To read the newsletter in your Web browser, go to https://www.csialliance.org/news.

IN THIS ISSUE:

• Executive Director’s Message
• CSIA Special Webinar – October 29th
• CSIA Member Spotlight – McAfee, Inc.
• Special Feature – Focus on NCSA Month
• Top Ten Cyber Security Tips
• CSIA Snapshot – Common Criteria Users’ Forum
• Legislative Update
• Congressional Spotlight – Senator Joseph Lieberman
• Cyber Security News Developments
• CSIA in the News
• Upcoming Events

Executive Director’s Message

by Paul Kurtz, CSIA Executive Director

Cyber Security Awareness – Taking Stock

“All users of cyberspace have some responsibility, not just for their own security, but also for the overall security and health of cyberspace.”
The President’s National Strategy to Secure Cyberspace, February 2003

This is a powerful sentence. It calls each of us to be “responsible,” suggesting an individual’s inaction could place at risk one’s own use of the Internet, and others' as well. How can this be? A metaphor may help make the point.

Joe gets in his car and disconnects the seatbelts, turn signals, headlights and brakes and drives onto the Washington Beltway during early morning rush hour. Joe has clearly put himself at serious risk, along with those around him. Joe makes it a half mile or so and causes a wreck, injuring himself, damaging his car and several cars around him. The “accident” causes gridlock, which prevents others from getting to work, thus inhibiting commerce. Trucks are unable to make deliveries, people miss flights, meetings and appointments.

Life is similar on the Internet. Joe’s actions are equivalent to disconnecting or not utilizing up-to-date firewall or antivirus software. His actions enable worms and viruses to spread, potentially causing denial-of-service attacks and disrupting legitimate transactions. The metaphor is not perfect; software in itself is imperfect, and many users are subject to Phishing and Spyware attacks while maintaining reasonable security. The market is working to address these issues through a variety of means. One of the most promising is bundling security solutions with other services to ease the burden on the end user. For example, several CSIA firms are working with ISPs or major operating system providers. Such measures are helping to increase security for consumers. Congress and states have also stepped in to address issues such as Spyware (see our Legislative Update in this issue for the latest on Spyware).

However, raising awareness is a strategic-level problem that requires continuous attention from government and the private sector. The President’s National Strategy to Secure Cyberspace specifies four components to build awareness. In this column, we will highlight progress on each.

I. Promote a comprehensive national awareness program to empower all Americans -- businesses, the general workforce and the general population -- to secure their own parts of cyberspace.

Progress: We do, in fact, have a national awareness campaign in place under the leadership of the National Cyber Security Alliance (NCSA). As our feature column this month details, NCSA is the sponsor of National Cyber Security Awareness Month. This is the first year an entire month has been designated to raise awareness; in previous years, it was limited to one or two days each year. The NCSA is a solid example of the partnership called for under the National Strategy to Secure Cyberspace. Private-sector firms and the Federal government jointly fund NCSA activities. Recently, the NCSA appointed an executive director to support the NCSA Board, which includes representatives from three CSIA member firms.

Challenges: While a large number of firms support the NCSA, further assistance is needed. Additional corporate sponsorship of NCSA -- particularly from traditional industries -- will help support and promote a growing number of programs focused on home users, small businesses, education and child safety online.

For more information about NCSA, please visit: www.staysafeonline.info.

II. Foster adequate training and education programs to support the Nation’s cyber security needs.

Progress: Over the past year, the number of Centers for Academic Excellence in Information Assurance Education (CAEIAE) has grown to include almost 60 academic institutions across the United States. The list of institutions includes longtime leaders in information security, such as Carnegie Mellon University, as well as newcomers to the field. The program, which was established in 1998, is now jointly sponsored by NSA and the Department of Homeland Security. The program’s goal is to reduce vulnerability in our national information infrastructure by promoting higher education in information assurance, and by producing a growing number of professionals with IA expertise in various disciplines. Universities designated as Centers are eligible to apply for scholarships and grants through both the Federal and Department of Defense Information Assurance Scholarship Programs.

