National Cyber Security Day is a well-kept secret

U.S. residents adjusting to the daylight savings time change will have to be forgiven for sleeping through much of National Cyber Security Day on Sunday. The semi-annual event passed with nary a mention, even as antivirus software companies warned customers of yet another virulent e-mail worm.

A spokesman for the National Cyber Security Alliance, a government-industry group that sponsors the event said the group is doing a good job of communicating with the public. However, the lack of fanfare on Sunday had at least one computer security expert wondering about the effectiveness of industry-led efforts to address cybersecurity and improve the security of the U.S.’s information technology infrastructure.

First held in 2002, the semi-annual National Cyber Security Days are coordinated with daylight savings in April and October in the U.S. and are intended to raise the public’s awareness of cybersecurity issues and promote safe online practices, said Keith Nahigian, a spokesman for the alliance.

In the past, the group has planned major news and events to coincide with its Cyber Security Days. In October, the Alliance held a press conference to announce the award of a US$650,000 matching grant from the U.S. Department of Homeland Security (DHS) to fund a national advertising campaign promoting safe computing for Internet users and small business owners, Nahigian said.

However, no major news or initiatives were planned for Sunday, when the Alliance’s “big deliverable” was an updated list of “security tips” for computer users, which was published on the www.staysafeonline.info Web page, Nahigian said.

That list, which offers oft-heard advice such as “don’t open e-mail from unknown sources,” “use (antivirus) software,” and “back up your computer data” required multiple revisions and took “a lot of time” to complete, Nahigian said.

The group also released public service announcements for radio and worked with universities, including Rutgers in New Jersey and George Mason University in Virginia, to hold security education and awareness events, he said.

Asked about the school’s involvement with Cyber Security Day, a spokeswoman for George Mason University cited an article dated March 26 from the school’s student newspaper that said the school would hold a series of seminars on subjects like “Desktop Strategies to Secure Your Cyber Space” and “Filesharing: Music, Movies, Software–How to Avoid Being Subpoenaed,” in coordination with National Cyber Security Day.

For the most part, the job of marking Cyber Security Day fell to alliance members such as Symantec Corp., America Online Inc. (AOL) and the U.S. Federal Trade Commission (FTC), Nahigian said.

“Individual (member) companies are doing stuff,” he said, citing announcements from Symantec and AOL.

The FTC released a statement with the alliance and the Council of Better Business Bureaus on April 2, encouraging small businesses to perform semiannual security audits and providing its own security checklist, which was almost identical to the alliance’s list.

A Symantec spokeswoman said that the company didn’t do any promotions for Cyber Security Day. AOL did not respond to a request for comment.

The alliance press release, dated April 1, includes quotes praising the alliance and Cyber Security Day from FTC Commissioner Orson Swindle and Amit Yoran, DHS’s National Cyber Security Division director. However, the statement is short on new information. Instead, it rehashes well-worn programs such as the FTC’s September 2002 educational initiative featuring “Dewie” the turtle, AOL’s educational instant messaging robot “AOLSafetyBot” and Symantec’s free “Symantec Security Check,” when describing “sponsor activities” for the latest National Cyber Security Day.

Cyber Security Day in April may have been the victim of intense planning for the next Cyber Security Day, in October, Nahigian said.

The group is planning something “very large” for that day that will include corporate and government involvement. “We’re really reaching out to the Hill,” he said, referring to Capitol Hill.

The low-key observance of Cyber Security Day in April belies an “overwhelming” amount of work behind the scenes on alliance task forces to device cybersecurity strategies, he said.

“Members of the alliance have been working across the board,” he said.

However, one cybersecurity veteran and an alliance member said he wasn’t even aware of the approaching Cyber Security Day and has doubts about the group’s effectiveness.

“I didn’t even know. I’m embarrassed,” said Alan Paller, research director of the SANS Institute when asked about the event on Monday.

“It is so ineffective at anything other than having meetings. … It’s hard to even guess what’s going on,” Paller said.

Projects like the www.staysafeonline.info Web site are a good idea, but add little to the work already being done by agencies like the FTC, Paller said. Paller also doubts whether improving user awareness — the ostensible purpose of the alliance — will make a difference while software security vulnerabilities persist.

“The software (alliance members) sell is so completely flawed (that) user education is useless,” he said.