Volume 1, No. 7
March 2005

To read the newsletter in your Web browser, go to https://www.csialliance.org/news.



Executive Director’s Message

by Paul Kurtz, CSIA Executive Director

CSIA's March newsletter focuses on two important topics — privacy and VoIP — that have dominated the news over the past few weeks and will likely continue to be in the headlines in the coming weeks.

The increased press coverage of privacy issues is a result of the recent incidents at ChoicePoint and Bank of America. These high-profile cases have yielded at least five different bills in Congress to date, all focused on improving privacy protection. One feature this month notes that federal privacy law has thus far been sector-based, but Congress may soon enact more comprehensive privacy legislation providing privacy protection in areas not covered by medical or financial privacy laws.

Meanwhile, in the next few months, Congress will be considering updates to national telecommunications policy, prompting discussion of the cyber security implications of a popular trend called IP telephony. The landmark Telecommunications Act of 1996 passed when a nascent technology called “voice-over-Internet protocol,” or VoIP, was a back room experiment. VoIP is still an emerging technology, but it is being adopted swiftly by organizations and consumers. In our Congressional Spotlight, Congressman Cliff Stearns of Florida's 6th District provides us with some background on VoIP and a discussion of pending legislation and policy reform focused on VoIP.

In preparation for what will likely be a lively debate on revamped telecom policy, CSIA will facilitate constructive discussion on new policy for VoIP. The Cyber Security Industry Alliance is pleased to announce that we will be sponsoring a Workshop on Securing Voice Over IP in Washington, DC on June 1-2, 2005. We invite appropriate scientists, technologists, policy makers, and domain experts to the first conference ever to address VoIP technology, research, law, and policy at the same event.

In the next few weeks, CSIA will release a primer on VoIP, Cyber Security for IP Telephony, focusing on how vulnerabilities in VoIP may affect national security and emergency preparedness programs and the IT-based economy. The primer surveys how cyber security affects IP telephony, national security and emergency preparedness programs, and information technology used for critical infrastructure and business. It concludes with new VoIP policy recommendations.

Finally, we are pleased to feature our two new Charter members — iPass and Citrix — in our member spotlight this month.



VoIP Takes a Big Byte Out of Telecom Legacy Regulation

by Rosalind K. Allen, Partner, Holland + Knight, Washington, DC

The melding of digital technology with the IP platform has served as a powerful catalyst for developing innovative new broadband offerings for the enterprise and consumer markets. Shifting information from legacy networks to the IP platform has been a work in progress for quite some time, but during the past year, that trend reached its tipping point. Voice telephony, the most basic and popular telecom service, is now riding the Internet as VoIP, and it has hit the consumer market in a big way. Improved quality, attractive pricing and technology that ensures ease and flexibility of use are transforming VoIP into a potentially formidable competitor to traditional voice offerings.

VoIP is now recognized as a full-fledged “disruptive technology”: something that turns existing regulatory and legal structures on their ears. The rise of VoIP coincides with the realization that many aspects of telecom regulation under the 1996 Act, such as inter-carrier compensation, numbering, and universal service funding mechanisms, have been overtaken by technological innovation, particularly more intensive use of IP-based transport. For these reasons, VoIP has the full attention of the FCC, Congress, federal law enforcement, the states, and the courts.

The FCC and the States

Historically, the FCC has viewed services such as broadband provided over the IP platform as “information services” that are not subject to state entry or rate regulation and only minimal federal regulation. Not unexpectedly, the increased penetration of VoIP during 2003 rapidly prompted several state public utility commissions to explore how VoIP fits into traditional state regulation of intrastate telephone service. Concerns that state regulation of IP-enabled services would impede effective deployment prompted a number of diverse interests to file requests with the FCC asking the agency to determine the appropriate regulatory treatment for VoIP.

In February of 2004, the FCC initiated a proceeding to examine appropriate regulatory treatment of IP-enabled services, including VoIP. A decision in that proceeding is expected in the next few months, but meanwhile, the FCC has issued two decisions of particular relevance to VoIP. First, the FCC found that Pulver's Free World Dialup service is an information service because it is a “peer-to-peer” VoIP offering rather than one reliant on elements of the public switched telephone network. More recently, the FCC held that Vonage's DigitalVoice VoIP service is exempt from Minnesota's telephone company regulations because the interstate and intrastate elements of DigitalVoice are inseparable. The FCC specifically declined to address general tax or business practice regulation by states, and expressed the expectation that states would have a continuing role in consumer protection issues.

Several states have now initiated proceedings to determine regulatory treatment of VoIP. The National Association of Regulatory Utility Commissioners takes the position that states do not want to discourage technological innovation, but should retain the authority to regulate key aspects of VoIP offerings.

The Courts

On December 22, 2004, the California Public Utility Commission filed a petition for review of the FCC's Vonage decision with the United States Court of Appeals for the Ninth Circuit. The CPUC challenges the FCC's decision to preempt state authority to impose entry and rate regulation on VoIP providers.