Challenges: While the CAEIAE program has grown significantly over the past couple of years, additional Federal assistance is needed to support the program, particularly to support those recently accredited schools seeking to build up their programs. In addition to Federal support of CAEIAE, additional private-sector support of academic institutions with information assurance programs would be of great value. CSIA firms have established relationships with institutions such as Purdue’s Center for Education and Research in Information Security.

For more information on CAEIAE, please visit: http://www.nsa.gov/ia/academia/caeiae.cfm

III. Increase the efficiency of existing federal cyber security training programs.

Progress: In April, the Department of Homeland Security and the National Science Foundation announced an agreement to co-sponsor and expand the existing NSF Federal Cyber Service: Scholarship for Service (SFS) program. The partnership will help strengthen cyber security posture by promoting higher education courses that increase the number of information security professionals trained to protect public and private sector IT systems. The SFS program was established in 2000 to support both student and higher education institutions' information assurance training initiatives. The SFS program seeks to increase the number of skilled students entering the fields of information assurance and computer security. Additionally, the SFS program supports the expansion of information assurance course offerings at U.S. higher education institutions.

The SFS Scholarship Track funds colleges and universities to award two-year scholarships in the information assurance and computer security fields. Upon graduation, the scholarship recipients are required to work for a federal agency for two years to fulfill their Federal Cyber Service commitments. The SFS Capacity Building Track supports faculty professional development and academic program creation to increase both the number and proficiency of information assurance and computer security professionals in the workforce. The SFS Capacity Building Track emphasizes partnerships that increase participation by underrepresented groups.

For more information about the Federal Cyber Service: Scholarship for Service (SFS) program, please visit: http://www.ehr.nsf.gov/ehr/DUE/programs/sfs/.

Challenges: While there has been progress in strengthening Federal training programs, more attention is needed on placing SFS graduates in government agencies. Federal agencies should establish clear career tracks for information security professionals.

IV. Promote private sector support for well coordinated, widely recognized professional cyber security certification.

Progress: As the President’s National Strategy states, certification of individuals provides consumers and employers greater information about the capabilities of potential employees or consultants. Significant progress was made this summer in establishing a more widely recognized certification. The International Organization for Standards (ISO) U.S. representative organization recognized the Information Systems Security Certification Consortium (ISC)2 certification credentials. ISC2 is a leading certification organization for information security professionals. The ISC credential is awarded to individuals who successfully pass a comprehensive exam on global information security best practices.

Challenges: More widely recognized security credentials will certainly help improve security. However, the impact will be limited unless government and corporate enterprises more systematically build certification requirements into hiring and promotion for information professionals.

Back to top

CSIA Special Webinar

Join the leadership of the Cyber Security Industry Alliance (CSIA) and your colleagues from the cyber security industry on Friday, October 29 at 12:00 pm (Eastern time) to learn why leading cyber security companies around the world have come together to form the Alliance. Founded in February 2004, the CSIA has quickly become one of the most influential groups in Washington on cyber security issues. As the only CEO-led organization focused exclusively on cyber security, we offer our members unparalleled information and perspective on the changing world of cyber security policy.

Find out how CSIA membership can benefit your organization, and how we can help make sure your voice is heard on Capitol Hill.

Agenda for this interactive Webinar will include:

Overview of the Cyber Security Industry Alliance
Paul Kurtz, Executive Director, CSIA

Benefits of Membership
John Thompson, CEO & Chairman, Symantec Corporation and Chairman, CSIA
Eric Pulaski, President & CEO, BindView Corporation

About Industry Associations
Andy Freed, Vice President, Virtual, Inc.

Q & A
Audience members pose their questions to the speakers

Look for details on signing up for the Webinar in your mailbox soon, or go to https://www.csialliance.org.

