Cyber Security Industry Alliance Newsletter • Volume 2, Number 3 • November 2005

CSIA in the News

Article of Interest

Government Health IT, October 18, 2005
Report: Build antifraud measures into health IT

A national network for exchanging digital health information can reduce the incidence of health care fraud, a panel of experts said yesterday, but antifraud measures must be built into the network from the start. Using built-in analytical tools, insurance companies and government agencies could detect fraud schemes before they issue reimbursement payments to patients or health care providers, the panel said. The American Health Information Management Association's Foundation of Research and Education, with support from the Office of the National Coordinator for Health Information Technology, convened the panel. "The Nationwide Health Information Network policies, procedures and standards must proactively prevent, detect and support prosecution of health care fraud rather than be neutral to it," the health IT report states. The 22-member panel recommended that public-key encryption and other security tools be used to ensure that information is transmitted via the network securely, with strong privacy protections. Panelists listed biometric authentication as one option for ensuring such security. They said that all transactions should be traceable to their originators, systems should be redundant in case of failure and records should be stored for at least 10 years.

CSIA Coverage

CNET, September 29, 2005
Expert: Cyberterror response shared responsibility
A misconception about cyberterrorism is that only the government should prepare for it, Paul Kurtz, the security software industry's chief lobbyist, said Thursday. "Calling for stronger security in the context of terrorism is a mistake," Kurtz said in a keynote speech at the IT Security World Conference in San Francisco. "I think it is a mistake because the implication is that it is the government's responsibility to solve the problem. The government can't defend all these networks. Significant attacks occur daily without any involvement from terrorists," Kurtz said. Every organization should therefore pay attention to computer security. "Protecting networks against everyday attacks will help defend against inevitable attacks by terrorists or enemy states," he said. Kurtz, who is executive director of the Cyber Security Industry Alliance, is lobbying Washington to help give guidelines on security, not regulate security. "We're not trying to regulate folks into security. If we do, it is going to inhibit growth, it is going to inhibit innovation and it is going to tie people's hands," he said.

CNET, October 10, 2005
U.S. cybersecurity due for FEMA-like calamity?
Like FEMA, the U.S. government's cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago. Auditors had warned months before Hurricane Katrina that FEMA's internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies. "When you look at the events of Katrina, you kind of have to ask yourself the question, 'Are we ready?'" said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. "Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no." But more so than FEMA, the department's cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups. The department is charged with developing a "comprehensive" plan for securing key Internet functions and "providing crisis management in response to attacks"--but it's been more visible through press releases such as one proclaiming October to be "National Cyber Security Awareness Month." Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials.

Technology News Daily, October 7, 2005
Oregon Safe Cyberspace Initiative
The Oregon Safe Cyberspace Initiative is a public service project designed to educate Oregon users of the Internet about the critical need for personal computer security and to empower them to increase their online security. The project arose from a desire to prevent economic harm to Oregon consumers from computer fraud, and to reduce the damage caused by breaches in computer systems. This past year millions of consumers have been victimized and billions of dollars have been lost due to breaches in computer system security. The Oregon Safe Cyberspace Initiative aims to cure those breaches through consumer education and new technology. The project involves the creation of a network of technology and Internet access providers, consumer protection organizations, industry associations, and law enforcement leaders. This network will create public service announcements about computer security, provide speakers for public service presentations about computer security, and disseminate information to assist consumers in keeping information on their personal computers secure. Partners in the initiative include the AARP, Anitian Enterprise Security, Comcast, the Cyber Security Industry Alliance, the Federal Trade Commission, Feeney Wireless, the Information Systems Audit and Control Association, the Information Systems Security Association, Internet Security Systems, McAfee, Microsoft, the National Cyber Security Alliance, the Oregon Department of Administrative Services, the Oregon Department of Justice, Qwest, the Regional Computer Forensics Laboratory, the Small Business Administration, Symantec, and the United States Department of Justice.

