Setting a cybersecurity agenda for the 110th Congress
- By William Jackson
- Oct 31, 2007
Cyberspace is becoming an increasingly dangerous neighborhood, and some members of Congress are looking for ways to help clean it up.
'There is a rising debate in Congress on how to best combat the growing cyberthreat,' Rep. Kirsten Gillibrand said Wednesday at a roundtable discussion hosted by the Congressional High Tech Caucus.
The caucus is a group of more than four dozen representatives and senators working to set an IT legislative agenda for the 110th Congress.
It is not as if they don't have options. During the past few years a score or more bills have been introduced in both houses on subjects such as computer crime, infrastructure protection, spyware and data breaches. A number of them now are pending. Few have made it to floor votes, let alone into law.
Industry and consumer advocates speaking at the roundtable (which actually was a long rectangle) suggested different approaches to the problem. Jeannine Kenney, senior policy analyst at Consumers Union, called for a strong national breach notification law as a way to help protect personal identification from theft or exposure.
'Industry and government are not investing in cybersecurity measures,' Kenney said. 'We need to create incentives to make these investments. One way to do that is requiring that consumers are always notified when their personal information is breached.'
That is fine, up to a point, with the information technology industry, which would like to see a national standard replace the current patchwork of more than 35 state notification laws. The Cyber Security Industry Alliance wants any notification law to include safe harbors 'for businesses that implement strong, pre-breach security measures.'
But what CSIA calls a safe harbor, Consumers Union would call a loophole. Kenney said any effective law would have to eliminate such loopholes in order to give companies incentives to do everything possible to protect personal data.
Stuart Pratt, president at the Consumer Data Industry Association, and Hugo Teufel III, the Homeland Security Department's chief privacy officer, both said that collecting personal data can improve security and that the resulting risks to privacy are an acceptable trade-off.
'There does not have to be any balance between privacy and security,' Teufel said. 'They go hand in hand.'
'Data has been used to prevent fraud,' Pratt said. Current risks require people to accept what a short time ago would have been considered invasions of privacy, he said.
John McCumber, strategic programs manager at Symantec, and Richard Howard, director of VeriSign's iDefense Security Intelligence group, called for a more professional approach to security to counter more professional cyberattacks.
'It has become a business,' Howard said. Both he and McCumber described organized crime groups that design, market and use malicious code, then package stolen data for wholesale and retail sale.
Although lots of security technology is available, technology will not solve policy and human issues that create vulnerabilities, and IT security is not a science, McCumber said.
'It is something we need to be able to measure,' he said. 'We need to move this into science.'