To read the newsletter in your Web browser,
go to https://www.csialliance.org/news.
Executive Director’s Message
by Paul Kurtz, CSIA Executive Director
Welcome to CSIA's Special Edition Newsletter, where
we are featuring the 109th Congress. In this issue,
CSIA analyzes the changes from the 108th to the
109th Congress, including committee jurisdiction
and membership, issue areas to watch, emerging leaders,
and potential cyber security "champions." We have also provided hotlinks to websites of
relevant committees and biographies of chairs and
ranking members leading committees and relevant
subcommittees.
CSIA recognizes the importance of tracking events in Congress, maintaining close contact with decision-makers and their staff to provide industry expertise, and understanding the roles of committees. Their actions will certainly have a strong impact on our industry. We hope our readers find this special issue to be informative as we detail the makeup of the 109th Congress and identify the challenges and opportunities on the horizon.
CSIA was invited to attend an off-the-record briefing by the White House's Office of Management and Budget (OMB) on the IT Budget for FY2006. We have included highlights of the cyber security aspects of the IT Budget.
CSIA will continue to provide updates on Capitol Hill events and actions. We hope the guide provided here gives you the foundation to follow us through the 109th Congress.
White House Budgeting for IT Security
On Friday, February 4th, CSIA was invited to attend a briefing by the White House's Office of Management and Budget (OMB) on the IT Budget for FY2006. The full budget was released the following Monday. Clay Johnson, Deputy Director for Management, OMB; Karen Evans, Administrator, Office of E-Government and IT, OMB; and Phil Bond, Under Secretary for Technology at the Department of Commerce, presided over the meeting. Highlights of the cyber security aspects of the IT Budget are listed here.
The Numbers
The President is requesting $65 billion for IT in FY '06. This is nearly a $5 billion increase over the IT budget for FY '05, or just over 7%. The increase is interesting given the expectation that spending would go down this year following the Administration's comments about reducing the deficit and reining in Federal spending.
The Department of Homeland Security's IT budget stands to gain the most. The President has requested $5.9 billion for DHS, over 4.7 from last year, or a 24.7% increase.
The President has requested a 4.9% increase in DOD spending, though no specific numbers were available.
OMB broke out IT security spending for civilian agencies (non-DOD). IT security would increase by 113 million, from $1,572.1 to $1,685.1 billion, or 7.2%. Those agencies with the biggest increase:
- Justice: 20.7%
- DHS: 16.5%
- Transportation: 12%
OMB is Exploring Establishing a Line of Business for Cyber Security
The Federal government has established lines of business (LOBs) for finance, health care, grants management, and HR. LOBs are designed to streamline common functions and services among shared service centers in order to yield cost savings and improved mission performance. OMB announced at the briefing that it is investigating establishing a line of business for cyber security. An interagency task force will examine the following question between now and July and report recommendations to OMB management:
"Could the consolidation of common processes, services, and technologies improve the government's security performance while also increasing efficiency and reducing costs?"
Federal Health Architecture Due by the End of the Fiscal Year
The Department of Health and Human Services is supposed to complete a target Federal Health Architecture by the end of FY '05. The goal is to improve the efficiency, standardization, reliability, and availability of health information solutions through a common framework. This work will be carried out by the Office of the National Coordinator for Health Information Technology at HHS.
CSIA Comments
CSIA staff will track developments in each of these
areas over the next year. We welcome your comments and questions.
Preview of the 109th Congress: Gauging the Priority of Cyber Security by Congressional Leaders
While the national press has focused intensely on Iraq, Social Security privatization and tax reform, one of the hallmarks of the 109th Congress could be a renewed focus on fiscal restraint. The House leadership, in response to conservatives inside and outside of Congress expressing their displeasure with large deficits over the past few years, is seeking to rein in spending.
To accomplish this goal, the House leadership is attempting to reduce the influence of the Appropriations Committee. As an example, the new House Appropriations Committee Chairman, Jerry Lewis (R-CA), was approved only after he pledged to reduce spending. To fulfill this promise, Chairman Lewis has proposed eliminating three of the thirteen appropriations subcommittees, and more significantly, eliminating three subcommittee chairs who are referred to as "Cardinals" because of their immense power. It is unclear at this time whether this proposal will be implemented and whether the Senate will follow suit. But this new focus on reducing spending may impact a broad range of issues, including Federal R&D and cyber security spending.
Another important development in the House has been the designation of the Select Committee on Homeland Security to a permanent committee. This decision by the House leadership went against the wishes of several powerful committee chairmen (most notably the Judiciary, Transportation, Armed Services, and Government Reform Committees), who did not want to share jurisdiction with a robust Homeland Security Committee. Not surprisingly, the Homeland Committee's powers have been restricted in order to allow other committees to retain significant homeland security related jurisdiction. For example, the House Homeland Committee will only oversee cyber security at DHS, while the Energy and Commerce, Government Reform and Science Committees will oversee cyber security at other agencies. In a related development, the Senate renamed the Government Affairs Committee the Homeland Security and Government Affairs Committee and reaffirmed that committee's role in conducting oversight over DHS.
In the area of telecommunications, the Senate Commerce Committee is undergoing a major restructuring. New Chairman Ted Stevens (R-AK) plans to eliminate the Communications subcommittee and create a Technology subcommittee based on the concept of the Senate Republican High Tech Task Force. As the name implies, the task force focuses on technology issues and it is currently chaired by Commerce Committee member Senator John Ensign (R-NV). Telecommunications issues, including any opening of the 1996 Telecommunications Act, will be handled at the full committee level by Stevens and Ranking Member Daniel Inouye (D-HI).
Finally, the House Government Reform committee is moving its Information Technology subcommittee work, which includes cyber security, to the full committee level. Committee Chairman Tom Davis (R-VA) had previously chaired the IT subcommittee and the elevation of the subcommittee's work to the full committee indicates his desire to focus on IT issues. Former IT subcommittee Chair Adam Putnam (R-FL) has taken a leave of absence from the Committee to join the House Rules Committee.
The bottom line is that how the 109th Congress proceeds on cyber security issues will be driven in part by what the new budget environment will allow. In response to budget constraints, the President may seek to achieve cost savings in government by relying more on IT, which may trigger an increased focus on cyber security for the Federal government. On the other hand, a lean budget could mean less money for R&D and other cyber security related programs. Of course, public outcry over privacy issues or a cyber attack could spur Congress to address cyber security issues without regard for fiscal discipline.
Cyber Security Issues in the 109th Congress
Privacy
Privacy will continue to be an important issue for Congress. Congress has already picked up right where it left off on Spyware legislation. Congresswoman Mary Bono (R-CA) reintroduced her Spyware bill (HR 29) on January 4th and House Energy and Commerce Committee Chairman Joe Barton (R-TX) has promised swift action on the bill. He has already held a hearing and predicts the measure will be reported out of his committee in two or three weeks.
