CSIA in the News
CSIA Members in the News:
Thomas Noonan, President & CEO of Internet Security Systems, a charter member of CSIA, rings the opening bell of the NASDAQ exchange on Tuesday, September 12. Noonan addressed business leaders on the key role that the security industry plays in protecting the United States and other countries from potential attacks on critical infrastructures.
Article of Interest:
Forbes.com, September 7, 2006
Laptop Hall Of Shame
When the history of personal privacy is written--and there are persons who monitor this sort of thing--they will call this "The Year of the Stolen Laptop." The number of incidents has been astounding, topped by the theft of a laptop computer last May from the residence of a U.S. Department of Veterans Affairs staff person; the computer contained millions of names, birth dates and Social Security numbers. Law enforcement officers actually recovered the stolen laptop and arrested two suspects, and they have found no evidence that the data inside was used to compromise anybody's privacy. But institutions that are storing sensitive personal information on laptop computers apparently still are not motivated to take even the most basic precautions. ING's U.S. Financial Services office in Washington, D.C., lost the Social Security numbers of 13,000 public employees. Royal Ahold subsidiary Ahold USA experienced the loss of data on employee stock options entrusted to Deloitte Accountants, one month after Ahold had information on its grocery-store retirees lost in a laptop taken from Electronic Data Systems. And at Equifax, the regulated credit-bureau company, up to 2,500 employees' Social Security numbers went missing when one of its people wandering in London had a laptop stolen. The monthly newsletter I publish, Privacy Journal, reported 24 serious instances of Social Security numbers and other sensitive data compromised through stolen or lost laptops in 2006. The newsletter called it the "Lost or Stolen Laptops Hall of Shame." And we still have four months left in 2006.
CSIA News:
InformationWeek, July 12, 2006
State Department Hack Escalates Federal Data Insecurity
Reports of a hack into U.S. State Department IT systems raise concerns about data security in the federal government to a whole new level. Unlike the laptop thefts that have plagued the Veterans Affairs and Agriculture departments, Federal Trade Commission, and Internal Revenue Service in recent months but gave thieves access to a finite amount of information, the State Department faces the daunting task of clearing up a breach that reportedly gave attackers access to data and passwords that could open the door to future attacks. The idea that government-held data could be breached as the result of an attack rather than the negligence of government workers is a sobering thought and one not addressed by the multitude of hearings and proclamations that followed in the wake of the May theft of a Veterans Affairs laptop and hard drive containing more than 26.5 million records. "With the State Department, we could be talking about classified information, not just personally identifiable data," says Paul Kurtz, executive director of the Cyber Security Industry Alliance.
*Also appeared in VARBusiness and InternetWeek
Washington Post, July 12, 2006
Top Cyber Security Post Still Unfilled After a Year
Critics say the yearlong vacancy is further evidence that the administration is no better prepared for responding to a major cyber attack than it was for dealing with Hurricane Katrina, leaving vulnerable the information systems that support large portions of the national economy, from telecommunications networks to power grids to chemical manufacturing and transportation systems. "What this tells me is that ... [Chertoff] still hasn't made this a priority ... to push forward and find whoever would be the best fit," said Paul Kurtz, a former cyber security advisor in the early Bush administration and now a chief lobbyist for software and hardware security companies. "Hackers have discovered that owners of SCADA systems are very sensitive and that they can make money by threatening to do damage," Paller said, adding that he is aware of at least two incidents just this year in which attackers broke into and threatened to disrupt utility operations unless the owners paid a ransom demand.
*Also appeared in Free Internet Press
CNET, July 13, 2006
Help (still) wanted: Cybersecurity czar
Currently, the agency's top cybersecurity officer is a low- to mid-level position further removed from the secretary. The new official, charged with leading the government's responses to threats and attacks, is supposed to report directly to the undersecretary for preparedness, one of three top level officials who answer directly to Chertoff. "It takes a unique candidate to make the personal and professional sacrifice to join a relatively young organization like DHS and take on the responsibility and the criticism that they'll encounter in that very demanding role," he said. "It is indicative of the ongoing lack of attention being paid to cybersecurity at the most senior levels of government," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, an advocacy group with security companies as its members. "There is no shortage of qualified candidates to serve as assistant secretary, just as there is no shortage of hackers eager to wreak havoc on our information infrastructure and national economy."
