Cyber Security Industry Alliance Newsletter •  Volume 3, Number 10  • September 2007

President's Message

  Tim Bennett

Working in Washington, DC, on issues before Congress in September feels like the emotionally charged rush of returning for a new school year in one's younger years. Members of Congress come back revved up by issues brought to their attention during the August recess, by events that occurred during the recess (like Katrina in 2005), or by a sudden awareness of the limited progress made on key issues before the recess.

This year is no different. This fall's crowded congressional agenda is laden with issues such as Iraq troop withdrawal debates, almost all federal agency appropriation bills, the energy bill, global warming recommendations, subprime mortgage lending, bridge safety, mine safety, and sometimes controversial judicial appointments. All of these are important and deserving of immediate attention.

  

But so is the issue of data security and data breach notification. In early September, at this year's Asia-Pacific Economic Cooperation (APEC) summit in Sydney, Australia, President Bush was quoted by the Financial Times, in response to recent hacking attacks on the Pentagon apparently by China's military, as stating, “I'm very aware that a lot of our systems are vulnerable to cyber-attack from a variety of places.” So are most of this newsletter's readers.

The drumbeat of significant data breaches continues unabated. On August 22, Monster.com confirmed a Symantec report that data thieves had stolen the names, telephone numbers, and postal and email addresses of some 1.3 million individuals. Included in this were about 146,000 applicants for federal government jobs. Pfizer, Inc., announced in late August its third data breach of company information in 2007, this time affecting sensitive personal information for 34,000 individuals. On September 14, TD Ameritrade announced that the information on 6.3 million customers had been stolen. These are just some of the latest and more widely reported examples.

  

The increasing number of data breaches is a major threat to privacy, consumers' identities, confidential company information, and our nation's economic stability. CSIA's concern applies equally to both economic and national security as both private and public sector information systems have proven vulnerable to cyber incidents.

Addressing the data security problem must be included with the list of important issues on which the Congress must act, and it must act now. Every week brings a list of news stories on new data breach incidents.

Massive data leakage will continue unless the public and private sectors are required by Congress to implement strong security measures to prevent breaches. Such legislation won't entirely stop data breaches, but it would be a big step forward in reducing their frequency. While very well intentioned, action at the state level has largely failed to address breach prevention and has resulted in a confusing compliance environment with at least 38 laws with varying requirements on data security and breach notification.

Even China, the main country of origin of hacking attempts, is vowing to take action. In early August, a Chinese official was quoted in China Daily as stating that the Chinese government will introduce that country's first data protection law in 2008 to address “the remarkable increase” in the abuse of private data.

  

Most members of Congress are now aware of this problem, and many are quite knowledgeable on the topic. The problem is not constrained by party lines; the concern about data security in the public and private sector is shared on a bipartisan basis.

The time has arrived for Congress to take action to protect consumers by establishing national standards for data protection and breach notice requirements. Passing data security legislation would be an important step in what must be a comprehensive response to the growing pestilence of malicious intrusions into government and private data systems. CSIA will be on the front lines to help make this happen.

 

Tim Bennett
President