The FCC, VoIP and Federal Law Enforcement

The Department of Justice, the Federal Bureau of Investigation and the Drug Enforcement Administration (“Federal law enforcement”) petitioned the FCC for an “Expedited Rulemaking” and Declaratory Ruling stating that the Communications Assistance for Law Enforcement Act (“CALEA”) be applied to VoIP and other broadband services that are a “substantial replacement” for the public switched telephone network. The FCC has excluded IP-enabled services from CALEA mandates because of statutory language that plainly states CALEA itself is not applicable to “information services.” Federal law enforcement expressed concern that as IP-enabled services continue to expand, the lack of an express requirement to facilitate surveillance of IP-enabled services through network design severely compromises law enforcement and national security interests. In August 2004, the FCC adopted a Notice of Proposed Rulemaking that, consistent with the view of federal law enforcement, proposes to extend CALEA to all services that are a “substantial replacement” for the public switched telephone network.

While all commenters support the legal authority of law enforcement to intercept IP-based communications pursuant to court order, there is substantial disagreement regarding whether extending the reach of CALEA to IP-enabled services such as VoIP is a correct reading of the statute in its present form and is in the public interest. Federal law enforcement has been unable to produce any factual support for the need to impose a legal requirement on IP service providers to cooperate through specific network design requirements. In fact, Federal law enforcement has been unable to identify any situations where IP providers have not fully and voluntarily met the surveillance needs of Federal law enforcement.

Several commenters, such as the Center for Democracy and Technology, the Telecommunications Industry Association, and the Electronic Frontier Foundation, also argue that imposing network design requirements that facilitate surveillance, consistent with Federal law enforcement requirements, would not be in the public interest. The resulting surveillance technology design mandates would stifle innovation and compromise network security. These concerns were echoed during a September 8, 2004 hearing held by the House Committee on Energy and Commerce, entitled “Law Enforcement Access to Communications Systems in a Digital Age.”

Congress

During 2004, the Senate actively considered amendments to the Communications Act that would define VoIP as an interstate service free of state entry and rate regulation. Representative Stearns has recently introduced legislation to revitalize the effort to bring our nation's telecommunications regulations into the 21st century.



Focus on Privacy Legislation


Overview of Privacy Legislation

What do US Senator Patrick Leahy of Vermont and California socialite Paris Hilton have in common? Not much, one would imagine, but in fact, both have recently had their personal information compromised. Leahy was among 20 U.S. Senators whose credit card information was lost by Bank of America, while Hilton’s wireless T-Mobile Sidekick II was hacked into and photos and contact information of her famous friends were posted on the Internet. Unfortunately, these types of incidents are all too common — ChoicePoint recently announced that 145,000 people in all 50 states had their financial records exposed in 2004 when thieves posing as legitimate businessmen purchased access to their records.

All this publicity alone would make it likely that Congress would act in the area of privacy, but the fact that some of its own members have been victimized all but guarantees legislative action. So far, five separate pieces of legislation dealing with privacy have been introduced in Congress (detailed below), and several more are sure to follow. Senator Richard Shelby (R-AL), Chairman of the Senate Banking Committee, held hearings on consumer privacy during the weeks of March 7 and 14, 2005. The hearings focused on the Government's role in regulating data warehouses such as ChoicePoint.

Currently, federal privacy law is sector-based — the Health Insurance Portability and Accountability Act (HIPAA) covers healthcare information, and the Gramm-Leach-Bliley Act deals with financial services. But Congress may soon enact more comprehensive privacy legislation along the lines of California Assembly Bill 1950, which recently went into effect. A.B. 1950 is a gap-filler — it provides privacy protection in areas not covered by financial or medical privacy laws.

Although California is a leader on privacy issues, several states, including Virginia, Georgia, New Hampshire, New York, and Texas, are considering measures to combat identity theft. Most state privacy legislation either requires firms to notify consumers whose data has been compromised or allows individuals to “freeze” their credit reports to prevent fraud.

Nothing motivates legislators like intense press coverage. Stories like ChoicePoint and Bank of America are likely to keep privacy on the front burner in Washington, D.C. and around the country.



ChoicePoint Data Theft Leads to Proposed Legislation

After the recent security breach at ChoicePoint, a leading data broker, legislation has been introduced to regulate brokers.

Rep. Edward Markey (D-MA) introduced a bill (H.R. 1080) to require data brokers like ChoicePoint to comply with a new set of fair-information rules. The FTC would be required to issue these rules within six months of the bill's enactment. The bill would force data brokers to protect their consumer information databases against a range of security breaches. In addition, consumers would have access to all their personal data stored in a broker’s database, and they would be allowed to correct errors. The proposed legislation also allows the FTC, state attorneys general and consumers to sue data brokers who violate the rules.

Markey said that House Energy and Commerce Committee Chairman Joe Barton (R-TX) has promised hearings on information brokers and their impact on consumer privacy.

Sen. Bill Nelson (D-FL) has introduced companion legislation in the Senate (S. 500). The wording on the Senate legislation would define the term "information broker" narrowly and would allow the FTC to exempt entities from the classification at its discretion. "We're going to give great discretion to the Federal Trade Commission so that they can then make sure that commerce is not being impeded but at the same time protect the privacy of Americans, which is fast eroding," Nelson said.