GCN, July 13, 2006
Cybersecurity still handled by a 'place holder'
"It’s an unfortunate anniversary," said Paul Kurtz, a former presidential adviser and now executive director of the Cyber Security Industry Alliance. "I can’t understand why it continues to be a low priority." "We are hopeful that the administration will soon be able to nominate a qualified individual for the position," said the Business Software Alliance, which called the position "a profound step toward establishing the authority and recognition needed." "Katrina was a massive issue for the department to deal with," Kurtz acknowledged. "But the time for excuses expired a long time ago. We ought to be able to walk and chew gum at the same time."
GovExec.com, July 13, 2006
Democratic senators criticize administration's cybersecurity efforts
In the wake of several high-profile data breaches at government agencies this year, Senate Judiciary Committee ranking Democrat Patrick Leahy of Vermont said the administration has been reckless in its refusal to fill the position in a timely manner. He said individuals whose personal information has been compromised have paid the price for such mistakes. Paul Kurtz, director of the Cyber Security Industry Alliance, said the Bush administration has gone "absent without leave" on information security issues and that no government body is more responsible than the Homeland Security. Kurtz said the stakes for inaction are high because the U.S. economy and government security systems depend so heavily on digital infrastructures.
InformationWeek, July 13, 2006
High-Level Homeland Security Cybersecurity Post Still Vacant After One Year
Under Chertoff's plan, the assistant secretary for cybersecurity and telecommunications would be responsible for identifying and assessing the vulnerability of critical telecommunications infrastructure and assets. The assistant secretary also would be called upon to gather critical-infrastructure threat information and lead the national response to cyber and telecommunications attacks. Of course, Homeland Security needs to fill the post first. "I'm without an excuse or a reason as to why this hasn't been done," says Paul Kurtz, executive director of the Cyber Security Industry Alliance and a former member of the Bush White House's National Security Council. For Chertoff to create a high-level cyber security position but neglect to fill that position after a year indicates that the Bush administration places a higher value on physical security than it does on the nation's information infrastructure. Meanwhile, the country lacks a leader with the clout to coordinate communications in the event of a massive IT disruption. "We don't have an established strategy for how we will communicate with each other in the event of an emergency," Kurtz says, citing the federal government's slow response last year to Hurricane Katrina.
*Also appeared in InternetWeek
Washington Internet Daily, July 13, 2006
Agencies
Tech groups took the Dept. of Homeland Security (DHS) to task on the first anniversary of Secy. Michael Chertoff's creation of a slot for an assistant secretary for cybersecurity & telecom (WID July 14/05 p1) -- which remains unfilled. "This is not a simple personnel issue," said Cyber Security Industry Alliance Exec. Dir. Paul Kurtz: "It is indicative of the ongoing lack of attention being paid to cybersecurity at the most senior levels of government." BSA met with DHS last summer to discuss cybersecurity before the position was announced, the group said. DHS Acting Dir.- National Cyber Security Div. Andy Purdy said in the spring the agency would fill the position "in the near future."
*By subscription only
Reuters, July 15, 2006
No quick fix for government data security
The White House has set an early August deadline for government agencies to encrypt sensitive data after the embarrassing theft of millions of veterans' personal information, but experts warn a quick technology fix will not cure security problems. "Agency executives do not know the value of the data they have in their information technology systems and they take security for granted," said Paul Kurtz, director of the Cyber Security Industry Alliance (CSIA) and a former White House computer systems security policy adviser. Encryption vendors disagree. But tellingly, their most recent product and marketing efforts have focused on making the software easier for typical computer users to use.
*Also appeared in InfoWorld, Washington Post, Australian IT, News.com.au, ZDNet, CNET and Reuters India
SC Magazine, July 13, 2006
Opinion: Congress must act on cyber security to avoid confusion
With new, often large-scale breaches of sensitive personal information disclosed almost daily, more than half of the states have already passed legislation requiring notification to victims, and in some cases minimum standards for database protection. But this patchwork quilt is no substitute for a coherent and comprehensive national policy. Of course both the House and the Senate have busy schedules. But data security is a critical issue in an economy where information constitutes the most valuable asset of most companies. Cyber crime has begun to significantly reduce consumers' confidence in online transactions, threatening the long-term viability of the Internet Revolution, which has helped drive productivity and economic growth to historic levels. This is clearly – even to the technology-challenged – a big deal. It also happens to be one of the relatively few major issues that aren't currently mired in partisanship. Meanwhile, state and local governments will continue to step in, doing the best they can but creating the real potential for confusing and contradictory requirements that serve neither business nor consumers. One hopes things won't have to get to that point for Congress to take action.
