Information Security News mailing list archives

White House hosts Net security summit


From: InfoSec News <isn () C4I ORG>
Date: Wed, 20 Sep 2000 03:50:31 -0500

http://www.zdnet.com/zdnn/stories/news/0,4586,2630067,00.html

By Bob Sullivan, MSNBC
September 19, 2000 3:03 PM PT

A group of key high-tech executives agreed at a White House meeting
earlier today to move forward on a plan to set minimum security
standards for big companies that connect to the Internet, MSNBC.com
has learned. The meeting was attended by Microsoft, IBM, Oracle,
Boeing, the National Security Agency and U.S. Secretary of Commerce
Norm Mineta.

The meeting was seen as a first step to set universal minimum security
standards for business-to-business companies, according to Alan
Paller, director of the SANS Institute.

In B2B commerce, companies often tightly link computer systems so, for
example, a parts supplier can find out if its customers are running
low on inventory and ramp up production even before an order is
placed. But that means the stakes are high in B2B networks, where
corporations must open at least some of their internal systems to
other companies.

The group's first action was to set up a committee headed by Paller
and Exodus Communications (Nasdaq: EXDS) security chief Bill Hancock.
That committee will review existing, smaller projects to set standards
within limited networks and report back to the larger group within 30
days.

Reinventing the wheel

"We don't want to reinvent the wheel," Paller said. While most of the
corporations present expressed little willingness to support a set of
government-controlled regulations, there were general requests to
clarify Internet crime jurisdictional issues. The group also
acknowledged a need to include foreign governments and corporations in
the work of setting minimum standards, since Internet-based attacks
can come from outside the country as easily as inside U.S. borders.

"There is only one network," he said.

For most of the three-hour meeting, corporate executives shared war
stories about computer break-ins they'd suffered, Paller said. The
final hour of discussion turned to proposed solutions.

One proposal for minimum standards that might serve as a model came
from Visa International, Paller said. Visa already plans to impose
its standards on all of its 21,000 logo merchants within 12 months,
Paller said. They include: firewall installation, operating system and
application patch updates, and use of encryption for both stored and
transmitted data.

A center for net security?

Paller also discussed a SANS-supported proposal for a permanent
organization devoted to setting such standards on a broader basis. The
group would include representatives from several industries and be
called the "Center for Internet Security." Paller said he hopes such a
group will begin work within two weeks.

"What we're going for is ... if you follow these standards, we can
protect everyone from a denial-of-service attack," Paller said.

Tuesday's summit meeting also included representatives from the
Critical Infrastructure Assurance Office, the Defense Advanced
Research Projects Agency, the National Institute of Standards and
Technology, and corporations like Exodus Communications, EDS and
Covisint -- an online parts exchange set up by five major automakers.

Reaching agreement on minimum standards is essential, Paller said,
because many of the problems of computer security stem from confusion
and ignorance rather than lack of effort. He said that during the
meeting two different security firms presented data showing that
nearly all break-ins are the result of simple errors like failure to
install software patches.

"We don't need to tell everybody who's doing security to do more," he
said. "We need to bring the 99 percent of the world not doing anything
and bring them up to standard."

ISN is hosted by SecurityFocus.com