CSIA in the News
Article of Interest
CNET, March 29, 2006
Suffering in silence with data leaks
Much to the chagrin of consumer advocates, the disclosure laws passed by 23 states during the past three years have had little impact when it comes to ensuring consumers are notified about data theft or loss. Most existing laws allow merchants plenty of wiggle room when deciding whether to tell customers about such breaches, legal and security analysts said. The majority of state laws, for example, allow a company to stay mum about a robbery, if disclosing it would interfere with a police investigation. That's a huge loophole that could be used in almost every incidence of stolen data, said Dan Clements, CEO of CardCops.com, a company that tracks the sale of stolen credit cards on the Web. Every law enforcement agency that receives a crime report is going to consider the case "under investigation," he said. "Only about 10 percent of the merchants do the right thing and notify customers when there is a compromise," Clements said. "Most want to sweep the hack under the rug. Their motivation is clear; they don't want to lose their customers' trust." The issue of disclosure has taken on greater urgency in the wake of what analyst Avivah Litan of research firm Gartner has called the "most significant data theft ever." A national retailer suffered a data breach late last year and thieves managed to steal debit card information, including personal identification numbers (PINs), from thousands of consumers across the country. After reports of fraud began to pile up, dozens of banks and credit unions across the country began replacing more than 200,000 debit cards.
CSIA News
Manufacturing Business Technology, March 2, 2006
Advocacy group faults federal government for lack of fraud prevention
A Cyber Security Industry Alliance (CSIA) report released last December roundly criticizes the federal government for not doing enough to curb cyber crime. The alliance—formed two years ago by system security vendors McAfee, Symantec, Check Point Software Technologies, Entrust, and others—gave the federal government failing grades in seven of 12 areas for which CSIA gave policy proposals in early 2005. Reflective of the dire problem cyber crime poses to the economy and to national security, the report gauged the public's confidence in cyber security in its first Digital Confidence Index at only 58 out of 100, a failing grade. "The failure of action is caused by a lack of understanding and a lack of will," says Paul Kurtz, CSIA executive director. "So often IT security issues are handled by technical people, and when they try to explain it to senior policy makers, they make their point in technical terms and lose their audience. The lack of understanding leads to a lack of will. We need to think globally about it," Kurtz says. "It used to be about worms and viruses, but it is much more than that." It requires policy initiatives at the highest levels of government, he adds.
Washington Technology, March 13, 2006
Vacancies raise questions, lower morale at DHS
Vacancies and personnel turnover have reached such high levels at the Homeland Security Department that they may be hampering the agency’s effectiveness, according to several industry and policy experts. Many people consider the department, created in 2003 by a merger of 22 agencies, to have been understaffed from its inception. The continuing vacancy in the cybersecurity slot, which the IT industry lobbied for, poses particular problems. "Without a doubt, the absence of an individual filling this slot almost a year later is not a good news story for the department and for our level of preparedness in the event of a large-scale cyberevent," said Paul Kurtz, director of the Cyber Security Industry Alliance, an industry group advocating for effective cybersecurity policies. "Since the president’s Strategy to Secure Cyberspace was issued in February 2003, we’ve been running in place, and that’s putting it nicely. We’ve actually lost ground," he said. Kurtz credited the department for its recent Cyber Storm exercise and for hard work on similar projects, but he said the top cyberpriorities, such as ensuring continuity and reconstitution of the Internet following a crisis and safeguarding crisis communications and situational awareness, are languishing for lack of high-level attention. "The entire cyberspace strategy has been on the back burner," Kurtz said.
