Executive Director’s Message
by Paul Kurtz, CSIA Executive Director
Cyber Security: Seeing the Forest for the Trees
The recent wave of data security breaches at banks, retailers, hospitals, and universities across the country has dramatically elevated the issues of personal information protection and privacy before Congress and the nation as a whole. Undoubtedly, the protection of information must be one of our nation's top priorities. This is an issue of both national security and economic stability. The way we address issues of security and privacy today will have ramifications for years to come. A holistic approach to ensuring the security, integrity and availability of global information systems is fundamental to economic and national security.
As we all know, information technology has become the very heart of our economy. Hospitals, universities, corporations, and even governments are running their operations almost entirely on information. Over the years, the benefits have been abundant – more access to information, better customer service, more efficient operations. Unfortunately, these benefits have also led to risks. The reality is that underlying our information economy is data, often personally identifiable data, which is gathered, transferred and stored in large databases.
In the past few weeks, a number of laws and regulations have been introduced and passed at various levels to address information security and privacy. We expect many more to surface. These attempts to address security issues on a piecemeal basis are simply not effective. In many cases, new legislation conflicts with already existing law, leads to inefficiencies and confusion in the business community, and distracts us from solving the real problem of protecting our nation's personal information.
At this critical time of technology development and innovation, the United States, as an economic force and a global technology leader, must carefully determine a public policy approach to information security that continues to encourage development while also providing protections.
In this context, CSIA recommends that Congress consider the following:
- Take a holistic approach to addressing cyber security. Currently, Congress is considering cyber security problems such as spyware, phishing, and data warehouse security on an individual basis. In fact, each of these problems has at least one issue in common: the attacker is seeking an individual's personal information in order to commit financial fraud. We can anticipate similar exploits in the future.
- Harmonize any new legislation with existing legislation at the federal level, filling gaps rather than duplicating requirements already contained in existing law, such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act (FCRA). Use existing security standards wherever possible, rather than creating new ones. This approach would provide a framework for identifying areas of risk, as well as encouraging industry best practices.
- Avoid a piecemeal approach that, in conjunction with the numerous laws states are passing, will present consumers and businesses with a "patchwork quilt" of confusing laws and complicated compliance issues. States are already stepping into the void and creating a confusing patchwork of legislation on the issue. Legislation regulating spyware has been introduced in 24 state legislatures this year, with approaches ranging from studies to changes in criminal code. Anti-phishing legislation is sitting on the Governor's desk in Hawaii, and pending in states including Texas and Florida. More than 300 bills on identity theft are pending in our nation's state legislatures. A federal preemption of the many laws recently passed or currently contemplated at the state level related to spyware, phishing, and data broker security would alleviate much of the concern and consternation within the private sector as a whole. However, any preemptive federal law should maintain, at the minimum, the security standards already put in place by corresponding state legislation.
- Encourage broader use of security technologies without mandating specific technology solutions. Urge adoption of the approach utilized in CA 1386, which calls for disclosure of a breach involving unencrypted data.
- To encourage stronger cyber security, investigate incentives, including "safe harbors," tax benefits, third-party or self certification, insurance and the adoption of best practices, without mandating specific technology solutions. Dictating a specific technology is counter-productive as it stifles innovation and discourages creativity.
- Increase penalties for identity theft and other cyber crimes, as well as ensure appropriate resources are available to law enforcement authorities. The Senate should swiftly ratify the Council of Europe's Convention on Cybercrime, which would create a global framework for investigating and prosecuting cyber criminals.
- Take a long-term view of information security. There is no coherent cyber security R&D agenda. Significant Federal funding is closeted in classified programs. While our national security needs must be met, we must anticipate that privately owned and operated networks will be attacked as well. We need to develop resilient, fault-tolerant networks which degrade gracefully under attack.
Leadership in information technology is a constantly moving target. As the technology changes and improves, so must its security. Likewise, as the need for public protection evolves, so must our public policy. We call on Congress and the Administration to work with the private sector to develop a holistic approach to the protection of our nation's personal information.