there are no plans for hearings or mark-up, however, this bill is expected to move quickly.

Summary: This bill addresses the most egregious activities that are conducted via spyware. It would make the following activities criminal offenses:

  • Intentionally accessing a computer without authorization, or intentionally exceeding authorized access, by causing a computer program or code to be copied onto the computer and using that program or code to:
    • Further another federal criminal offense (punishable by fine or imprisonment for up to 5 years)
    • Intentionally obtain or transmit “personal information” with the intent of injuring or defrauding a person or damaging a computer (punishable by fine or imprisonment for up to 2 years)
    • Intentionally impair the security protections of a computer (punishable by fine or imprisonment for up to 2 years)

The legislation includes language to preempt States from creating civil remedies based on violations of this act.

Phishing

S. 472 – Anti-Phishing Act of 2005 – Senator Patrick Leahy (D-VT)

Latest Update: On February 28, Sen. Leahy introduced his anti-phishing legislation, which is similar to legislation he introduced during the 108th Congress (S. 2636). S. 472 was referred to the Senate Judiciary Committee, where it is awaiting further action.

Summary: The Anti-Phishing Act of 2005 criminalizes phishing, making it illegal to knowingly send out spoofed email that links to websites with the intention of committing a crime. The legislation is also intended to penalize those who falsely represent themselves as being a legitimate online business and solicits an e-mail recipient to provide identification to the phisher.

H.R. 1099 – Anti-Phishing Act of 2005 – Congresswoman Darlene Hooley (D-OR)

Latest Update: Rep. Dooley introduced H.R. 1099 on March 3, when it was then referred to the House Committee on the Judiciary.

Summary: H.R. 1099 criminalizes phishing, making it illegal to knowingly carry on any activity that links to websites with the intention of committing a crime. The legislation is also intended to penalize those who falsely represent themselves as being a legitimate online business and solicits an e-mail recipient to provide identification to the phisher. This legislation is similar to S. 472.

Data Warehouses

S. 500 – Information Protection and Security Act – Senator Bill Nelson
(D-FL)

Latest Update: Sen. Nelson introduced the Information Protection and Security Act on March 3 and it was then referred to the Committee on Commerce, Science, and Transportation. H.R. 500 is identical to H.R. 1080, sponsored by Rep. Ed Markey (D-MA).

Summary: S. 500 regulates information brokers and protects individual rights with respect to personally identifiable information. Specifically, it authorizes the Federal Trade Commission (FTC) to promulgate regulations requiring information brokers to update the information they store and allow individuals to access their information; upon request by the individual, the information brokers must disclose what information they distribute and to whom it was given; the information brokers must also authenticate users before allowing usage; finally, H.R. 1080 authorizes enforcement by FTC and allows individuals the right to private action against the brokers.

H.R. 1080 – Information Protection and Security Act – Congressman Ed Markey (D-MA)

Latest Update: H.R. 1080 was introduced on March 3 by Rep. Markey and was referred to the House Committee on Energy and Commerce. H.R. 1080 is identical to S. 500, sponsored by Sen. Bill Nelson (D-FL).

Summary: H.R. 1080 regulates information brokers and protects individual rights with respect to personally identifiable information. Specifically, it authorizes the Federal Trade Commission (FTC) to promulgate regulations requiring information brokers to update the information they store and allow individuals to access their information; upon request by the individual, the information brokers must disclose what information they distribute and to whom it was given; the information brokers must also authenticate users before allowing usage; finally, H.R. 1080 authorizes enforcement by FTC and allows individuals the right to private action against the brokers.

Privacy / Identity Theft Protection

New! S. 751 – Notification of Risk to Personal Data Act – Senator Dianne Feinstein (D-CA)

Latest Update: S. 751 was introduced on April 11, 2005 and referred to the Committee on Commerce, Science, and Transportation. This bill is based on California law, which is the first and currently the only State law requiring notification of individuals.

Summary: S. 751 requires a business or government entity to notify an individual in writing or email when it is believed that personal information has been compromised, with the exception of situations relating to criminal investigation or national security purposes. Examples of personal information include: Social Security number, driver's license or state identification number, or credit card or bank account information. The bill covers both electronic and non-electronic data, as well as encrypted and non-encrypted data.