Nelson sits on the Senate Commerce Committee and said he will ask Chairman Ted Stevens (R-AK) and committee ranking Democrat Daniel Inouye (D-HI) to hold hearings. Nelson also said he is planning to meet with FTC Chairwoman Deborah Majoras to discuss the bill.

Due to the security breaches at ChoicePoint and Bank of America, the Judiciary Committee is expected to hold hearings on consumer privacy and identity theft similar to those previously held by the Senate Banking Committee.



Privacy Legislation in the 109th Congress

H.R. 84 – Online Privacy Protection Act of 2005 – Rep. Rodney Frelinghuysen (R-NJ)

Latest Update: Rep. Frelinghuysen introduced H.R. 84 on Jan. 4 and it was referred to the Subcommittee on Commerce, Trade and Consumer Protection.

Summary: H.R. 84 requires the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected on the Internet from and about individuals who are not covered by the Children's Online Privacy Protection Act of 1998 (age 13 and above). It makes it unlawful for an operator of a Web site or online service to collect, use, or disclose personal information concerning an individual in a manner that violates the prescribed regulations, and requires such operators to protect the confidentiality, security, and integrity of the personal information they collect from such individuals. H.R. 84 also provides greater individual control over the collection and use of that information by creating a process for such individuals to consent to or limit the disclosure of such information. Additionally, H.R. 84 directs the FTC to provide incentives for self-regulation efforts by operators to implement appropriate protections for such information. Finally, it authorizes the States to enforce such regulations by bringing actions on behalf of residents, requiring the State attorney general to first notify the FTC of such action.

H.R. 82 – Social Security On-line Privacy Protection Act – Rep. Rodney Frelinghuysen (R-NJ)

Latest Update: Rep. Frelinghuysen introduced H.R. 82 on Jan. 4 and it was referred to the Subcommittee on Commerce, Trade and Consumer Protection on Feb. 4.

Summary: H.R. 82 prohibits an interactive computer service from disclosing to a third party an individual's Social Security number or related personally identifiable information without the individual's prior informed written consent. The bill also requires such service to permit an individual to revoke any consent at any time.

H.R. 220 – Identity Theft Prevention Act of 2005 – Rep. Ron Paul (R-TX)

Latest Update: H.R. 220 was introduced on Jan. 4 by Rep. Paul. It was then referred to the Committee on Ways and Means and the Committee on Government Reform.

Summary: H.R. 220 amends title II (Old Age, Survivors and Disability Insurance) of the Social Security Act and the Internal Revenue Code to prohibit using a Social Security account number except for specified Social Security and tax purposes. The bill also prohibits the Social Security Administration from divulging the Social Security account number of an individual to any Federal, State, or local government agency or instrumentality, or to any other individual. Conversely, no Federal, State, or local government agency or instrumentality may request an individual to disclose his Social Security account number on either a mandatory or a voluntary basis, among other prohibitions.

S. 116 – Privacy Act of 2005 – Sen. Dianne Feinstein (D-CA)

Latest Update: S. 116 was introduced on Jan. 24 by Sen. Feinstein and was referred to the Committee on the Judiciary.

Summary: S. 116 prohibits the sale and disclosure of personally identifiable information by a commercial entity to a non-affiliated third party unless prescribed procedures for notice and opportunity to restrict such disclosure have been followed. The bill grants the Federal Trade Commission (FTC) enforcement authority. S. 116 also amends Federal criminal law to prohibit the display, sale, or purchase of social security numbers (SSNs) without the affirmatively expressed consent of the individual. This legislation prohibits the use of SSNs on checks issued for payment by governmental agencies and on driver's licenses or motor vehicle registrations. It prohibits a commercial entity from requiring disclosure of an individual's SSN in order to obtain goods or services, and it establishes criminal and civil monetary penalties for misuse of an SSN.

S. 29 – Social Security Number Misuse Prevention Act – Sen. Dianne Feinstein (D-CA)

Latest Update: S. 29 was introduced on Jan. 24 by Sen. Feinstein and was referred to the Committee on the Judiciary.

Summary: This bill amends the Federal criminal code to prohibit the display, sale, or purchase of social security numbers without the affirmatively expressed consent of the individual, except in specified circumstances. It directs the Attorney General to study and report to Congress on all the uses of social security numbers permitted, required, authorized, or excepted under any Federal law, including the impact of such uses on privacy and data security. S. 29 establishes a public records exception to the prohibition and directs the Comptroller General to study and report to Congress on social security numbers in public records. The Attorney General is granted rulemaking authority to enforce this Act's prohibition and to implement and clarify the permitted uses occurring as a result of an interaction between businesses, governments, or business and government.



New CSIA Members

Member Spotlight – Citrix

Name: Citrix Systems, Inc.