Last year, the House passed Bono's bill and a related Judiciary Committee bill sponsored by Congressman Bob Goodlatte (R-VA). Bono's bill imposed civil penalties for the transmission of personally identifiable information (PII) through spyware programs and Goodlatte's imposed criminal penalties for conduct but did not mention PII. Similar bills were reported out by the Senate Commerce Committee, but did not receive a vote on the floor. Look for Senator Conrad Burns (R-MT) and Senator Ron Wyden (D-OR), who sponsored the Senate bill last year (similar to Bono's), and George Allen (R-VA), who amended the bill with language similar to Goodlatte's bill, to play large roles in spyware on the Senate side.
Identity theft prevention is another area of continuing Congressional interest. Congressman Ron Paul (R-TX) has introduced legislation (H.R. 220) to outlaw the use of national identifiers, such as social security numbers, that may lead to identity theft. Congressman Rodney Frelinghuysen (R-NJ) has introduced a similar bill (H.R. 92) to allow Medicare beneficiaries to opt to use another identifier besides social security numbers. Senator Feinstein (D-CA) has introduced a bill (S 29), intended to limit "misuse" of social security numbers and establish criminal penalties for misuse.
1996 Telecom Act
Congress is expected to reopen the 1996 Telecommunications Act during the 109th Congress to deal with VoIP and other issues. VoIP is just one example of why the 1996 Act, largely written before the widespread use of the Internet, wireless phones and broadband, is outdated and why the current structure of the Federal Communication Commission does not reflect the current state of information services.
Last year, the FCC largely pre-empted state regulation of Internet voice services. Lawmakers will likely weigh in on this issue during the re-write of the 1996 Act. Senator Ted Stevens, new Chairman of the Commerce Committee, Congressman Joe Barton (R-TX), Chairman of the House Energy and Commerce Committee and Fred Upton (R-MI), Chairman of the Telecommunications Subcommittee, will play large roles in the re-opening of the 1996 Act. House Energy and Commerce Committee members Congressmen Chip Pickering (R-MS) and Rick Boucher (D-VA) will likely play a large role in VoIP proceedings, with Pickering being more free-market oriented and Boucher taking a more regulatory approach.
Assistant Secretary for Cyber Security
Congressman Mac Thornberry (R-TX) has reintroduced his bill, co-sponsored by Congresswoman Zoe Lofgren (D-CA), to elevate the Director of Cybersecurity position at the Department of Homeland Security to an Assistant Secretary position. This bill gained traction last year, but ultimately was not included in the final Intelligence Reform bill. On a related note, two key staffers left the Subcommittee on Cybersecurity, Science, Research and Development - Margie Gilbert and Julie Canepa. Both had played a role on the Assistant Secretary for cyber security legislation during the 108th Congress. Also, Amit Yoran, Director of Cybersecurity at DHS, resigned last year. There was widespread speculation that Yoran left because cyber security issues were not receiving high-level attention at DHS. Yoran would have likely assumed a new Assistant Secretary position if it had been approved by Congress last year.
Issues to Watch
- RFID is another privacy-related issue that Congress may take up this year.
- It is likely the Senate will ratify the Council of Europe's Convention on Cybercrime during this Congress.
- Congresswoman Judy Biggert (R-IL) has introduced the High-Performance Computing Revitalization Act of 2005 (H.R. 28). This Science Committee bill revises the way NASA, NIST, NSF, DOE and EPA perform high-performance computer research.
Conclusion
IT issues, including cyber security, have gained in importance for the past several Congresses and promise to do so again during the 109th Congress. A high profile cyber-related event could provide Congress with a powerful motivation to act, just as the 9/11 attacks, the Enron scandal and the 9/11 panel recommendations spurred quick action (in Congressional terms) on the creation of the DHS, Sarbanes-Oxley and the Intelligence Reform bill. However, Congress will always be several steps behind the private sector and will introduce well-intentioned, but possibly misguided, IT legislation. Accordingly, it is up to industry to keep Congress informed.
Update on Cyber Security: Committees of the 108th and 109th Congress
For each committee that has some jurisdiction for cyber security, we have provided details about what happened during the 108th Congress and who will drive the top issues in the 109th.
House Committees
Committee on Appropriations
http://appropriations.house.gov
Appropriates the entire federal budget. Three subcommittees have jurisdiction for cyber security. The Subcommittee on Defense, Chair, Bill Young (R-FL) funds the Department of Defense. The Subcommittee on Homeland Security, Chair, Harold Rogers (R-KY) funds the Department of Homeland Security. The Subcommittee on Commerce, Justice, and State, the Judiciary, and Related Agencies, Chair, Frank Wolf (R-VA) funds the Department of Commerce, which includes the Technology Administration and the National Institute of Standards and Technology.
Chair: Jerry Lewis (R-CA)
Ranking Member: David R. Obey (D-WI)
108th Congress
No hearings held on cyber security
109th Congress
Committee on Armed Services
http://armedservices.house.gov
Authorizes all Department of Defense programs, including cyber security programs. Target for cyber security testimony is Subcommittee on Terrorism, Unconventional Threats and Capabilities, Chair, Jim Saxton (R-NJ).
Chair: Duncan Hunter (R-CA)
Ranking Member: Ike Skelton (D-MO)
108th Congress
No hearings held on cyber security
109th Congress
FY 06 DOD Authorization
Committee on Education and the Workforce
http://edworkforce.house.gov
Authorizes all Department of Education programs.
Chair: John A. Boehner (R-OH)
Ranking Member: George Miller (D-CA)
108th Congress
No hearings held on cyber security
109th Congress
Likely to be reauthorization of higher education programs. Opportunity to seek cyber security-related education programs such as scholarships and increased R&D funding.
Committee on Energy and Commerce
http://energycommerce.house.gov
Oversight over technology, telecommunications and consumer issues, including privacy. Subcommittee on Commerce, Trade, and Consumer Protection, Chair Cliff Stearns (R-FL), works on cyber security as well as the Subcommittee on Telecommunications and Internet, Chair Fred Upton (R-MI).
Chair: Joe Barton (R-TX)
Ranking Member: John D. Dingell (D-MI)
108th Congress
Subcommittee on Commerce, Trade, and Consumer Protection
- Fall 2004 – Numerous hearings on spyware
- July 14 – RFID Technology
109th Congress
- Jan 26 – Combating Spyware: H.R. 29, the Spy Act
Committee on Financial Services
http://financialservices.house.gov
Oversees the entire financial services industry, including the securities, insurance, banking, and housing industries. Also oversees the work of the Federal Reserve, the Treasury, the SEC, and other financial services regulators, plus compliance oversight for Sarbanes-Oxley Act.