New! S. 768 – Comprehensive Identity Theft Prevention Act – Senator Charles Schumer (D-NY) and Senator Bill Nelson (D-FL)

Latest Update: Introduced on April 12, 2005, and referred to the Committee on Commerce, Science, and Transportation.

Summary: S. 768 regulates information brokers, cracks down on the sale of Social Security numbers, and notifies Americans when their personal information is compromised. Creates a new Federal Trade Commission (FTC) office to help victims restore their identities. Creates an Assistant Secretary for Cyber Security in the Department of Homeland Security.

New! H.R. 1263 – Consumer Privacy Protection Act of 2005 – Congressman Cliff Stearns (R-FL)

Latest Update: Introduced on March 10 and referred to the House Subcommittee on Commerce, Trade and Consumer Protection on March 22.

Summary: Protects and enhances consumer privacy by instituting a number of requirements for data collection organizations, specifically to provide notification to consumers and to establish a privacy policy with respect to the collection, sale, disclosure for consideration, or use of the consumer's information.

S. 29 – Social Security Number Misuse Prevention Act – Senator Dianne Feinstein (D-CA)

Latest Update: S. 29 was introduced on Jan. 24 by Sen. Feinstein and was referred to the Committee on the Judiciary.

Summary: This bill amends the Federal criminal code to prohibit the display, sale, or purchase of social security numbers without the affirmatively expressed consent of the individual, except in specified circumstances. It directs the Attorney General to study and report to Congress on all the uses of social security numbers permitted, required, authorized, or excepted under any Federal law, including the impact of such uses on privacy and data security. S. 29 establishes a public records exception to the prohibition and directs the Comptroller General to study and report to Congress on social security numbers in public records. The Attorney General is granted rulemaking authority to enforce this Act's prohibition and to implement and clarify the permitted uses occurring as a result of an interaction between businesses, governments, or business and government.

S. 116 – Privacy Act of 2005 – Senator Dianne Feinstein (D-CA

Latest Update: S. 116 was introduced on Jan. 24 by Sen. Feinstein and was referred to the Committee on the Judiciary.

Summary: S. 116 prohibits the sale and disclosure of personally identifiable information by a commercial entity to a non-affiliated third party unless prescribed procedures for notice and opportunity to restrict such disclosure have been followed. The bill grants the Federal Trade Commission (FTC) enforcement authority. S. 166 also amends Federal criminal law to prohibit the display, sale, or purchase of social security numbers (SSNs) without the affirmatively expressed consent of the individual. This legislation prohibits the use of SSNs on checks issued for payment by governmental agencies and driver's licenses or motor vehicle registrations. It prohibits a commercial entity from requiring disclosure of an individual's SSN in order to obtain goods or services, and it establishes criminal and civil monetary penalties for misuse of an SSN.

H.R. 82 – Social Security On-line Privacy Protection Act – Congressman Rodney Frelinghuysen (R-NJ)

Latest Update: Rep. Frelinghuysen introduced H.R. 82 on Jan. 4 and it was referred to the Subcommittee on Commerce, Trade and Consumer Protection of Feb. 4.

Summary: H.R. 82 prohibits an interactive computer service from disclosing to a third party an individual's Social Security number or related personally identifiable information without the individual's prior informed written consent. The bill also requires such service to permit an individual to revoke any consent at any time.

H.R. 84 – Online Privacy Protection Act of 2005 – Congressman Rodney Frelinghuysen (R-NJ)

Latest Update: Rep. Frelinghuysen introduced H.R. 84 on Jan. 4 and it was referred to the Subcommittee on Commerce, Trade and Consumer Protection.

Summary: H.R. 84 requires the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected from and about individuals who are not covered by the Children's Online Privacy Protection Act of 1998 (age 13 and above) on the Internet. It makes it unlawful for an operator of a Web site or online service to collect, use, or disclose personal information concerning an individual in a manner that is in violation of prescribed regulations, requiring such operators to protect the confidentiality, security, and integrity of personal information it collects from such individuals. H.R. 84 also provides greater individual control over the collection and use of that information by creating a process for such individuals to consent to or limit the disclosure of such information. Additionally, H.R. 84 directs the FTC to provide incentives for efforts of self-regulation by operators to implement appropriate protections for such information. Finally, it authorizes the States to enforce such regulations by bringing actions on behalf of residents, requiring the State attorney general to first notify the FTC of such action.