Chairman and CEO: Mark Templeton

Founded: 1989

Headquarters: Fort Lauderdale, Florida

Worldwide Offices: Citrix has numerous offices around the world, from the United States to Australia and from France to Japan. Citrix Americas is home to our Global Headquarters based in Fort Lauderdale, Florida. The Europe, Middle East and Africa headquarters is located in Schaffhausen, Switzerland with regional Pan-European offices in Cambridge, Munich, Paris and Dublin. The Citrix Pacific headquarters is based in Hong Kong with regional offices in Sydney, Tokyo, Singapore, Shanghai, and Bangalore. Overall, Citrix has offices in 22 countries, and approximately 7,000 channel and alliance partners.

Number of Employees: Approximately 2700

About Citrix: Citrix Systems, Inc. is the global leader in access infrastructure solutions and the most trusted name in secure access for enterprises and individuals. More than 160,000 organizations around the world use Citrix every day. Our software gives people secure and well-managed access to business information wherever it lives, on demand. Citrix customers include 100% of the Fortune 100 companies, 99% of the Fortune 500, and 92% of the Fortune Global 500.

Areas of Specialization: Extending the world's most widely deployed presentation server, the Citrix® MetaFrame® Access Suite centralizes access to applications and information, and enables IT staffs to deliver, manage, monitor and measure enterprise resources on demand. Citrix customers are able to run IT as a corporate computing utility, provisioning software as a service. This simplifies the complexity and reduces the costs of deploying and administering hundreds of heterogeneous applications and delivering them to workers anywhere, using any device or connection. Overall benefits to the enterprise include increased flexibility and productivity, dynamic adaptability to change, and resilience in the event of business and technology disruptions.



Member Spotlight — iPass

Name: iPass, Inc.

Chairman and CEO: Ken Denman

Founded: 1996

Headquarters: Redwood Shores, California

Worldwide Offices: London, UK (EMEA Headquarters); Munich, Germany; Amsterdam, The Netherlands; Paris, France; Stockholm, Sweden; Copenhagen, Denmark; Herzliya, Israel; Tokyo, Japan (Japan Headquarters); Hong Kong (APAC Headquarters); Singapore; Sydney, Australia; Seoul, Korea; Westlake Village, California

Number of Employees: 400

About iPass: iPass Inc. (NASDAQ: IPAS) delivers simple, secure and manageable enterprise mobility services, maximizing the productivity of workers as they move between office, home and remote locations. iPass security services — based on unique Policy Orchestration capabilities — close the gaps in protecting computers, network assets, user identities and data whenever users connect over the Internet. iPass connectivity services utilize the iPass global virtual network, a unified network of hundreds of dial-up, wireless and broadband providers in over 150 countries. iPass services are the choice of hundreds of Global 2000 corporations including General Motors, Ford Motor Company, John Deere, Mellon Financial and Hershey Foods.

Areas of Specialization: Secure global remote connectivity, security services, and systems management services. iPass has developed a unique connectivity platform that unifies hundreds of disparate access providers into a single Enterprise Ready network that spans more than 150 countries offering customers dial-up, ISDN, wireless and wired broadband connectivity.

iPass Policy Orchestration is a layer of software intelligence built into the iPass connectivity platform that permits iPass services to control and enforce the use of enterprise policy-based security systems. Policy Orchestration enables easy-to-manage, comprehensive and coordinated protection of critical business assets over all remote and mobile Internet and corporate connections.



Legislative Update

Several bills are discussed earlier in the newsletter in the article Privacy Legislation in the 109th Congress.

S. 500 – Information Protection and Security Act – Senator Bill Nelson (D-FL)

Latest Update: Sen. Nelson introduced the Information Protection and Security Act on March 3 and it was then referred to the Committee on Commerce, Science, and Transportation. S. 500 is identical to H.R. 1080, sponsored by Rep. Ed Markey (D-MA).

Summary: S. 500 regulates information brokers and protects individual rights with respect to personally identifiable information. Specifically, it authorizes the Federal Trade Commission (FTC) to promulgate regulations requiring information brokers to update the information they store and to allow individuals to access their information; upon request by the individual, the information brokers must disclose what information they distribute and to whom it was given; the information brokers must also authenticate users before allowing usage; finally, S. 500 authorizes enforcement by the FTC and gives individuals a right of private action against the brokers.

H.R. 1080 – Information Protection and Security Act – Rep. Ed Markey (D-MA)

Latest Update: H.R. 1080 was introduced on March 3 by Rep. Markey and was referred to the House Committee on Energy and Commerce. H.R. 1080 is identical to S. 500, sponsored by Sen. Bill Nelson (D-FL).

Summary: H.R. 1080 regulates information brokers and protects individual rights with respect to personally identifiable information. Specifically, it authorizes the Federal Trade Commission (FTC) to promulgate regulations requiring information brokers to update the information they store and to allow individuals to access their information; upon request by the individual, the information brokers must disclose what information they distribute and to whom it was given; the information brokers must also authenticate users before allowing usage; finally, H.R. 1080 authorizes enforcement by the FTC and gives individuals a right of private action against the brokers.

H.R. 214 – Advanced Internet Communications Services Act of 2005 – Rep. Cliff Stearns (R-FL)

Latest Update: Rep. Stearns introduced this bill on January 14 and on Feb. 4 it was referred to the House Subcommittee on Telecommunications and the Internet.

