[ISN] Trade group gives Feds low cybersecurity grade

From: InfoSec News (alerts@private)
Date: Thu Feb 01 2007 - 03:36:19 PST


By Grant Gross
January 31, 2007
IDG News Service

The Cyber Security Industry Alliance has given the U.S. government D 
grades on its cybersecurity efforts in 2006, and renewed its call for 
Congress to pass a comprehensive data protection law in 2007.

The CSIA, a trade group representing cybersecurity vendors, gave the 
U.S. government D grades in three areas: security of sensitive 
information, security and reliability of critical infrastructure, and 
federal government information assurance. (See the report in PDF format. 

"Government needs to take these issues very seriously," said Liz 
Gasster, the CSIA's acting executive director and general counsel.

Among the problems in 2006: The U.S. Department of Veterans Affairs 
reported a data breach involving the personal information of 26.5 
million military veterans and family members. Other agencies also 
reported multiple lost laptops containing personal information. The CSIA 
called on agencies to notify citizens of data breaches.

After a rash of reported data breaches in early 2005, members of 
Congress introduced multiple bills requiring companies with data 
breaches to notify affected consumers. But a breach-notification law 
failed to pass, partly because of jurisdictional fights between multiple 
congressional committees.

A comprehensive data security bill should include breach notification, 
but also a requirement that all organizations holding sensitive data -- 
including private companies, government agencies, nonprofits, and 
educational institutions -- use reasonable security standards, Gasster 
said. The U.S. Federal Trade Commission has taken action against several 
companies, but a comprehensive law would give the FTC or another agency 
broad jurisdiction to investigate data breaches, she said.

The CSIA is optimistic a comprehensive data breach law will pass in the 
next year, even though it stalled in the last Congress, Gasster added. 
Major data breaches continue to happen, and consumers will increase the 
pressure on Congress to act, she predicted. In mid-January, retailer TJX 
Companies Inc. reported a massive data breach.

"Consumers just are not going to put up with is," Gasster said.

Here's how the CSIA generated its government cybersecurity grades:

* Security of sensitive information, grade D: Congress ratified the 
  Council of Europe Convention on Cyber Crime, allowing the U.S. to work 
  with other signatories on cybersecurity investigations, but failed to 
  pass a comprehensive law to protect sensitive personal information.

* Security and resiliency of the critical information infrastructure, 
  grade D: The Department of Homeland Security appointed an assistant 
  secretary for cybersecurity and telecommunications and implemented 
  some cybersecurity program, but it hasnt offered a clear agenda for 
  its top cybersecurity research and development priorities or 
  established a survivable emergency coordination network to handle a 
  large-scale cybersecurity disaster.

* Federal information assurance, grade D: Government continues to offer 
  a "mixed bag of successes and failures," the CSIA said, with progress 
  within the White House Office of Management and Budget's enforcement 
  of cybersecurity directives and implementation of U.S. President 
  George Bush's Homeland Security Presidential Directive 12, requiring 
  agencies to start issuing smart identification cards. But the 
  government needs to do a better job in several areas, including 
  security issues with telecommuting and releasing information on the 
  cost of cyberattacks, the CSIA said.

In addition to a comprehensive data protection bill, CSIA called for the 
U.S. government to strengthen the power of agency chief information 
officers and called on agencies to increase testing of cybersecurity 

[1] https://www.csialliance.org/resources/pdfs/CSIA_06Report_07Agenda_US_Govt.pdf

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Thu Feb 01 2007 - 03:48:22 PST