Chair: Michael G. Oxley (R-OH)
Ranking Member: Barney Frank (D-MA)
108th Congress
Full Committee
- Sept. 9 – Protecting financial infrastructure
109th Congress
Committee on Government Reform
http://reform.house.gov
Congress' chief investigative and oversight committee for federal government policies, including technology issues. Since 2003, the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census has been one of Congress' most active in hearings on issues related to cyber security under its Chair, Adam Putnam (R-FL). This subcommittee will likely be abolished in the 109th Congress with responsibilities moving to the full committee. In the 109th Congress, House jurisdiction over cyber security will be shared by Government Reform with Energy and Commerce, Homeland Security, Judiciary, and Science.
Chair: Tom Davis (R-VA)
Ranking Member: Henry A. Waxman (D-CA)
108th Congress
Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census
- Sept. 22 – Identity theft
- July 21 – Federal CIOs
- July 13 – Information sharing network
- July 7 – Federal IT R&D
- June 16 – Home and small business cyber security
- June 2 – Cyber security vulnerabilities
- April 21 – Cyber security education
- March 30 – Security of SCADA and telecommunication
- March 16 – Federal IT security
109th Congress
Rep. Putnam moved to the Rules Committee in late 2004. His subcommittee will be abolished in the 109th Congress and its jurisdiction will be elevated to the full Committee. Rep. Davis chaired the IT subcommittee before becoming chair of the Committee.
Committee on Homeland Security
http://hsc.house.gov
Jurisdiction for homeland security policy, including the Department of Homeland Security. The Committee gained "permanent" status in the 109th Congress, an important step because its future was in doubt. Some full committee hearings in the 108th addressed cyber security. The Subcommittee on Cybersecurity, Science, Research and Development, Chair Mac Thornberry (R-TX), has jurisdiction for security of computer, telecommunications, information technology, industrial control, electric infrastructure, and data systems; protection of government and private networks from attack; and more. Two key staffers left this subcommittee during the 108th Congress: Margie Gilbert and Julie Canepa. During the 108th, Reps. Thornberry and Zoe Lofgren (D-CA) co-sponsored legislation to create an Assistant Secretary for Cyber Security at the DHS. The status of this subcommittee in the 109th remains unclear.
Chair: Christopher Cox (R-CA)
Ranking Member: Bennie Thompson (D-MS)
108th Congress
Subcommittee on Cybersecurity, Science, Research and Development
- April 21 – Public-private partnerships to secure critical infrastructures
- March 30 – Homeland cyber security
- Feb. 25 – Science and technology budget
109th Congress
Will face pressure to boost federal spending on cyber security R&D.
Jan. 6, Rep. Mac Thornberry (R-TX) introduced H.R. 285 to create an Assistant Secretary for Cyber Security at DHS.
Committee on the Judiciary
http://judiciary.house.gov
Focuses on the administration of justice in Federal courts, administrative bodies and law enforcement agencies. Cyber security-related issues covered include espionage, terrorism, the protection of civil liberties, and oversight of the Departments of Justice and Homeland Security. Recent hearings have pertained to fallout from inadequate cyber security, particularly identity theft.
Chair: Jim Sensenbrenner, Jr. (R-WI)
Ranking Member: John Conyers, Jr. (D-MI)
108th Congress
Full Committee
- July 17 – HR 1731, Identity Theft Penalty Enhancement Act, sponsored by Rep. John Carter (R-TX) is signed into law to become P.L. 108-27
- March 23 – Identity theft legislation
- Feb. 4 – Identity theft legislation
Subcommittee on Environment, Technology, and Standards
- April 28 – NIST budget: views from the industry
109th Congress
Committee on Science
http://www.house.gov/science
Jurisdiction for all Federal scientific research and development, including outer space, energy, nuclear, environmental, atmospheric, and civil aviation. Oversight responsibility includes the National Science Foundation, National Bureau of Standards and NASA. The Committee holds a crucial role for cyber security because virtually all related R&D budgets are controlled by the NSF. The Subcommittee on Environment, Technology, and Standards, Chair Vernon J. Ehlers (R-MI) has jurisdiction for technology research and standards, including oversight of NIST and the Technology Administration of the Dept. of Commerce.
Chair: Sherwood L. Boehlert (R-NY)
Ranking Member: Bart Gordon (D-TN)
108th Congress
Full Committee
- July 21 – Cyber security education
- Feb. 11 – Federal R&D budget
Subcommittee on Environment, Technology, and Standards
- April 28 – NIST budget: views from the industry
109th Congress
Congresswoman Biggert (R-IL) has introduced the High-Performance Computing Revitalization Act of 2005 (H.R. 28).
Committee on Small Business
http://wwwc.house.gov/smbiz/
Devoted to the welfare of small commercial enterprises, including oversight of the Small Business Administration. Jurisdiction for cyber security issues is assigned to the Subcommittee on Rural Enterprises, Agriculture, and Technology, Chair, Sam Graves (R-MO).
Chair: Donald Manzullo (R-IL)
Ranking Member: Nydia M. Velazquez (D-NY)
108th Congress
No hearings held on cyber security
109th Congress
Committee on Transportation and Infrastructure
http://www.house.gov/transportation/
Responsible for aviation, Coast Guard and maritime, economic development, public buildings, emergency management, highways, transit and pipelines, railroads, water resources and the environment. The top "hot issue" for the Committee is enhancing critical infrastructure security and emergency preparedness. However, hearings have focused on physical security.
Chair: Don Young (R-AK)
Ranking Member: James L. Oberstar (DFL-MN)
108th Congress
No hearings held on cyber security
109th Congress
Opportunity to testify on cyber security.
Senate Committees
Committee on Appropriations
http://appropriations.senate.gov
Appropriates the entire federal budget. Three subcommittees have jurisdiction for cyber security. The Subcommittee on Defense, Chair, Ted Stevens (R-AK) funds the Department of Defense. The Subcommittee on Homeland Security, Chair, Thad Cochran (R-MS) funds the Department of Homeland Security and has jurisdiction for science and technology, and information and infrastructure protection. The Subcommittee on Commerce, Justice, State and the Judiciary, Chair Judd Gregg (R-NH) funds the Department of Commerce, which includes the Technology Administration and the National Institute of Standards and Technology.
Chair: Thad Cochran (R-MS)
Ranking Member: Robert C. Byrd (D-WV)
108th Congress
No hearings held on cyber security
109th Congress
Committee on Armed Services
http://armed-services.senate.gov
Jurisdiction for the common defense policy of the United States. Oversight covers all branches of the military, including military research and development, plus national security aspects of nuclear energy. The Committee authorizes many research projects at the Department of Energy including national labs such as Sandia and Los Alamos; it also created the Department of Defense Cyber Security Scholarship program. Jurisdiction for defense science and technology in the global war on terrorism and in preparing for emerging threats is delegated to the Subcommittee on Emerging Threats and Capabilities, Chair Pat Roberts (R-KS).