Summary: The bill aims to promote deployment of and investment in advanced Internet communications services. It gives the Federal Communications Commission (FCC) exclusive authority regarding advanced Internet communications services, allowing the FCC to impose specific requirements or obligations on providers of advanced Internet communications voice service.

S. 472 – Anti-Phishing Act of 2005 – Senator Patrick Leahy (D-VT)

Latest Update: On February 28, Sen. Leahy introduced his anti-phishing legislation, which is similar to legislation he introduced during the 108th Congress (S. 2636). S. 472 was referred to the Senate Judiciary Committee, where it is awaiting further action.

Summary: The Anti-Phishing Act of 2005 criminalizes phishing, making it illegal to knowingly send out spoofed email that links to websites with the intention of committing a crime. The legislation is also intended to penalize those who falsely represent themselves as a legitimate online business and solicit an e-mail recipient to provide identification to the phisher.

H.R. 1099 – Anti-Phishing Act of 2005 – Rep. Darlene Hooley (D-OR)

Latest Update: Rep. Hooley introduced H.R. 1099 on March 3, and it was then referred to the House Committee on the Judiciary.

Summary: H.R. 1099 criminalizes phishing, making it illegal to knowingly carry on any activity that links to websites with the intention of committing a crime. The legislation is also intended to penalize those who falsely represent themselves as a legitimate online business and solicit an e-mail recipient to provide identification to the phisher. This legislation is similar to S. 472.

H.R. 29 – The SPY ACT – Congresswoman Mary Bono (R-CA)

Latest Update: Also known as the “Securely Protect Yourself Against Cyber Trespass Act.” On January 6, Congresswoman Bono re-introduced her bill from the 108th Congress that aims to protect computer users against internet privacy invasion. On February 4, the bill was marked up, passed the House Energy and Commerce Committee's Subcommittee on Commerce, Trade and Consumer Protection, then forwarded on to the full committee for mark-up. On March 9, the full committee ordered the bill to be reported by a vote of 43-0. In October 2004, the original bill passed overwhelmingly in the House of Representatives, but did not pass the Senate before the 108th Congress came to a close.

Summary: This bill would prevent spyware purveyors from hijacking a home page or tracking users' keystrokes. It requires that spyware programs be easily identifiable and removable, and allows for collection of personal information only after express consent from the user. Additionally, fines against abusers are substantially increased. As passed, this bill contains an exemption for legitimate security operations.

H.R. 744 – The I-SPY Prevention Act of 2005 – Congressman Bob Goodlatte (R-VA)

Latest Update: Also known as the “Internet Spyware (I-SPY) Prevention Act of 2005.” On February 10, Representatives Bob Goodlatte, Zoe Lofgren (D-CA-16) and Lamar Smith (R-TX-21) reintroduced the Internet Spyware (I-SPY) Prevention Act of 2005. It was then referred to the House Committee on the Judiciary. This legislation was originally introduced during the 108th Congress and passed the House of Representatives by a vote of 415-0. Currently, there are no plans for hearings or mark-up; however, this bill is expected to move quickly.

Summary: This bill addresses the most egregious activities that are conducted via spyware. It would make the following activities criminal offenses:

  • Intentionally accessing a computer without authorization, or intentionally exceeding authorized access, by causing a computer program or code to be copied onto the computer and using that program or code to:
    • Further another federal criminal offense (punishable by fine or imprisonment for up to 5 years)
    • Intentionally obtain or transmit “personal information” with the intent of injuring or defrauding a person or damaging a computer (punishable by fine or imprisonment for up to 2 years)
    • Intentionally impair the security protections of a computer (punishable by fine or imprisonment for up to 2 years)

The legislation includes language to preempt States from creating civil remedies based on violations of this act.

H.R. 91 – Smarter Funding for All of America's Homeland Security Act of 2005 – Congressman Rodney P. Frelinghuysen (R-NJ)

Latest Update: Rep. Rodney Frelinghuysen introduced H.R. 91 on January 4. It was referred to the Committee on Homeland Security (Select), and also referred to the Committees on Transportation and Infrastructure, the Judiciary, and Energy and Commerce for consideration of provisions falling within the jurisdiction of each committee. On February 25, it was referred to the Subcommittee on Health, where it currently awaits action by the Chairman.

Summary: H.R. 91 modifies the DHS grant program, authorizing the Secretary of Homeland Security to make grants to first responders. One new criterion will be "Threats to major communications nodes, including cyber and telephonic nodes."

S. 140 – Domestic Defense Fund Act of 2005 – Senator Hillary Clinton (D-NY)

Latest Update: Sen. Hillary Clinton introduced S. 140 on January 24. It was referred to the Senate Committee on Homeland Security and Governmental Affairs.

Summary: S. 140 provides for a domestic defense fund to improve the Nation's homeland defense by authorizing the Secretary of Homeland Security to award grants to States, units of local government, and Indian tribes for homeland security development. The grant awardees are required to develop a homeland security plan identifying both short- and long-term homeland security needs, among other items. Seventy percent of grant funds are required to be allocated among metropolitan cities and urban counties based on the Secretary's calculations of various infrastructure vulnerabilities and threats, such as proximity to international borders, nuclear or other energy facilities, air, rail or water transportation, and national icons and Federal buildings.

