The U.S. government needs to get more serious about cybersecurity, but Congress should look at broader ways to combat security problems than focusing on bills that address specific issues such as spam or spyware, a group of executives from IT security product vendors said this week.
Members of the Cyber Security Industry Alliance (CSIA), meeting in Washington, D.C., Thursday, repeated their call for Congress to create an assistant secretary for cybersecurity position at the U.S. Department of Homeland Security (DHS). Two bills introduced in Congress this year would elevate the DHS cybersecurity job to assistant secretary.
The administration of President George Bush released its National Strategy to Secure Cyberspace in February 2003, but cybersecurity has taken a back seat to physical security issues since then, said Art Coviello, president and chief executive officer at RSA Security Inc. “We just haven’t seen the Department of Homeland Security provide the leadership we’ve expected out of that (national strategy) effort,” he said.
A DHS spokeswoman didn’t immediately return a phone call seeking comment on the CSIA criticisms. Members of the year-old CSIA, meeting as a rash of data breaches have been announced in recent months, said they committed this week to helping Congress and administration officials understand cybersecurity issues. Coviello and other IT security firm executives questioned Congress’ current approach of passing laws focused on specific cybersecurity concerns in reaction to the latest headlines.
Instead of trying to define scams like spyware or phishing in bills, Congress should focus on broader concepts such as how to protect private data and on comprehensive cybersecurity legislation, said Thomas Noonan, chairman, president and chief executive officer at Internet Security Systems Inc. Currently, 18 bills in Congress deal in some way with cybersecurity, he said.
“As an industry group, we struggle with whether we can be effective if our lawmakers take the position of prescriptive legislation every time there’s a new problem,” Noonan added.
CSIA members said they take issues like phishing and spyware seriously, even as they questioned whether there should be separate laws for each problem. Members suggested that issues like phishing and spyware, which target individual Internet users, should gain the attention of DHS, as there’s growing evidence that organized crime is using ID theft attacks to make money.
“The things that can happen as the result of identity theft can relate to national security,” said John McNulty, chairman and chief executive officer of Secure Computing Corp.
While most CSIA executives said they would welcome the right kind of cybersecurity legislation, not all technology companies favor new laws. Private companies should have time to find their own solutions to data breaches and explain their efforts to Congress, said Howard Schmidt, chief security strategist at eBay Inc., during a forum on ID theft at the Washington think tank the Center for Strategic and International Studies Friday.
“One of the things we’ve probably been missing is having a dialog, bringing the [data] aggregators in, bringing the security people in, and saying, ‘what are you doing, what is your timeframe you’re working on … what are the things you’re doing to show there is improvement?’” said Schmidt, former advisor to Bush for cyberspace security. “Then, if it appears to be there’s not sufficient market response in an appropriate time, then look at some ways of legislating issues. But currently, that dialog is not taking place.”
But others on the same panel questioned if companies were now doing enough to protect customer data, in light of recent data breaches at data brokers ChoicePoint Inc. and LexisNexis, as well as retailer Polo Ralph Lauren Corp., that exposed the personal data of hundreds of thousands of U.S. residents. While not pointing to specific companies, RSA Security’s Coviello noted that in some recent data breaches, it appeared that personal data was not encrypted or that password management was lax.
“We should be thinking not only about government regulation, but also about self-regulation,” Coviello said. “It’s not one or the other, it’s got to be both.”
Joe Raymond, chief architect for Web optimization at E-Trade Financial Corp., called for more banks to use so-called two-factor identification, which combines a unique password with a secure card or token that the customer must present to access an online account. E-Trade, working with RSA Security, has piloted a two-factor authentication system that customers have embraced, Raymond said.
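The two-factor scheme described above pairs something the customer knows (a password) with something the customer has (a token that produces one-time codes). As an added illustration that is not part of the original article and not E-Trade's or RSA Security's code, the following Python sketch verifies both factors on the server side: the password is checked against a PBKDF2 hash and the token code is checked as an RFC 4226 HOTP value, with a small look-ahead window so a skipped token press does not lock the user out, replay prevention by advancing the counter, and a failure limit to throttle guessing of six-digit codes. The secret, salt, password and counter values are constructed for the demo (the token seed is the RFC 4226 test-vector secret).

```python
import hashlib
import hmac
import struct

# Constructed demo values. In production the token seed would live in the
# token and the server's key store, and the hash would come from the
# password database; they are hard-coded here only to keep the example runnable.
DEMO_TOKEN_SEED = b"12345678901234567890"      # RFC 4226 test-vector secret
DEMO_SALT = b"demo-salt-16byte"                 # constructed salt
DEMO_PASSWORD = "correct horse battery staple"  # constructed password


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value: HMAC-SHA1 over the counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TwoFactorVerifier:
    """Server-side check of password plus hardware-token one-time code."""

    def __init__(self, password_hash: bytes, salt: bytes, token_seed: bytes,
                 counter: int = 0, look_ahead: int = 3, max_failures: int = 5):
        self.password_hash = password_hash
        self.salt = salt
        self.token_seed = token_seed
        self.counter = counter          # next counter value the server expects
        self.look_ahead = look_ahead    # tolerated number of skipped token codes
        self.max_failures = max_failures
        self.failures = 0

    def verify(self, password: str, otp: str) -> bool:
        # Refuse further attempts once the failure budget is spent; this is
        # what keeps a six-digit code space from being brute-forced.
        if self.failures >= self.max_failures:
            return False

        # Evaluate both factors unconditionally (no short-circuit) so timing
        # and error behaviour do not reveal which factor was wrong.
        password_ok = hmac.compare_digest(
            hash_password(password, self.salt), self.password_hash)

        matched_counter = None
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.token_seed, c), otp):
                matched_counter = c
                # keep looping so the work done does not depend on the match

        if password_ok and matched_counter is not None:
            # Move past the accepted code: the same code can never be replayed.
            self.counter = matched_counter + 1
            self.failures = 0
            return True

        self.failures += 1
        return False


def make_demo_verifier() -> TwoFactorVerifier:
    """Build a verifier enrolled with the constructed demo credentials."""
    return TwoFactorVerifier(hash_password(DEMO_PASSWORD, DEMO_SALT),
                             DEMO_SALT, DEMO_TOKEN_SEED)


if __name__ == "__main__":
    v = make_demo_verifier()
    print("first login:", v.verify(DEMO_PASSWORD, hotp(DEMO_TOKEN_SEED, 0)))
    print("replayed code:", v.verify(DEMO_PASSWORD, hotp(DEMO_TOKEN_SEED, 0)))
```

The look-ahead window and the failure limit pull in opposite directions: a wider window makes the token more forgiving but enlarges the set of codes an attacker could hit, so the window should stay small and every miss should count against the limit, as it does here.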
Schmidt agreed that new security methods are needed. “User IDs and passwords are fundamentally dead” as a security guarantee, he said.
Panel members also called for more law enforcement resources to deal with cybersecurity and more consumer education efforts that stress individual responsibility while using the Internet.
But consumer education takes a long time, countered James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies. “If you’re going to depend on consumer education, my advice is your life jacket is under the seat,” he said. “If you’re going to depend on consumer education, it’s a very slow process.”