Chair: John Warner (R-VA)
Ranking Member: Carl Levin (D-MI)
108th Congress
No hearings held on cyber security
109th Congress
FY 06 DOD Authorization
Committee on Banking, Housing, and Urban Affairs
http://banking.senate.gov/
Jurisdiction over the operation of the nation's financial institutions, housing and mass transit programs. Responsible for overseeing compliance with Sarbanes-Oxley Act.
Chair: Richard Shelby (R-AL)
Ranking Member: Paul S. Sarbanes (D-MD)
108th Congress
No hearings held on cyber security
109th Congress
Committee on Commerce, Science, and Transportation
http://commerce.senate.gov/
Responsibilities related to cyber security include jurisdiction for the nation's communications, and for science, engineering and technology policy. During the 108th Congress, the Committee was active in issues related to spyware. The Subcommittee on Communications, Chair Conrad Burns (R-MT) has jurisdiction for encryption communications. The Subcommittee on Competition, Foreign Commerce, and Infrastructure, Chair Gordon Smith (R-OR) has jurisdiction for domestic industries. Senators Stevens and Inouye are also chair and ranking member of the Committee on Appropriations' Subcommittee on Defense, which deals with cyber security.
Chair: Ted Stevens (R-AK)
Ranking Member: Daniel K. Inouye (D-HI)
108th Congress
Subcommittee on Communications
- Sept. 30 – ICANN oversight and security of Internet root servers and Domain Name System
- March 23 – Spyware
Subcommittee on Competition, Foreign Commerce, and Infrastructure
- June 23 – Future of peer-to-peer technology
109th Congress
Subcommittee on Communications will likely be abolished during the 109th Congress. Chairman Stevens has discussed creating a new technology subcommittee based on the Republican High Tech Task Force. The latter is a group of Republican senators interested in technology issues, chaired by Senator John Ensign (R-NV), who is on this Committee.
Committee on Energy and Natural Resources
http://energy.senate.gov/
Tangential jurisdiction for cyber security issues related to critical infrastructure controlling energy and natural resources. Cyber security is not listed as "major issue" for the Committee.
Chair: Pete V. Domenici (R-NM)
Ranking Member: Jeff Bingaman (D-NM)
108th Congress
No hearings held on cyber security
109th Congress
Committee on Foreign Relations
http://foreign.senate.gov/
Responsible for foreign policy activities of the U.S. Senate. Jurisdiction for cyber security issues includes treaties with foreign governments, such as the pending Convention on Cybercrime with the Council of Europe.
Chair: Richard G. Lugar (R-IN)
Ranking Member: Joseph R. Biden, Jr. (D-DE)
108th Congress
Full Committee
- June 19 – Int'l intellectual property piracy
- June 17 – Law enforcement treaties
109th Congress
Timing is right for the Committee to hold final hearings on the Convention and move it to the floor of the Senate for a ratification vote.
Committee on Homeland Security and Governmental Affairs
http://hsgac.senate.gov/
Responsible for oversight of DHS's efforts in cyber security. During Secretary Chertoff's confirmation hearings, Senator Bennett underscored the importance of DHS addressing cyber security. This committee also has tangential jurisdiction for cyber security issues related to critical infrastructure.
Chair: Susan M. Collins (R-ME)
Ranking Member: Joseph I. Lieberman (D-CT)
108th Congress
No hearings held on cyber security
109th Congress
Committee on Health, Education, Labor, and Pensions
http://help.senate.gov/
Authorizes all Department of Education programs.
Chair: Michael Enzi (R-WY)
Ranking Member: Edward M. Kennedy (D-MA)
108th Congress
No hearings held on cyber security
109th Congress
Committee on the Judiciary
http://judiciary.senate.gov/
One of the broadest jurisdictions in the Senate, ranging from criminal justice to antitrust and intellectual property law. Jurisdictions related to cyber security are tasked with the Subcommittee on Terrorism, Technology and Homeland Security, Chair Jon Kyl (R-AZ), including anti-terrorism, Federal information policy, electronic privacy and security of computer information, encryption policies and export licensing, and espionage laws and enforcement.
Chair: Arlen Specter (R-PA)
Ranking Member: Patrick J. Leahy (D-VT)
108th Congress
No hearings held on cyber security
109th Congress
Committee on Small Business and Entrepreneurship
http://sbc.senate.gov/
Responsible for Senate legislation related to the well being of American small business enterprises.
Chair: Olympia J. Snowe (R-ME)
Ranking Member: John F. Kerry (D-MA)
108th Congress
No hearings held on cyber security
109th Congress
Joint Committee
Protecting Internet Business Infrastructures: A Cooperative Approach
by Tom Noonan, Chairman, President and CEO of Internet Security Systems
The promise of the Internet has been a boon to American interests
both domestic and international. The United States leads the world
in online business transactions with almost $65 billion in projected
retail sales for 2004 (see http://www.epaynews.com/statistics/purchases.html#51,
Jan. 2005), and this number doesn't represent the value of non-sales
activities that the Internet facilitates. Our reliance on the Internet
as a means of helping us compete in the global marketplace continues
to grow. To say that the backbone of our nation's economy rests
on the future of the Internet is not too far-fetched.
At the same time, continued coverage of Internet
attacks, and a surge in the number of vendors offering
Internet security products and services, makes it
clear that cyber criminals have focused their efforts
on our economic infrastructure. Our business reliance
on the Internet makes a too-tempting target for
those seeking to take advantage of weak security
defenses. Almost too late, many are beginning to
understand the risks facing us from traditional
attacks such as viruses and worms, and newer threats
like phishing, spam and spyware.
CSIA Member Spotlight
Name: Internet Security Systems, Inc.
Chairman and CEO: Thomas Noonan
Founded: 1994
Headquarters: Atlanta, GA
Worldwide Offices: Internet Security Systems maintains offices in more than 20 countries worldwide and is publicly traded on NASDAQ (ISSX)
Number of Employees: 1200
About ISS: Internet Security Systems is a global leader in enterprise information security, providing research, products and services that preemptively protect critical infrastructures against Internet threats. ISS celebrated its 10th anniversary in 2004 and has spent the last decade commanding the leading edge of security innovation with the invention of cornerstone technologies such as vulnerability assessment and intrusion detection/prevention. The company continues to innovate the security space with its Proventia® Enterprise Security Platform (ESP), offering enterprise-wide preemptive protection that is tightly integrated with existing IT business processes.
