Information Security News mailing list archives

Companies Form Computer Security Lobby


From: InfoSec News <isn () c4i org>
Date: Wed, 25 Feb 2004 04:11:43 -0600 (CST)

http://www.washingtonpost.com/wp-dyn/articles/A3455-2004Feb24.html

By Brian Krebs
washingtonpost.com Staff Writer
February 25, 2004

Eleven of the nation's top computer security companies are forming a
new organization to lobby on cyber-security issues in Washington,
breaking ranks with the broader technology industry in hopes that a
more cooperative approach to protecting the nation's critical
information infrastructure will avert heavy-handed regulation by
Congress and the White House.

Leaders of the Cyber Security Industry Alliance (CSIA) stress that
they remain wary of any government effort to regulate security
practices. They are, however, willing to concede that some
requirements, perhaps developed under existing federal laws, could
improve computer security practices without foisting onerous mandates
on businesses.

That concession marks a departure from the technology industry's
traditional anti-regulatory philosophy and signals an attempt by the
computer security community to speed up efforts to implement a White
House-sponsored plan to secure the nation's electronic communications
networks.

"Rather than saying to Congress, 'This is not an issue, stay out,' we
as an industry need to figure out how to solve these problems in a
proactive way before someone gets fed up and says it's time to
legislate," said Sanjay Kumar, the chief executive of Islandia,
N.Y.-based Computer Associates and a leading figure in the new
organization.

One of the first tasks on the alliance's agenda is to develop common
standards for reporting and sharing information on the latest Internet
security threats. A presidential commission report submitted to the
White House earlier this month found that the anti-virus software
vendors often create public confusion by giving different names and
threat levels to the same computer viruses and worms.

Richard Clarke, the former White House adviser who led the drafting of
the White House's National Strategy to Secure Cyberspace, said the
spate of worms and viruses that plagued the Internet in 2003 put added
pressure on the security industry to take action.

"Last year was the worst in history in terms of the damage from
cyber-attacks," Clarke said. "I think we're getting to the point where
Congress wants something to happen, the people and American
corporations that buy information technology want something to happen,
and so having the technology security industry organized to be part of
that debate makes a lot of sense."

"This is a maturing industry, and the computer security community
needs to speak with a common voice," said Paul Kurtz, who took the top
job at the alliance after resigning earlier this month as special
assistant to President Bush on critical infrastructure protection.

Harris Miller, president of the 400-member Information Technology
Association of America (ITAA), acknowledged that the private sector's
progress in implementing the national cyber-security plan "has been
slower than everyone would like, but the regulations and legislation
we've heard about would all be counterproductive."

Miller declined to discuss the new alliance, saying only that the ITAA
would continue to resist calls for any additional computer security
regulation.

"Regulation means standards, and standards mean stopping innovation,"
Miller said. "Because of that, we think more computer security
regulations would actually make the country more vulnerable to
cyber-attacks than it is today."

This conflict was highlighted last year when Rep. Adam Putnam (R-Fla.)
suggested that publicly traded companies should certify with the
Securities and Exchange Commission that they meet certain
cyber-security standards.

Putnam shelved the proposal after the ITAA, the Business Software
Alliance (BSA) and the U.S. Chamber of Commerce protested.

The three associations assembled a series of working groups --
including some members of the new security alliance -- to come up with
their own ideas for cyber-security best practices, such as raising
awareness of computer security threats, improving response time after
attacks, changes in corporate governance to make security a priority
and improving software development. Their report is due in early
March.

The security alliance, meanwhile, said it will seek clarification from
Congress on how several recently enacted laws would apply to corporate
network security.

"There's a misperception that the wired world is dramatically
different than the physical world we live in, but many of the rules
that control interstate commerce already apply in the wired world,"
said John Thompson, chairman and chief executive of Cupertino,
Calif.-based anti-virus company Symantec Corp. "Why wouldn't we make
sure that current laws are being appropriately enforced? We need to
become more cognizant of the current laws we have and how they apply
in the wired world."

The Health Insurance Portability and Accountability Act (HIPAA) and
the Gramm-Leach-Bliley Act require publicly traded companies to assure
the privacy and integrity of consumer health and financial data, but
few companies can say how they should comply with these regulations
from a network security perspective.

"Where's the acid test to say whether companies are aligned with these
laws? The answer is it doesn't exist," said Tom Noonan, president and
chief executive of Atlanta-based Internet Security Systems.

The Sarbanes-Oxley Act, enacted nearly two years ago in response to a
wave of corporate accounting scandals, requires executives at the
nation's public companies to stake their reputations on the integrity
of their financial books. It also requires executives to take
responsibility for "internal controls" to ensure the accuracy of
financial reporting -- a requirement that some say means chief
executives must attest to the security of their corporate networks as
well. That section of the law goes into effect next year, and alliance
members say companies do not yet know how to comply with it.

"How can you certify that your internal controls are adequate if you
don't know if your corporate security posture is good," said George
Samenuk, chairman and chief executive of Network Associates in Santa
Clara, Calif. "People are confused about what levers they have to pull
and what the penalties are for falling behind, and in the absence of
greater clarity a lot of these regulations are just creating
confusion."

Bill Connor, chief executive at Entrust of Addison, Texas, said the
alliance believes that this problem will lessen once corporate
executives understand the value of investing more time and money in
solid security policies. Failing to do that, he said, can cost more in
the long run if Internet attacks cripple their businesses or expose
them to customer and shareholder lawsuits.

"Cybersecurity is not a technical issue but really a boardroom and
executive issue," said Connor, who co-chairs a working group pushing
for a set of standards for companies to tell whether their policies
comply with existing laws. "In the end, it may take legislation to get
companies to do the right thing, but until you have a framework that
translates how these risks apply to company's bottom line, new
regulation may only increase confusion in the market."

John Pescatore, vice president for Internet security at Stamford
Conn.-based market research firm Gartner Inc., said that the
alliance's unstated goal is its members' bottom lines.

"The biggest issue facing the computer security industry is there's
nothing that forces the government to buy a lot more than the stuff
that they have now," Pescatore said. "What they're looking for are
government standards that say 'you must meet this standard to be
secure.'"

Thompson disputed that notion. "We know how to make money in this
business, and I think for someone to suggest that indicates their lack
of understanding of the challenges that face the nation on
cyber-security."

But Network Associates's Samenuk was more pragmatic.

"When you talk about large government customers, if we do the right
job of education and awareness, then business will flow," Samenuk
said. "We have a duty to help people make the right decisions on
security, but we're not doing this entirely out of the kindness of our
hearts."

The other companies in the Cyber Security Industry Alliance include
Houston-based Bindview Corp., Redwood City, Calif.-based Check Point
Software Technologies, Juniper Networks subsidiary Netscreen
Technologies of Sunnyvale, Calif., Palo Alto, Calif.-based PGP Corp.,
RSA Security of Bedford, Mass. and San Jose, Calif.-based Secure
Computing Corp.