Financial Express, March 19, 2006
The 'worst hack ever' puts FIs on red alert
Dubbed the "worst hack ever," hundreds of thousands of debit card personal identification numbers from people across the US and Europe have been stolen and accounts looted in recent months. "Over the last 14 months, we are starting to see a cumulative effect, what I would call a crisis in confidence," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, a trade group. "People are becoming more uncertain." The debit card thefts were attributed to a security breach by an unidentified "third party" retailer. At least 14 people have been arrested in the US, though purchases with pilfered card numbers have been reported internationally. Kurtz of the Cyber Security Industry Alliance says the United States needs to ratify the International Convention on Cybercrime, which he says would make it easier for law enforcement agencies around the world to investigate cases. He also says the issue goes beyond just e-commerce. A lot of businesses and governments are making significant investments in the infrastructure, and more personal records are migrating to electronic storage, including medical information. "If we can't get digital commerce right, if we can't protect personal information," Kurtz said, "we're going to have a slew of problems down the road."
Government Technology, March 19, 2006
CSIA Calls on Congress to Refocus on Data Security Legislation
The Cyber Security Industry Alliance (CSIA) last week urged Congress to redouble efforts to pass data breach legislation as well as an international cybercrime convention, in the wake of a widespread and growing international rash of compromised debit card and PIN numbers that one analyst has called "the worst hack ever." "An incident of this magnitude should provide the jolt Congress needs to set aside committee jurisdictional disputes and make it a real priority to pass legislation that not only standardizes consumer notification but also provides incentives to help improve security," said CSIA Executive Director Paul Kurtz in a CSIA release. "America's consumers, already buffeted by the threat of identity theft, are now confronted with the reality that even personal identification numbers won't protect them or their bank accounts," Kurtz said. "If we are to avoid losing ground in the digital revolution because people don't feel they can trust the Internet, we must establish national standards for reporting data breaches and protecting sensitive personal information, as well as create strong incentives for corporate best practices to help prevent breaches in the first place."
SearchSecurity, March 20, 2006
Poor government security makes industry wary
The latest disquieting congressional scorecard -- once again flunking key national security agencies on their cybersecurity efforts -- doesn't bode well for companies willing to share security data with the Department of Homeland Security or other government agencies. To the extent that the report issued last week by the House Government Reform Committee heightens congressional and perhaps White House concern about a gaping hole in the defense against the war on terror, there may be some pressure on the Departments of Defense (DOD), Homeland Security (DHS), State and Justice to pay more attention to computer and IT security. At the same time, those dismal grades may encourage many in the private sector to think twice about sharing information with DHS. John Sabo, director of security and privacy initiatives for Islandia, N.Y.-based CA Inc., said IT companies met as recently as three weeks ago with DHS officials about specific data security measures it must implement before the industry would be willing to share proprietary corporate IT infrastructure information. "It is less likely that any significant volume of sensitive IT information sharing will go on if we believe that information cannot be protected," Sabo said. Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA) and a former DHS official, said the failing grades for national security agencies "doesn’t bode well for the future." He said the White House Office of Management and Budget (OMB), which is responsible for ensuring FISMA compliance, lacks the necessary resources to do the job.
St. Petersburg Times, March 20, 2006
The onus is on financial industry to prove online is safe
Dubbed the "worst hack ever," hundreds of thousands of debit card personal identification numbers from people across the country have been stolen and accounts looted in recent months. The situation has left a creeping feeling that the bad guys' relentless pursuit of consumers' personal information knows no bounds. It follows the outbreak of schemes called spam, phishing scams and identity theft. And it appears to be eroding confidence in online commerce. The number of people doing online banking has plateaued after years of growth. "Over the last 14 months, we are starting to see a cumulative effect, what I would call a crisis in confidence," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, a trade group. "People are becoming more uncertain." Kurtz of the Cyber Security Industry Alliance says the United States needs to ratify the International Convention on Cybercrime, which he says would make it easier for law enforcement agencies around the world to investigate cases. He also says the issue goes beyond just e-commerce. A lot of businesses and governments are making significant investments in the infrastructure, and more personal records are migrating to electronic storage, including medical information. "If we can't get digital commerce right, if we can't protect personal information," Kurtz said, "we're going to have a slew of problems down the road."