H.R. 285 – Department of Homeland Security Cybersecurity Enhancement Act of 2005 – Congressman Mac Thornberry (R-TX) and Congresswoman Zoe Lofgren (D-CA)

Latest Update: Also known as the Department of Homeland Security Cybersecurity Enhancement Act of 2005. On January 6, Congressman Mac Thornberry and Congresswoman Zoe Lofgren reintroduced bipartisan legislation to create an Assistant Secretary for Cybersecurity position within the Department of Homeland Security's Information Analysis and Infrastructure Protection Directorate. The Assistant Secretary position was originally introduced in the 108th Congress in H.R. 10, the 9/11 Recommendations Implementation Act, where it was approved by the House of Representatives but ultimately was not included in the final version of the bill.

Summary: The legislation would give the Assistant Secretary primary authority within the Department for all cyber security-related critical infrastructure protection programs of the Department, including policy formulation and program management. The legislation has strong support from the technology, education, and financial sectors.

Back to top


Congressional Spotlight

Representative Cliff Stearns (FL-06)

Born: Washington, D.C., April 16, 1941

Elected: 1988 (began ninth term in January 2005)

Committee Assignments: Energy & Commerce Committee – Chairman, Commerce, Trade & Consumer Protection Subcommittee; Vice Chairman, Subcommittee on Telecommunications & the Internet; Oversight & Investigations Subcommittee. Veterans' Affairs Committee – Vice Chairman, Health Subcommittee (former Chairman). House Policy Committee.

Education: George Washington University, B.S. (Electrical Engineering); Air Force ROTC Distinguished Military Graduate

Career: Businessman

Notable: Captain in the U.S. Air Force; Aerospace Engineer/Satellite Reconnaissance; Meritorious Service Commendation Medal; Peace Through Strength Victory Leadership Award from the Coalition for International Security; National Security Leadership Award, 101st-103rd Congress, from the American Security Council.

As Chairman of the Energy and Commerce Committee's Commerce, Trade & Consumer Protection Subcommittee, Congressman Stearns is a leader in developing information privacy legislation, overseeing the overhaul of accounting standards in light of corporate corruption, and enhancing consumer protection. Stearns has led efforts to curb email spam and supported creation of the “Do-Not-Call” list.

As Chairman of the Trade & Consumer Protection Subcommittee, Congressman Stearns works on legislation to stop the abuse of spyware, and has signed on as a co-sponsor of H.R. 29, The SPY ACT, which aims to protect computer users against spyware. In the 107th Congress, he held a series of hearings that was the most extensive inquiry in Congress on information privacy. In addition, Congressman Stearns chaired a number of hearings dealing with corporate scandals and is deeply involved in overseeing the tightening of accounting standards used by corporations.

On the Telecommunications Subcommittee, where Congressman Stearns is Vice Chairman, he is pushing for a comprehensive spectrum management plan as well as other initiatives to promote growth and innovation in the telecommunications industry. He recently introduced H.R. 214, the Advanced Internet Communications Services Act of 2005, which aims to promote deployment of and investment in advanced Internet communications services.

Congressman Stearns's work in consumer protection, privacy and telecom has given him deep knowledge of areas that are very important to our industry. He is an effective legislator, and CSIA will turn to him for support in the 109th Congress.

VoIP and Telecom Regulation

by Representative Cliff Stearns

Nine years after the 1996 Telecommunications Act, Congress is poised to enact significant reform of our nation's telecommunications laws. Among the many different aspects of telecom that we will be looking at is the treatment of Internet Protocol-enabled services. These new Internet applications, including Voice-over Internet Protocol, or VoIP, offer a competitive alternative to wireline and wireless telephone services, and promise to provide American consumers with more competition and more choices.

However, these IP-enabled services do not fit into the regulatory framework that the federal government designed for the telecommunications marketplace nearly a decade ago. For example, these nascent technologies are not a “telecommunications service” in the traditional regulatory scheme. They are also more than an “information service.” In addition, states are approaching VoIP with mixed results. The result is regulatory uncertainty, which could stifle adequate development and stymie investment in the telecom industry.

That's why Rep. Rick Boucher and I have introduced H.R. 214, the “Advanced Internet Communications Services Act of 2005.” Our bill creates a new definition of Advanced Internet Communications Services to incorporate the advances in IP-enabled services, and ensures that these new services, including VoIP, are left with as little regulation as possible. H.R. 214 is also drafted with future developments in mind, and will treat IP developments in video, high speed, data and other services — not just VoIP — with the same light regulatory touch, regardless of the provider. Our bill also allows the FCC to look at certain aspects of IP-enabled services to determine if certain obligations are in the public interest and if so, to make sure that any obligations must be reasonably achievable and economically reasonable. We will be working with leaders on the Energy and Commerce Committee and in Congress to ensure that the principles embodied in H.R. 214 are included in the final rewrite of our nation's telecommunications laws.

