Cybersecurity group knocks US government efforts

The U.S. government has made little progress in most cybersecurity areas in the past year, despite warnings from several groups, a trade group representing cybersecurity vendors said Tuesday.

The U.S. Department of Homeland Security (DHS) has failed to hire an assistant secretary for cybersecurity even though DHS Secretary Michael Chertoff announced an elevated position in July, and cybersecurity research and development within the U.S. government is “at a crisis,” said Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA).

The U.S. government has a “special role” to play in promoting and modeling cybersecurity, he said.

“The bottom line is there continues to be a lack of leadership, hard work and execution when it comes to securing the information infrastructure,” Kurtz said. “Let me be clear: We are not seeking to condemn the government or those currently involved in cybersecurity. They have good intentions. However, execution is what counts in the end.”

CSIA also released a survey showing significant consumer concerns about online safety and graded the U.S. government on 12 cybersecurity priorities that the group released in December 2004. The group gave the U.S. government six “D” grades and one “F” on seven of the 12 priorities. Only one priority received a grade higher than a “C.”

A DHS spokesman wasn’t immediately available for comment on the CSIA report.

One high-ranking Democrat used the CSIA report to criticize DHS in a statement released Tuesday. “Where is the government’s leadership on cybersecurity?” said Representative Bennie Thompson of Mississippi, the ranking Democrat on the U.S. House Committee on Homeland Security. “How long will the nation have to wait? I, for one, hope Mr. Chertoff doesn’t wait until a cyberattack causes billions of dollars in damages or results in lost lives before he decides to appoint an assistant secretary to take charge of our nation’s cyber crisis.”

CSIA gave the government a “B” for making progress toward ratifying the Council of Europe’s Convention on Cybercrime. In July, the U.S. Senate Foreign Relations Committee approved the document, which would allow greater international cooperation in cybercrime investigations, but the full Senate has not taken a vote.

Europe’s cybercrime laws are “light years ahead” of those in the U.S., said Phillip Dunkelberger, president and chief executive officer of CSIA member PGP Corp.

Among those CSIA priorities earning “D’s”: direct a federal agency to track costs of cyberattacks; promote cybersecurity corporate governance in the private sector; and strengthen information sharing between the government and private sector. There’s been “little action” in the federal government on those priorities in the past year, CSIA said.

In the survey, done in November by CSIA and Pineda Consulting, respondents were asked to rate the safety of networks and services on a scale from one to 10, with 10 the safest. The average safety score for the Internet was 4.9, and consumer data also scored at 4.9. Health data and financial networks scored slightly better, both at 5.2.

The survey of 1,151 U.S. adults found 48 percent of Internet users avoid making purchases online because of concerns about information security. Sixty-five percent of respondents agreed that the U.S. government needs to give information security a higher priority, CSIA said.

CSIA members said they’re worried about a lack of consumer confidence in the Internet. “Assume that 48 percent of consumers were afraid to go to the mall because they could potentially be hijacked,” said Steve Solomon, chairman and chief executive officer of Citadel Security Software Inc. “What would Congress do then?”

CSIA released 13 cybersecurity recommendations for the U.S. government going forward. The list, with many items repeated from CSIA’s 2004 list, includes:

— Pass a national data breach notification bill.

— Pass a national spyware protection bill.

— Increase research and development funding for cybersecurity.

— Promote telework options for government employees, thus creating a backup network of computers for government agencies.

— Include cybersecurity planning as the U.S. government moves toward Internet Protocol version 6 (IPv6), a more full-featured replacement for the current IPv4.

The full CSIA report is available at: https://www.csialliance.org/StateofCyberSecurity2006/Information_Security_Report.PDF.