Protecting Internet Business Infrastructures:
CSIA Member Spotlight
Name: Internet Security Systems, Inc.
Chairman and CEO: Thomas Noonan
Headquarters: Atlanta, GA
Worldwide Offices: Internet Security Systems maintains offices in more than 20 countries worldwide and is publicly traded on NASDAQ (ISSX)
Number of Employees: 1200
About ISS: Internet Security Systems is a global leader in enterprise information security, providing research, products and services that preemptively protect critical infrastructures against Internet threats. ISS celebrated its 10th anniversary in 2004 and has spent the last decade commanding the leading edge of security innovation with the invention of cornerstone technologies such as vulnerability assessment and intrusion detection/prevention. The company continues to innovate the security space with its Proventia® Enterprise Security Platform (ESP), offering enterprise-wide preemptive protection that is tightly integrated with existing IT business processes.
Areas of Specialization: ISS provides complete network, server and desktop protection from viruses, worms and other Internet attacks with its Proventia product family. The ISS Proventia Platform provides complete intrusion detection and prevention, firewalls, vulnerability assessment, integrated security appliances, Web filtering, mail security and a centralized management system. This combination of complete security with centralized management, monitoring and reporting works to maximize network uptime and minimize the need for active administrator involvement.
The past year revealed several new trends in cyber attacks. Internet Security Systems' (ISS) X-Force® Research and Development team has documented a growing relationship between traditionally separate attack methodologies. Cyber criminals are using a combination of exploits to attack smaller or less well known vulnerabilities for greater penetration and damage. For example, spam could be used to install spyware that could then launch an application to exploit Voice over Internet Protocol (VoIP) call processing software. These trends represent an alarming interest by cyber criminals in disrupting world businesses and financial stability.
With an eye on these evolving threats, the U.S. government has asked for help from the private sector to stop their spread. In 2001, President Bush signed Executive Order 13231, creating the National Infrastructure Advisory Council (NIAC), acknowledging that protecting cyberspace is a task best addressed through a combination of public and private ingenuity. The NIAC is a 30-member group of today's most influential heads of academia, government and private-sector companies like ISS.
Reporting to the White House, and working closely with the Department of Homeland Security, NIAC Working Groups have already responded to the increasing challenges of protecting our cyber economy. Incorporating input from international business leaders, the NIAC has provided direction and support for projects such as the Prioritization of Cyber Vulnerabilities, the Evaluation and Enhancement of Information Sharing and Analysis (EEIS), Risk Management, Intelligence Coordination, Internet Hardening, Best Practices for Government Security Enhancement and a Common Vulnerability Scoring System.
As the Chair of the EEIS Working Group, ISS was directly involved in the recommendations to secure funding from the government for building necessary communications infrastructures in the Information Sharing and Analysis Centers (ISACs). ISACs are sector-specific groups of businesses working together to form a threat identification and notification matrix to protect their sector's interests. ISS has also been instrumental in helping to develop policies for protecting critical business infrastructures here in the U.S.
Since the government first proposed building ISACs in 1996, every major business sector - chemical, financial, energy, food and agriculture, water, electricity, transportation, telecommunications and government emergency services - has created such a network of information sharing to disseminate threat information to its respective members and key government agencies. These clearinghouses for threat identification and notification have been a resounding success and provide clear direction for other security initiatives in the future.
If ISACs are a shining example of intra-sector partnership, the NIAC represents a milestone in public and private cooperation. Though the call for an active public-private partnership may seem idealistic, I have seen it work firsthand. ISS already practices effective information sharing among various private-sector, government and academic institutions. This voluntary process has been most effective, not because of any legislative mandates, but because of the self-regulated best practices we, the business community, have put into place and the commitment we share to overlook competitive differences for the sake of protecting cyberspace.
When it comes to protecting the Internet, government can't be the only entity looking for a solution. This conclusion has nothing to do with political philosophy. The nature of the Internet makes it a requirement. Instead, a new model of partnership that recognizes the unique nature of this relatively new medium has been found through the creation of the NIAC. Moving forward, I envision a growing coalition of organizations dedicated to the same goals.