AME Info, October 13, 2005
Can spyware be stopped?
A survey published in June by the Cyber Security Industry Alliance polled 1,003 likely voters from both the Republican and Democratic parties and found a consensus that the federal government needs to do more to protect consumers on the Internet. The survey revealed that the public's awareness of spyware is not as high as its awareness of spam, but the more voters learn about spyware, the more it scares them. Without the benefit of a statement describing spyware, two-thirds of voters rated it a serious problem. When fully informed of the nature of spyware, nearly all voters (93%) considered it a serious problem. Overall, 71 percent of voters believe new laws are needed to protect consumer privacy on the Internet. Voters are much more likely to believe that privacy protection should be left to the U.S. Congress (60%) than to state legislatures (35%). There have been a number of legislative approaches taken recently to address spyware and adware. As of June 1, 2005, there were two federal bills introduced in the U.S. House of Representatives, and two bills in the Senate. The Federal Trade Commission has also taken notice of the spyware problem. In March 2005 it released a report entitled 'Monitoring Software on Your PC: Spyware, Adware, and Other Software.' The report outlines the problems associated with defining spyware, the risks spyware presents to consumers, and how the government and industry leaders can respond to the spyware problem.

October 17, 2005
How avian flu could threaten IT security
Not all the viruses that threaten computer networks come from cyberspace. Health and information security experts say if avian flu ever becomes a human pandemic, it could have a disastrous impact on IT infrastructures. In a worst-case scenario, computer networks would grind to a halt as countless IT personnel succumb to illness. As a result, the human intervention needed to keep computer hardware and software running smoothly may be unavailable, causing systems to fall offline, or even fall prey to malicious attackers. "It would be wise for companies to convene councils and discuss what they would do in a pandemic," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "Teleworking [working remotely] is certainly an option they should be discussing." While avian flu presents a particularly ominous threat, Kurtz said government and the private sector should use the same guidelines to plan for any potential disaster. "A lot of the same lessons and solutions apply whether we're talking about a pandemic, major storms or terrorist attacks," he said. "The common issue is how you get people to work when they can't get to the physical office space." Despite his faith in teleworking, Kurtz said he has no illusions that it would be the silver bullet in a pandemic. "There's no cookie-cutter approach to this," he said. "Restaurants and movie theaters couldn't make it work. They'd probably have to close. But if your business is based online, if you're in the banking and finance or services sector, there may be more options for teleworking."

Washington Internet Daily, October 12, 2005
Industry News
Data loss prevention company Vontu joined the Cyber Security Industry Alliance (CSIA), the group said Tues. As a principal member, Vontu will have a strategic level of participation in CSIA.
*By subscription only.

National Journal's Technology Daily, October 21, 2005
Homeland Security Mulls Cyber Czar Nomination
The Homeland Security Department on Oct. 1 created a new post for a cyber-security czar -- a post that the technology industry and Congress repeatedly have urged for two years -- but has yet to nominate a candidate for the job. House Homeland Security Economic Security, Infrastructure Protection and Cybersecurity Subcommittee Chairman Dan Lungren, R-Calif., said in a hearing Tuesday that the vote the day before indicated the government's efforts on cyber security. He said officials voting mid-month on the resolution showed how the government is trying to play catch-up on protecting the country from a cyber attack. "I hope a name is forthcoming soon," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. "It's high time the person is named."
*Also appeared in Government Executive.

National Journal's Technology Daily, October 27, 2005
CYBER SECURITY: EXPERTS: More Public, Private Coordination Needed
Cyber security should be a White House priority and the military ought to better coordinate with the private sector to protect the nation's infrastructure, experts Thursday told a House Armed Services subcommittee. "We need a national policy to secure cyber space," said Paul Kurtz, executive director of the Cyber Security Industry Alliance. A presidential directive would address command and control issues by establishing roles and responsibilities related to a catastrophic event, he told the two committee members who were present, Reps. Todd Akin, R-Mo., and Jim Cooper, D-Tenn. The role of the Defense Department in a national incident when it does not involve its own assets is unclear, and the department pays little attention to the private sector, he said. The deficiencies outlined by the witnesses include: inadequate funding for cyber security research, a shortage of cyber security experts, the military's reliance on commercial software and hardware that are prone to attacks, and insufficient coordination of research with the private sector. It is a great concern that the Defense Department is dependent upon privately owned infrastructure and the use of off-the-shelf software to defend security operations, said Kurtz. A threat to a military network and a threat in the private sector are not mutually exclusive. "Simply locking down Department of Defense's systems is not enough" to protect it, he said. It "must expand its warning systems against key actions against the private sector."
*By subscription only.

