http://www.washingtonpost.com/wp-dyn/articles/A3455-2004Feb24.html

By Brian Krebs
washingtonpost.com Staff Writer
February 25, 2004

Eleven of the nation's top computer security companies are forming a new organization to lobby on cyber-security issues in Washington, breaking ranks with the broader technology industry in hopes that a more cooperative approach to protecting the nation's critical information infrastructure will avert heavy-handed regulation by Congress and the White House.

Leaders of the Cyber Security Industry Alliance (CSIA) stress that they remain wary of any government effort to regulate security practices. They are, however, willing to concede that some requirements, perhaps developed under existing federal laws, could improve computer security practices without foisting onerous mandates on businesses.

That concession marks a departure from the technology industry's traditional anti-regulatory philosophy and signals an attempt by the computer security community to speed up efforts to implement a White House-sponsored plan to secure the nation's electronic communications networks.

"Rather than saying to Congress, 'This is not an issue, stay out,' we as an industry need to figure out how to solve these problems in a proactive way before someone gets fed up and says it's time to legislate," said Sanjay Kumar, the chief executive of Islandia, N.Y.-based Computer Associates and a leading figure in the new organization.

One of the first tasks on the alliance's agenda is to develop common standards for reporting and sharing information on the latest Internet security threats. A presidential commission report submitted to the White House earlier this month found that the anti-virus software vendors often create public confusion by giving different names and threat levels to the same computer viruses and worms.
Richard Clarke, the former White House adviser who led the drafting of the White House's National Strategy to Secure Cyberspace, said the spate of worms and viruses that plagued the Internet in 2003 put added pressure on the security industry to take action.

"Last year was the worst in history in terms of the damage from cyber-attacks," Clarke said. "I think we're getting to the point where Congress wants something to happen, the people and American corporations that buy information technology want something to happen, and so having the technology security industry organized to be part of that debate makes a lot of sense."

"This is a maturing industry, and the computer security community needs to speak with a common voice," said Paul Kurtz, who took the top job at the alliance after resigning earlier this month as special assistant to President Bush on critical infrastructure protection.

Harris Miller, president of the 400-member Information Technology Association of America (ITAA), acknowledged that the private sector's progress in implementing the national cyber-security plan "has been slower than everyone would like, but the regulations and legislation we've heard about would all be counterproductive."

Miller declined to discuss the new alliance, saying only that the ITAA would continue to resist calls for any additional computer security regulation.

"Regulation means standards, and standards mean stopping innovation," Miller said. "Because of that, we think more computer security regulations would actually make the country more vulnerable to cyber-attacks than it is today."

This conflict was highlighted last year when Rep. Adam Putnam (R-Fla.) suggested that publicly traded companies should certify with the Securities and Exchange Commission that they meet certain cyber-security standards. Putnam shelved the proposal after the ITAA, the Business Software Alliance (BSA) and the U.S. Chamber of Commerce protested.
The three associations assembled a series of working groups -- including some members of the new security alliance -- to come up with their own ideas for cyber-security best practices, such as raising awareness of computer security threats, improving response time after attacks, changes in corporate governance to make security a priority and improving software development. Their report is due in early March.

The security alliance, meanwhile, said it will seek clarification from Congress on how several recently enacted laws would apply to corporate network security.

"There's a misperception that the wired world is dramatically different than the physical world we live in, but many of the rules that control interstate commerce already apply in the wired world," said John Thompson, chairman and chief executive of Cupertino, Calif.-based anti-virus company Symantec Corp. "Why wouldn't we make sure that current laws are being appropriately enforced? We need to become more cognizant of the current laws we have and how they apply in the wired world."

The Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act require publicly traded companies to assure the privacy and integrity of consumer health and financial data, but few companies can say how they should comply with these regulations from a network security perspective.

"Where's the acid test to say whether companies are aligned with these laws? The answer is it doesn't exist," said Tom Noonan, president and chief executive of Atlanta-based Internet Security Systems.

The Sarbanes-Oxley Act, enacted nearly two years ago in response to a wave of corporate accounting scandals, requires executives at the nation's public companies to stake their reputations on the integrity of their financial books.
It also requires executives to take responsibility for "internal controls" to ensure the accuracy of financial reporting -- a requirement that some say means chief executives must attest to the security of their corporate networks as well. That section of the law goes into effect next year, and alliance members say companies do not yet know how to comply with it.

"How can you certify that your internal controls are adequate if you don't know if your corporate security posture is good," said George Samenuk, chairman and chief executive of Network Associates in Santa Clara, Calif. "People are confused about what levers they have to pull and what the penalties are for falling behind, and in the absence of greater clarity a lot of these regulations are just creating confusion."

Bill Connor, chief executive at Entrust of Addison, Texas, said the alliance believes that this problem will lessen once corporate executives understand the value of investing more time and money in solid security policies. Failing to do that, he said, can cost more in the long run if Internet attacks cripple their businesses or expose them to customer and shareholder lawsuits.

"Cybersecurity is not a technical issue but really a boardroom and executive issue," said Connor, who co-chairs a working group pushing for a set of standards for companies to tell whether their policies comply with existing laws. "In the end, it may take legislation to get companies to do the right thing, but until you have a framework that translates how these risks apply to a company's bottom line, new regulation may only increase confusion in the market."

John Pescatore, vice president for Internet security at Stamford, Conn.-based market research firm Gartner Inc., said that the alliance's unstated goal is its members' bottom lines.

"The biggest issue facing the computer security industry is there's nothing that forces the government to buy a lot more than the stuff that they have now," Pescatore said.
"What they're looking for are government standards that say 'you must meet this standard to be secure.'"

Thompson disputed that notion. "We know how to make money in this business, and I think for someone to suggest that indicates their lack of understanding of the challenges that face the nation on cyber-security."

But Network Associates's Samenuk was more pragmatic. "When you talk about large government customers, if we do the right job of education and awareness, then business will flow," Samenuk said. "We have a duty to help people make the right decisions on security, but we're not doing this entirely out of the kindness of our hearts."

The other companies in the Cyber Security Industry Alliance include Houston-based Bindview Corp., Redwood City, Calif.-based Check Point Software Technologies, Juniper Networks subsidiary Netscreen Technologies of Sunnyvale, Calif., Palo Alto, Calif.-based PGP Corp., RSA Security of Bedford, Mass. and San Jose, Calif.-based Secure Computing Corp.