Volume 1, No. 3
November 2004



Executive Director’s Message

by Paul Kurtz, CSIA Executive Director

In this month’s newsletter features, we cover two separate topics: state cyber security developments and research presenting the “Laws of Vulnerabilities.” Although the topics are unrelated, the articles pose interesting problems requiring attention.

While we have been focused on the general election over the past year (make that two years), states have been taking action on cyber security. Chris DeLacy of Holland and Knight LLP has detailed the actions of state legislatures and law enforcement authorities relating to cyber security. Several states have been active on combating spyware, and California has passed a law mandating “reasonable security measures” among unregulated industries.

While we do not oppose action by state legislatures to improve cyber security, we are concerned about a patchwork quilt of state regulations posing significant problems for business in the future. For example, a firm with offices across the United States may need to comply with multiple potentially conflicting regulations. A recent ruling by the Federal Communications Commission (FCC) stated that Internet telephony is not subject to state rules. This is a step in the right direction to eliminate conflicting regulations; however, there are several pending cyber security issues that states are currently reviewing. To further complicate matters, action among states is not limited to the United States. States within the European Union are individually interpreting EU data protection and privacy directives. Given the borderless and stateless nature of the Internet, we must think globally about the impact of laws and regulations that directly or indirectly affect cyber security.

These developments strongly suggest we must work together toward a global strategy of regulatory compliance. Do not interpret this statement as advocating better cyber security through regulation. However, we should fully understand the impact of existing regulations and carefully examine any proposed new regulation to determine what the practical effect will be in a global Internet environment.

In our second article, Gerhard Eschelbeck, Chief Technology Officer and Vice President for Engineering of Qualys, presents his findings on the “Laws of Vulnerabilities.” His research indicates that attacks are increasing in number and sophistication, as some vulnerabilities linger, often without end. New attacks are capable of spreading faster than any possible human response effort, necessitating automated defense mechanisms. Gerhard also discusses the “half-life” of vulnerabilities, or the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days, and for internal systems it is 62 days. This number doubles with lowering degrees of severity. His research has some interesting implications:

  • It offers additional evidence that enterprise security strategies must address internal vulnerabilities as well as external vulnerabilities. The existence of internal vulnerabilities takes on increasing significance in the context of compliance with Sarbanes-Oxley, Section 404, which focuses on internal financial controls.
  • As we think about the speed of propagation of attacks and latent vulnerabilities, we must not only think of information systems supporting business operations of enterprises, but also Digital Control Systems (DCS) and Supervisory Control and Data Acquisition Devices (SCADA) that control critical infrastructure systems. CSIA will be focusing more on SCADA and DCS devices in the coming year.


The States and Cyber Security

Although the federal government is taking more of an interest in cyber security issues, several states are moving ahead in this area while Washington deliberates. And while the jury is still out on these state efforts, they are a prime example of why technology businesses should be monitoring places like Salt Lake City, Sacramento and Albany in addition to Washington, D.C.

"Sleep with one eye open" is an old piece of advice for dealing with the federal government. Nowadays, it can just as easily be applied to state governments. This is particularly true in light of recent Supreme Court decisions that have enhanced the role states play in our federal system while significantly limiting the vast and almost unchecked power the federal government has enjoyed since the New Deal. This new environment has emboldened states to legislate or regulate more aggressively, particularly in areas where the federal government has been silent.

Why should businesses care? Just imagine a patchwork of 50 different laws and enforcement regimes. Or witness the impact regulations in just one large state, such as California, can have on interstate commerce. In order to avoid these costly scenarios, industries often ask Congress to supersede state laws. Sometimes federal regulation is a reasonable price to pay for regulatory and legal certainty.

Congress is moving on issues of cyber security, albeit cautiously. The House of Representatives has passed two spyware bills this year and the Senate seems poised to pass similar legislation soon. But while Congress debates spyware, Utah and California have already passed spyware legislation. If that doesn't get your attention, consider that Michigan, Iowa, Pennsylvania, New York and Virginia are considering similar legislation.

Utah's spyware law provides an example of how state laws can be problematic. Enforcement of the Utah Spyware Control Act is on hold after a state judge granted a temporary restraining order in response to a lawsuit filed by WhenU, a Utah adware company. And WhenU is not the only company concerned with the law -- it was formally opposed by America Online, Amazon.com, CNet, eBay, Google, Microsoft Corp., Yahoo! and others. Critics of the law argue it contains an overly broad definition of “spyware” that will unintentionally restrict legitimate business practices, including security functions. But if and when the injunction is lifted, businesses across the country and around the world may have to alter their practices if they want to conduct business in Utah. More disconcerting is the prospect that other states or the federal government could use the Utah law as a template for similar legislation.

Another potentially troubling example is California’s Assembly Bill 1950, which was signed into law on September 29, 2004. This bill requires a business that owns or licenses information about a California resident to implement and maintain “reasonable” security procedures and practices appropriate to the nature of the information. In addition, a business that discloses personal information about a California resident to a third party must require by contract that the third party implement and maintain reasonable security procedures and practices. No guidance is provided as to what qualifies as "reasonable security procedures," and this will likely lead to compliance uncertainty. Further complicating matters is the fact that this law has national and international implications -- it applies to information about California residents regardless of where the company is located or where the information resides.

A final example is New York Attorney General Eliot Spitzer’s agreement with Barnes & Noble. It requires the online bookseller to establish an information security program to protect personal information collected during e-commerce transactions. This action was taken in response to a design flaw on Barnes & Noble's Web site that led to the exposure of sensitive customer information. And while Spitzer is known as an especially active and aggressive Attorney General, the potential is out there for 49 other AGs to engage in similar activities.

Whether in Washington or the state capitals, lawmakers and regulators always lag behind industry when it comes to technology issues. And all legislation and regulation inevitably has unintended consequences. In certain cases, the states may be better equipped than the federal government to adapt quickly, but more often state legislators and regulators lack the time or the staff to truly understand complex technology issues. In any case, perhaps technology companies should sleep with both eyes open – one focused on Washington, the other on the states.

Selected State Cyber Security Actions

Utah H.B. 323
  • This bill regulates software that creates advertisements on a computer as a result of visiting certain Internet websites, and that collects information regarding the computer's Internet use.
  • First spyware bill in the nation
  • Defines “spyware” very broadly:
    • Bars software that:
      • reports its users' online actions
      • sends any personal data to other companies
      • pops up advertisements without permission
      • triggers "context based" unrelated advertisements based on visiting Web sites on a certain topic
  • Requires notice and a method to remove or disable.
  • Exceptions:
    • Cookies, software designed to resolve technical difficulties
  • Penalties:
    • Private right of action:
      • $10,000 per incident
      • treble damages for “knowing” violations

3/23/2004 - Signed into law

6/22/04 - Utah judge granted a preliminary injunction in response to a petition filed by WhenU

7/14/04 - State of Utah filed a motion for reconsideration.

9/28/04 - Motion for Reconsideration denied

California SB 1436
  • Prohibits an unauthorized person or entity from installing software on a consumer's computer that would take over control of the computer, modify its security settings, collect the user's personally identifiable information, interfere with its own removal, or otherwise deceive the authorized user, as specified. This bill will prohibit a number of different types of spyware activities: collecting personally identifiable information through keystroke logging; collecting web browsing histories; taking control of a user's computer to send unauthorized emails or viruses; creating bogus financial charges; orchestrating group attacks on other computers; opening aggressive pop-up ads; modifying security settings; and generally interfering with a user's ability to identify or remove the spyware.
  • Penalties:
    • Private right of action
    • $1000 per transmission

9/28/04 - Signed into law

California AB 2787
  • This bill would prohibit a person or entity conducting business in the state from causing a computer program to be copied onto a consumer's computer and using that computer to engage in intentionally deceptive acts, including taking control of the computer, modifying the computer's settings, and collecting personal information. This bill would provide that the exclusive remedy for its violations is an enforcement action by the Attorney General.

5/20/04 - Passed Assembly

6/30/04 - Senate Judiciary Committee

Michigan SB 1315
  • An act to prohibit access to computers, computer systems, and computer networks for certain fraudulent purposes; to prohibit intentional and unauthorized access, alteration, damage, and destruction of computers, computer systems, computer networks, computer software programs, and data; and to prescribe penalties.
6/22/04 - Introduced and referred to Committee on Technology and Energy
Iowa Senate File 2200
  • An Act establishing the criminal offense of and a civil cause of action for the unauthorized collection and disclosure of personal information by computer, and providing a penalty
3/2/94 - referred to Judiciary Committee
Pennsylvania House Bill 2788
  • An Act amending Title 18 (Crimes and Offenses) of the Pennsylvania Consolidated Statutes, further providing for unlawful transmission of electronic mail; and providing for misuse of adware or spyware.
7/1/04 - Referred to Consumer Affairs Committee
New York S. 7141
  • Creates the crime of unlawful dissemination of spyware and establishes such crime as a class A misdemeanor and as a class E felony for a person who has been convicted of such crime previously within the last five years.
6/17/04 Passed Senate, referred to Assembly
Virginia HB 1304
  • Requires public bodies to conduct a privacy impact analysis when authorizing or prohibiting the use of invasive technologies (e.g., radio frequency identification, tracking systems, facial recognition systems, hidden cameras, spyware, photo monitoring systems and Internet wiretaps) beginning July 1, 2006. The bill requires the Joint Commission on Technology and Science (JCOTS) to propose to the Governor and the 2006 General Assembly, by the first day of the 2006 Regular Session of the General Assembly, policies and guidelines for public bodies to follow in conducting the privacy impact analysis. In developing the policies and guidelines, the bill requires JCOTS to review the invasive technologies available for use, the current legal requirements of their use and the reasons for their use, their impact on civil liberties, and any safeguards that are or should be used to mitigate negative impacts.
1/26/04 - Continued to 2005 General Assembly Session
Privacy & Security

California AB 1950
  • This bill requires a business that owns or licenses information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, use, modification, or disclosure.

    It also requires a business that discloses personal information about a California resident pursuant to a contract with a non-affiliated third party to require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification or disclosure.

    This bill defines personal information as "an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
    1. Social Security number;
    2. Driver's license number or California identification card number;
    3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
    4. Medical information."
9/28/04 - Signed into law
New York Agreement between the NY Attorney General’s office and Barnes & Noble
  • Barnes & Noble.com will establish an information security program to protect personal information; establish management oversight and employee training programs; hire an external auditor to monitor compliance with the security program; and pay $60,000 in costs and penalties.
4/29/04 - Case settled


FCC Ruling Exempts Internet Telephony from State Regulation

Recently, the Federal Communications Commission (FCC) announced that Internet telephony is not subject to state rules. This announcement came as a result of a September 2003 petition filed with the FCC by a leading Internet telephone company, Vonage. The company was faced with state utility regulations in Minnesota and New York and it turned to the FCC for federal intervention.

The FCC ruled that Internet telephony companies are subject only to federal rules because voice-over-Internet-protocol (VoIP) services are interstate in nature. This decision provides such pre-emption of state laws to all VoIP, cable and telephone companies when they offer comparable VoIP services.

Vonage filed the petition after they were asked by the Minnesota Public Utilities Commission to file a rate schedule and comply with a state requirement that phone providers include emergency-response service when individuals dial 911. Vonage claimed it was not subject to such requirements since it offered an information service like e-mail or instant messaging. With pending court appeals by Minnesota, it was necessary for the FCC to issue a decision quickly.

FCC Chairman Michael Powell’s comments about this “landmark order” reflect the sentiments of other VoIP providers: "To subject a global network to disparate, local regulatory treatment by 51 different jurisdictions would be to destroy the very qualities that embody the technological marvel that is the Internet….the founding fathers understood the danger of crushing interstate commerce and enshrined the principles of federal jurisdiction over interstate services in the Commerce Clause of the U.S. Constitution." Powell stated that this ruling affirms VoIP’s interstate nature.

FCC Commissioners Michael Copps and Jonathan Adelstein criticized issuing the decision, stating that the FCC failed to rule on some of the broader, more controversial issues about Internet telephony, leaving “so many important questions about the future of communications service" unanswered.

Other Commissioners disagreed, saying the decision, which also applies to cable operators and incumbent telephone companies, appropriately made clear that all VoIP services that integrate voice-communications capabilities and enhanced features will not be subject to state utility regulation.

CSIA Member Spotlight

Name: Qualys, Inc.

Chairman and CEO: Philippe Courtot

Founded: 1999

Headquarters: Redwood Shores, CA

Worldwide Offices: Qualys also has offices in the UK, Germany, and France.

Number of Employees: 120

About Qualys: Qualys, Inc. offers on-demand vulnerability management solutions to organizations of all sizes to secure their business platforms and mitigate risk. QualysGuard®, the company's flagship solution, is designed to secure networks, conduct automated security audits, and ensure compliance. QualysGuard proactively and automatically identifies security vulnerabilities, correlates those threats to specific assets, and provides an end-to-end process for vulnerability remediation.

Areas of Specialization:

QualysGuard enables organizations to assess business risk and improve their security posture through automated vulnerability management. It provides on-demand network discovery and vulnerability assessment, reporting, remediation tracking and enforcement of security policies.

QualysGuard automates the critical elements needed to solve the biggest challenges in managing business risk: immediate and up-to-date knowledge of vulnerabilities; high scalability of assessments in a distributed fashion; and accuracy and reliability of network audits. With the increasing sophistication and shortened lifecycle of attacks, automating vulnerability management is critical in fighting the threats that define today's security climate.

Qualys Vulnerability R&D Labs, located in the United States, Asia and Europe, work around the clock to identify vulnerabilities, develop and test signatures, and validate remedies. By delivering its software as a service, Qualys has the unique ability to collect and analyze aggregate vulnerability data from thousands of real-world networks, providing its customers with unique information unavailable from anywhere else. As new vulnerability signatures are developed, they are automatically provided to all QualysGuard users to ensure customers are always a step ahead of the latest vulnerabilities.


Automating Defenses to Protect Networks from Threats of the Future

By Gerhard Eschelbeck, CTO and VP of Engineering at Qualys

Every day, state government agencies are flooded with news about recently released computer viruses and worms without a clear understanding of how their networks will be directly affected.

Security officers at these agencies have learned from this new breed of automated, Internet-born viruses and worms that relying on human action alone for security does not work. In each case of recent damaging strikes, we’ve had advance warning – weeks, even months – to prepare for known vulnerabilities. Yet attackers still were able to hit hundreds of thousands of PCs and servers, crippling vital services and causing additional havoc.

Successful defenses against network vulnerabilities require understanding the nature of the risks they pose. The uncertainty of conventional, human-led security efforts frustrates security officers trying to guarantee protection for their agencies.

New research analyzing nearly four million network vulnerabilities shows that their frustration is warranted. Specifically, the research concludes that companies currently take 62 days to patch their internal systems, as opposed to 21 days for systems connected directly to the Internet. This window leaves internal systems and applications, such as Internet browsers and mail servers, vulnerable to attack.

The data reveals four “Laws of Vulnerabilities”:

  1. Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days, and for internal systems it is 62 days. This number doubles with lowering degrees of severity.
  2. Prevalence: Fifty percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.
  3. Persistence: The lifespans of some vulnerabilities and worms are unlimited. In fact, the research shows significant spikes in the reoccurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.
  4. Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. Eighty percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.
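The half-life and exploitation laws above describe a decay model: if half of the affected systems are patched every half-life period, the fraction still unpatched after t days is 0.5^(t / half-life). The following is an added example (not code from the article or from Qualys) that turns the article's figures (21 days external, 62 days internal, doubling per severity step) into a small exposure calculator; the fleet inventory at the bottom is constructed for illustration.

```python
"""Exposure calculator built on the article's half-life law.

Assumptions (labelled): patching follows exponential decay with the stated
half-lives, and "doubles with lowering degrees of severity" means each
severity step below critical doubles the half-life. The inventory is a
constructed sample, not real data.
"""
import math

# Half-life of *critical* vulnerabilities, in days, as given in the article.
BASE_HALF_LIFE_DAYS = {"external": 21, "internal": 62}


def half_life_days(exposure: str, severity_steps_below_critical: int = 0) -> float:
    """Half-life for a vulnerability class.

    exposure: "external" (Internet-facing) or "internal".
    severity_steps_below_critical: 0 for critical; each step doubles the
    half-life (assumed reading of "doubles with lowering degrees of severity").
    """
    if severity_steps_below_critical < 0:
        raise ValueError("severity steps must be non-negative")
    return BASE_HALF_LIFE_DAYS[exposure] * (2 ** severity_steps_below_critical)


def unpatched_fraction(days: float, half_life: float) -> float:
    """Fraction of systems still unpatched after `days` (exponential decay)."""
    if days < 0:
        raise ValueError("days must be non-negative")
    return 0.5 ** (days / half_life)


def days_until_patched(target_patched: float, half_life: float) -> float:
    """Days until `target_patched` (e.g. 0.9) of systems are remediated.

    Inverse of unpatched_fraction: remaining = 0.5 ** (t / hl)  =>
    t = hl * log2(1 / remaining). Asymptotic: 100% is never reached, which is
    the article's persistence law in miniature.
    """
    if not 0 <= target_patched < 1:
        raise ValueError("target must be in [0, 1)")
    remaining = 1.0 - target_patched
    return half_life * math.log2(1.0 / remaining)


def exploit_window(exposure: str, severity_steps: int = 0, periods: int = 2):
    """End of the first `periods` half-life periods and the fraction still
    exposed then. The article says 80% of worms and automated exploits target
    the first two half-life periods, so the default is periods=2."""
    hl = half_life_days(exposure, severity_steps)
    end_day = periods * hl
    return end_day, unpatched_fraction(end_day, hl)


def expected_unpatched(inventory, day: float) -> float:
    """Expected number of still-unpatched hosts at `day` across a fleet.

    inventory: iterable of (host_count, exposure, severity_steps_below_critical).
    """
    total = 0.0
    for count, exposure, steps in inventory:
        hl = half_life_days(exposure, steps)
        total += count * unpatched_fraction(day, hl)
    return total


# Constructed sample fleet: 200 Internet-facing hosts with a critical issue,
# 800 internal hosts with a critical issue, 500 internal hosts one severity
# step below critical.
SAMPLE_INVENTORY = [
    (200, "external", 0),
    (800, "internal", 0),
    (500, "internal", 1),
]

if __name__ == "__main__":
    for exposure in ("external", "internal"):
        end, frac = exploit_window(exposure)
        print(f"{exposure}: first two half-lives end at day {end:.0f}, "
              f"{frac:.0%} of systems still exposed")
    print(f"days to 90% patched (internal, critical): "
          f"{days_until_patched(0.9, half_life_days('internal')):.1f}")
    print(f"sample fleet still unpatched at day 62: "
          f"{expected_unpatched(SAMPLE_INVENTORY, 62):.0f} of 1500 hosts")
```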

These “Laws of Vulnerabilities” document the effects of human-based security efforts, and the persistent ability of attackers to gain full control of systems -- including access to highly sensitive information. Resolving issues revealed by this research requires understanding the causes and means for prevention.

Furthermore, exploitation is becoming faster with the aid of new automated attack tools that require no special skills for operation. Recent attacks such as Witty and Sasser happened faster than any possible human response. The most effective way to thwart these challenges is supplementing manual security efforts with automated defenses. Threats of the future require security officers to make an equal-force response to automation tools used by attackers.

Automating defense strategies includes:

  • Regular Audits of Security Systems: New automated audit solutions delivered over the Web identify everything susceptible to attack, identify and prioritize vulnerabilities, and match them with appropriate remedies, such as patches and new security-device configuration settings.
  • Keep Antivirus Software Up-to-Date: Server-based solutions allow automatic scans to ensure systems are protected against older, persistent threats.
  • Timely Patch Management: This is a critical process requiring manual implementation, but automated audit scanners can keep security managers posted on which systems need urgent care and facilitate remediation.
  • Ongoing Evaluation of Security Policy: Trend analysis with automated scanning solutions provides data for ensuring that security systems help meet the ever-changing nature of attack threats.

In summary, network security attacks are increasing in number and sophistication and new research shows that some vulnerabilities linger on, often without end. New attacks are capable of spreading faster than any possible human response effort, necessitating automated defense mechanisms. The timely and complete detection of security vulnerabilities with automated techniques and rapid application of remedies is the most effective preventive measure security managers can use to thwart automated attacks and preserve network security.

About the Author:

Gerhard Eschelbeck is chief technology officer and vice president of engineering for Qualys, Inc. He published the industry's first research derived from a statistical analysis of millions of critical vulnerabilities over a multi-year period. Eschelbeck has presented his findings before Congress, and he is a significant contributor to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. He holds several patents in the field of managed network security, and he earned Master's and Ph.D. degrees in computer science from the University of Linz, Austria.


Nominate the Next CSIA/RSA Public Policy Award Winner!

Each year, the RSA Conference presents awards for excellence in a variety of categories. For 2005, the award for public policy is co-sponsored by the Cyber Security Industry Alliance. Nominations will be judged by CSIA members, and Executive Director Paul Kurtz will present the award to the recipient(s).

The Cyber Security Industry Alliance/RSA Conference Award for Public Policy is designed to recognize significant contribution and leadership in the field of cyber security public policy. The judging committee seeks to reward nominees who hold elected or appointed office, are associated with public interest organizations, or are associated with an organization that has significantly contributed to the development or application of current information security and/or privacy policy.

CSIA newsletter readers are welcome and encouraged to submit nominations for the Award.

To submit your nominee(s), go to: http://2005.rsaconference.com/us/general/awards_form.aspx

Past recipients include:

  • Robert Bennett
    U.S. Senator, Utah
  • Sherwood Boehlert
    U.S. Representative, New York
  • Tom Davis
    U.S. Representative, Virginia
  • NIST Advanced Encryption Standard Committee
  • Ed Gillespie and Jack Quinn
    Executive Director and Co-Chairman of Americans for Computer Privacy

For more information on the RSA Conference Award for Public Policy, visit: http://2005.rsaconference.com/us/general/awards_previous.aspx.


Legislative Update

H.R. 10 -- 911 Recommendations Implementation Act

Summary: This bill affects cyber security in two important ways: 1) it creates an Assistant Secretary for Cyber Security in the Information Analysis and Infrastructure Protection Division at the Department of Homeland Security; and 2) it amends the Clinger-Cohen Act to include cyber security as a requirement for systems planning and acquisition by agencies.

CSIA Comment: Cyber security's status has fallen from a Special Advisor to the President at the White House to an office director at the Department of Homeland Security. We believe creating an Assistant Secretary of Cyber Security to work alongside an Assistant Secretary for physical infrastructure is important, given our dependence on the information infrastructure. CSIA was very active in supporting the provision in HR 10 creating an Assistant Secretary for Cyber Security. The Senate version does not include a similar provision, although key Senators have been contacting their colleagues, requesting their support of the measure (read the letter from Senators Bennett and Schumer). CSIA supports the amendment to the Clinger-Cohen Act and the provision is expected to encounter little opposition. Over the next several weeks, we will work with Conferees to ensure both provisions are included in the final Conference Report.

Latest Update: Passed the House on 10/8. Similar legislation (S. 2845) passed the Senate on 10/6, but did not include the provision creating an Assistant Secretary for Cyber Security. House and Senate Conferees have been appointed, and the Conference Committee is trying to reconcile the differences between the two bills.


Cyber Security Policy Maker Spotlight

Representative William M. “Mac” Thornberry

Born: Clarendon, Texas, July 15, 1958
Hometown: Clarendon, Texas
Elected: 1994 (will begin sixth term in January 2005)
Committee Assignments:

Permanent Select Committee on Intelligence; Select Committee on Homeland Security; Subcommittee on Cyber Security, Science, and Research & Development (Chairman); Committee on Armed Services; Committee on the Budget

Education: Texas Tech U., B.A. 1980 (History); University of Texas, J.D. 1983
Career: Lawyer; Cattleman; State Department Official; congressional aide

Notable: Introduced legislation to create a National Homeland Security Agency; introduced legislation to create the National Nuclear Security Agency. Guardian of Small Business Award from the National Federation of Independent Business; Guardian Award from the 60 Plus Association.

William “Mac” Thornberry, a Republican from Clarendon, Texas, spent most of his pre-Congress life as a cattleman and a lawyer. But when he came to Washington, first as a Hill staffer and later as an elected Representative, he knew that he wanted to make contributions to national security. And he has done just that. He has been in the forefront of transforming the military to prepare the services to better fight and win the wars of the future.

In response to a report from the President’s Foreign Intelligence Advisory Board that called the Department of Energy a “dysfunctional bureaucracy incapable of reforming itself,” he pushed for legislation to create a semi-autonomous agency to ensure the viability and strong management of the nuclear weapons complex. In March 2001, concerned about national security and defense preparation, Thornberry introduced legislation to create a National Homeland Security Agency. This was just six months before the September 11th terrorist attacks. His initial bill served as the foundation for the legislation that established a Homeland Security Department, which was ultimately passed by Congress and signed into law by the President.

Thornberry, a recognized leader in national security matters, was recently selected by the Speaker of the U.S. House of Representatives to serve on the Permanent Select Committee on Intelligence. He is also a member of the Armed Services Committee and the Select Committee on Homeland Security, where he is the Chairman of the Subcommittee on Cyber Security, Science, and Research & Development.

Of particular note, as Chairman of the Subcommittee on Cyber Security, Thornberry and Ranking Member Zoe Lofgren (Calif.-16) have held 15 bipartisan hearings and briefings on cyber security and science and technology matters during the 108th Congress. The Subcommittee reached out to diverse groups and individuals on ways to improve cyber security for the nation. The Subcommittee heard from private sector experts who own and operate critical information infrastructure. Federal, state, and local government officials and academic experts testified on the need to fortify the nation's cyber security. Various oversight sessions were also held on the Department of Homeland Security's role and responsibilities in helping to improve cyber security.

1. What is the biggest vulnerability we face in cyber security today?

The biggest vulnerability we face is the rapid pace of change. Threats can appear in seconds, and potential solutions can become outdated just as fast. Change occurs at many points because cyber security is a multi-faceted discipline that includes people, process, and technology. Much of the media today is focused on technology as the vulnerability, but vulnerabilities come in many forms. We all have a responsibility to secure our portion of cyberspace. That includes educating and training people both at work and at home. It includes establishing sound cyber security practices that are adopted by government, business and individuals. And security must be incorporated in the development phases of products and services -- not as an afterthought.

2. What do you believe is the role of government (Executive Branch/Congress) in cyber security?

Government should establish a "national framework" in which industry, government, the academic community and home users can understand how they affect the nation's cyber infrastructure and what their responsibilities are. The White House, Congress and state and local governments should work toward setting policy and guidelines that can accommodate rapid change. Additionally, government has a responsibility to provide for cyber security research, education, and emergency response. Government can also help improve cyber security through its purchasing power by requiring better cyber security products and services. At this time, we cannot afford to establish rigid policies or legislation that impede the technological innovation that helps make our country strong. But we can no longer afford to jeopardize our national and homeland security by ignoring the need for stronger cyber security as we become more dependent on the cyber infrastructure in virtually every aspect of our lives.

3. What are the responsibilities of the private sector in supplying good software? What are the responsibilities of the end user?

The responsibility of the software provider and user is a much debated issue. I have heard the software industry compared to the car manufacturing industry, where vendors have a responsibility to deliver a reliable and safe product (vehicle) that conforms to industry standards. Users have a responsibility to use (drive) the product as intended and follow best practices (use the seat belt and change the oil every 3,000 miles, etc.). The problem with this analogy in the cyber area is that there are no agreed upon standards or best practices at the national or international levels for the software industry. Until there is uniform agreement in these areas, it will be difficult to pinpoint where the line should be drawn between private sector and end user responsibilities. Some experts are beginning to advocate that government and industry come together to develop such voluntary consensus standards.

4. What is your most significant contribution in advancing cyber security?

As Chairman of the Subcommittee on Cyber Security, Science, and Research & Development of the Select Committee on Homeland Security, I have been fortunate to work with a very knowledgeable and dedicated ranking member, Zoe Lofgren from California. In a bipartisan manner, we have conducted over a dozen public hearings and briefings with experts in the private sector who own and operate the critical information infrastructure. We also heard from government and academic professionals to gain their perspectives on working with the Department of Homeland Security. As a result, we hope that Members of Congress and the public are more aware of homeland security accomplishments and the challenges that lie ahead. We have hopefully raised awareness and improved understanding about the increasing threats to and vulnerabilities within the cyber infrastructure and the importance of improving cyber security for the country. One recommendation we are working on is to create an Assistant Secretary for Cyber Security within the Department of Homeland Security. It is important to have an official with enough clout in government to work with industry and with other parts of government.

5. How can policy organizations, such as CSIA, be of the greatest help to the efforts of Congress?

Cyber security is clearly a "team sport." As I mentioned earlier, cyber security must include people, process, and technology. CSIA and other policy organizations are vital in bringing industry together in a forum to discuss and come to agreement on such issues as corporate governance, education and awareness, standards, and the multi-faceted aspects of information technology.

CSIA in the News

Article of interest

CSO Magazine, November 2004
Judgment Calls
Regulations such as Sarbanes-Oxley are sending auditors to the pencil sharpener. CSOs must learn to cooperate and share expertise, without getting too close to these empowered examiners.

CSIA Coverage

Government Computer News, October 25, 2004
IT security is the industry’s burden
Paul Kurtz talks with Government Computer News senior editor William Jackson about his career in government, the importance of establishing CSIA and the industry’s involvement with cyber security issues.

Government Computer News, October 15, 2004
Industry asks Congress for help on DHS cybersecurity role
The Cyber Security Industry Alliance, the Business Software Alliance, TechNet, the IT Association of America, and the Financial Services Roundtable signed an Oct. 14 letter to the House and Senate conferees working to reconcile the two versions of H.R. 10, the 9/11 Recommendations Implementation Act. The groups were seeking to boost the status of the federal cyber security chief within the DHS.

GovExec.com, October 13, 2004
Ridge statement sows confusion on cybersecurity chief
Ridge told the National Infrastructure Advisory Council that the department is preparing to make the director of the national cyber security division an assistant secretary. That would put cyber security on par with the assistant secretary for infrastructure protection, who currently oversees the issue. Department officials since have told reporters that Ridge misspoke.

Washington Post, October 13, 2004
Cyber-Security to Get Higher-Profile Leader
Homeland Security Secretary Tom Ridge said yesterday that the role of overseeing computer security and the Internet should have a higher profile at the agency, in the face of increasing concern from technology executives and experts that cyber-security is getting inadequate attention.


Upcoming Events

December 2004

Dec 3

IEEE Workshop on VoIP Security: Challenges and Solutions

Dallas, TX

A day-long VoIP Security Workshop held in conjunction with IEEE's Globecom 2004 conference in Dallas. Speakers for the event will include Paul Kurtz and Jeffery Hunker, former senior director of critical infrastructure for the White House. The program's committee is still considering technical and research papers that will be published at the workshop.

Dec 7

CSIA Press Roundtable: Priorities for the Next Administration

National Press Club, Washington, D.C.

The Cyber Security Industry Alliance will present the Agenda for the Next Administration at the National Press Club in Washington. CSIA Board Members will participate in the event, along with Amit Yoran, former director of the National Cyber Security Division at the Department of Homeland Security. Paul Kurtz will moderate.

Dec 8-9

Infosecurity Conference 2004

Jacob K. Javits Convention Center, New York City, NY

Paul Kurtz will moderate a panel on SCADA Systems: The Underbelly of Our Critical Infrastructure. IT security insiders are coming to realize that the relatively unprotected SCADA systems that essentially operate, regulate and monitor critical elements of the nation’s infrastructure, such as nuclear power plants, oil refineries, electricity transmission stations and telecommunications switches, are vulnerable to Internet-based attacks that could cripple individual plants, entire industries, geographic regions of the United States, or, in a nightmare scenario of cascading outages, the entire country. This panel will explore this emerging threat from a variety of perspectives.

February 2005

Feb 14-18

The RSA Conference 2005

Moscone Center, San Francisco, CA

The RSA® Conference is the most prestigious information security event of the year. It is also the most authoritative source for uncovering new ways to thwart cyber-criminals trying to smuggle themselves into today's businesses. It is an event for organizations that deploy, develop or investigate data security or cryptography products.


CSIA’s newsletter is issued monthly, to keep you informed and up-to-date on activities, issues and breaking news that affect cyber security public policy. If you have comments or questions, please send a message to Laura Brown, CSIA Policy Analyst, [email protected].

To view past editions of the CSIA newsletter, please visit: https://www.csialliance.org/news

To share your comments about this newsletter or to submit information, send a message to [email protected].

Stay in touch with CSIA:
Membership questions: [email protected]
Phone: 781-876-6205

CSIA (Cyber Security Industry Alliance)
1201 Pennsylvania Avenue, NW
Suite 300
Washington, DC 20004


To leave this list, please send a message with your request to [email protected].
© 2004 Cyber Security Industry Alliance. All rights reserved.