ISS is honored to serve alongside other committed members like the Cyber Security Industry Alliance. With their help, the NIAC will be able to expand on its work within the government to influence policy, and work in the private community to encourage cyber security awareness and education. This year we'll see many changes in the cyber security landscape. Together with the NIAC and CSIA, ISS will continue to effect change towards a more secure business Internet infrastructure.
Latest Update: Also known as the “Securely Protect Yourself Against Cyber Trespass Act.” On January 6, Congresswoman Bono re-introduced her bill from the 108th Congress that aims to protect computer users against internet privacy invasion. A subcommittee markup is scheduled for Wednesday, February 16 at 10:00 am in room 2123 of the Rayburn House Office Building. In October 2004, the original bill passed overwhelmingly in the House of Representatives, but did not pass the Senate before the 108th Congress came to a close.
Summary: This bill would prevent spyware purveyors from hijacking a home page or tracking users’ keystrokes. It requires that spyware programs be easily identifiable and removable, and allows for collection of personal information only after express consent from the user. Additionally, fines are exponentially increased against abusers. As passed, this bill contains an exemption for legitimate security operations.
Latest Update: Also known as the “Internet Spyware (I-SPY) Prevention Act of 2005.” On February 10, Representatives Bob Goodlatte, Zoe Lofgren (D-CA-16) and Lamar Smith (R-TX-21) reintroduced the Internet Spyware (I-SPY) Prevention Act of 2005. This legislation was originally introduced during the 108th Congress and passed the House of Representatives by a vote of 415-0. Currently, there are no plans for hearings or mark-up, however, this bill is expected to move quickly.
Summary: This bill addresses the most egregious activities that are conducted via spyware. It would make the following activities criminal offenses:
The legislation includes language to preempt States from creating civil remedies based on violations of this act.
Latest Update: Rep Rodney Frelinghuysen introduced H.R. 91 on January 4. It was referred to the Committee on Homeland Security (Select), and also referred to the Committees on Transportation and Infrastructure, the Judiciary, and Energy and Commerce for consideration of provisions as they fall within the jurisdiction of the committee concerned.
Summary: H.R. 91 modifies the DHS grant program, authorizing the Secretary of Homeland Security to make grants to first responders. One new criteria will be "Threats to major communications nodes, including cyber and telephonic nodes."
Latest Update: Sen. Hillary Clinton introduced S. 140 on January 24. It was referred to the Senate Committee on Homeland Security and Governmental Affairs.
Summary: S. 140 provides for a domestic defense fund to improve the Nation's homeland defense. It modifies the DHS grant program to include new criteria such as:
Latest Update: Also known as the Department of Homeland Security Cybersecurity Enhancement Act of 2005. On January 6, Congressman Mac Thornberry and Congresswoman Zoe Lofgren reintroduced bipartisan legislation to create an Assistant Secretary for Cybersecurity position within the Department of Homeland Security's Information Analysis and Infrastructure Protection Directorate. The Assistant Secretary position was originally introduced in the 108th Congress in H.R. 10, the 911 Recommendations Implementation Act, where it was approved by the House of Representatives, but ultimately was not included in the final version of the bill.
Summary: The legislation would allow for the Assistant Secretary to have primary authority within the Department for all cyber security-related critical infrastructure protection programs of the Department, including policy formulation and program management. The legislation touts strong support from the technology, education, and financial sectors.
Born: Minot, North Dakota, January 5, 1949
Elected: 1994 (began sixth term in January 2005)
Committee Assignments: House Committee on Government Reform (Chair); House Homeland Security Committee
Education: Amherst College, B.A. (Political Science); University of Virginia, J.D.
Notable: Spent four years as a U.S. Senate Page; Vice President and General Counsel of PRC, Inc., a high technology and professional services firm headquartered in McLean, Virginia; founded the Information Technology Working Group, which focused on promoting a better understanding of issues important to the computer and technology industries; sponsored the Y2K Act; recipient of the Electronic Industry Alliance’s 1999 Congressional Technology Policy Award; inducted into the American Electronics Association’s High Tech Hall of Fame in Spring 2000; received awards from Americans for Tax Reform, the National Federation of Independent Businesses, the Information Technology Association of America, the Information Technology Industry Council, US Chamber of Commerce, the National Association of Chief Information Officers, the IT Industry Council, and the Coalition for Government Procurement.