Back to top


CSIA in the News

Article of Interest

TechRepublic, February 17, 2005
Can you trust VoIP?
As broadband Internet connections become more common, voice-over-IP (VoIP) services are rapidly increasing in popularity. In general, most organizations consider VoIP to be a cost-saving way to bypass the telephone companies. However, VoIP is certainly no panacea. From the standpoint of Internet security, it's important to keep in mind that VoIP is still an Internet service, so the technology is subject to the same type of problems as any other Internet service. Worms, viruses, and DoS attacks can affect the usability of VoIP services, and the majority of these attacks will be outside the control of the VoIP provider. In addition, VoIP presents some legal issues, not the least of which is whether we consider VoIP a “pure” Internet service. While most governments don't typically regulate Internet services, VoIP could change that.

CSIA Coverage

SC Magazine, February 2005 Issue
We must learn to love compliance
Fear of legal action is driving companies to comply with new legislation, but there are positive benefits, too. The truth is that new legislation and regulations covering corporate governance and privacy have shifted ultimate responsibility for information security up to senior management. If companies fail to comply, then the board can face legal action. Throughout 2005, compliance will affect the whole IT security sector. The primary driver of this increased financial burden is SOX.
But Paul Kurtz, executive director of the Cyber Security Industry Alliance, says this expense is more than worthwhile. “Bringing data retention, auditing and record-keeping to the highest level can only be good for business, and for economies in general,” he says. “This doesn't mean the cost won't be painful. But there is definitely light at the end of the tunnel.”

Associated Press, February 14, 2005
NSA May Be ‘Traffic Cop’ for U.S. Networks
In this article, Ted Bridis from the Associated Press discusses the Bush administration's plans to consider making the National Security Agency — famous for eavesdropping and code breaking — its “traffic cop” for ambitious plans to share homeland security information across government computer networks. Such a decision would expand NSA's responsibility to help defend the complex network of data pipelines carrying warnings and other sensitive information. The NSA's information security programs are highly regarded among experts. “Bring it on. This clearly ought to be done,” said Paul Kurtz, a former White House cybersecurity adviser and head of the Washington-based Cyber Security Industry Alliance, a trade group. “This will raise the bar across the federal government to a far more secure infrastructure.”

Government Computer News, February 15, 2005
Cybersecurity group celebrates its first birthday by looking ahead
William Jackson from Government Computer News discusses CSIA's busy first year of weighing in on federal anti-spyware legislation, evaluating the Common Criteria evaluation scheme and presenting the president with a cybersecurity to-do list. “I think we've made tremendous progress in the first year,” CSIA executive director Paul Kurtz said. “We have established a beachhead in Washington.” CSIA members John McNulty from Secure Computing and Tom Noonan from ISS also comment on the need for more cyber security awareness.

ComputerWeekly.com, February 15, 2005
CIOs Turn Spotlight on Sarbanes Security Issue
Bill Goodwin from ComputerWeekly.com discusses the security implications of Sarbanes-Oxley in this article, which quotes Paul Kurtz. Paul discusses what is needed to tackle “grey areas” in the effect of compliance regulations on IT systems. One of the Cyber Security Industry Alliance's concerns is that businesses, auditors and lawyers may have different views of what the regulations mean for IT, potentially placing them at loggerheads when it comes to assessing compliance. The issue is critical because Sarbanes-Oxley imposes criminal, rather than civil, sanctions on firms that fail to have adequate financial controls in place.

Federal Computer Week, February 17, 2005
Clarke: Who leads cybersecurity?
Florence Olsen from Federal Computer Week comments on Richard Clarke's advice for Michael Chertoff, the new secretary of the Homeland Security Department: Find out who's in charge of cybersecurity. Speaking at the RSA Conference, Clarke said the Intelligence Reform and Terrorism Prevention Act of 2004 is unclear about who is responsible for cybersecurity in the federal government. Jamie Gorelick, a member of the 9-11 Commission, said Chertoff's first priority should be to start creating an information-sharing infrastructure, which the intelligence reform act requires. But first someone has to set policies, she said, because those policies will determine the technology architecture for sharing information.

USA Today, February 20, 2005
Terrorists' Use of Internet Spreads
Cyberfraud, ranging from credit card theft to money laundering, is the latest wrinkle in terrorists' use of the Internet. In dozens of incidents the past few months, groups linked to terrorism have stolen credit card numbers over the Internet, laundered money and hijacked Web sites, security experts say. Internet use by terrorists mirrors that of criminals. While some security experts fear a cyberstrike could disrupt power supplies to millions of homes, disrupt air traffic control systems and shut down water supplies, most agree terror groups are more likely to exploit the Internet for financial gain and to spread propaganda. “After 9/11, the emphasis has clearly been on physical infrastructure rather than cybersecurity,” says Paul Kurtz, executive director of the Cyber Security Industry Alliance, a non-profit trade group of software and hardware companies. “That's understandable. But cyberspace is where the bad guys are going.”

