[ISN] Tech industry put on security notice

From: InfoSec News (isn@private)
Date: Fri Dec 05 2003 - 01:02:25 PST

    http://news.com.com/2100-7355_3-5113165.html
    
    [Fark.com summed this up as... Department of Homeland Security tells
    IT industry to get secure or they will have to create a department to
    regulate IT, get pork funding, pretend that IT is secure, and $100
    billion later end up where they started - WK]
    
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    December 3, 2003
    
    SANTA CLARA, Calif. -- At first blush, the National Cyber Security 
    Summit had all the makings of a tech industry love fest. 
    
    The Summit, put on by four pro-business organizations, had major 
    officials from the Department of Homeland Security praising 
    industry-led initiatives and promising to forestall any legislation. 
    
    Yet, while the government officials--including department Secretary 
    Tom Ridge and Robert Liscouski, assistant secretary for infrastructure 
    protection--said they would go to bat for industry efforts to better 
    corporate network security, they warned that companies better not 
    strike out. 
    
    "There should be no mistake about where we stand," Liscouski said 
    during a press conference at the summit. "We are not going to let 
    anybody who operates in this space dodge their responsibility, and I 
    will be sticking my finger into people's chests to make sure they live 
    up to their responsibilities." 
    
    While some security experts have criticized the Bush administration's 
    plan to protect the Internet, known as the National Strategy to Secure 
    Cyberspace, Liscouski and other officials stressed that the policy 
    document was just a guideline to help secure the Internet and that 
    supporting legislation could be one way that the Department of 
    Homeland Security could hold companies' collective feet to the fire. 
    
    "The National Strategy didn't call for specific pieces of 
    legislation," said Amit Yoran, director of the National Cyber Security 
    Division at the Department of Homeland Security. "That does not mean, 
    however, there is no role for legislation." 
    
    The tougher stance answered many critics' calls for legislating 
    responsible security measures for businesses, in much the same way 
    that the Gramm-Leach-Bliley Act and the Health Insurance Portability 
    and Accountability Act (HIPAA) set data security standards for 
    companies. At least one study has indicated that such legislation is a 
    primary driver in corporate information security spending.
    
    Liscouski promised to head off legislation and let companies have a 
    first stab at the problem. "I can be your advocate to everyone who 
    wants to put legislation on the block to make you do your jobs," he 
    said during a morning keynote speech. 
    
    By midday, however, Liscouski was taking a less amiable tack. "This is 
    not the (Department of Homeland Security) advocating the industry's 
    message," he said. "This is a partnership. It is not about ensuring 
    that the industry gets its own way." 
    
    The Department of Homeland Security has marked the security of the 
    Internet and e-commerce infrastructure as a top priority. 
    
    "Terrorists know that a few lines of code could, ultimately, wreak as 
    much havoc as bombs," Ridge said during his keynote speech. "The 
    enemies of freedom use the same techniques as hackers do. We must be 
    as diligent and determined as hackers are." 
    
    While most security professionals have dismissed predictions of 
    "cyberterrorism" as the stuff of fiction, they haven't denied that 
    cyberattacks are a serious threat for businesses. Eric Benhamou, 
    chairman of network provider 3Com, pointed to the MSBlast worm and 
    Sobig virus that hit companies hard this past summer as a wake-up call 
    for even the least security-conscious companies. 
    
    "The pain level experienced by companies due to cyberattacks has 
    increased sharply to the point that it can't be ignored," he said. 
    
    
    Uniting to push security
    
    The four organizations that sponsored the Summit--the Business 
    Software Alliance (BSA), the Information Technology Association of 
    America, the TechNet lobbying group and the U.S. Chamber of 
    Commerce--brought together five groups of company executives and 
    security professionals to hammer out proposals in five different 
    areas. 
    
    The five task forces focused on creating awareness in home computer 
    users and small businesses, establishing a cybersecurity early warning 
    system, making information security part of corporate governance, 
    advocating technical best practices for security, and pushing security 
    improvements into the software development process. 
    
    The four organizations said that educated companies will do the right 
    thing and secure themselves, and it should not just be about selling 
    technology. "Cybersecurity is not just a technology issue, but an 
    issue that should be considered across the corporation," said Robert 
    Holleyman, CEO of the BSA. 
    
    Most companies should already be having security discussions at the 
    boardroom level, said Art Coviello, CEO of digital security company 
    RSA Security and co-chairman of the Corporate Governance Task Force. 
    "CEOs are already on the hook for (their company's security), whether 
    they know it or not... I don't need Sarbanes-Oxley to know that I have 
    a fiduciary responsibility to protect my networks."
    
    TechNet, a lobbying group in Washington, D.C., that represents the 
    technology industry, released a 75-question evaluation for companies 
    to allow their chief executives to find out the state of security in 
    their companies. The four groups said that such tools should give them 
    the ability to gauge the progress of the industry to secure itself. 
    
    Assistant Secretary Liscouski, former director of information 
    assurance for Coca-Cola, seemed to think the task forces were moving 
    in the right direction. In any event, he seemed reluctant to be part 
    of the boardroom again.
    
    "Government is not going to sit on the board of a company to make sure 
    they are doing the right thing," he said. "If they can't step up to 
    the plate, we have other measures. However, at the end of the day, 
    that's not where we want to be." 
    
    The goal, Liscouski stressed, is not to regulate but to secure the 
    industry. 
    
    "We do not want what we fear: a catastrophic cyberattack or a 
    catastrophic physical attack enhanced by a cyberattack," he said. "We 
    are not going to sit back and let another event occur." 
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    
    This archive was generated by hypermail 2b30 : Fri Dec 05 2003 - 03:35:53 PST