CSIA’s newsletter is issued 10 months a year, to keep you informed and up-to-date on activities, issues and breaking news that affect cyber security public policy. If you have comments or questions, please send a message to Laura Brown, CSIA Policy Analyst, [email protected]

IN THIS ISSUE:

• Executive Director’s Message
• CSIA Member Spotlight – John Thompson, Symantec
• Special Feature – Spyware: In Depth
• Legislative Update
• Congressional Spotlight – Congressman Putnam
• CSIA In the News
• Upcoming Events

Executive Director’s Message

by Paul Kurtz, CSIA Executive Director

Dear Readers,

Welcome to the first issue of the Cyber Security Industry Alliance’s (CSIA) monthly newsletter!

CSIA is the only Washington-based organization exclusively focused on cyber security policy issues. Our organization is governed by the leading CEOs in the information security industry. We have thirteen members and counting. Our monthly newsletter will provide readers inside and outside Washington with information, analysis and updates on current and future cyber security issues in a clear and concise format. Each issue will feature:

• In-depth analysis of a current cyber security “hot” topic. (This issue’s topic is “Spyware.”)
• News from Capitol Hill and State Governments, including the latest action on relevant bills
• Cyber Security Profile, featuring a key leader in government, the private sector, or academia making a significant contribution to cyber security policy
• Updates on CSIA activities and projects
• CSIA member company profiles (this issue features John Thompson, CEO of Symantec Corporation and Chairman of the Board of CSIA and Symantec)
• Highlights of upcoming events within the cyber security arena

We believe the cyber security industry has a unique role to play in securing cyberspace. We partner with suppliers of both hardware and software as well as end-users to defend information systems from attack or disruption. Our industry must remain agile, responding daily to new threats and vulnerabilities on ever-changing systems and devices. Security will enable the next round of innovation on the Internet, including Web services, e-health, e-finance, and e-government.

CSIA believes cyber security should primarily be seen in the context of business and economic risk. In the post-9/11 environment, there are frequent attempts to define an issue in terms of “homeland security” in order to drive action. Cyber security has been no exception. While we do not discount the idea that terrorists will likely launch attacks against our critical information infrastructure, they are not behind today’s attacks that are costing the U.S. and global economy billions of dollars from lost productivity, pirated intellectual property, and theft of personal identity information. We believe the private sector is in the best position to improve cyber security – as it owns and operates the vast majority of the critical information infrastructure.

We are engaging leaders on Capitol Hill, the Executive Branch, and standards organizations on key policy issues, and we partner with other organizations inside and outside Washington that are interested in cyber security.

We have released two products to date which may be of interest to our new readers:

• Ten Steps to Building a More Secure Electronic Health Care Infrastructure
• NIAP Certification – Proposals from CSIA from Strengthening the Certification Process

During the next several weeks we will release CSIA’s Agenda for the Next Administration and Perspectives on Sarbanes-Oxley Compliance.

Our hope is that CSIA will become your “go to” organization on cyber security policy issues. If you’re not already on our mailing list, you can remain current on key cyber security issues by signing up for this newsletter at [OPT IN EMAIL] and through our Web site: www.csialliance.org.

We hope you enjoy the newsletter and find it insightful and informative. We also welcome your comments on the content of this newsletter via email to Laura Brown.

Thanks for reading.

CSIA Member Spotlight

John Thompson, CEO of Symantec

Next month, another CSIA member firm will be featured in this space. We invite you back to learn more about our member firms and our projects and plans.

On behalf of the Board of Directors of the Cyber Security Industry Alliance (CSIA), it is my pleasure to release our first newsletter. We established CSIA with the goal of building an organization to serve as the thought leader and focal point for cyber security public policy issues in Washington and internationally. There is no other CEO-led organization dedicated exclusively to cyber security public policy.

Information systems continue to bring unprecedented opportunity for government, businesses and consumers. Information technology is driving change across all sectors of the economy, but with this change has come a dependency on those information systems. The security and reliability of information systems has a direct and profound impact on an individual company’s business operations as well as the nation’s critical infrastructure. Their security and reliability are directly linked to consumer and investor confidence. Our information infrastructure is largely owned and operated by the private sector, not the government. Therefore, securing cyberspace requires leadership by the private sector in cooperation with public agencies. In this context, CSIA’s growth -- both in membership and as the leading authority on cyber security policy -- is not only necessary, but critical.