CSIA Press Releases

CSIA Presents Orson Swindle with 2005 RSA Conference Award for Public Policy, February 15, 2005
Cyber Security Industry Alliance (CSIA), the only CEO public policy and advocacy group exclusively focused on cyber security policy issues, today announced that Orson Swindle, a Commissioner on the Federal Trade Commission (FTC), has received the 2005 RSA Conference Award for Public Policy for his significant contributions and leadership in the field of cyber security public policy. Through his work with the FTC, Commissioner Swindle has been a key contributor in protecting consumers against cyber fraud and attacks. He has actively worked to shape public policy in the areas of anti-spam regulations, online privacy and consumer protection. He has testified before Congress and addressed industry groups on issues of privacy, identity theft and online security practices.

Back to top


Upcoming Events

CSIA's Kurtz to Speak at Security Week Brazil

CSIA Executive Director Paul Kurtz will present a keynote address on A Global Sarbanes-Oxley Compliance Strategy at Security Week Brazil, held March 28-31. Security Week, now in its 4th edition, is one of Latin America's premier conferences and expositions for the information security sector. The event is a traditional launching platform for new technologies and discussion of trends and critical issues.

Back to top

Symposia on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion

The Cyber Security Industry Alliance and The Critical Infrastructure Protection Program at George Mason University School of Law present a three-part symposium on the emerging landscape of cyber security legislation and compliance. The frequency and complexity of legislation surrounding cyber security has exploded in the past two years. As our lives and commerce become increasingly dependent on IT systems, the interaction of existing laws and proposed legislation becomes more and more complex. This symposium series explores the complex emerging framework of multi-level legal and technology compliance requirements.

Symposium Dates: March 22 (State Level), April 26 (Federal Level), May 26 (International Level)

For details, see https://www.csialliance.org/news/events/CSIA_GMU_Symposium.html.

Back to top

SOX Summit on May 3

On May 3, 2005, CSIA is hosting a conference on IT Security and Sarbanes-Oxley Compliance: A Roundtable Dialogue of Lessons Learned. This conference of senior managers, auditors, corporate counsel, and IT professionals will discuss their collective experience in undertaking Section 404 compliance. The supporting organizations for this event are George Mason University School of Law and ISSA (Information Systems Security Association).

To register, go to http://pfidc.com/sox.

Back to top


March 22

Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion — State Level

6:15-8:00 pm at GMU Law School Main Atrium

March 28-31

Security Week Brazil

Security Week, now in its 4th edition, is one of Latin America's premier conferences and expositions for the information security sector. The event is a traditional launching platform for new technologies and discussion of trends and critical issues.

April 4-6

InfoSec World

Orlando, FL

InfoSec World 2005 tackles the full spectrum of security challenges and offers real-world, unbiased solutions. This conference covers every angle of security featuring case studies, demos, and hands-on exercises, three visionary keynotes, and a vendor expo with over 150 exhibitors. Paul Kurtz, Executive Director of CSIA, will be participating in the CISO Executive Summit on April 3 and will be presenting on Cyber Terrorism on April 4.

Exclusive Savings for CSIA Members: MIS Training Institute is offering a 25% discount off the regular conference registration fee to CSIA Members — a savings of over $300! Register online today at http://www.misti.com/01/os05eb13reg_infosecworld.html. Please use OS05/EB13 as your Registration Code to receive your discount. (This savings does not apply to optional workshops, the CISO Executive Summit or The CBK Review Seminar. This offer cannot be combined with any other discount.)

April 26

Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion — Federal Level

6:15-8:00 pm at GMU Law School Main Atrium

May 3

CSIA SOX Summit

Washington, DC

CSIA will host a SOX Summit at the International Trade Center in Washington, DC, bringing together key stakeholders from both the corporate management and auditing communities to shed light on the IT security implications of SOX.

May 26

Symposium on Cyber Security and the Law: Addressing Compliance, Complexity, and Confusion — International Level

6:15-8:00 pm at GMU Law School Main Atrium

June 1-2

Save the Date!

CSIA Workshop on Securing Voice Over IP

Washington, DC

CSIA is sponsoring this Workshop on Securing Voice Over IP. Scientists, technologists, policy makers, and domain experts will meet at the first conference ever to address VoIP technology, research, law, and policy at the same event.

Back to top



CSIA Has Moved

Please note our new address and phone number:

Cyber Security Industry Alliance, Headquarters
2020 North 14th Street
Suite 750
Arlington, VA 22201
Phone: +1 202-204-0838


CSIA Members

Charter Members

Principal Members


Emerging Security Partner


CSIA’s newsletter is issued monthly, to keep you informed and up-to-date on activities, issues and breaking news that affect cyber security public policy. If you have comments or questions, please send a message to Laura Brown, CSIA Policy Analyst, [email protected].

To view past editions of the CSIA newsletter, please visit: https://www.csialliance.org/news.

To share your comments about this newsletter or to submit information, send a message to [email protected].

Stay in touch with CSIA:
Membership questions: [email protected]
Phone: +1 781-876-6205

CSIA (Cyber Security Industry Alliance)
2020 North 14th Street
Suite 750
Arlington, VA 22201
Phone: +1 202-204-0838

http://www.csialliance.org

To leave this list, please send a message with your request to [email protected].
© 2005 Cyber Security Industry Alliance. All rights reserved.