Back to top

Special Feature – Focus on NCSA Month

During the Cold War, we relied on the Federal government to provide for national defense and to warn the general public of a potential attack. The United States government deployed radars, satellites and planes to provide early warning. In the post-Cold War era we still rely on the government to defend physical attacks, but defending and securing our information systems and the Internet requires coordination and cooperation among all entities that use information systems.

We cannot rely solely on the U.S. government (or any government) to defend information systems from attack. The government has a role in developing contingency plans in case of a large-scale Internet attack, to maintain emergency communications networks, to promulgate common standards, and to lead by example in securing government-operated information networks. However, as the President’s National Strategy to Secure Cyberspace states, the private sector shares in the responsibility of securing the Internet, as it owns and operates the vast majority of information systems.

Home users also share some of the responsibility, as home computers linked to the Internet can be used as bases to launch or propagate attacks. CSIA member firms are working to ease the burden by partnering with ISPs and operating systems providers to bring solutions to home users.

The National Cyber Security Alliance (NCSA) represents our national-level program. NCSA is a public-private partnership that includes government organizations, educational institutions, private sector corporations, and organizations such as CSIA. Key government sponsors include the Department of Homeland Security (DHS), the Federal Trade Commission (FTC) and the Department of Commerce (DOC). Private-sector firms include CSIA members McAfee, RSA Security and Symantec Corporation. NCSA’s mission is to drive awareness and response to pressing cyber security issues. The Alliance provides tools and resources to empower home users, small businesses, and schools, colleges and universities to stay safe online.

To promote awareness among users, NCSA has designated October as National Cyber Security Awareness Month (NCSA Month). The chief objective of NCSA Month is to improve the state of computer security for our nation as a whole, through public awareness events, workshops and security tips and checklists. Each week of NCSA Month features a series of events focused on home users, small businesses, colleges and universities, and K-12 children.

Dozens of government, academic, industry, non-profit and other organizations have signed on in support of NCSA Month and to volunteer time and resources. For example, CSIA took on the task of overseeing the introduction of a “Sense of Congress,” a formal recognition from Congress in support of this initiative. With the help of Chairman Sherwood Boehlert and his staff, the Sense of Congress was introduced in the House of Representatives on September 30 as H. Con. Res. 502.

NCSA Month kicked off on September 30 with a press conference in Washington, D.C. The month includes an array of organizational endorsements; research and findings, including a perception poll and comprehensive study; focused national and regional events; the launch of a cyber security awareness public service announcement program; and national media outreach initiatives. Events this month include:

• a workshop sponsored by the FTC, “Working Together to Create a Culture of Security”
• a home user security study sponsored by AOL
• Small Business Training Workshops
• Elementary school level workshops

NCSA events are backed up by guides and security tips, such as a list of cyber security tips for teens and parents.

As members of NCSA, CSIA members have contributed directly and indirectly to the efforts of preparing the month-long awareness campaign. McAfee, RSA and Symantec serve on the NCSA Board. Ken Watson of Cisco serves as NCSA President, and Martha Lockwood serves as the executive director. The Board also includes representatives of America Online, Microsoft Corporation, and BellSouth.

To learn more about NCSA Month activities, view the initiative’s main Web site (www.staysafeonline.info) for supplemental online resources, tips and toolkits for protection from such threats as viruses, worms, hacker attacks, phishing, identity theft and spyware. Users can find “Top 10 Computer Security Tips,” free security scans, beginner’s guides, and National Cyber Alert System Guidelines. To get more involved in the numerous activities during October, please contact:

National Cyber Security Alliance
1150 18th Street, NW
Suite 1010
Washington, DC 20036

Phone: (202) 331-5350
Fax: (202) 872-4318

Back to top

Top Ten Cyber Security Tips for Teens, Educators and Families

1. Be a secure and responsible cyber citizen: obey cyber laws and rules; do not give out personal information without permission.
2. Use “anti-virus software” and keep it up to date.
3. Don’t open e-mails or attachments from unknown sources. Be suspicious of any unexpected e-mail attachment even if it appears to be from someone you know.
4. Protect your computer from Internet intruders – use “firewalls.”
5. Regularly download security updates and “patches” for operating systems and other software.
6. Use hard-to-guess passwords. Mix uppercase, lowercase, numbers, or other characters not easy to find in a dictionary, and make sure each password is at least eight characters long.
7. Back up your computer data.
8. Don’t share access to your computers with strangers. Learn about file sharing risks.
9. Disconnect from the Internet when it is not actively in use.
10. Check your security on a regular basis. When you change your clocks for daylight-savings time, reevaluate your computer security.

