[ISN] Panel lets security makers off the hook

From: InfoSec News (isnat_private)
Date: Thu Jan 09 2003 - 22:52:19 PST


    Forwarded from: security curmudgeon <jerichoat_private>

    [Great. So all this talk about wanting a secure Internet
    Infrastructure meant what? Which of these windbags were talking about
    cyber attack and renegade jolt slurping hackers that could cripple the
    economy while sodomizing their mother over the phone lines? Yet.. they
    don't *really* want to make things better. - jericho]

    By Declan McCullagh
    Staff Writer, CNET News.com
    January 8, 2003, 4:45 PM PT

    Security software and hardware makers should not have to submit their
    products for mandatory performance testing, a federal advisory council
    said Wednesday.

    Members of the National Infrastructure Advisory Council (NIAC), a
    presidentially appointed panel, voted during a conference call
    Wednesday afternoon to remove language from a draft cybersecurity
    report that could have required that all "security products that
    protect critical infrastructure" undergo strict review.

    The advisory report is scheduled to be sent to President George W.
    Bush in the next month, and any legal requirements it recommends
    imposing on the private sector would have to be approved by Congress.

    Union Pacific Chairman and CEO Richard Davidson, chairman of NIAC,
    began the call by saying that the performance testing requirement is
    "probably not as palatable to the IT companies and probably is a
    little too strong in terms of regulation recommendations."

    Davidson's note of caution was echoed by Cisco Systems CEO John
    Chambers. "We found that mandatory testing and evaluation testing and
    procedures in the area of security is something that has actually
    slowed down innovation and is always two to three steps behind,"
    Chambers said. He suggested that this could result in a regulation
    that meets a lowest common denominator requirement.

    Akamai Technologies' George Conrades said he would support the
    government's taking a market approach--using its purchasing power--to
    oversight of the cybersecurity industry. This would help quell
    concerns about slowing down innovation, the company chairman and CEO
    said. Conrades also agreed with the removal of the word "mandatory"
    from the report.

    Margaret Grayson, CEO of network security firm V-One, suggested that
    certain "products be required to interoperate with each other." Other
    NIAC members, including Chambers, spoke out against the proposal, and
    Grayson eventually amended the testing requirement to become only

    President Bush created the NIAC by executive order in Oct. 2001, after
    the Sept. 11 terrorist attacks, and appointed most members to it a
    year later.

    The crafting of the NIAC recommendations is linked to the unveiling in
    September of a draft White House proposal recommending that industry
    and individuals take greater care in securing data rather than
    recommending tough new laws and regulations requiring specific
    industry segments to secure themselves.