CSIA will work independently on projects, as witnessed by the development of the Ten Steps to Build a More Secure Electronic Health Care Infrastructure, which was released this summer. At the same time, we will also work closely with other associations and organizations that are focused on cyber security issues, such as the National Cyber Security Alliance and the National Cyber Security Partnership.

As a Board we believe it is important to lead by example and have adopted the following seven principles to guide CSIA’s work over the years ahead.

• We are committed to working with government leaders here and abroad to advance cyber security public policy, standards, education, and awareness.
• We are committed to working with home users, small businesses and large enterprises to provide seamless, efficient security products that seek to ease the burden on end users.
• We believe market-based solutions and voluntary measures are the best means to improve cyber security.
• We are committed to producing the highest quality of secure hardware, software, and services.
• We are committed to pursuing information security corporate governance within our corporations.
• We are committed to advancing cyber security public policy through active participation in CSIA activities.
• We will conduct our activities with the highest ethical standards.

With these principles guiding us, I am confident that CSIA will play a critical role in defining the future of cyber security.  I hope you share my enthusiasm for this new organization as we undertake this important task.

Special Feature
Spyware: In Depth

“Spyware” is a serious problem for home users, small business, and large enterprises. From annoying “pop-ups” to more sinister programs extracting information about you or your firm without your knowledge or permission, the threat from spyware is nearly equal to that of traditional viruses and worms.

In this article we explore spyware in depth, including its characteristics, how it compromises your computer, the costs, technical measures to detect and defeat spyware, and a discussion of current legislative initiatives.

Spyware: What is it?

There is confusion about what constitutes spyware. Spyware in its more benign form is designed to collect demographic and usage information off your computer, usually for advertising purposes, without your knowledge. Over time spyware can consume computer resources and slow operations. Spyware in its more malevolent form can scan your computer and track your key strokes to gain passwords, enabling even greater access to your computer and those connected to you, without your knowledge or consent.

Spyware is frequently bundled anonymously with freeware or shareware products that you knowingly download from the Internet. Although there are many reputable companies that offer free services, there are also many that lure unsuspected users with a free offer for the sole purpose of implanting software on the user’s computer. Many freeware products will not work if the spyware is subsequently removed. To make matters worse, removing spyware is often made – intentionally – very difficult. Due diligence and doing your homework are key before downloading any software from the Internet.

Detecting and Defeating Spyware

• The first line of defense against spyware is to keep it off your computer to begin with. Adopt a strong and clear policy in your organization about the use of freeware or shareware downloaded from the Internet. Most organizations ban and technologically prohibit any software not specifically installed by their information technology staff from being downloaded.
• Avoid peer-to-peer software sharing programs or other tools that allow foreign applications to arrive within your organization’s perimeter. Many file sharing programs expose your computer to multiple hazards including the downloading of programs that contain spyware.
• Most antivirus software suites detect spyware in addition to traditional viruses and worms. Ensure that your antivirus software is current and remains updated.
• Similar precautions should be taken for your home computer as well.

Legitimate Interactions

Legitimate computer functions can sometimes be confused with spyware. Many applications exchange information between computers for perfectly legitimate activities – security, for one! For example, most of the leading software and hardware manufacturers provide automated security updates. Automatic updates have been necessitated by the quickly changing security environment. Daily, new worms and viruses are introduced on the Internet. Your firewall and antivirus protection must be able to adapt quickly to these threats, closing the door before the worm or virus enters your computer. To effectively do this, automatic updates are essential with the growth of the “always on” broadband environment.

Several vendors, including CSIA Member firms, offer products that detect previously downloaded spyware, quarantine offending code, remove it entirely, and protect your computer from future attacks. Having up-to-date antivirus protection, a firewall, and conducting regular scans of your system are critical to staying secure from spyware.

Legislative Initiatives

The Congress is concerned about spyware and rightly so. Two legislative approaches are under active consideration: one focused on technology, the other targeting behavior.

Technological Approach

H.R. 2929, Spy Act, was approved by the Committee on Energy and Commerce in June. This bill, authored by Reps. Mary Bono (R-Calif.), and Ed Towns, (D-N.Y.), would require companies that distribute spyware to obtain permission from users through an easily understood licensing agreement before installing the programs on their machines. The programs, once downloaded, would have to provide a means to easily disable the software. The bill also imposes increased fines against abusers.