H.R. 220 – Identity Theft Prevention Act of 2005 – Congressman Ron Paul (R-TX)

Latest Update: H.R. 220 was introduced on Jan. 4 by Rep. Paul. It was then referred to the Committee on Ways and Means and the Committee on Government Reform.

Summary: H.R. 220 Amends title II (Old Age, Survivors and Disability Insurance) of the Social Security Act and the Internal Revenue Code to prohibit using a Social Security account number except for specified Social Security and tax purposes. The bill also prohibits the Social Security Administration from divulging the Social Security account number of an individual to any Federal, State, or local government agency or instrumentality, or to any other individual. Conversely, no Federal, State, or local government agency or instrumentality may request an individual to disclose his Social Security account number on either a mandatory or a voluntary basis, among other prohibitions.

Internet

H.R. 214 – Advanced Internet Communications Services Act of 2005 – Congressman Cliff Stearns (R-FL)

Latest Update: Rep. Stearns introduced this bill on January 14 and on Feb. 4, it was referred to House Subcommittee on Telecommunications and the Internet.

Summary: The bill aims to promote deployment of and investment in advanced Internet communications services. It gives the Federal Communications Commission (FCC) exclusive authority regarding advanced Internet communications services, allowing the FCC to impose specific requirements or obligations on providers of advanced Internet communications voice service.

Homeland Security

S. 140 – Domestic Defense Fund Act of 2005 – Senator Hillary Clinton (D-NY)

Latest Update: Sen. Hillary Clinton introduced S. 140 on January 24. It was referred to the Senate Committee on Homeland Security and Governmental Affairs.

Summary: S. 140 provides for a domestic defense fund to improve the Nation's homeland defense by authorizing the Secretary of Homeland Security to award grants to States, units of local government, and Indian tribes for homeland security development. The grant awardees are required to develop a homeland security plan identifying both short- and long-term homeland security needs, among other items. 70 percent of grant funds are required to be allocated among metropolitan cities and urban counties based on the Secretary's calculations of various infrastructure vulnerabilities and threats such as proximity to international borders, nuclear or other energy facilities, air, rail or water transportation, and national icons and Federal buildings.

H.R. 91 – Smarter Funding for All of America's Homeland Security Act of 2005 – Congressman Rodney P. Frelinghuysen (R-NJ)

Latest Update: Rep Rodney Frelinghuysen introduced H.R. 91 on January 4. It was referred to the Committee on Homeland Security (Select), and also referred to the Committees on Transportation and Infrastructure, the Judiciary, and Energy and Commerce for consideration of provisions as they fall within the jurisdiction of the committee concerned. On February 25, it was referred to the Subcommittee on Health, where it currently is waiting for action by the Chairman.

Summary: H.R. 91 modifies the DHS grant program, authorizing the Secretary of Homeland Security to make grants to first responders. One new criteria will be "Threats to major communications nodes, including cyber and telephonic nodes."

H.R. 285 – Department of Homeland Security Cybersecurity Enhancement Act of 2005 – Congressman Mac Thornberry (R-TX) and Congresswoman Zoe Lofgren (D-CA)

Latest Update: Also known as the Department of Homeland Security Cybersecurity Enhancement Act of 2005. On January 6, Congressman Mac Thornberry and Congresswoman Zoe Lofgren reintroduced bipartisan legislation to create an Assistant Secretary for Cybersecurity position within the Department of Homeland Security's Information Analysis and Infrastructures Protection Directorate. The Assistant Secretary position was originally introduced on the 108th Congress in H.R. 10, the 911 Recommendations Implementation Act, where it was approved by the House of Representatives, but ultimately was not included in the final version of the bill.

Summary: The legislation would allow for the Assistant Secretary to have primary authority within the Department for all cyber security-related critical infrastructure protection programs of the Department, including policy formulation and program management. The legislation touts strong support from the technology, education, and financial sectors. 

Back to top


CSIA in the News

Article of Interest

Information Week, March 21, 2005
Uncovering Spyware
The technology industry wants to stamp out spyware, but first there's a question of semantics: Just what is it? Everyone agrees spyware is a growing menace—one that has become a security concern for many IT departments—but defining it hasn't been easy. Now, an effort is under way to better understand the pesky programs that are clogging up computers, at the same time IT professionals are hustling to contain them. The problem is complicated by the fact that a fuzzy line separates intrusive spyware from legitimate online-marketing programs called adware. Earlier this month, the Federal Trade Commission issued a report, based on an industry workshop it hosted last year, that calls on the business community to come up with a definition of spyware.