Tom Davis’s list of legislative accomplishments began almost as soon as he took office in 1994, when he was given control of the Government Reform Committee's Subcommittee on the District of Columbia. During his first year in Congress, Tom authored and co-sponsored several important bills that were enacted into law, including the D.C. Financial Control Board Act; the Unfunded Mandates Reform Act of 1995; the Federal Acquisition Reform Act; and the Securities Litigation Reform Act of 1995.
Congressman Davis serves as one of four co-chairs of the Information Technology Working Group, a group he founded to promote a better understanding of issues important to the computer and technology industries. In May 1999 he sponsored the Y2K Act, legislation which ensured that businesses spent their money on Y2K compliance rather than saving it for costly lawsuits that might have otherwise arisen. Congressman Davis was the recipient of the Electronic Industry Alliance's 1999 Congressional Technology Policy Award and was inducted into the American Electronics Association’s High Tech Hall of Fame in Spring 2000.
In January 2001, Congressman Davis was named chairman of the newly formed Government Reform Subcommittee on Technology and Procurement Policy. He also reclaimed his seat on the Energy and Commerce Committee, with a spot on the Subcommittee on Telecommunications and the Internet. In just two years, Congressman Davis successfully passed several important bills through Congress, including the Digital Tech Corps Act, the E-Gov Act of 2002, the Federal Information Security Act, and the Critical Infrastructure Information Act. And, in keeping with his belief that the top source of waste in government can be found in spending on goods and services, Congressman Davis’s vigilant oversight of large dollar federal contracts resulted in hundreds of millions of dollars saved for the taxpayers.
Congressman Davis’s legislative accomplishments were recognized in January 2003, when he was elected to chair the House Government Reform Committee for the 108th Congress. In 2004, Congressman Davis authored significant portions of the 9-11 Implementations Act, including streamlining the security clearance process and strengthening the FBI’s personnel procedures. Under Congressman Davis’s leadership, the Committee conducted oversight on and investigated matters related to the effective administration of government programs of great public interest, including the role of the National Guard in national security and homeland defense, and management of the Department of Homeland Security.
In addition, Congressman Davis held hearings on emergency preparedness in the Capital Region and threats to Government information networks presented by peer-to-peer file sharing programs; approval of a report on the Committee’s years-long investigation of the FBI’s use of informants; review of consumer safeguards on Internet pharmacy websites; hearings on contract mismanagement at the Department of Energy and other departments and agencies; and inquiries into the training and testing of airline passenger screeners and implementation of the historic US-VISIT program.
In January 2005, Tom was reappointed to serve as chair of the House Government Reform Committee. The committee will focus on legislation including driver’s license security; reauthorization of Executive Reorganization Authority; Presidential appointments process streamlining; reorganization of the General Services Administration; and further acquisition reform. On the oversight side, the Committee will focus on the GAO’s high-risk list; management of the Department of Homeland Security; the evolving role of the National Guard; and the misuse of federal grant money in the District of Columbia, among other issues.
Congressman Davis’s list of accomplishments, awards and recognition for his work only demonstrates that, as a leader in Congress, he is effective, knowledgeable and well-respected. He is a friend to the industry and we look forward to working with him in the 109th Congress.
1. What is the biggest vulnerability we face in cyber security today?
Our biggest vulnerability is the lack of education on cyber security and the scope of threats we face. Given the interconnectivity of systems across cyberspace, all it takes is one weak link to break the chain. The vulnerabilities of our systems are significant, and the potential damage that can be done is a lot more than any plane flying into a building; that’s the reality. Therefore, everyone must protect his or her piece of cyberspace. All users – whether they are at home, school, or work – need to understand the impact of weak security and the measures that should be taken to prevent or respond to cyber attacks. The most powerful tool we can use to combat this weakness is better information sharing between the public and private sectors and between different levels of government. So far, this issue hasn’t been given enough attention.
2. What is your most significant contribution in advancing cyber security?
I developed and sponsored the Federal Information Security Management Act (FISMA). It requires that all federal agencies establish and implement a comprehensive risk-based framework for agency-wide information security management, which includes risk assessments, risk management policies, security awareness training, and periodic reviews.