Behaviorial Approach

H.R. 4661, the Internet Spyware (I-Spy) Prevention Act of 2004, was introduced by Mr. Goodlatte (R-Va.). This bill focuses on punishing bad behavior. For example, it would criminalize the act of intentionally accessing a computer without authorization, or intentionally obtaining or transmitting personal information with the intent of injuring or defrauding a person or damaging a computer. This bill would also criminalize activity to intentionally impair the security protections of a computer. Senator Burns has proposed a similar approach in S 2145, which is currently being revised.

CSIA is not supportive of the technological approach as outlined in H.R. 2929 as currently written. While there are exemptions in this bill for service providers such as ISPs, it does not include exemptions for legitimate computer security operations. As explained previously, uninterrupted security updates are at the core of protecting home and small business computers and the health of the Internet as a whole. We believe it is difficult to legislate technical solutions in a dynamic IT environment. A solution today may not necessarily work in tomorrow's environment and could further impede the adoption of legitimate technologies not yet in the marketplace.

CSIA would prefer legislation that punishes bad actors who seek to capture information from your computer without authorization. We support strengthening enforcement measures as proposed by Mr. Goodlatte. Strengthening enforcement mechanisms is preferable in an environment where hackers and criminals are constantly changing their means of attack.

Editor's Note: As this issue went to press, the Committee on Energy and Commerce released an Amendment that is said to exempt legitimate computer security functions from H.R. 2929. CSIA has not had sufficient time to thoroughly review the new amendment. CSIA will provide an update in our next issue.

Next Steps

CSIA intends to lead an industry-wide group to devise a set of best practices that would set standards for notice, authorization and removal of software products.

Next Issue In Depth: Sarbanes Oxley and information security.

Legislative update

H.R. 2929 – The Spy Act – Ms. Bono (R-Calif.)

Summary: This bill would require companies that distribute spyware to obtain permission from users through an easily understood licensing agreement before installing the programs on their machines. The programs, once downloaded, would have to provide a means to easily disable the software. The bill also imposes increased fines against abusers.

Status: Passed by the Energy and Commerce Committee and awaiting action on the House floor. There may be changes to the legislation prior to it being taken to the floor.

CSIA Comment: We prefer an approach that penalizes behavior rather than seeking a technical solution. This bill would insert Congress in the software design process and, as written, this bill would disrupt legitimate security operations, such as automatic updates and anti-virus protection. If Congress proceeds with a technical approach, we believe it is critical to exempt legitimate security operations. (See Editor’s note at end of Spyware In Depth article.)

H.R. 4661 – Internet Spyware (I-SPY) Prevention Act of 2004 – Mr. Goodlatte (R-Va.)

Summary: This bill would establish prison sentences and fines for using software to gain unauthorized access to such sensitive information as credit card or Social Security numbers or to damage a computer.

Status: Passed by the Judiciary Committee on Sept 8.

CSIA comment : CSIA supports this legislation and views it as more appropriate to pursue enforcement of those who seek unauthorized access to personal information or to damage a computer.

S. 2145 – Software Principles Yielding Better Levels of Consumer Knowledge Act or SPY BLOCK Act – Mr. Burns (R-Mont.)

Summary: This bill would make it unlawful for any person who is not the user of a protected computer to install, or allow the installation of, software on that computer, unless the user of the computer has received notice and granted consent that satisfies the requirements of this Act; and the computer software's uninstall procedures satisfy the requirements of this Act.

CSIA Comment: We understand that thisbill is being redrafted and will comment when it becomes available.

H.R. 107 – Digital Media Consumers' Rights Act of 2003 – Mr. Boucher (D-Va.)

Summary: This bill would let consumers copy DVDs and CDs using technologies that override content locks installed by production companies. The bill would overturn a provision in the 1998 Digital Millennium Copyright Act (PL 105-304) that updated copyright laws to protect content creators in the digital age.

In particular, it would declare it is not a violation of copyright law, but “fair use,” to: circumvent a technological measure in connection with access to, or the use of, a work if such circumvention does not result in an infringement of the copyright in the work; or manufacture, distribute, or make noninfringing use of a hardware or software product capable of enabling significant noninfringing use of a copyrighted work.