*Subscription only
Forbes, March 21, 2006
Fighting Hackers, Viruses, Bureaucracy
Who's more interested in getting the word out now? Lobbyists. "This is a pretty important survey," explains Paul Kurtz, executive director of the Cyber Security Industry Alliance. Kurtz' organization represents the likes of Symantec, McAfee and Juniper Networks. But he doesn't see his group's mission as just petitioning pols and regulators in Washington; it also wants to bring the entire private sector up to speed on matters of computer security. "Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did stints in the State Department, the National Security Council and as an adviser to President George W. Bush on matters relating to computer security. "Our job is to shine a bright light on it, to help people understand it." Part of promoting that understanding means rattling off depressing statistics to anyone who'll listen. According to Javelin Strategy & Research, Kurtz notes, 3.4 million Americans had fraudulent accounts opened in their names last year, with the average victim spending 77 hours on the phone to clear things up. It also means overcoming Uncle Sam's so-so track record on computer security. On one hand, the Federal Trade Commission has shown signs of getting tough. In January, it announced that information aggregator ChoicePoint, which the prior year acknowledged that 163,000 personal financial records in its databases had been compromised, would pay $10 million in civil penalties and $5 million to compensate consumers. The $10 million fine was the largest civil penalty in FTC history. For its part, Congress has been reasonably active on computer security matters. Despite a crowded and shrinking congressional calendar, Kurtz plans to keep pushing his top three legislative priorities: setting national standards for data breach notification, a law on spyware and ratification of the Council of Europe's Convention on Cybercrime. The latter item was signed by the U.S. in November 2001 and approved by the Senate Foreign Relations Committee. Two senators, however, have anonymously blocked the treaty from going to the Senate floor for ratification. The situation galls Kurtz. "They're not even being public about what their problems are," he scoffs.
*Also appeared in IT Observer.
www.physorg.com, March 21, 2006
Homeland Security network gets an F
For the second consecutive year the department has received a failing grade from the House Government Reform Committee for network security. The government as a whole received a D-plus, the same grade as last year. Paul Kurtz, executive director of the Cyber Security Industry Alliance, said in a news release that the grades draw attention to something that's been a problem for a while. "This report makes clear that major government agencies continue to run in place and make no appreciable progress," he said. Kurtz said that the lack of progress for Homeland Security is especially bad as they are supposed to be a security leader among federal agencies. "This begs the question: What can be done about the state of DHS cyber-security?" he said. "Hopefully they can make significant improvements before a major catastrophe." Scot Montrey, communications director for the Cyber Security Industry Alliance, said that the committee's attempt to grade federal agencies on network security is useful in publicizing problems that arise. "It's good that this is out there," Montrey said. "It's forcing the agencies to look at the issues, and creating accountability." Montrey said that Homeland Security's grade should be especially noteworthy. "A lot of time has gone by now" since the department's creation, he said. "It's time to start seeing some results." Montrey said that it would be beneficial for the Council of Europe's Convention on Cybercrime to finally move forward and get enacted by the U.S. Government. The convention is merely awaiting a vote on the Senate floor. Two senators have anonymously placed holds on the convention to keep it from coming to a vote. Montrey said that there's no obvious reason why a senator would want to keep the Convention on Cybercrime from coming to a vote. Montrey said the convention does not change any current U.S. law on cybercrime but codifies work between U.S. law-enforcement agencies and those overseas in order to better fight cybercrime internationally.
*Also appeared in United Press International and Monsters and Critics.
New Straits Times, March 23, 2006
Educating consumers about online risks
According to a recent survey conducted by Cyber Security Industry Alliance, more computer users are becoming increasingly insecure about using the Internet. Forty-eight per cent of those surveyed avoid making purchases on the Internet because they are afraid their financial information may be stolen. Consumers have clearly taken notice of Internet threats and scams, but there have been few resources they can use to understand what the immediate risks are, and what they can do to more safely participate in their favourite online activities. Symantec Internet Threat Meter helps keep consumers informed of the risk levels associated with common online activities and the precautions they can take to protect themselves. "Consumers should feel confident about their security when they are online, whether they are communicating via e-mail, conducting financial transactions on the Internet, chatting over instant messaging, or sharing files," said Arthur Wong, vice president of Symantec Security Response and Managed Security Services.