Areas of Specialization: ISS provides complete network, server and desktop protection from viruses, worms and other Internet attacks with its Proventia product family. The ISS Proventia Platform provides complete intrusion detection and prevention, firewalls, vulnerability assessment, integrated security appliances, Web filtering, mail security and a centralized management system. This combination of complete security and centralized management of monitoring and reporting all work to maximize network uptime and minimize the need for active administrator involvement.
The past year revealed several new trends in cyber attacks. Internet Security Systems' (ISS) X-Force® Research and Development team has documented a growing relationship between traditionally separate attack methodologies. Cyber criminals are using a combination of exploits to attack smaller or less well known vulnerabilities for greater penetration and damage. For example, spam could be used to install spyware that could then launch an application to exploit Voice over Internet Protocol (VoIP) call processing software. These trends represent an alarming interest by cyber criminals in disrupting world businesses and financial stability.
With an eye on these evolving threats, the U.S. government has asked for help from the private sector to stop their spread. In 2001, President Bush signed Executive Order 13231, creating the National Infrastructure Advisory Council (NIAC), acknowledging that protecting cyberspace is a task best addressed through a combination of public and private ingenuity. The NIAC is a 30-member group of today's most influential heads of academia, government and private-sector companies like ISS.
Reporting to the White House, and working closely with the Department of Homeland Security, NIAC Working Groups have already responded to the increasing challenges of protecting our cyber economy. Incorporating input from international business leaders, the NIAC has provided direction and support for projects such as the Prioritization of Cyber Vulnerabilities, the Evaluation and Enhancement of Information Sharing and Analysis (EEIS), Risk Management, Intelligence Coordination, Internet Hardening, Best Practices for Government Security Enhancement and a Common Vulnerability Scoring System.
As the Chair of the EEIS Working Group, ISS was directly involved in the recommendations to secure funding from the government for building necessary communications infrastructures in the Information Security and Analysis Centers (ISAC). ISACs are sector-specific groups of businesses working together to form a threat identification and notification matrix to protect their sector's interests. ISS has also been instrumental in helping to develop policies for protecting critical business infrastructures here in the U.S.
Since the government first proposed building ISACs in 1996, every major business sector - chemical, financial, energy, food and agriculture, water, electricity, transportation, telecommunications and government emergency services - has created such a network of information sharing to disseminate threat information to its respective members and key government agencies. These clearinghouses for threat identification and notification have been a resounding success and provide clear direction for other security initiatives in the future.
If ISACs are a shining example of intra-sector partnership, the NIAC represents a milestone in public and private cooperation. Though the call for an active public-private partnership may seem idealistic, I have seen it work firsthand. ISS already practices effective information sharing among various private-sector, government and academic institutions. This voluntary process has been most effective, not because of any legislative mandates, but because of the self-regulated best practices we, the business community, have put into place and the commitment we share to overlook competitive differences for the sake of protecting cyberspace.
When it comes to protecting the Internet, government can't be the only entity looking for a solution. This conclusion has nothing to do with political philosophy. The nature of the Internet makes it a requirement. Instead, a new model of partnership that recognizes the unique nature of this relatively new medium has been found through the creation of the NIAC. Moving forward, I envision a growing coalition of organizations dedicated to the same goals.
ISS is honored to serve alongside other committed members like the Cyber Security Industry Alliance. With their help, the NIAC will be able to expand on its work within the government to influence policy, and work in the private community to encourage cyber security awareness and education. This year we'll see many changes in the cyber security landscape. Together with the NIAC and CSIA, ISS will continue to effect change towards a more secure business Internet infrastructure.
Legislative Update
H.R. 29 – The SPY ACT – Congresswoman Mary Bono (R-CA)
Latest Update: Also known as the “Securely Protect Yourself Against Cyber Trespass Act.” On January 6, Congresswoman Bono re-introduced her bill from the 108th Congress that aims to protect computer users against internet privacy invasion. A subcommittee markup is scheduled for Wednesday, February 16 at 10:00 am in room 2123 of the Rayburn House Office Building. In October 2004, the original bill passed overwhelmingly in the House of Representatives, but did not pass the Senate before the 108th Congress came to a close.
Summary: This bill would prevent spyware purveyors from hijacking a home page or tracking users’ keystrokes. It requires that spyware programs be easily identifiable and removable, and allows for collection of personal information only after express consent from the user. Additionally, fines are exponentially increased against abusers. As passed, this bill contains an exemption for legitimate security operations.
Bill Number Not Yet Assigned – The I-SPY Prevention Act of 2005 – Congressman Bob Goodlatte (R-VA)
Latest Update: Also known as the “Internet Spyware (I-SPY) Prevention Act of 2005.” On February 10, Representatives Bob Goodlatte, Zoe Lofgren (D-CA-16) and Lamar Smith (R-TX-21) reintroduced the Internet Spyware (I-SPY) Prevention Act of 2005. This legislation was originally introduced during the 108th Congress and passed the House of Representatives by a vote of 415-0. Currently, there are no plans for hearings or mark-up; however, this bill is expected to move quickly.
Summary: This bill addresses the most egregious activities that are conducted via spyware. It would make the following activities criminal offenses:
- Intentionally accessing a computer without authorization, or intentionally exceeding authorized access, by causing a computer program or code to be copied onto the computer and using that program or code to:
  - Further another federal criminal offense (punishable by fine or imprisonment for up to 5 years)
  - Intentionally obtain or transmit “personal information” with the intent of injuring or defrauding a person or damaging a computer (punishable by fine or imprisonment for up to 2 years)
  - Intentionally impair the security protections of a computer (punishable by fine or imprisonment for up to 2 years)
The legislation includes language to preempt States from creating civil remedies based on violations of this act.
H.R. 91 – Smarter Funding for All of America's Homeland Security Act of 2005 – Congressman Rodney P. Frelinghuysen (R-NJ)
Latest Update: Rep Rodney Frelinghuysen introduced H.R. 91 on January 4. It was referred to the Committee on Homeland Security (Select), and also referred to the Committees on Transportation and Infrastructure, the Judiciary, and Energy and Commerce for consideration of provisions as they fall within the jurisdiction of the committee concerned.
Summary: H.R. 91 modifies the DHS grant program, authorizing the Secretary of Homeland Security to make grants to first responders. One new criterion will be "Threats to major communications nodes, including cyber and telephonic nodes."
S. 140 – Domestic Defense Fund Act of 2005 – Senator Hillary Clinton (D-NY)
Latest Update: Sen. Hillary Clinton introduced S. 140 on January 24. It was referred to the Senate Committee on Homeland Security and Governmental Affairs.
