Cameras
Camcorders
Cell Phones
Components
Desktops
HDTV
Home Theater
GPS
Laptops
Monitors
MP3 Players
Networking &
Printers
Storage
LONDON--The Cyber Security Industry Alliance, an international security group, doesn't maintain a colored alert system indicating threat levels, but if it did, says former White House security director Paul Kurtz, the shade of the day would be a bright orange for "high risk."
"It's not appropriate to say the sky is falling, but I do think we are taking information security for granted," Kurtz said in an interview here Friday.
It's this concern that prompted Kurtz to come to Europe last week in his current role as executive director of the CSIA, a public policy advocacy group focused on cybersecurity issues. CSIA was launched in February 2004 by a handful of IT security firms, including RSA Security, McAfee, and Symantec, and it is now seeking to expand its membership in Europe and to begin tackling issues across the Atlantic.
Lower Priority for United States
Industry representatives approached Kurtz early last year, while he was still serving as special assistant to the president and senior director for critical infrastructure protection on the White House's Homeland Security Council, responsible for both physical and cybersecurity.
"At first I thought Washington needs a new association like a hole in the head, but then after I thought about it I elected to leave the White House," Kurtz says. Part of the reason was that cybersecurity had been "put in the backseat" while physical security took precedence, he said. "It was very frustrating."
At CSIA, Kurtz and the member companies want to work on global cybersecurity issues such as privacy and information integrity, as well as to help develop policies like notifying the public when their information has been exposed in a data breach. The group is focused on enterprise issues and it's CEO-driven--its board comprises executives from McAfee, Symantec, and RSA, among others.
"The bottom line is that the private sector is going to get attacked," Kurtz says.
The U.S. government isn't taking cybersecurity seriously enough, and has in fact reduced its research and development spending in the latest budget, he says.
One possible reason behind the lack of concern is that some in the government still believe that cybercriminals are "pimply-faced teenagers" and not organized crime gangs, according to Kurtz.
Recent Attacks
But for the private sector, the threat has become much more real, as recent high-profile cases have managed to grab headlines and shake consumer confidence. In just one recent incident, it was revealed earlier this month that some 40 million credit card numbers may have been accessed by a hacker who infiltrated the network of a company that processed payment information for MasterCard International.
"As we've seen over the last few months, a lack of attention to detail can spill into the papers," Kurtz says.
And consumers are becoming more aware of the threats. According to a recent CSIA survey of likely U.S. voters, 97 percent of those polled said that they rate identity theft as a serious problem, while 93 percent said they saw spyware as a serious concern. Furthermore, fear of identity theft is keeping 48 percent of those polled from making purchases online, the survey found.
"I mean half of the market is not engaged in e-commerce!" Kurtz says. "It goes to show that these problems have potentially long-term implications."
By motivating the private sector to take action against cyberthreats, CSIA hopes its work will have a ripple effect on public sector practices.
"We need to raise these issues, but at the same time we need to make sure that the government doesn't overreact," Kurtz says.
Industry Leads
Overregulation is a concern for the industry. The sector is looking for strong government leadership on IT security issues, but at the same time many of those polled by the CSIA don't trust the U.S. Congress to do what's right for the Internet, Kurtz says.
"There's a lot of debate about the roles and responsibility of government and industry in information security. This is one of the things we are trying to work out," he says.
Overall, the CSIA is promoting a holistic approach to security and is willing to work with the variety of concerned players, Kurtz says. In Europe, for instance, it has begun working with agencies such as the EU's Article 29 working party on data protection.
"We are in Europe to take the next step and really think about these issues more broadly," Kurtz says. The association expects to eventually extend into Asia, with the goal of establishing a global organization.
"So often the U.S. rides in to 'save the day,' but we do not want to bring a U.S. solution--we want to bring a harmonized solution," Kurtz says.