Status: Subcommittee hearing held in May by the House Energy and Commerce Committee, Subcommittee on Commerce, Trade and Consumer Protection. This bill has also been referred to the Judiciary Committee.

CSIA Comment: We are very concerned that a key provision of H.R. 107 would legalize hacking under the guise of “fair use.” The provision, as crafted, would legalize the creation, distribution, and use of hacking tools ostensibly for “fair use.” A tool created to hack access controls for fair use could easily be used against other information systems as well – which would then be a detriment to the overall security of our information infrastructure.

H.R. 4880 – Josie King Act of 2004 or
Quality, Efficiency, Standards, and Technology for Health Care Transformation Act of 2004 – Mr. Kennedy (D-R.I.)

Summary: The Josie King Act would create a series of interconnected regional health information networks to enable patients and providers to share information in a secure manner that safeguards privacy. This mechanism would create a fully electronic health information system in a decade.

Status: The bill was referred to Committee on Energy and Commerce and the Committee on Ways and Means. No further action has been taken at this time.

CSIA Comment: This bill could have serious implications for the health care information infrastructure.

S 2636 – Anti-Phishing Act of 2004 – Mr. Leahy (D-Vt.)

Summary: The Anti-Phishing Act of 2004 would enter two new crimes into the U.S. Code.  The first prohibits the creation or procurement of a Web site that represents itself to be that of a legitimate business and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.  The second prohibits the creation or procurement of an email message that represents itself to be that of a legitimate business and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. 

Status: Referred to the Committee on the Judiciary.

CSIA Comment: CSIA is supportive of this bill.

State Issues Watch
Ca 1950 – An act to add Section 1798.81.5 to the Civil Code, relating to privacy – Assembly Member Patricia Wiggins

Summary: This bill would require a business, other than specified entities, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure.  The bill would also require a business that discloses personal information to a nonaffiliated third party, to require by contract that those entities maintain reasonable security procedures, as specified.  The bill would provide that a business that is subject to other laws providing greater protection to personal information in regard to subjects regulated by the bill shall be deemed in compliance with the bill's requirements, as specified.

Status: This bill was sent to the governor for signature on Sept 7.

CSIA Comment: This bill would have far-reaching implications for industry in and outside California. Any company that does business with California residents could be subject to compliance with this law regardless of the company's location. The bill also provides no guidance on the term "reasonable security procedures" therefore leaving the courts to define that term through common law application.

Cyber Security Policy Maker Spotlight

[picture to come]

The Honorable Adam H. Putnam, Chairman, Subcommittee on Technology Information Policy Intergovernmental Relations and the Census.

• Republican, 12th District of Florida
• First Elected to Congress in 2000
• Committee Assignments: Agriculture, Budget, Government Reform, Joint Economic Committee, Republican Policy Committee, Republican Steering Committe.
• Graduate of the University of Florida (BS, Food and Resource Economics)
• Prior to being elected to Congress: Florida House of Representatives 1996-2000, Chairman Florida House's Agricultural Committee 1998-2000
• Notable: On January 3, 2001 was sworn in, at age 26, as the youngest Member of the 107th Congress. Now in his second term, he remains the youngest Member of Congress and is one of the youngest Members to ever serve as a subcommittee chairman.
• Awards in security: National Journal's Homeland Security 100; Named by Washington Technology as Congress' leader in cyber security; The 2004 Federal 100 award from Federal Computer Week as one of the most influential leaders on federal technology policy.

Taking a leading role in the House of Representatives on cyber security issues, Chairman Putnam has been a bipartisan advocate for cyber security in three important areas: hearings, facilitating a private sector group to recommend means to improve cyber security, and issuing cyber security report cards for Federal agencies.