Click here for more detailed information on these tips.

Back to top

CSIA Snapshot: The Common Criteria Users’ Forum

The Common Criteria Users’ Forum (CCUF), organized by CSIA and TechNet and held October 6-7 in Washington, D.C., welcomed more than 100 representatives from government and industry to discuss ways to improve the National Information Assurance Partnership (NIAP). NIAP is a national program for evaluating information technology products for conformity to the Common Criteria, a set of international information technology security standards. (See NIAP Certification: Proposals by CSIA for Strengthening Security Certification for additional information)

During the CCUF, industry and government exchanged views on the strengths and weaknesses of NIAP. Discussions focused on improving and adapting the Common Criteria to better meet the needs of all users -- both government and commercial -- rather than abandoning them. The CCUF featured a series of presentations and panels, including one panel devoted to sharing tips and best practices for a successful evaluation. Four workshops focused on developing solutions and specific actions to address some key problems, such as reducing cost and time of evaluations.

There was consensus among attendees on developing a set of best practices to assist with the evaluation process, as well as on bringing commercial end users to the table to gauge their interest in learning more about using NIAP-certified products. Much work remains to be done, but the Forum was a good step forward. A report with next steps will be issued in November.

The Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), the National Cyber Security Partnership (NCSP), Symantec, Inc., Internet Security Systems (ISS), Sun Microsystems, Inc., and Corsec sponsored the conference.

Back to top

Legislative update

H.R. 10 -- 911 Recommendations Implementation Act

Latest Update: Passed the House on 10/8/04

Summary: This bill affects cyber security in two important ways: 1) it creates an Assistant Secretary for Cyber Security in the Information Analysis and Infrastructure Protection Division at the Department of Homeland Security; and 2) it amends the Clinger-Cohen Act to include cyber security as a requirement for systems planning and acquisition by agencies.

CSIA Comment: Cyber security has fallen in stature from a Special Advisor to the President at the White House to an office director at the Department of Homeland Security. We believe that creating an Assistant Secretary of Cyber Security to work alongside an Assistant Secretary for physical infrastructure is critical, given our dependence on the information infrastructure. CSIA was very active in supporting the provision in HR 10 that creates an Assistant Secretary for Cyber Security (see this document). The Senate version does not include a similar provision. CSIA supports the amendment to the Clinger-Cohen Act, and the provision is expected to encounter little opposition. Over the next several weeks, we will work with Conferees to ensure both provisions are included in the final Conference Report.

Spyware

Latest Update: Since last month’s newsletter, there has been a great deal of activity in the House and Senate regarding Spyware. During the week of October 5, the House passed two different Spyware bills, both of which are summarized below. Generally, it is uncommon for a body of Congress to pass two versions of the same bill; therefore, the two bills must be reconciled into one. At present, the ultimate outcome is unclear. On the Senate side, the Committee on Commerce, Science and Transportation passed Mr. Burns’ Spyblock Act on September 22. Senate floor action may take place when Congress returns after the elections.

H.R. 2929 – The Spy Act – Ms. Bono (R-Calif.)

Summary: This bill would prevent spyware purveyors from hijacking a home page or tracking users’ keystrokes. It requires that spyware programs must be easily identifiable and removable, and it allows for collection of personal information only after express consent from the user. Additionally, fines are exponentially increased against abusers. As passed, this bill contains an exemption for legitimate security operations.