InformationWeek, July 17, 2006
Cyber Security
Last week marked a dubious anniversary in the Homeland Security Department's brief history. One year ago Secretary Michael Chertoff, as part of a departmentwide restructuring, announced plans for an assistant secretary for cybersecurity and telecommunications. As of last week, that position remained unfilled. Of course, Homeland Security needs to fill the job first. The highest-ranking cybersecurity official in the government is Andy Purdy, acting director for the National Cyber Security Division, and he's several rungs on the org chart below the secretary. One of Purdy's predecessors, Amit Yoran, a former VP with Symantec, resigned in frustration after a year over what he considered a lack of attention paid to computer security issues within the agency. Why is a job like this so important? Look no further than the response to Hurricane Katrina, says Paul Kurtz, executive director of the Cyber Security Industry Alliance, an advocacy group for online reliability, and a former member of the Bush White House's National Security Council. Says Kurtz, "We don't have an established strategy for how we will communicate with each other in the event of an emergency."
WashingtonPost.com, July 18, 2006
To Agency Insiders, Cyber Thefts And Slow Response Are No Surprise
The probes usually can't get through that wall. But on the first weekend in June, a hacker made it deep into one server, prompting an announcement late last month that personal information on 26,000 Washington area employees, contractors and retirees may have been compromised. One problem, experts say, is that almost all agencies lack department-wide security programs. Such programs provide "a framework and continuing cycle of activities for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's computer-related control," Gregory Wilshusen, GAO director of information security, told Congress in March. Paul Kurtz, who worked in the White House on cybersecurity and now is the security-software industry's trade group president, said that senior agency officials had the attitude that they "had much better things to do with my job" than work on information security.
United Press International, July 20, 2006
A year later, still no cybersecurity czar
Paul Kurtz, executive director of the CSIA, said that Hurricane Katrina and other issues have pushed cybersecurity out of the forefront at the Homeland Security Department. "My belief given the passing of time is that this is just unfortunately not a priority for the leadership at the Department," he said. "It's reasonable for some delay in light of Katrina." Though it's unclear who Homeland Security is looking at to fill the position, Kurtz suggested that experience in bureaucratic as well as corporate situations would be helpful. Kurtz said there's been a series of cybersecurity issues in the news, but none have caught enough attention to accelerate the Homeland Security Department's process. "I hope it doesn't take a big event for the Department to focus on the issue," he said. "There's been a number of things that have happened that underscore the need" for the position to be filled.
*Also appeared in Physorg.com, Monsters and Critics.com and Space War
WNDU-TV, July 20, 2006
Prevent Identity Theft
Between government and big company mistakes, the personal information of almost 100 million people was exposed to potential identity theft in the last year. Only a few states require consumers to be notified when there’s a breach, which is why experts suggest you do something as soon as you find out. "Look at your mortgage related info, check in with your financial institutions, and let people know that you’ve experienced this problem, so they can flag your account appropriately, and you have to be attentive," explains Paul Kurtz with the Cyber Security Industry Alliance.
FCW.com, July 21, 2006
House bill boosts DHS CIO, security positions
The Homeland Security Department’s chief information and chief security officers could move up the management chain if Congress passes the DHS fiscal 2007 authorization bill as the House Homeland Security Committee passed it this week. Up to now, the DHS CIO has been seen as an emperor with no clothes and little empire. In a report late last year, DHS’ inspector general said the CIO was not positioned to integrate information technology at the department, and as a result, DHS was still missing critical components in its integration plan. Paul Kurtz, executive director of the Cyber Security Industry Alliance, said that was an indication of the ongoing lack of attention being paid to cybersecurity at the highest levels of government.
Ars Technica, August 4, 2006
"World's Worst Internet Law" ratified by Senate
The Convention had the backing of George Bush, but also of some industry groups like the Cyber Security Industry Alliance, composed of members like McAfee, RSA, Symantec, and F-Secure. But it aroused the ire of civil liberties groups on the left and the right, including the ACLU and the EFF (which called it one of the "World's Worst Internet Laws"). According to the EFF, "The treaty requires that the U.S. government help enforce other countries' 'cybercrime' laws—even if the act being prosecuted is not illegal in the United States. That means that countries that have laws limiting free speech on the Net could oblige the F.B.I. to uncover the identities of anonymous U.S. critics, or monitor their communications on behalf of foreign governments. American ISPs would be obliged to obey other jurisdictions' requests to log their users' behavior without due process, or compensation." It's worth focusing instead on the tradeoffs found in the treaty, and the worries raised by groups like the EFF.