CSIA Coverage

PC World, March 7, 2005
Policing the Virus Writers: Good News?
A recent spate of high-profile arrests of malware writers is no cause for comfort, say computer crime experts. While law enforcement authorities have recently arrested numerous virus writers and hackers, these arrests—and the stiff prison sentences that may follow—are likely to discourage only the most casual malware writers, say experts, and will probably have minimal impact on hardened criminals, particularly those overseas. “Any arrest of a malware developer or someone perpetrating an attack is a good thing,” says Paul Kurtz, Executive Director of the Cyber Security Industry Alliance. He adds, however, that “the threat, I believe, is migrating. In other words, we've gone from script kiddies to hackers to what I've seen now: organized crime getting involved in this area. This means we'll have much more sophisticated and stealthy criminal activities.” He describes the threat as “a trend where it's getting stealthier, [the criminals] have more money, and they want to cover their tracks. What ultimately happens to the money they steal is also worrisome.”

eWeek, March 14, 2005
Homeland Security Vacancies Strain Agenda
The power vacuum atop the Department of Homeland Security's cyber-security division is straining the DHS' relationship with key private-sector allies and hampering government efforts to improve security on public and private networks. According to insiders, the situation has industry representatives set to take action on their own after five reports on security have failed to produce any federal action. The lack of direction from the top of the department and the uncertainty surrounding the search for a permanent NCSD head have been tough to overcome. “It's not that DHS isn't involving the private sector. The problem has been leadership and attention paid to cyber-security at a high level,” said Paul Kurtz, executive director of the Cyber Security Industry Alliance, in Arlington, Va. “The entire division doesn't have leadership.”

That lack of leadership has led industry officials to put more energy into private efforts, such as the National Cyber Security Partnership, a coalition of vendors, industry organizations and others concerned with information security. Formed in 2003, the NCSP last spring delivered to DHS five reports with recommendations on improving security. But DHS officials never responded to the recommendations, and little progress has been made on implementing them. As a result, NCSP members have decided to move ahead on their own.

CIO, March 15, 2005
How to Save the Internet
Professor Hannu H. Kari of the Helsinki University of Technology is a smart guy, but most people thought he was just being provocative when he predicted, back in 2001, that the Internet would shut down by 2006. So far, the information security complex—vendors, researchers, developers, users, consultants, the government, you—have demonstrated remarkably little will to wage this war. Instead, we fight fires, pointing hoses at uncontrolled blazes, sometimes inventing new hoses, but never really dousing the flames and never seeking out the fire's source in order to extinguish it. That's why we concocted this exercise, trolling the infosecurity community to find Big Ideas on how to fix, or begin to fix, this problem.

A surgeon general-like figure for security is not only a Big Idea; it's a popular one. Several folks suggest creating some kind of “government leader” or “public CIO for security,” none more vocally than Paul Kurtz, the executive director of the Cyber Security Industry Alliance. “We need more leadership at a higher level of government,” he says. At the Department of Homeland Security, he says, cybersecurity has been buried, and he believes DHS should have an assistant secretary-level person for cybersecurity. At press time, that proposal had been floated but didn't make it into the intelligence reform bill.

SC Magazine, March 21, 2005
Washington Has a New Champion
Dave Cullinane, SC's CSO of the Year, tells Illena Armstrong why infosec professionals need to be at the center of decision-making — and the best way to kill phishing sites. As CISO of Washington Mutual, Dave Cullinane has shut down around 930 phishing sites since last October. Dealing with phishing attacks and overall identity theft issues has been one of the biggest challenges for this year's winner of SC Magazine's CSO of the Year award. “What we're trying to create is an educational forum where we can provide information to [CSOs] quickly,” says Cullinane. “We're trying to do some things with federal CISOs to merge our two groups together and start some information sharing at that level. Paul Kurtz [of The Cyber Security Industry Alliance] has been helping us with that. Amit Yoran, [former US director of the Department of Homeland Security's Cyber Security Division] was before he left.”