CNET, October 28, 2005
In cybercrises, call in the troops?
The Pentagon should be prepared to aid Homeland Security officials--much in the way it did during Hurricane Katrina's aftermath--if a massive cyber attack strikes, a cybersecurity industry representative has suggested to Capitol Hill politicians. "Currently, the Department of Homeland Security is responsible for coordinating a response to such an event; however, in the wake of Hurricane Katrina, it is advisable to question whether this is practical," Paul Kurtz, executive director of the Cyber Security Industry Alliance, told a small contingent of the U.S. House of Representatives Armed Services Committee at a sparsely attended hearing about asymmetrical threats on Thursday. Kurtz called for a joint readiness exercise involving not just the Homeland Security Department and the private sector, but the Defense Department as well. Later, he told CNET through a spokesperson that he hadn't yet schemed up precisely which tasks the Pentagon would take on. His point, he said, was to urge higher-ups to think carefully about the military's role in a cybercrisis. He did, however, suggest to Congress that National Guard members with day jobs in the information technology realm could be trained to support Pentagon networks during sinister incidents.

IDG News Service, October 28, 2005
Industry Group Tackles Spyware
A new coalition of technology companies and public interest organizations has hit some early milestones in its effort to combat spyware. On Thursday, the Anti-Spyware Coalition published two documents that the group hopes will take the computer security industry a step closer toward setting best practices for stopping this type of annoying and invasive software. Coalition members have published a definition of the term spyware and are now seeking public comment on a so-called risk modeling document that goes into technical detail about what separates spyware from any other kind of software. Though it has taken only three months to hit these milestones, getting consensus in this area has not always been easy. A similar organization, called the Consortium of Anti-Spyware Technology Vendors, fell apart in February after 16 months of effort. The Anti-Spyware Coalition's work ultimately will help software vendors build better products that defend against spyware in a more consistent fashion, said Vincent Weafer, senior director with Symantec's Security Response team. Other Anti-Spyware Coalition members include Microsoft, which just announced its first corporate antispyware product; Computer Associates International; McAfee; the National Center for Victims of Crime; and the Cyber Security Industry Alliance.
*Also appeared in PC World and InfoWorld.

October 28, 2005
Anti-Spyware Coalition calls for debate
The Anti-Spyware Coalition (ASC) has released a public document that offers guidelines for detecting, rating and protecting against unwelcome programs. It also called for a public debate to help build awareness of the problems such programs cause. The group, whose members include AOL and Microsoft, also provided a definition of spyware and other potentially unwanted technologies as 'programs deployed without sufficient user consent or that impair user control over any of the following: privacy, system security and user experience; use of their system resources; or collection, use and distribution of personal information.' But the coalition is having trouble gaining a high profile, partly as a result of reaching a hiatus last March when its members disagreed over whether firms that create spyware should be allowed to join. Critics have also suggested that defining their technology more clearly will only make it easier for such companies to evade their blocking techniques. ASC members include America Online, Computer Associates International, Hewlett Packard, Microsoft, and Yahoo, along with McAfee, Symantec, and Trend Micro, and anti-spyware specialist vendors Aluria Software and Webroot Software. The organisation also numbers the Canadian Internet Policy and Public Interest Clinic, the Cyber Security Industry Alliance, and The University of California Berkeley's Samuelson Law, Technology, & Public Policy Clinic among its members.

Washington Internet Daily, October 28, 2005
Defense Dept. Vulnerable to Cyber Attacks, Lawmakers Hear
Cyberspace is a "tough neighborhood" full of accidents, glitches, and attacks, a former member of the White House's National Security Council told lawmakers Thurs. The Defense Dept. faces several serious challenges concerning information assurance and data superiority, House Armed Services Committee members heard. Paul Kurtz, who now heads the Cyber Security Industry Alliance (CSIA), said critical issues requiring attention include: (1) Securing war fighting and defense capabilities and operations that depend on privately owned and operated information infrastructure, and hardware and software produced around the globe. (2) The need to build and support an information infrastructure that's resilient and can operate under duress or attack. (3) DoD's role of protecting, defending and responding to a cyber incident of "national significance" that doesn't involve assets critical to its operations or under its immediate control. (4) The absence of a national policy to assure the security of critical U.S. information technology and telecommunications infrastructures. Since DoD shares its information infrastructure backbone with the private sector, the same attacks that disrupt corporate networks can affect DoD systems, Kurtz said. Besides, the vast majority of IT products the agency uses are manufactured by vendors with facilities and personnel from around the world. It's not feasible to build an "air gapped 'parallel universe'" and given the global economy, it's not advisable to block the sale of particular assets to foreign parties, he said. Procurement process rigor and a solid information assurance program will help safeguard critical systems, Kurtz said. But this can only happen by escalating the criticality of information assurance within DoD and partnering with the private sector. "Such a program must involve the triad of people, process and technology," he said.
*By subscription only.