CNET, August 4, 2006
Senate ratifies controversial cybercrime treaty
The treaty is intended to harmonize computer crime laws, especially those in smaller or less developed nations that may not have updated their legal framework to reflect the complexities of the Internet. It requires participating countries to target a broad swath of activities, including unauthorized intrusions into networks, fraud, the release of worms and viruses, child pornography and copyright infringement. "Our primary concern is that there's no dual criminality within the mutual assistance provisions," said Danny O'Brien, activism coordinator with the Electronic Frontier Foundation in San Francisco. "The U.S. is now obliged to investigate and monitor French Internet crimes, say, and France is obliged to obey America's requests to spy on its citizens, for instance--even if those citizens are under no suspicion for crimes on the statute books of their own country." The ratification marks "an important milestone in the fight against international cybercrime," said Paul Kurtz, executive director of the Cyber Security Industry Alliance, which counts Juniper Networks, McAfee, RSA Security and Symantec among its member companies.
*Also appeared in ZDNet
Government Technology, August 4, 2006
CSIA Applauds Ratification of Cybercrime Treaty
Signed by the United States in November 2001, the Convention on Cybercrime is the first and only international, multilateral treaty specifically addressing the need for cooperation in the investigation and prosecution of computer network crimes. It requires global law enforcement cooperation with respect to searches and seizures and provides timely extradition for computer network based crimes covered under the treaty. "Today marks an important milestone in the fight against international cybercrime. Through its support of the cybercrime treaty, the U.S. is strengthening international laws and empowering law enforcement authorities to protect our information-based systems," said Paul Kurtz, executive director of CSIA. "National borders are virtually irrelevant to cybercriminals, making global cooperation absolutely critical in the battle against Internet-related crime. The cybercrime treaty provides a much-needed international framework to investigate and prosecute perpetrators of computer crimes that cross our border." Ratification of the Convention on Cybercrime minimizes the barriers to international cooperation that currently impede investigations and prosecutions of computer-related crimes, making it an important tool in the global fight against those who seek to disrupt computer networks, misuse sensitive or private information, or commit traditional crimes using Internet-enabled technologies.
*Also appeared in Public CIO
GCN, August 4, 2006
Senate ratifies international cybercrime treaty
The Senate has ratified the Council of Europe Convention on Cyber Crime, the first multinational, multilateral treaty to require cooperation among law enforcement agencies in the investigation and prosecution of computer network crimes, including the execution of searches and seizures, and extradition of individuals sought for these crimes. "The United States was a leading participant in the negotiation of the Convention and expects it to have a significant law enforcement impact, particularly in terms of our ability to obtain assistance from other countries in the investigation and prosecution of trans-border computer-related crimes," said Senate Foreign Relations Committee chairman Richard Lugar (R-Ind.). "In particular, it will enhance our ability to cooperate with foreign governments in fighting terrorism, computer hacking, money laundering and child pornography, among other crimes." Major IT advocacy groups welcomed the news. The Information Technology Association of America, the Cyber Security Industry Alliance, and the Business Software Alliance (BSA) all praised the Senate for taking action.
*Also appeared in Washington Technology
Red Herring, August 4, 2006
US Ratifies Cybercrime Treaty
The treaty, known as the Council of Europe Convention on Cybercrime, is the first that tries to create a consensus among nations on laws to tackle crimes like hacking, fraud, child pornography, and copyright infringement. The goal of an international treaty would be to establish a "common criminal policy" to combat cybercrime. The pact requires all participants, as the first step, to define criminal offenses and sanctions under their domestic laws to tackle crimes in four categories: child pornography, fraud and forgery, copyright infringement, and security breaches. "National borders are virtually irrelevant to cybercriminals, making global cooperation absolutely critical in the battle against Internet-related crime," said Paul Kurtz, executive director of CSIA. "The cybercrime treaty provides a much-needed international framework to investigate and prosecute perpetrators of computer crimes that cross our border."
IDG News Service, August 4, 2006
Senate approves cybercrime treaty
The Senate late Thursday voted to ratify the Council of Europe's Convention on Cybercrime, approved by the European group in 2001. President Bush sent the treaty to the Senate for ratification in November 2003, and groups such as the Cyber Security Industry Alliance (CSIA) and the Business Software Alliance (BSA) have called for the Senate to act on the treaty. The treaty calls for signatory nations to cooperate on cybercrime investigations, although the U.S. government could deny cooperation requests when they violate U.S. free speech or other rights. The treaty also calls for signatory countries to pass similar cybercrime laws, addressing issues such as computer intrusion, computer-facilitated fraud, child pornography and copyright infringement, but the U.S. already has a robust set of related laws. The treaty also has weak privacy protections, EPIC said. "The Cybercrime Convention is much more like a law enforcement 'wish list' than an international instrument truly respectful of human rights," EPIC said in the letter.