Summary: S. 140 provides for a domestic defense fund to improve the Nation's homeland defense. It modifies the DHS grant program to include new criteria such as:
- Improving cyber and infrastructure security by improving:
  - Security for water treatment plants, distribution systems, other water infrastructure, nuclear power plants, electrical grids, and other energy infrastructure
  - Security for tunnels, bridges, locks, canals, railway systems, airports, land and water ports, and other transportation infrastructure
  - Security for oil and gas pipelines and storage facilities; security for chemical plants and transportation of hazardous substances
  - Security for agriculture infrastructure
  - Security for national icons and Federal facilities that may be terrorist targets
H.R. 285 – Department of Homeland Security Cybersecurity Enhancement Act of 2005 – Congressman Mac Thornberry (R-TX) and Congresswoman Zoe Lofgren (D-CA)
Latest Update: Also known as the Department of Homeland Security Cybersecurity Enhancement Act of 2005. On January 6, Congressman Mac Thornberry and Congresswoman Zoe Lofgren reintroduced bipartisan legislation to create an Assistant Secretary for Cybersecurity position within the Department of Homeland Security's Information Analysis and Infrastructures Protection Directorate. The Assistant Secretary position was originally introduced in the 108th Congress in H.R. 10, the 911 Recommendations Implementation Act, where it was approved by the House of Representatives, but ultimately was not included in the final version of the bill.
Summary: The legislation would allow for the Assistant Secretary to have primary authority within the Department for all cyber security-related critical infrastructure protection programs of the Department, including policy formulation and program management. The legislation touts strong support from the technology, education, and financial sectors.
Congressional Spotlight
Representative Tom Davis (VA-11)
Born: Minot, North Dakota, January 5, 1949
Elected: 1994 (began sixth term in January 2005)
Committee Assignments: House Committee on Government Reform (Chair); House Homeland Security Committee
Education: Amherst College, B.A. (Political Science); University of Virginia, J.D.
Career: Lawyer
Notable: Spent four years as a U.S. Senate Page; Vice President and General Counsel of PRC, Inc., a high technology and professional services firm headquartered in McLean, Virginia; founded the Information Technology Working Group, which focused on promoting a better understanding of issues important to the computer and technology industries; sponsored the Y2K Act; recipient of the Electronic Industry Alliance’s 1999 Congressional Technology Policy Award; inducted into the American Electronics Association’s High Tech Hall of Fame in Spring 2000; received awards from Americans for Tax Reform, the National Federation of Independent Businesses, the Information Technology Association of America, the Information Technology Industry Council, US Chamber of Commerce, the National Association of Chief Information Officers, the IT Industry Council, and the Coalition for Government Procurement.
Tom Davis’s list of legislative accomplishments began almost as soon as he took office in 1994, when he was given control of the Government Reform Committee's Subcommittee on the District of Columbia. During his first year in Congress, Tom authored and co-sponsored several important bills that were enacted into law, including the D.C. Financial Control Board Act; the Unfunded Mandates Reform Act of 1995; the Federal Acquisition Reform Act; and the Securities Litigation Reform Act of 1995.
Congressman Davis serves as one of four co-chairs of the Information Technology Working Group, a group he founded to promote a better understanding of issues important to the computer and technology industries. In May 1999 he sponsored the Y2K Act, legislation which ensured that businesses spent their money on Y2K compliance rather than saving it for costly lawsuits that might have otherwise arisen. Congressman Davis was the recipient of the Electronic Industry Alliance's 1999 Congressional Technology Policy Award and was inducted into the American Electronics Association’s High Tech Hall of Fame in Spring 2000.
In January 2001, Congressman Davis was named chairman of the newly formed Government Reform Subcommittee on Technology and Procurement Policy. He also reclaimed his seat on the Energy and Commerce Committee, with a spot on the Subcommittee on Telecommunications and the Internet. In just two years, Congressman Davis successfully passed several important bills through Congress, including the Digital Tech Corps Act, the E-Gov Act of 2002, the Federal Information Security Act, and the Critical Infrastructure Information Act. And, in keeping with his belief that the top source of waste in government can be found in spending on goods and services, Congressman Davis’s vigilant oversight of large dollar federal contracts resulted in hundreds of millions of dollars saved for the taxpayers.
Congressman Davis’s legislative accomplishments were recognized in January 2003, when he was elected to chair the House Government Reform Committee for the 108th Congress. In 2004, Congressman Davis authored significant portions of the 9-11 Implementations Act, including streamlining the security clearance process and strengthening the FBI’s personnel procedures. Under Congressman Davis’s leadership, the Committee conducted oversight on and investigated matters related to the effective administration of government programs of great public interest, including the role of the National Guard in national security and homeland defense, and management of the Department of Homeland Security.
In addition, Congressman Davis held hearings on emergency preparedness in the Capital Region and threats to Government information networks presented by peer-to-peer file sharing programs; approval of a report on the Committee’s years-long investigation of the FBI’s use of informants; review of consumer safeguards on Internet pharmacy websites; hearings on contract mismanagement at the Department of Energy and other departments and agencies; and inquiries into the training and testing of airline passenger screeners and implementation of the historic US-VISIT program.
In January 2005, Tom was reappointed to serve as chair of the House Government Reform Committee. The committee will focus on legislation including driver’s license security; reauthorization of Executive Reorganization Authority; Presidential appointments process streamlining; reorganization of the General Services Administration; and further acquisition reform. On the oversight side, the Committee will focus on the GAO’s high-risk list; management of the Department of Homeland Security; the evolving role of the National Guard; and the misuse of federal grant money in the District of Columbia, among other issues.
Congressman Davis’s list of accomplishments, awards and recognition for his work only demonstrates that, as a leader in Congress, he is effective, knowledgeable and well-respected. He is a friend to the industry and we look forward to working with him in the 109th Congress.
1. What is the biggest vulnerability we face in cyber security today?
Our biggest vulnerability is the lack of education on cyber security and the scope of threats we face. Given the interconnectivity of systems across cyberspace, all it takes is one weak link to break the chain. The vulnerabilities of our systems are significant, and the potential damage that can be done is a lot more than any plane flying into a building; that’s the reality. Therefore, everyone must protect his or her piece of cyberspace. All users – whether they are at home, school, or work – need to understand the impact of weak security and the measures that should be taken to prevent or respond to cyber attacks. The most powerful tool we can use to combat this weakness is better information sharing between the public and private sectors and between different levels of government. So far, this issue hasn’t been given enough attention.
2. What is your most significant contribution in advancing cyber security?
I developed and sponsored the Federal Information Security Management Act (FISMA). It requires all federal agencies establish and implement a comprehensive risk-based framework for agency-wide information security management, which includes risk assessments, risk management policies, security awareness training, and periodic reviews.
I also wrote the Critical Infrastructure Information Act, which regulates the use and disclosure of information voluntarily submitted to DHS by the private sector about vulnerabilities and threats to critical infrastructure. This act is intended to encourage information sharing between the federal government and the private sector owners and operators of critical infrastructures.