CSIA Comment: Given the changes to HR 2929, allowing legitimate security activities to continue uninterrupted, CSIA no longer objects to the bill. It is our preference, however, to pursue HR 4661, as it is more appropriate to pursue enforcement of those who seek unauthorized access to personal information or to damage a computer.

H.R. 4661 – Internet Spyware (I-SPY) Prevention Act of 2004 – Mr. Goodlatte (R-Va.)

Summary: This bill would establish prison sentences and fines for using software to gain unauthorized access to such sensitive information as credit card or Social Security numbers or to damage a computer.

CSIA comment: CSIA supports this legislation and views it as more appropriate to pursue enforcement of those who seek unauthorized access to personal information or to damage a computer.

S. 2145 – Software Principles Yielding Better Levels of Consumer Knowledge Act or SPY BLOCK Act – Mr. Burns (R-Mont.)

Summary: This bill prohibits surreptitious installation, misleading inducements to install, and preventing reasonable efforts to uninstall or disable software with one exception: an authorized user (i.e. parent or system administrator) may prevent other authorized users from uninstalling or disabling software.  It outlaws software that collects and transmits information about a computer user that is not reasonably related to, or in support of, software the authorized user has chosen to install or execute without notice.  This does not apply to software used to authenticate a user, or access to information a user has previously authorized.  It bans ads unrelated to the Web site the user is viewing, in addition to ads that do not have proper disclosure.  The bill prohibits software that: sends unsolicited material to other computers; diverts the user away from the intended Web site; delivers ads that cannot be closed without closing all sessions of the browser or turning off the computer; or covertly modifies the start-up page, bookmarks, Internet provider and/or security settings.  S.2145 exempts passive transmission, hosting services and search engines in all cases, and network security providers in certain cases.  It also allows for FTC civil enforcement of an unfair or deceptive act or practice, and criminal enforcement that includes prison time (up to 5 years) and/or fines.  No private right of action is included, and it preempts state law.

CSIA Comment: As with H.R. 2929, we want to ensure that legitimate security functions are exempted from this legislation. We continue to work with the committee on the bill's language.

State Developments

California

AB 1950 – An act to add Section 1798.81.5 to the Civil Code, relating to privacy

Latest Update: Signed into law on September 29, 2004

Summary: This law will require a business, other than specified entities, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure.  The law also requires a business that discloses personal information to a nonaffiliated third party to require by contract that those entities maintain reasonable security procedures, as specified.  A business subject to other laws providing greater protection to personal information in regard to subjects regulated by the law shall be deemed in compliance with the law's requirements, as specified.

SB 1436: A bill to ban spyware

Latest Update: Signed into law – September 28, 2004

Summary: This law prohibits an unauthorized person or entity from installing software on a consumer's computer that would take over control of the computer, modify its security settings, collect the user's personally identifiable information, interfere with its own removal, or otherwise deceive the authorized user, as specified. This law prohibits a number of different types of spyware activities: collecting personally identifiable information through keystroke logging; collecting Web browsing histories; taking control of a user's computer to send unauthorized emails or viruses; creating false financial charges; orchestrating group attacks on other computers; opening aggressive pop-up ads; modifying security settings; and generally interfering with a user's ability to identify or remove the spyware. The law also includes substantial penalties.

Back to top

Cyber Security Policy Maker Spotlight

Senator Joseph Lieberman
Born: Stamford, Conn., February 24, 1942
HomeTown: New Haven, Conn.
Elected: 1988 (now in third term)
Committee Assignments:

• Armed Services (Airland – ranking member; Emerging Threats & Capabilities; Seapower)
• Environment & Public Works (Clean Air, Climate Change & Nuclear Safety; Transportation & Infrastructure)
• Governmental Affairs -- ranking member
• Small Business & Entrepreneurship

Even before 9-11, Senator Lieberman was at the forefront of government information technology, critical infrastructure protection, and its important relationship to cyber security. In April 2000, Senator Lieberman, then Ranking Member of the Senate Governmental Affairs Committee, co-authored a letter to 24 Federal agencies to determine whether they were complying with information technology law. The letter explained that agencies were suffering due to information technology failures and urged effective use of government Chief Information Officers.

