IN THIS ISSUE:
Executive Director’s Message
Paul Kurtz, CSIA Executive Director
We the People of the United States, in Order to form a more perfect
Union, establish Justice, insure domestic Tranquility, provide for
the common defence, promote the general Welfare, and secure the
Blessings of Liberty to ourselves and our Posterity, do ordain and
establish this Constitution for the United States of America.”
–Preamble, U.S. Constitution
Since 9-11, government and the private sector have struggled to
define respective roles and responsibilities in protecting the Homeland,
including securing cyberspace. The answers hold real-world consequences
with respect to resources and potential liability.
The Preamble of the U.S. Constitution states that the Federal government
is to “provide for the common defence.” The security
of cyberspace presents a challenge, given that the private sector
owns and operates the vast majority of the information infrastructure
and that the Internet is borderless, challenging state, national,
and international legal norms. Federal armies cannot defend against
invading or destructive bytes. So, how does the Federal government
provide for the “common defense”? If you expect to find
a clear answer in the following paragraphs - don’t hold
your breath. The answer will evolve over time. However, CSIA does
believe there are actions the Federal government can and should
take over the next four years to qualitatively improve cyber security,
which will help provide for the common defense.
The Cyber Security Industry Alliance presented an Agenda for the
Next Administration on December 7 at the National Press Club in
Washington, DC. The agenda specifies 12 concrete actions the government
should take to qualitatively improve cyber security. Our agenda
recognizes the importance of the President’s National Strategy
to Secure Cyberspace, released in February 2003, which remains salient
and timely. Our agenda is not meant to be exhaustive, and we recognize
the important role of the private sector in securing the information
infrastructure. We see action in each of the areas as continuing
to enable the IT revolution that is driving change across all sectors
of our economy.
We look forward to working with the Administration, the Congress,
and others in the private sector to implement the Agenda.
Back to top
CSIA Rolls Out Agenda for the Next Administration
On December 7th at the National Press Club in Washington, D.C.,
CSIA released its Agenda for the Next Administration, calling on
the Bush Administration and the Federal Agencies to take action
to improve cyber security and enable continued innovation on the
and high-level decision-makers from CSIA member firms joined Executive
Director Paul Kurtz for a panel presentation of the Agenda. Art
Coviello, President and CEO of RSA Security, discussed the importance
of raising the profile of cyber security; Steve Solomon, Chairman
and CEO of Citadel Security Software, presented issues of information
sharing, threat analysis and contingency planning; Krishna Kolluri,
President and General Manager of Juniper Networks, followed up on
Solomon’s remarks and also discussed the importance of boosting
efforts in research and development, and in security education.
The discussion was rounded out by comments in support of the Agenda
from Amit Yoran, former Director of the National Cyber Security
Division in the Department of Homeland Security.
The Agenda, which consists of 12 important recommendations identified
by the cyber security industry, was created to ensure that federal
agencies follow through on the President’s National Strategy
to Secure Cyberspace. The 12 points of the Agenda call on the Federal
- Dedicate an Assistant Secretary position in the Department
of Homeland Security
- Urge quick ratification of the Council of Europe’s Convention
- Encourage information security governance in the private sector
- Lead by example with federal procurement practices
- Close the strategic gap between government and private sector
information security efforts
- Strengthen Information Sharing and Analysis Centers (ISACs)
- Establish and test a survivable Emergency Coordination network
- Direct a federal agency to track the costs associated with cyber
- Increase R&D funding for cyber security
- Fund authorized responsibilities for NIST Computer Security
Division and White House Office of Management and Budget
- Strengthen the federal security certification process to improve
the quality of security in software
- Direct a task force to develop concrete actions that will secure
digital control systems used by utilities
By acting on these recommendations, the Administration will be
working to further protect the nation against cyber threats. In
addition, they will serve to strengthen the collaboration between
federal agencies and the private sector on information security
issues. "I think we've raised the profile, but I don't think
we got the support within the administration that we should have,"
said Art Coviello of RSA Security. "All of these (recommendations)
should be done and be done quickly."
