WASHINGTON -- Technology companies and security advocates disagree about a recent series of recommendations released by a cybersecurity task force. The task force, convened by a U.S. House subcommittee chairman, recommended among other things that IT purchasers be allowed to band together to dictate security standards for the products they buy.
Among the recommendations of the Corporate Information Security Working Group (CISWG), released last week by Representative Adam Putnam (R-Florida), was a proposal to change U.S. antitrust law to allow IT industry groups to agree on security specifications for software and hardware they purchase. The Information Technology Association of America, which participated in CISWG, objected to that proposal, saying it amounts to a call for group boycotts.
"The proposal is that a larger group [of customers] would be able to form what amounts to a buyer's cartel to enforce a security standard the buyers' group endorsed," says Joe Tasker, senior vice president for government affairs at ITAA.
Tasker objects to the antitrust exemption because a buyers' group could hamper innovation in IT products by having customers, not vendors, setting the standards. Buyers' cartels are illegal under antitrust law, and most enterprises haven't demanded security-certified IT products, he adds.
"If the buyer sets the standard, who knows if they're right?" Tasker says. "That's a prescription for a go-slow approach among vendors. [A buyers' group] changes the marketplace, and it's a killer on innovation."
Something to Talk About?
But other CISWG members say the buying-group proposal, and a second proposal to better enforce a federal law requiring U.S. agencies to establish and enforce minimum security configuration standards for the systems they deploy, at least deserve to be debated. One section of the U.S. Federal Information Security Management Act (FISMA) of 2002 requires U.S. agencies to develop security configurations and benchmarks for the IT products they buy, but that section of the law isn't being consistently enforced, says Alan Paller, director of research for the SANS Institute.
The ITAA has questioned whether security configurations should be built into the procurement process, which is what could happen under that section of FISMA, Tasker says. If security configurations are built into procurement, it may be difficult for government agencies to later change their security configurations when better alternatives are available, and federal agencies could copy each other's configurations, instead of deciding what's best in each agency, Tasker says. Specific security configurations could lock agencies into specific IT vendors, he adds.
The FISMA section doesn't require vendors to build in security configurations for free, but it could lead to both government and private organizations demanding secure configurations, Paller says. "Isn't it a big story that the vendors are saying, 'Don't enforce the law'?" he says. "This [law] does not, in any way, tell agencies what software to buy."
The separate buyer-group recommendation may not successfully result in a change in U.S. antitrust law, but the debate may cause vendors to make changes to their products, Paller says. The proposal shows a "tsunami" of user anger over IT products, Paller says. "I don't think this [proposal] will go through," he adds. "In the argument against it, the vendors are showing their colors, and the buyers don't like it."
Vendors and customers need to get beyond "rhetoric" about antitrust and mandates to come up with ways to improve cybersecurity, says Clint Kreitner, president and chief executive officer of the Center for Internet Security. He calls the debate over buyer groups a "healthy process."
"The last time I checked, success in business comes from meeting your customers' needs," Kreitner says. "I don't see what's wrong with meeting your customers' needs in security."
In Addition
CISWG also released several other recommendations last week. Among them were a number of recommendations to create incentives for companies to engage in cybersecurity efforts. That subgroup recommended awards programs for private companies and insurance-company incentives for companies that follow cybersecurity best practices. Another CISWG subgroup recommended a cybersecurity handbook aimed at small businesses. The CISWG recommendations are available online.
Kreitner's best practices subgroup listed 81 separate cybersecurity guides available to companies and computer users. "It's no wonder the corporations are struggling with cybersecurity," he says. "The guidance that's out there is very fragmented ... and represents the views of competing organizations."
While there's debate over the CISWG recommendations, participants praised Putnam's decision to bring the organizations together to debate security. Paller praises CISWG for including a broad cross-section of IT vendors, buyers, and security experts. The CISWG was different from some other cybersecurity task forces in that the members weren't "all trying to sell something," Paller says.
The list of recommendations should show lawmakers that private industry can come up with its own cybersecurity solutions, adds Tasker. "It was a pretty strong rejection of the need for government regulation," he says.
Paller, however, isn't convinced that the need for legislation has passed. Private companies aren't likely to start paying more attention to cybersecurity without some incentive, he says.
"I don't think any of this [CISWG report] will actually change that," he says. "Management isn't going to get religion by being whined at. [Legislation] is the only thing that works."