*Subscription only.
Washington Internet Daily, March 24, 2006
Security
Fortinet, a leading network security systems supplier, joined the Cyber Security Industry Alliance on Thurs. Fortinet will help promote CSIA efforts in Asia and global cyber security through public policy, education, awareness and technology, company officials said. Fortinet has been accused of helping the Burmese govt. censor the Internet through open-source software, a Burmese newspaper reported in October.
*Subscription only.
ZDNet, March 27, 2006
Money lures Net hackers, not glory
The Internet has gone beyond a communications and information medium and become a way for consumers to trade, buy things, and even do their banking. With vendors providing many of their services online, e-commerce is at an all time high. It is critical to use the best security technology, and keep personal information confidential. Fraud is perhaps the most pervasive danger in online transactions. Con artists engage in what is known as phishing expeditions and try to take advantage of the trust built with online institutions. Increasing internet security threats have resulted in the erosion of consumer trust in online processes. In a study conducted by Gartner and Cyber Security Industry Alliance, 53% of internet users have stopped giving out personal information to websites due to fear of online fraud and identity theft, which has been the top consumer complaint to the Federal Trade Commission for the last six years. These statistics reveal several areas of concern that have had a direct impact on the e-commerce industry. 30% of consumers have reduced overall usage of the Internet and 42% are reluctant to shop online. Additionally, 14% have stopped paying bills online with 4% putting an end to their online banking transactions.
*Also appeared in Financial Express.
Smart Money, April 13, 2006
It's All Geek to Me
Is a massive digital meltdown a serious threat, or is it in reality just hype? John Viega, vice president and chief security architect at McAfee (MFE1), the Santa Clara, Calif., computer-security company, downplays the likelihood of a so-called digital Pearl Harbor — the dread-inspiring term used by computer experts to describe a worst-case-scenario cyberattack. As co-author of the book "Building Secure Software" and the man quite possibly behind the antivirus defenses that are guarding your PC right now, his opinion is worth noting. Rather, Viega says clever virus and worm writers out for financial gain instead of world-wide ruin pose more of a danger. Collectively known as malware, short for malicious software, these nasty programs have become increasingly common and are among the biggest troublemakers on the Internet. One of the reasons behind the problem, says Viega, is a shift in motivation. Evil software has been around for a long time, but whereas yesterday's spammers and virus writers were mostly teenage vandals out for kicks, many of today's hackers are sophisticated businessmen motivated by dollar signs. They launch global attacks to trick Internet users into revealing sensitive passwords, credit-card numbers and other financial data.
FT.com, April 13, 2006
THE AMERICAS: Federal data security law reaches turning point in Congress
Many Americans were horrified to learn last week, as they finalised their tax returns, that the Internal Revenue Service wants to allow their sensitive tax information to be sold by their tax preparers - for marketing purposes. Protecting personal data has become a vote-getter, and state legislatures across the country have rushed to implement new data security bills to protect home-state consumers. However, the US business community - which is pushing hard to have just one federal law to replace the patchwork of state laws - has begun to worry that time will run out to reach a compromise, in a congressional year truncated by mid-term elections in November. "If it's not done in the next few weeks, it's dead," says Art Coviello, chief executive of RSA Security, a big data security firm and member of the Cyber Security Industry Alliance, one of the groups pushing for federal legislation. "There may not be enough time in an election year to work out a four-way compromise" between the four bills that have already passed out of committee, says Peter Swire, a law professor at Ohio State University and former chief privacy officer in the Clinton administration. He points out that each of the bills contains different controversial provisions.
* Subscription only