“CSIA is committed to working with the administration to
act on the President’s National Strategy to Secure Cyberspace
in a collaborative effort to improve cyber security across the public
and private sectors,” said John W. Thompson, Chairman and
Chief Executive Officer of Symantec and Chairman of the CSIA. “We
face serious threats and vulnerabilities to the national information
infrastructure that must be met head on with strong leadership by
For additional information, see:
Paper on the Agenda for the Next Administration
release announcing the Agenda for the Next Administration
from the Rollout Event for the Agenda for the Next Administration
Back to top
Name: Juniper Networks
Chairman and CEO: Scott Kriens
Headquarters: Sunnyvale, CA
Worldwide Offices: Juniper has its European
Headquarters in Surrey, UK; Asian-Pacific Headquarters in
Central, Hong Kong; and Japanese Headquarters in Tokyo
Number of Employees: 2,500
About Juniper: Juniper Networks is a leading
global provider of networking and security solutions. It focuses
on customers who derive critical infrastructure from their
networks. Juniper’s customers include major network
operators, enterprises, government agencies, and research
and educational institutions globally. Juniper Networks delivers
a portfolio of networking solutions that support the complex
scale, security, and performance of the world's largest and
most demanding mission-critical networks, including the world's
top 25 service providers and 8 of the top 15 Fortune 500 companies.
Areas of Specialization: Juniper Networks
provides a portfolio of industry-leading technical support,
professional services, and education programs that helps customers
and partners gain the maximum value from their network and
- Juniper Networks portfolio of Support Services provides
backup support and allows customers to select from a variety
of options to augment their in-house technical expertise.
- The Juniper Networks Professional Services group provides
expertise and customized consulting services to assist customers
in planning new services and technologies.
- Juniper Networks Educational Services deliver education
and technical certification programs to help customers build
their IP network expertise through standard technical programs,
web-based courses, customized workshops, and hands-on lab
Back to top
Juniper's Infranet Vision
The Internet has flourished in recent years because it provides
widespread connectivity at a relatively low cost. Even so, the Internet
in its current state has some major drawbacks, including marginal
performance, low value, unreliability, and perhaps most importantly,
a lack of security.
Network security breaches are escalating in number and complexity.
Security breaches are on track to grow 600% from 2000 levels (source:
CERT Coordination Center). In order for business, government, and
consumers to entrust their mission-critical data and personal information
to the public network, it must play a fundamental role in securing
transmission and filtering attacks.
Today’s challenges cannot be solved by conventional
private or public networking approaches. At Juniper, we see
the solution as neither a public Internet nor a private network
infrastructure; it is instead the best of both.
The solution is an infranet. An infranet
is a move away from closed networks and proprietary solutions to
selectively open networks and industry collaboration. An infranet
is a way to give each business and user a unique slice of a secure
public infrastructure and to change user expectation as to its value,
performance, predictability, and perhaps most importantly, security.
It is a way for businesses and consumers to select and be billed
for the range of services and level of experience that is right
An infranet, as envisioned by Juniper and the other members
of the Infranet Initiative Council, is comprised of three
fundamental building blocks:
- Expected experience driven by the user’s application:
‘User Request” enables users to automatically
get the experience they require, based on the application
they are using. The application dynamically requests the
level of security, quality and bandwidth it requires from
- Predictability throughout the network: ‘Assured Deliver’
provides a network foundation to ensure that services are delivered
throughout the network with the specifications required by the
- Realistic implementation for next-generation mass-market communication:
Carrier connections are required to make global services economically
viable and to deliver the true value of the networked community.
Just as the industry has developed successful carrier connections
for voice and mobile networks, the same must be done on the public
Infranets will be built independently by each service provider
and will be interconnected. Over time, a new global meta-network
will emerge, similar in some respects to today’s PSTN and
Internet, yet built to deliver a very different set of applications
and with very different user expectations about its capabilities
The benefits of an infranet are commensurate with the magnitude
of the problems it solves.