• Hearings: Mr. Putnam has chaired a series of hearings over the past year on a range of important issues associated with cyber security: the security of Supervisory Control and Data Acquisition (SCADA) devices, computer virus trends, patch management, smart card and biometric authentication technologies, Common Criteria certification, education, home users and small business security, and Federal research and development.
• Corporate Information Security Working Group (CISWG): Following a discussion draft to require information security disclosures in SEC filings put forth by Mr. Putnam, many industry groups expressed displeasure over more government regulations in the wake of Sarbanes Oxley. Mr. Putnam, listening to industry's concerns, formed the CISWG. The objective of the CISWG was to bring together industry representatives to recommend means to maximize cyber security with minimum government intervention. The CISWG issued recommendations in several areas, ranging from best practices, incentives, Federal procurement practices, education, awareness, training, and performance metrics and information sharing. In June Chairman Putnam convened CISWG "II" to translate the original recommendations into actionable steps.
• Report Cards: Continuing a practice initiated by Chairman Horn four years ago, Mr. Putnam has issued report cards on Federal agency compliance with the Federal Information Security Management Act (FISMA). The report card process was one of the few metrics available to measure Federal agency progress in improving cyber security. In 2003 the overall Federal government grade was a D, which is an improvement over an F issued in 2002.

This June Chairman Putnam and Chairman Davis introduced H.R. 4570, an amendment to Clinger Cohen. The amendment would require Federal agencies to include cyber security as a requirement in systems planning and acquisition.

The combination of these three interrelated activities has had a positive impact. The FISMA held Federal agencies publicly to account, the hearings have allowed both Federal agencies and the private sector to testify about lessons learned and the steps they are each taking to improve cyber security, and the CISWG has offered a forum for private industry to develop recommendations for further action. CISWG II will allow for implementation and further action in a collaborative environment.

CSIA In the News

Article of interest on Spyware

• Spyware vs. spyware
  Lawmakers are preparing to attack spyware, but efforts could criminalize common tools and techniques currently in use
  By Paul Roberts, IDG News Service, August 30, 2004
  http://www.infoworld.com/article/04/08/30/HNspyware_1.html
  New state and federal legislation address another online blight: spyware. From California to Washington, D.C., lawmakers are lining up for the chance to smack down this bothersome byproduct of online commerce.

CSIA Coverage

• ELECTRONIC MEDICAL RECORDS:
  CSIA prescribes 10 steps for a secure national electronic healthcare system
  Health Insurance Week, August 22, 2004 (Not available without a subscription)
  Cyber Security Industry Alliance (CSIA) has released its recommendations for the development of a secure electronic healthcare system. These recommendations are designed to support the nation's first strategic framework report on a 10-year initiative to develop electronic health records and other uses of health-information technology.
• CSIA's Tough Balancing Act
  BY: LAWRENCE M. WALSH, Information Security, August, 2004
  http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss446_art934,00.html
  The Cyber Security Industry Alliance this month is expected to release a package of case studies that shows how large corporations are coping with Sarbanes-Oxley compliance – particularly the vague security prescriptions in Section 404.
  The CSIA has a multipronged agenda, which includes releasing additional guidance reports, partnering with other security groups to advocate for policies and standards and advancing education and awareness.
  Add link to IBD Q/A from 9/9/04 (Subscribers Only) [COMING SOON, I HOPE]

CSIA Press Releases

• Cyber Security Industry Alliance Releases Recommendations to Strengthen Process for Security Certification
  Washington, D.C. – August 5, 2004 – Cyber Security Industry Alliance (CSIA) today released recommendations to improve the National Information Assurance Partnership (NIAP) security testing and certification program. NIAP, which is a collaboration of the National Institute of Standards and Technology and the National Security Agency, oversees U.S. implementation of the international information technology security standards called the Common Criteria.
  To view the full CSIA report, please visit:
  www.csialliance.org/resources/pdfs/CSIA_NIAP_Recommendations.pdf
• Cyber Security Alliance Releases Ten Steps to Build a Secure Electronic Health Information Infrastructure
  Washington, D.C.– July 21, 2004 – Cyber Security Industry Alliance (CSIA), the only CEO public policy and advocacy group comprised exclusively of security software, hardware and service vendors to address key cyber security issues, today released its recommendations for the development of a secure electronic health care system. These recommendations are designed to support the nation’s first strategic framework report on a 10-year initiative to develop electronic health records and other uses of health information technology, which was announced today by Department of Health and Human Services (HHS) Secretary Tommy G. Thompson and David J. Brailer, M.D., Ph. D., the National Health Information Technology Coordinator.
  View the full CSIA report here.

Upcoming Events

CSIA MEMBERS

Charter Members

Principal members