In May 2000, Senator Lieberman launched an online, interactive Web project to develop ways to improve the access of American citizens to their government. This effort eventually led to a legislative initiative, and in March 2001, Senator Lieberman, then Chairman of the Governmental Affairs Committee, introduced the E-Government Act (S. 803). The Act was designed to maximize organization, efficiency, accessibility and quantity of the Federal government’s online resources while reducing cost.

Moreover, as finally enacted in 2002, the Act helped ensure the security of information systems by revising and making permanent the Thompson-Lieberman Government Information Security Reform Act (GISRA), now known as the Federal Information Security Management Act (FISMA).

In July 2002, at the request of Chairman Lieberman and Senator Robert Bennett (R-Utah), the Government Accountability Office (GAO) released a report on the government’s critical infrastructure vulnerabilities that disclosed a lack of information sharing among agencies. The report found that none of the agencies studied had appropriated funds specifically for cyber protection programs, which made it impossible to track any efforts put forth to remedy these vulnerabilities. And just this past May, the GAO released yet another important report at the request of Senators Lieberman, Collins, and Hollings and Chairman Putnam: Technology Assessment: Cyber Security for Critical Infrastructure Protection detailed how vital cyber security is to our Nation’s critical infrastructure and what technologies are being deployed to protect it.

Senator Lieberman has not only supported efforts to improve cyber security and reduce vulnerabilities; he has also been very critical of the slow pace at which the President’s National Strategy to Secure Cyber Space is being enacted in the Department of Homeland Security. The Senator has written several letters to Secretary Ridge outlining his ongoing concerns and requesting detailed information on specific actions, timetables and protective measures regarding the Nation’s cyber security protections.

Through numerous hearings, engagement of the Executive Branch, effective use of the GAO, and a keen understanding of the interconnectivity of the Nation’s critical infrastructure and information networks, Senator Lieberman has been, and remains, a strong advocate for the vitality of our Nation’s cyber security protections.

Back to top

Cyber Security News Developments

Spyware: The FTC has filed a lawsuit in the U.S. District Court in New Hampshire against Sanford Wallace and two companies. The suit alleges that Wallace placed spyware on individuals’ computers without their knowledge. The spyware would cause an action on the user’s computer such as opening the CD-ROM tray. At that point, a popup ad for anti spyware software would appear, stating that if the CD-ROM tray was open, the computer was infected with spyware and the user must buy a particular anti-spyware product to remove it. CSIA will continue to follow the case.

Back to top

CSIA in the News

Article of interest

CSIA Coverage

CSIA Press Releases

Cyber Security Industry Alliance Forms Coalition to Ratify the European Convention on Cybercrime

Washington, D.C. – September 16, 2004 - Cyber Security Industry Alliance (CSIA), the only CEO-led public policy and advocacy group exclusively focused on cyber security policy, today announced the formation of a coalition of technology companies and industry organizations to promote the ratification of the Council of Europe’s Convention on Cybercrime. Read more.

CSIA Supports October National Initiative Focused on Strengthening National Cyber Security

Washington, D.C. – September 30, 2004 – The Cyber Security Industry Alliance (CSIA)…today announced its full support for the National Cyber Security Awareness Month initiative organized by the National Cyber Security Alliance (NCSA), of which CSIA is an active member. Read more.

House Passage of 9/11 Legislation Enhances Cyber Security

Washington, D.C. – October 8, 2004 – Today, the U.S. House of Representative passed the 9/11 Recommendations Implementation Act, H.R. 10. Included in this legislation is the creation of an Assistant Secretary for Cybersecurity within the Department of Homeland Security. In addition, the Act amends the Clinger-Cohen Act to place a greater emphasis on computer security within the federal government. Read more.

Back to top

Upcoming Events

Back to top

CSIA MEMBERS

Charter Members

Principal members