- A secure and predictable public network means that enterprises
and governments will be able to reap the full benefits of Web-enabling
their businesses - benefits that dramatically impact the
bottom line. In addition, organizations will be able to leverage
productivity enhancements inherent in the rapidly growing area
of machine-to-machine communications.
- Consumers and enterprises will achieve a confidence level in
network security that is critical to the growth of the online
economy. Widespread content distribution over the public network
will become more viable and less costly by using infranets to
deliver a quality experience. Service providers can match network
quality and pricing with the required user experience.
- Infranets will unlock true person-to-person next-generation
communication. A small business may opt to pay for a high-quality
conference with a client while friends may share pictures in real
time via a digital camera phone.
As an industry, we understand that the success of the infranet
model will rely upon developing inter-carrier connections
that can support a wide range of automatic application delivery
between networks. These inter-carrier connections must be
able to provide the following:
- The ability for premise equipment and end applications
to communicate quality, security, and bandwidth requirements
to the network so that users get their expected experience.
- The ability for networks to communicate applications-appropriate
levels of service and security when handing off traffic
and to implement those service levels when receiving traffic.
- Accounting mechanisms that will enable carriers to bill
each other for traffic handed off between their networks.
- Appropriate interfaces that meet regulatory requirements
by allowing regulated networks to signal and communicate
fairly and consistently with unregulated networks.
Industry participants must collaborate to develop required specifications
and sponsor them to the appropriate standards bodies for ratification.
At Juniper, we believe that no one company can build the basic
infranet structure. An infranet requires a fundamental shift from
closed networks to vender and carrier cooperation. We firmly believe
that industry collaboration is the only way to build the network
of the future that will benefit all parties; service providers,
vendors, content providers, businesses and consumers.
Infranet Initiative Council Members include:
Time Warner Telecom
Back to top
Nominate the Next Public Policy Award Winner!
Each year, the RSA Conference presents awards for excellence in
a variety of categories. For 2005, the award for public policy is
co-sponsored by the Cyber Security Industry Alliance. Entries
will be judged by CSIA members and Executive Director Paul Kurtz
will present the award to the recipient(s).
The RSA Conference Award for Public Policy is designed to recognize
significant contribution and leadership in the field of cyber security
public policy. The judging committee seeks to reward nominees who
hold elected or appointed office, are associated with public interest
organizations, or are associated with an organization that has significantly
contributed to the development or application of current information
CSIA newsletter readers are welcome and encouraged to submit nominations
for the Award.
To submit your nominee(s), go to:
Past recipients include:
U.S. Senator, Utah
U.S. Representative, New York
U.S. Representative, Virginia
NIST Advanced Encryption Standard Committee
Ed Gillespie and Jack Quinn
Executive Director and Co-Chairman of Americans for Com
For more information on the RSA Conference Award for Public Policy,
Back to top
H.R. 10/S.2845 - The National Intelligence Reform
Act of 2004
The National Intelligence Reform Act of 2004, which includes recommendations
from the 9/11 Commission Report, was signed by President Bush on
Dec. 17. The law amended the Clinger-Cohen Act to include cyber
security as a requirement for systems planning and acquisition by
agencies. The law, however, did not contain the provision creating
an Assistant Secretary for Cyber Security in the Department of Homeland
Congressional supporters of the provision indicated that an Assistant
Secretary position will be a priority for them in the 109th Congress.
CSIA will work with both the Administration and the 109th Congress
to ensure an Assistant Secretary position is created at DHS.