I also wrote the Critical Infrastructure Information Act, which regulates the use and disclosure of information voluntarily submitted to DHS by the private sector about vulnerabilities and threats to critical infrastructure. This act is intended to encourage information sharing between the federal government and the private sector owners and operators of critical infrastructures.
3. What do you believe is the role of government (Executive Branch/Congress) in cyber security?
We must ensure that federal agencies have strong management frameworks in place that protect federal systems. That's why federal agencies' compliance with the FISMA is critical. The Government Reform Committee will continue its aggressive oversight of FISMA. Specifically, the Committee will release Federal Agency FISMA compliance scorecards and review FISMA implementation to determine whether there is a need to amend or clarify provisions.
Government must also focus on facilitating better communication between the public and private sector to protect critical infrastructure, including our cyber infrastructure. It’s important for government to ensure that information sharing is a two-way street. For instance, it is not enough for the private sector to share information about its vulnerabilities with federal agencies. The government needs to do a better job of sharing information with the private sector about potential cyber threats and response plans so it can better protect its critical infrastructure assets.
4. What are the responsibilities of the private sector in supplying good software? What are the responsibilities of the end user?
IT training programs offered in the workplace should have an increased focus on security. In fact, this Congress I will examine the information security training program available to federal employees to determine whether it is adequate.
Education is another critical factor. From Chief Information Officers to students to small business owners, everyone must know how to respond to cyber attacks. When a new flaw is identified in ubiquitous software, users must take preemptive action to minimize damage from the inevitable hacker attacks. For example, security patches released by software manufacturers can be installed in systems to correct these flaws. When patches are announced, one has to act quickly to install them. So, does the average computer user know what software he is running? Does he know if the alert applies to him? If so, does he know where to find the patch and how to apply it? End users must understand why and how they need to secure their systems. They need to understand the fundamentals of computer protection and be able to differentiate between safe online behavior and actions that will expose vulnerabilities.
The bottom line is that basic facts about cyber security need to be second nature to all computer users. The aggressive push to implement e-government initiatives means that federal computer systems are communicating with computers in homes and businesses (e.g., IRS e-filing). If non-federal computers are not adequately secured, there is added risk to our federal systems. We are all in this together and we must rely on one another to do each other's part.
5. How can policy organizations, such as CSIA, be of the greatest help to the efforts of Congress?
It’s very important for CSIA and similar organizations to educate Congress about not only the issues that are important to the private sector, but cyber security in general, as well. Few members – maybe 10 out of 535 – know what FISMA is. I think a lot of members understand the concepts. But if you don't have constituent interest in this area, there are few incentives for members to get involved until there is some downside – either a cyber Pearl Harbor, companies lose money, or people get hurt. We need to educate our members before something awful happens and that’s where policy organizations can help.
Federal Computer Week, January 24, 2005
The Davis Plan
Rep. Tom Davis (R-VA) is a man with a plan. That has become increasingly evident as Davis has become one of the most influential people in the information technology community. Davis sat down with Federal Computer Week staff on Jan. 13 to discuss his agenda for the 109th Congress and offer his views on a variety of subjects including cyber security. Some cybersecurity experts say that other changes may be needed, too. “Federal cybersecurity could be undermined if executive staffing levels are not corrected,” said Paul Kurtz, executive director of the Cyber Security Industry Alliance. Kurtz said alliance members favor increasing the number of staff members who work on cybersecurity policy and standards at the Office of Management and Budget and the National Institute of Standards and Technology.
SecurityStockWatch.com, January 31, 2005
Security Initiatives: Mr. Paul Kurtz, Executive Director of the Cyber Security Industry Alliance
In this profile article, Paul Kurtz discusses the mission of the Cyber Security Industry Alliance and the near-term priorities of the organization. He discusses the role of phishing and what customers and businesses can do to minimize their exposures to these types of scams. Paul also mentions the need for bringing clarity to the IT security implications of Sarbanes-Oxley. He comments that, “Publicly-traded corporations are spending millions this year to comply with the law, but in the case of IT security, it is unclear what compliance means.”