3. What do you believe is the role of government (Executive Branch/Congress) in cyber security?
We must ensure that federal agencies have strong management frameworks in place that protect federal systems. That's why federal agencies' compliance with the FISMA is critical. The Government Reform Committee will continue its aggressive oversight of FISMA. Specifically, the Committee will release Federal Agency FISMA compliance scorecards and review FISMA implementation to determine whether there is a need to amend or clarify provisions.
Government must also focus on facilitating better communication between the public and private sector to protect critical infrastructure, including our cyber infrastructure. It’s important for government to ensure that information sharing is a two-way street. For instance, it is not enough for the private sector to share information about its vulnerabilities with federal agencies. The government needs to do a better job of sharing information with the private sector about potential cyber threats and response plans so it can better protect its critical infrastructure assets.
4. What are the responsibilities of the private sector in supplying good software? What are the responsibilities of the end user?
IT training programs offered in the workplace should have an increased focus on security. In fact, this Congress I will examine the information security training program available to federal employees to determine whether it is adequate.
Education is another critical factor. From Chief Information Officers to students to small business owners, everyone must know how to respond to cyber attacks. When a new flaw is identified in ubiquitous software, users must take preemptive action to minimize damage from the inevitable hacker attacks. For example, security patches released by software manufacturers can be installed in systems to correct these flaws. When patches are announced, one has to act quickly to install them. So, does the average computer user know what software he is running? Does he know if the alert applies to him? If so, does he know where to find the patch and how to apply it? End users must understand why and how they need to secure their systems. They need to understand the fundamentals of computer protection and be able to differentiate between safe online behavior and actions that will expose vulnerabilities.
The bottom line is that basic facts about cyber security need to be second nature to all computer users. The aggressive push to implement e-government initiatives means that federal computer systems are communicating with computers in homes and businesses (e.g., IRS e-filing). If non-federal computers are not adequately secured, there is added risk to our federal systems. We are all in this together and we must rely on one another to do each other's part.
5. How can policy organizations, such as CSIA, be of the greatest help to the efforts of Congress?
It’s very important for CSIA and similar organizations to educate Congress about not only the issues that are important to the private sector, but cyber security in general, as well. Few members – maybe 10 out of 535 – know what FISMA is. I think a lot of members understand the concepts. But if you don't have constituent interest in this area, there are few incentives for members to get involved until there is some downside – either a cyber Pearl Harbor, companies lose money, or people get hurt. We need to educate our members before something awful happens and that’s where policy organizations can help.
CSIA in the News
Article of Interest
Federal Computer Week, January 24, 2005
The Davis Plan
Rep. Tom Davis (R-VA) is a man with a plan. That has become increasingly evident as Davis has become one of the most influential people in the information technology community. Davis sat down with Federal Computer Week staff on Jan. 13 to discuss his agenda for the 109th Congress and offer his views on a variety of subjects including cyber security. Some cybersecurity experts say that other changes may be needed, too. “Federal cybersecurity could be undermined if executive staffing levels are not corrected”, said Paul Kurtz, executive director of the Cyber Security Industry Alliance. Kurtz said alliance members favor increasing the number of staff members who work on cybersecurity policy and standards at the Office of Management and Budget and the National Institute of Standards and Technology.
CSIA Coverage
SecurityStockWatch.com, January 31, 2005
Security Initiatives: Mr. Paul Kurtz, Executive Director of the Cyber Security Industry Alliance
In this profile article, Paul Kurtz discusses the mission of the Cyber Security Industry Alliance and the near-term priorities of the organization. He discusses the role of phishing and what customers and businesses can do to minimize their exposures to these types of scams. Paul also mentions the need for bringing clarity to the IT security implications of Sarbanes-Oxley. He comments that, “Publicly-traded corporations are spending millions this year to comply with the law, but in the case of IT security, it is unclear what compliance means.”
InformationWeek, January 24, 2005
Federal Role In Ensuring Cybersecurity Isn't Clear
Larry Greenemeier from InformationWeek comments on the vast amount of work that needs to be done to shore up cybersecurity for the nation's energy utilities, manufacturing and transportation facilities, telecommunication and data networks, and financial-services firms. So far, the Bush administration has done a good job of laying out a cybersecurity strategy, notes Paul Kurtz, CSIA's executive director and former senior director of critical infrastructure protection for the White House's Homeland Security Council. “Having said that, I think the level of institutional leadership — applying resources and senior thinking against the issue — has been less than is necessary in order to ensure that we continue to show leadership in this space,” Kurtz says.
CNET News.com, January 12, 2005
Yet Another Cybersecurity Chief Steps Down
In an interview with Rob Lemos of CNETnews.com, Paul Kurtz is quoted regarding the resignation of Robert Liscouski, the Department of Homeland Security's top bureaucrat in charge of cybersecurity and physical-infrastructure protection. “The problems of the past have been largely because of the fallout of 9/11 and the focus of the federal government on physical security,” said Paul Kurtz, executive director of the Cyber Security Industry Alliance. “Cybersecurity has been put in the backseat.”
CSIA Press Releases
iPass Member Release, February 1, 2005
Cyber Security Industry Alliance (CSIA), the only CEO public policy and advocacy group exclusively focused on cyber security policy issues, today announced that iPass Inc. (NASDAQ: IPAS), a leader in enabling remote and mobile workers to connect simply and securely to their enterprise networks, has joined the organization at the highest level as a Charter member, with a seat on CSIA’s Board of Directors for its Chairman and CEO, Ken Denman.
CSIA Town Hall Meeting at RSA Conference
Featuring 9/11 Commissioner Jamie S. Gorelick and Former Special Advisor to the President for Cyberspace Security Richard Clarke
The Cyber Security Industry Alliance is pleased to host a Town Hall Meeting to discuss homeland security, critical infrastructure protection, and cyber security in the post-9/11 era, and the steps that are being taken to enhance security measures.
WHAT: CSIA Town Hall Meeting
WHEN: Wednesday, February 16, 12:45-1:45 pm
WHERE: Moscone Convention Center, Gateway 104, San Francisco, CA
The Town Hall Meeting, which will take place during the RSA Conference 2005, will feature Jamie S. Gorelick of the 9/11 Commission, and Richard Clarke, Former Special Advisor to the President for Cyberspace Security.
Gorelick is a partner at Wilmer, Cutler & Pickering in Washington, DC and is a member of the Council on Foreign Relations and the American Law Institute. She co-chaired, with Senator Sam Nunn, the Advisory Committee of the President's Commission on Critical Infrastructure Protection, and currently serves on the Central Intelligence Agency's National Security Advisory Panel, as well as the President's Review of Intelligence. She will offer her insights on homeland security, critical infrastructure protection, and cyber security issues.