Back to top
Born: San Mateo, California, December 21, 1947
Elected: 1994 (will begin sixth term in January
Committee Assignments: House Select Committee on
Homeland Security: Ranking Member, Subcommittee on Cybersecurity,
Science, Research & Development; Subcommittee on Rules; House
Judiciary Committee: Subcommittee on the Courts; The Internet and
Intellectual Property Subcommittee; Subcommittee on Immigration
and Claims; House Committee on Science: Subcommittee on Research;
Subcommittee on Environment, Technology and Standards
Education: Stanford University, B.A. 1970 (Political
Science); University of Santa Clara School of Law, J.D., cum laude,
Career: Staff Assistant to Congressman Don Edwards;
worked on impeachment proceedings, the Equal Rights Amendment, and
creation of the Don Edwards National Wildlife Refuge in the South
San Francisco Bay; Lawyer; Law Professor; Served on Santa Clara
County Board of Supervisors, 1981-1994.
Notable: Introduced legislation to accelerate
the development of fusion as a long-term energy source, which was
included in the comprehensive House energy bill (H.R. 4); successfully
fought to initiate the “e-rate” that provides affordable
Internet access for schools, libraries, and rural health centers;
served as Democratic floor manager for the 21st Century Patent Improvement
Act; initiated the SAFE Act to ease export control on encryption;
TechNet Founder’s Circle Award, May 2000; named “Cyber
Champion” by Business Software Alliance; named “Congressional
Leader” by Semiconductor Industry Association and presented
with the Congressional Leadership Award in 1998; dubbed “Leader
of the Pack” on high-tech issues by C/Net News.com; named
one of Top 10 high-tech supporters in Congress by Tech Law Journal.
Congresswoman Zoe Lofgren has consistently been recognized as a
leader of high tech issues since she was first elected to Congress
in 1994. As Representative of California’s 16th District,
which includes the Silicon Valley, high tech issues are on her doorstep
every day. The list of initiatives, programs, and legislation she
has sponsored and co-sponsored for the benefit of the high tech
industry is staggering.
In the 105th Congress, she worked with Rep. Bob Goodlatte (R-VA),
co-sponsoring the Safety and Freedom through Encryption Act (SAFE).
This legislation guaranteed all Americans the right to use any encryption
product, without key escrow, and loosened export restraints. Although
the bill ultimately did not pass, it was met with wide support by
the computer and Internet industry, demonstrating Lofgren’s
understanding of industry issues.
Lofgren has also led the fight to ensure that schools receive
Internet access, and she is always advocating for schools and crime-prevention
projects in her district. On the high-tech front, the Congresswoman
played a crucial role in crafting the compromises that generated
broad bipartisan support for the Biomaterials Access Assurance Act,
which was passed to end the shortage of biomaterials available to
medical device manufacturers. She also was a leader in securing
the passage of the Securities Litigation Uniform Standards Act to
apply uniform federal standards to securities litigation, and the
Internet Tax Freedom Act to impose a moratorium on Internet taxes.
In 1999, the House Democratic Whip, Rep. David Bonior (D-MI),
appointed Lofgren to the position of At-Large Whip for the 106th
Congress. Bonior stated that she "is a strong advocate for
the concerns of America's working families and has a keen understanding
of high tech issues."
Congresswoman Lofgren is a member of the House Select Committee
on Homeland Security, where she serves as Ranking Member on the
Subcommittee on Cybersecurity, Science, Research & Development
and sits on the Subcommittee on Rules. Additionally, she serves
on the House Judiciary Committee’s Subcommittee on the Courts,
the Internet and Intellectual Property Subcommittee and the Subcommittee
on Immigration and Claims. Finally, Lofgren is a member of the House
Committee on Science’s Subcommittee on Research and Subcommittee
on Environment, Technology and Standards.
Congresswoman Lofgren has taken advantage of her roles on these
Congressional committees to bring improvements to the high tech
industry, working closely with her Republican colleagues. Of particular
note, as Ranking Member of the Subcommittee on Cybersecurity, Lofgren
and Chairman William “Mac” Thornberry (TX-13) have held
fifteen bipartisan hearings and briefings on cybersecurity and science
and technology matters during the 108th Congress. The Subcommittee
reached out to diverse groups and individuals on ways to improve
cybersecurity for the nation. The Subcommittee heard from private
sector experts who own and operate critical information infrastructure.