InformationWeek, January 24, 2005
Federal Role In Ensuring Cybersecurity Isn't Clear
Larry Greenemeier from InformationWeek comments on the vast amount of work that needs to be done to shore up cybersecurity for the nation's energy utilities, manufacturing and transportation facilities, telecommunication and data networks, and financial-services firms. So far, the Bush administration has done a good job of laying out a cybersecurity strategy, notes Paul Kurtz, CSIA's executive director and former senior director of critical infrastructure protection for the White House's Homeland Security Council. “Having said that, I think the level of institutional leadership — applying resources and senior thinking against the issue — has been less than is necessary in order to ensure that we continue to show leadership in this space,” Kurtz says.
CNET News.com, January 12, 2005
Yet Another Cybersecurity Chief Steps Down
In an interview with Rob Lemos of CNETnews.com, Paul Kurtz is quoted regarding the resignation of Robert Liscouski, the Department of Homeland Security's top bureaucrat in charge of cybersecurity and physical-infrastructure protection. “The problems of the past have been largely because of the fallout of 9/11 and the focus of the federal government on physical security,” said Paul Kurtz, executive director of the Cyber Security Industry Alliance. “Cybersecurity has been put in the backseat.”
Member Release, February 1, 2005
Cyber Security Industry Alliance (CSIA), the only CEO public policy and advocacy group exclusively focused on cyber security policy issues, today announced that iPass Inc. (NASDAQ: IPAS), a leader in enabling remote and mobile workers to connect simply and securely to their enterprise networks, has joined the organization at the highest level as a Charter member, with a seat on CSIA’s Board of Directors for its Chairman and CEO, Ken Denman.
Featuring 9/11 Commissioner Jamie S. Gorelick and Former Special Advisor to the President for Cyberspace Security Richard Clarke
The Cyber Security Industry Alliance is pleased to host a Town Hall Meeting to discuss homeland security, critical infrastructure protection, and cyber security in the post-9/11 era, and the steps that are being taken to enhance security measures.
WHAT: CSIA Town Hall Meeting
WHEN: Wednesday, February 16, 12:45-1:45 pm
WHERE: Moscone Convention Center, Gateway 104, San Francisco, CA
The Town Hall Meeting, which will take place during the RSA Conference 2005, will feature Jamie S. Gorelick of the 9/11 Commission, and Richard Clarke, Former Special Advisor to the President for Cyberspace Security.
Gorelick is a partner at Wilmer, Cutler & Pickering in Washington, DC and is a member of the Council on Foreign Relations and the American Law Institute. She co-chaired, with Senator Sam Nunn, the Advisory Committee of the President's Commission on Critical Infrastructure Protection, and currently serves on the Central Intelligence Agency's National Security Advisory Panel, as well as the President's Review of Intelligence. She will offer her insights on homeland security, critical infrastructure protection, and cyber security issues.
Clarke most recently served on the US National Security Council as Special Advisor to the President for Cyberspace Security; National Coordinator for Security, Infrastructure Protection, and Counterterrorism; and chaired the Counterterrorism Security Group. Prior to his time with the National Security Council, Clarke worked in the US Department of State as Deputy Assistant Secretary of State for Intelligence, and then as Assistant Secretary of State for Politico-Military Affairs. Just after leaving the government in 1993, Clarke testified before the National Commission on Terrorist Attacks Upon the United States on March 24, 2004. Clarke has been an on-air consultant for ABC News and is Chairman of Good Harbor Consulting, LLC.
Paul Kurtz, CSIA Executive Director, and former Special Assistant to the President for Critical Infrastructure Protection on the White House’s Homeland Security Council, will host the town hall meeting.
Please RSVP for the Town Hall Meeting at [email protected]. Snacks and beverages will be provided. We hope to see you there!
To register for RSA Conference 2005, please visit http://2005.rsaconference.com/us/.
Join us for CSIA’s First Birthday Party and celebrate our first year of extraordinary accomplishments! The celebration will be held during the RSA conference. We hope to see you there!
WHAT: CSIA’s First Birthday Celebration
WHEN: Tuesday, February 15, 8:30-11:00 pm
WHERE: Thirsty Bear Restaurant • Mezzanine Level, 2nd Floor, 661 Howard Street
Register for CSIA’s First Birthday Celebration at https://www.csialliance.org/news/events/register.
CSIA is pleased to present Orson Swindle, a Commissioner on the Federal Trade Commission (FTC), with the 2005 RSA Conference Award for Public Policy for his significant contributions and leadership in the field of cyber security public policy.