*Also appeared in InfoWorld and Computerworld
National Journal’s Technology Daily, August 4, 2006
Cyber-Crime Pact Sent To Senate In 2003 Is Ratified
The Senate on Thursday ratified a cyber-crime treaty that was drafted by the Council of Europe. The treaty was finalized in 2001 and sent to U.S. senators in 2003 for ratification. Groups such as the Business Software Alliance, Cyber Security Industry Alliance, Information Technology Association of America, and NetChoice commended the Senate for the vote and called it an important step in combating international computer-related crime. The treaty, which dates back to 1997, is considered the main multilateral treaty to support cooperation in the investigation and prosecution of computer crimes. The convention harmonizes national cyber-crime laws and enables law enforcers to instruct Internet service providers to temporarily store data for potential use in criminal investigations. The United States had input in the drafting of the treaty and signed the document in 2001. Including the United States, 16 of the 43 signatory nations have ratified the pact. Paul Kurtz, executive director of CSIA, noted the importance of protecting information-based systems. "National borders are virtually irrelevant to cyber criminals, making global cooperation absolutely critical in the battle against Internet-related crime," he said in a statement. BSA also said the agreement will help domestic agencies with international efforts to fight crime.
*By subscription only
City Debate.com, August 7, 2006
Is Fear of Online Financial Transactions Just A Bunch of Hype?
According to the Cyber Security Industry Alliance, nearly fifty percent of U.S. citizens avoid online financial transactions because they’re afraid their financial information will be stolen. According to a survey from digital security company Entrust, eighteen percent of people have slowed or stopped banking online for fear of identity theft. To make online financial transactions safer, banks are implementing things like stronger authentication and fraud monitoring.
Computing, August 14, 2006
US signs cybercrime convention
The US Senate has signed the international Convention on Cybercrime. The convention aims to promote greater international cooperation on internet-facilitated investigations. The Convention on Cybercrime is the first treaty on computer-related crime and the collaboration of electronic investigation. The Cyber Security Industry Alliance (CSIA) and Business Software Alliance (BSA) will be responsible for acting on the treaty. Participating countries including the UK are required to target activities including computer intrusion, computer-facilitated fraud, the release of worms and viruses, child pornography and copyright infringement. Fifteen European nations, including Albania, Denmark, France, Norway and Ukraine, have fully ratified the final document. The UK has yet to fully ratify the document, which requires the implementation of the convention’s principles into national laws; however, most of them are already part of UK law.
*Also appeared on VNUNet.com
Federal Computer Week, August 14, 2006
House committee sets IT priorities for DHS
The House Homeland Security Committee has passed an authorization bill outlining several information technology initiatives for the Homeland Security Department. Some critics say the bill shows that lawmakers are losing patience with DHS’ IT efforts. The authorization legislation gives the committee a framework for oversight and communicates its priorities to the department. Some House members apparently believe the department moves too sluggishly to address IT issues and needs the spur. "I think there’s a growing receptivity on Capitol Hill to these kinds of issues," said Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA). "I’ve seen people asking more questions, and they’ve been more aggressive about saying they are dissatisfied." The House bill, which authorizes $34.7 billion in DHS spending for fiscal 2007, details various programs and policies the department should implement. For example, it would establish a group of DHS chief operating officers who would have control over their counterparts in various DHS agencies, have direct authority over planning and operations, and have the authority to direct budget spending and control other financial resources. DHS critics say the pendulum is beginning to swing to a point where pressure from Congress could begin to produce action by DHS. The CSIA, for example, has been pushing the department to fill the position of assistant secretary to lead a DHS Office of Cybersecurity and Telecommunications. That post remains unfilled more than a year after Secretary Michael Chertoff first announced it. "Ultimately, if DHS was doing its job, this bill would not be necessary," Kurtz said.
Investment News, August 24, 2006
Fight on ID theft gets bogged down in politics
Although 39 states define identity theft as a felony, it is less than a felony in eight states and a misdemeanor in three others, including California, where Frank Troise was victimized three years ago. "Even those corporations that support this want to remain anonymous, because they think if they support it, they are acknowledging a problem, and that opens the door to a class-action lawsuit," he said. "The financial services industry is in the best position to judge risk in this area because of the procedures they've had in place for a long time," said Paul Kurtz, executive director of the Cyber Security Industry Alliance in Arlington, Va. "There's a lot at stake here, and there's a trust deficit," he said. "Yet, it has become silly season when it comes to protecting consumers' personal information."
*By subscription only