Federal, state, and local government officials and academic experts
testified on the need to fortify the nation's cybersecurity. A variety
of oversight sessions were also held on the Department of Homeland
Security's role and responsibilities in helping to improve cybersecurity.
Chairman Thornberry and Ranking Member Lofgren continued their
efforts by introducing two bills to enhance cybersecurity and science
and technology. H.R. 5068 and H.R. 5069 focused on several cyber
security issues, such as the creation of a National Cybersecurity
Office, headed by an Assistant Secretary for Cybersecurity, a national
response system, an awareness and training program that identifies
vulnerabilities, and a grant program for institutions of higher
education for the purpose of cybersecurity professional development.
Although the bills never left committee, key elements from H.R.
5068 are in H.R. 10, the 9/11 Recommendations Implementation Act,
which was passed on December 7, 2004.
We will continue to look to Congresswoman Lofgren’s leadership
on the Subcommittee on Cybersecurity, Science, and Research &
Development and her ongoing efforts to elevate awareness and make
cybersecurity a top-level agenda item.
What is the biggest vulnerability we face in cybersecurity
Our economy and infrastructures are dependent on the durability
of our computer networks and systems. This interdependence makes
our economy and security vulnerable to cyber attack. We are also
vulnerable to a cyber attack that is combined with a physical attack.
Unfortunately, both within and outside the government, we are
not adequately prepared. Systems and technologies were, and continue
to be, deployed without giving sufficient consideration to security.
The Department of Homeland Security is failing to provide the leadership
necessary to protect cyberspace. This is due to the de-prioritization
of cybersecurity by the current administration. Two years ago, the
government's top advisor on cybersecurity sat in the White House.
Today, the position is buried four levels down in the Department
of Homeland Security bureaucracy.
Congressman Mac Thornberry and I listened to the experts in technology,
banking, business, and academia and introduced legislation to remedy
this problem by creating an Assistant Secretary of Cybersecurity.
I hope we can reintroduce this bill in the coming Congress so we
can make sure that the top government cybersecurity personnel has
the access and authority to get the job done.
The creation of this position will also help protect our physical
and converged physical-cyber infrastructures by hopefully putting
experts - not bureaucrats - in charge.
Incredibly, when I recently reviewed California's list of critical
assets and resources in the National Asset Database, many if not
most of what should be assessed and protected had not even made
it onto the list. State and local law enforcement, which are our
first responders, do not even know about the lists. The Department
cannot possibly conduct meaningful analysis if it is using incomplete
and inaccurate data as a foundation.
What do you believe is the role of government (Executive
Branch/Congress) in cybersecurity?
The U.S. Government has an important leadership role to play in
the cybersecurity arena. The majority of the nation's cyber-infrastructure
is in private hands.
The Department of Homeland Security must work with the private
sector to identify vulnerabilities and encourage cybersecurity improvements.
The Department and other parts of the Executive Branch also lead
by example and secure their own systems and networks. If the government
simply employed better procurement and internal security practices,
it would be making significant progress. Today, government systems
are so insecure that many in the private sector fear sharing information
with the government lest that information be compromised.
In Congress, we must conduct vigorous oversight of the Department
of Homeland Security to make sure that the job is getting done.
We must also encourage the private sector - from large companies
to the home-user - to make cybersecurity a priority. One way
to do this is to work with the private sector in understanding insurance
and incentives options that could aid in this effort.
Government also has an important role to play in research and education.
Congress can assist this effort by providing sufficient funding
to existing programs, especially those created by the Cybersecurity
Research and Development Act.
One thing we should not do is be overly prescriptive and regulatory.
The technology is moving too fast to attempt to legislate prescriptive
solutions. The code writers are faster than the legislative process!