Through his work with the FTC, Commissioner Swindle has been a key contributor in protecting consumers against cyber fraud and attacks. He has actively worked to shape public policy in the areas of anti-spam regulations, online privacy and consumer protection. He has testified before Congress and addressed industry groups on issues of privacy, identity theft and online security practices.
“Mr. Swindle’s diligent and focused work in the area of cyber security public policy is unmatched and certainly deserving of this award,” said Paul Kurtz, executive director of CSIA. “Not only has he provided critical leadership to raise consumer, business and general public awareness of why we must all use safe computing and Internet practices, but he has called for stronger direction by industry, academia and government to work together on the important task of greater cyber security.”
Commissioner Swindle’s long list of accomplishments includes his leadership role in revising the Guidelines for the Security of Information Systems and Networks issued by the Organization for Economic Cooperation and Development (OECD), an international organization of industrialized, market-economy countries. He also launched the FTC’s Internet security initiative aimed at educating consumers and businesses about safe computing practices. In 2004, he was recognized by the International Association of Privacy Professionals (IAPP) for shaping public policy in the areas of anti-spam regulations, online privacy, information security, consumer protection, international privacy and electronic data protection.
CSIA First Birthday Celebration
Tuesday, February 15
8:30 pm – 11:00 pm
Thirsty Bear Restaurant, Mezzanine Level, 2nd Floor
661 Howard Street
Register at https://www.csialliance.org/news/events/register
Town Hall Meeting / Roundtable
Moderator: Paul Kurtz
Panelists: 9/11 Commissioner Jamie S. Gorelick and Former
Counterterrorism Coordinator Richard Clarke
Wednesday, February 16
12:45 pm – 1:45 pm
Moscone Convention Center, Gateway 104
RSVP to [email protected]
Sarbanes-Oxley Part I: Security Governance & Policy
Moderator: Steve Wu
Panelists: Paul Kurtz, John Tritak and Lee Zeichner
Wednesday, February 16
3:25 pm – 4:25 pm
Moscone Convention Center, South Hall
International Current Events
Panelists: Paul Kurtz, Behnam Dayanim, Francisco Mingorance and Roland Mueller
Friday, February 18
11:10 am – 12 pm
Moscone Convention Center, South Hall
Security Week, now in its 4th edition, is one of Latin America's premier events, conferences and expositions for the information security sector. The event is a traditional launching platform for new technologies and discussion of trends and critical issues. Executive Director Paul Kurtz of CSIA will be presenting a keynote address on A Global Sarbanes-Oxley Compliance Strategy.
InfoSec World 2005 tackles the full spectrum of security challenges and offers real-world, unbiased solutions. This conference covers every angle of security featuring case studies, demos, and hands-on exercises, three visionary keynotes, and a vendor expo with over 150 exhibitors. Paul Kurtz, Executive Director of CSIA, will be participating in the CISO Executive Summit on April 3 and will be presenting on Cyber Terrorism on April 4.
Exclusive Savings for CSIA Members: MIS Training Institute is offering a 25% discount off the regular conference registration fee to CSIA Members — a savings of over $300! Register online today at http://www.misti.com/01/os05eb13reg_infosecworld.html. Please use OS05/EB13 as your Registration Code to receive your discount. (This savings does not apply to optional workshops, the CISO Executive Summit or The CBK Review Seminar. This offer cannot be combined with any other discount.)
CSIA SOX Summit
CSIA will host a SOX Summit at the International Trade Center in Washington, DC, bringing together key stakeholders from both the corporate management and auditing communities to address that question and shed light on the implications of SOX.
CSIA’s newsletter is issued monthly, to keep you informed and up-to-date on activities, issues and breaking news that affect cyber security public policy. If you have comments or questions, please send a message to Laura Brown, CSIA Policy Analyst, [email protected].
To view past editions of the CSIA newsletter, please visit: https://www.csialliance.org/news.
To share your comments about this newsletter or to submit information, send a message to [email protected].
Stay in touch with CSIA:
Membership questions: [email protected]
CSIA (Cyber Security Industry Alliance)
1201 Pennsylvania Avenue, NW
Suite 300, #3011
Washington, DC 20004
To leave this list, please send a message with your request to [email protected].
© 2005 Cyber Security Industry Alliance. All rights reserved.