Clarke most recently served on the US National Security Council as Special Advisor to the President for Cyberspace Security; National Coordinator for Security, Infrastructure Protection, and Counterterrorism; and chaired the Counterterrorism Security Group. Prior to his time with the National Security Council, Clarke worked in the US Department of State as Deputy Assistant Secretary of State for Intelligence, and then as Assistant Secretary of State for Politico-Military Affairs. Just after leaving the government in 1993, Clarke testified before the National Commission on Terrorist Attacks Upon the United States on March 24, 2004. Clarke has been an on-air consultant for ABC News and is Chairman of Good Harbor Consulting, LLC.
Paul Kurtz, CSIA Executive Director, and former Special Assistant to the President for Critical Infrastructure Protection on the White House’s Homeland Security Council, will host the town hall meeting.
Please RSVP for the Town Hall Meeting at [email protected]. Snacks and beverages will be provided. We hope to see you there!
To register for RSA Conference 2005, please visit http://2005.rsaconference.com/us/.
CSIA’s First Birthday Celebration
Join us for CSIA’s First Birthday Party and celebrate our first year of extraordinary accomplishments! The celebration will be held during the RSA conference. We hope to see you there!
WHAT: CSIA’s First Birthday Celebration
WHEN: Tuesday, February 15, 8:30-11:00 pm
WHERE: Thirsty Bear Restaurant • Mezzanine Level, 2nd Floor, 661 Howard Street
Register for CSIA’s First Birthday Celebration at https://www.csialliance.org/news/events/register.
Orson Swindle Wins 2005 RSA Award for Public Policy
CSIA is pleased to present Orson Swindle, a Commissioner on the Federal Trade Commission (FTC), with the 2005 RSA Conference Award for Public Policy for his significant contributions and leadership in the field of cyber security public policy.
Through his work with the FTC, Commissioner Swindle has been a key contributor in protecting consumers against cyber fraud and attacks. He has actively worked to shape public policy in the areas of anti-spam regulations, online privacy and consumer protection. He has testified before Congress and addressed industry groups on issues of privacy, identity theft and online security practices.
“Mr. Swindle’s diligent and focused work in the area of cyber security public policy is unmatched and certainly deserving of this award,” said Paul Kurtz, executive director of CSIA. “Not only has he provided critical leadership to raise consumer, business and general public awareness of why we must all use safe computing and Internet practices, but he has called for stronger direction by industry, academia and government to work together on the important task of greater cyber security.”
Commissioner Swindle’s long list of accomplishments includes his leadership role in revising the Guidelines for the Security of Information Systems and Networks issued by the Organization for Economic Cooperation and Development (OECD), an international organization of industrialized, market-economy countries. He also launched the FTC’s Internet security initiative aimed at educating consumers and businesses about safe computing practices. In 2004, he was recognized by the International Association of Privacy Professionals (IAPP) for shaping public policy in the areas of anti-spam regulations, online privacy, information security, consumer protection, international privacy and electronic data protection.
The RSA Conference Award for Public Policy is designed to recognize significant contributions and leadership in the field of cyber security public policy. The judging committee seeks to reward nominees who hold elected or appointed office, are associated with public interest organizations, or are associated with an organization that has significantly contributed to the development or application of current information security and/or privacy policy.
Schedule of CSIA Events at RSA Conference
CSIA First Birthday Celebration
Tuesday, February 15
8:30 pm – 11:00 pm
Thirsty Bear Restaurant, Mezzanine Level, 2nd Floor
661 Howard Street
Register at https://www.csialliance.org/news/events/register
Town Hall Meeting / Roundtable
Moderator: Paul Kurtz
Panelists: 9/11 Commissioner Jamie S. Gorelick and Former Counterterrorism Coordinator Richard Clarke
Wednesday, February 16
12:45 pm – 1:45 pm
Moscone Convention Center, Gateway 104
RSVP to [email protected]
Sarbanes-Oxley Part I: Security Governance & Policy
Moderator: Steve Wu
Panelists: Paul Kurtz, John Tritak and Lee Zeichner
Wednesday, February 16
3:25 pm – 4:25 pm
Moscone Convention Center, South Hall
http://2005.rsaconference.com/us/general/presentation_info.aspx?id=9590
International Current Events
Panelists: Paul Kurtz, Behnam Dayanim, Francisco Mingorance and Roland Mueller
Friday, February 18
11:10 am – 12 pm
Moscone Convention Center, South Hall
http://2005.rsaconference.com/us/general/presentation_info.aspx?id=9595
Upcoming Events
March
March 28-31: Security Week Brazil
Security Week, now in its 4th edition, is one of Latin America's premier events, conferences and expositions for the information security sector. The event is a traditional launching platform for new technologies and discussion of trends and critical issues. Executive Director Paul Kurtz of CSIA will be presenting a keynote address on A Global Sarbanes-Oxley Compliance Strategy.
April
April 4-6: InfoSec World, Orlando, FL
InfoSec World 2005 tackles the full spectrum of security challenges and offers real-world, unbiased solutions. This conference covers every angle of security featuring case studies, demos, and hands-on exercises, three visionary keynotes, and a vendor expo with over 150 exhibitors. Paul Kurtz, Executive Director of CSIA, will be participating in the CISO Executive Summit on April 3 and will be presenting on Cyber Terrorism on April 4.
Exclusive Savings for CSIA Members: MIS Training Institute is offering a 25% discount off the regular conference registration fee to CSIA Members, a savings of over $300! Register online today at http://www.misti.com/01/os05eb13reg_infosecworld.html. Please use OS05/EB13 as your Registration Code to receive your discount. (This savings does not apply to optional workshops, CISO Executive Summit or The CBK Review Seminar. This offer cannot be combined with any other discount.)
May
May 3 (Save the Date!): CSIA SOX Summit, Washington, DC
CSIA will host a SOX Summit at the International Trade Center in Washington, DC, bringing together key stakeholders from both the corporate management and auditing communities to address that question and shed light on the implications of SOX.
CSIA Members
Charter Members
Principal Members
Emerging Security Partner
CSIA’s newsletter is issued monthly, to keep you informed and up-to-date on activities, issues and breaking news that affect cyber security public policy. If you have comments or questions, please send a message to Laura Brown, CSIA Policy Analyst, [email protected].
To view past editions of the CSIA newsletter, please visit: https://www.csialliance.org/news.
To share your comments about this newsletter or to submit information, send a message to [email protected].
Stay in touch with CSIA:
Membership questions: [email protected]
Phone: 781-876-6205
CSIA (Cyber Security Industry Alliance)
1201 Pennsylvania Avenue, NW
Suite 300, #3011
Washington, DC 20004
http://www.csialliance.org
To leave this list, please send a message with your request to [email protected].
© 2005 Cyber Security Industry Alliance. All rights reserved.