What are the responsibilities of the private sector in
supplying good software? What are the responsibilities of the end
The old cliché: "You are only as strong as your weakest
link" comes to mind. Everyone has a role to play. We are all
interconnected - from the government to the producers of hardware
and software to the corporate enterprise to the home user -
so we must work together to protect our cyber infrastructure. I
suspect that in the end we are also going to continue to have a
greater involvement by ISPs relative to home user security. Indeed,
the steps taken in a recent month by some ISPs to integrate AV into
their services shows this trend.
As you might expect, the technology sector is generally well ahead
of other parts of the economy in caring about cybersecurity. However,
“Old Economy” industries are, today, as reliant on technology
as the companies in Silicon Valley, my home. Yet, many of the companies
in these sectors appear to be less aware than they should be about
their vulnerabilities. And, of course, successful attacks against
them would have quite an important and adverse impact on our American
economy as a whole.
How can policy organizations, such as CSIA, be of the greatest
help to the efforts of Congress?
The creation of CSIA this past year has been vital in helping to
educate the public about cybersecurity. It and other policy organizations
must continue these education efforts. These issues are very complex
and we need to hear from the people on the front lines about the
threat and the best ways to fight back. CSIA can also help Congress
understand how existing federal and state laws are working in the
Back to top
in the News
For Full CSIA Agenda Coverage visit: https://www.csialliance.org/news/inthenews/
MSNBC, December 7, 2004
cyber security measures urged
Saying the nation’s vital infrastructure is too vulnerable
to cyber terrorism and computer crime, a group of industry experts
called on the Bush administration to take tougher counter measures.
The Cyber Security Industry Alliance chose the anniversary of
the Pearl Harbor attacks to sound the alarm over a new threat
to America. "We are already under significant attack: It's
not one big one, it’s daily," said Arthur Coviello,
CEO of RSA Security.
This article is the written supplement to a CNBC Closing Bell
Reuters, December 7, 2004
Push for More Computer Security Efforts
Computer-security experts, including former government officials,
urged the Bush administration on Tuesday to devote more effort
to strengthening defenses against viruses, hackers, and other
online threats. The Bush administration should spend more on computer-security
research, share threat information with private-sector security
vendors, and set up an emergency computer network that would remain
functional during Internet blackouts, a computer-security trade
This article also appeared in the following publications:
CNN, The Washington Post and Wired News
The Wall Street Journal, December 7, 2004
Tighter Cyber Protection Is Urged By Computer-Security Industry
Computer-security executives are pressing the Bush administration
to address threats to the nation's information-technology systems
-- which they say were neglected during the president's first
term. Seizing on the shake-up in top leadership at the Department
of Homeland Security, the executives plan today to issue a dozen
recommendations, including creating a backup communications network
in the event of a major Internet outage and improving security
for electronic controls used in electricity transmission, subways
and other critical systems.
This article is by subscription only.
Back to top
RSA Conference 2005
Moscone Center, San Francisco, CA
The RSA® Conference, the most prestigious information
security event of the year, is also the most authoritative
source for uncovering new ways to thwart cyber-criminals trying
to smuggle themselves into today's businesses. As such, it
is a "must attend" event for organizations that
deploy, develop or investigate data security or cryptography
products. Stay tuned for event details in our January newsletter!
Back to top
New CSIA Members
CSIA welcomes our new members!
CEO: Mark Templeton
Emerging Security Partner:
CEO: Suzanne Joyce
Co-CEO/CTO: James Joyce
Emerging Security Partner:
CSIA’s newsletter is issued monthly, to keep you informed
and up-to-date on activities, issues and breaking news that affect
cyber security public policy. If you have comments or questions,
please send a message to Laura Brown, CSIA Policy Analyst, [email protected].
To view past editions of the CSIA newsletter, please visit: https://www.csialliance.org/news
To share your comments about this newsletter or to submit information,
send a message to [email protected].
Stay in touch with CSIA:
Membership questions: [email protected]
CSIA (Cyber Security Industry Alliance)
1201 Pennsylvania Avenue, NW
Washington, DC 20004
To leave this list, please send a message with your request to
© 2004 Cyber Security Industry Alliance. All rights reserved.