Back to top


Upcoming Events

SOX Summit on May 3

Since its passage, the Sarbanes-Oxley Act of 2002 (SOX) has engendered spirited debate over the law’s implications for corporate information security, especially with respect to the internal control provisions of Section 404. A legal review commissioned by CSIA found that compliance with Section 404 requires publicly traded companies to employ information security to the extent necessary to ensure the effectiveness of internal controls over financial reporting.

To address the issues relating to IT security and SOX, CSIA, the Information Systems Security Association and George Mason University's CIP Program are hosting a daylong roundtable discussion of lessons learned from SOX Compliance. The conference will address whether additional guidance from the Federal government or professional associations is needed or desired in light of collective experiences.

The event will feature four panels covering: 1) corporate and financial management, 2) internal and external audit, 3) corporate and outside counsel, and 4) information security professionals.

To register, go to http://pfidc.com/sox.

Back to top

Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion

The Cyber Security Industry Alliance and The Critical Infrastructure Protection Program at George Mason University School of Law present a three-part symposium on the emerging landscape of cyber security legislation and compliance. The frequency and complexity of legislation surrounding cyber security has exploded in the past two years. As our lives and commerce become increasingly dependent on IT systems, the interaction of existing laws and proposed legislation becomes more and more complex. This symposium series explores the complex emerging framework of multi-level legal and technology compliance requirements.

Next Symposium: April 26 (Federal Level). Speakers include:

  • Michael Sozan, office of Senator Bill Nelson (D-FL)
  • Frank Cavaliere, office of Senator George Allen (R-VA)
  • Rod Nydam, GMU
  • Jessica Herrera, Minority House Homeland Committee
  • Steve Devine, Majority House Homeland Committee

For details, see https://www.csialliance.org/news/events/CSIA_GMU_Symposium.html.

Back to top

Workshop on Securing Voice Over IP on June 1-2

VoIP (Voice over IP) is the next generation technology for networks supporting voice, video and multimedia services over Internet. Security and survivability for the deployment of this technology in both government agencies and service provider networks has generated great concern, because VoIP depends on the Internet, which is vulnerable to attacks and requires continuous availability. Secure deployment of VOIP must also be seen in the context of existing or planned Federal regulations and policies. CSIA and George Mason University have joined with University of North Texas and the University of Tulsa to organize a workshop in Washington focusing on Federal activities in the area of VOIP.

For more information or to register, see http://pfidc.com/voip.

Back to top


April

April
26

Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion — Federal Level

6:15-8:00 pm at GMU Law School Main Atrium

May

May
3

CSIA SOX Summit

Washington, DC

CSIA will host a SOX Summit at the International Trade Center in Washington, DC, bringing together key stakeholders from both the corporate management and auditing communities to address that question and shed light on the implications of SOX.

May
26

Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion — International Level

6:15-8:00 pm at GMU Law School Main Atrium

June

June
1-2

CSIA Workshop on Securing Voice Over IP

Washington, DC

CSIA is sponsoring this Workshop on Securing Voice Over IP. Scientists, technologists, policy makers, and domain experts will meet at the first conference ever to address VoIP technology, research, law, and policy at the same event.

For more information or to register, see http://pfidc.com/voip.

Back to top



CSIA Has Moved

Please note our new address and phone number:

Cyber Security Industry Alliance, Headquarters
2020 North 14th Street
Suite 750
Arlington, VA 22201
Phone: +1 703-894-2742


CSIA Members

Charter Members

   

 

Principal Members

 

Emerging Security Partner

 

CSIA’s newsletter is issued monthly, to keep you informed and up-to-date on activities, issues and breaking news that affect cyber security public policy. If you have comments or questions, please send a message to Laura Brown, CSIA Policy Analyst, [email protected].

To view past editions of the CSIA newsletter, please visit: https://www.csialliance.org/news/newsletters.

To share your comments about this newsletter or to submit information, send a message to [email protected].

Stay in touch with CSIA:
Membership questions: [email protected]
Phone: +1 781-876-6205

CSIA (Cyber Security Industry Alliance)
2020 North 14th Street
Suite 750
Arlington, VA 22201
Phone: +1 703-894-2742

http://www.csialliance.org

To leave this list, please send a message with your request to [email protected].
© 2005 Cyber Security Industry Alliance. All rights reserved.