SIIA Says Proposed EU Cybersecurity Strategy is too Prescriptive and Overly Broad

In reaction to today’s European Union cybersecurity announcement, SIIA is concerned that the new strategy is too broad in the scope of industries to be covered and will threaten innovation. In response, I issued the following statement:

SIIA commends the European Commission for conducting a thoughtful, comprehensive review of network and information security across the European Union. There is a critical need to focus on the best cybersecurity practices that will help protect governments, businesses and citizens around the world from increasingly sophisticated cyber-attacks.

However, we are concerned about the scope of the Commission’s regulatory approach.  It is overly broad, too prescriptive and threatens to suppress the very innovation that will help businesses, governments and citizens anticipate and address changing cybersecurity threats.

The proposal’s cybersecurity performance requirements will likely lead to technical mandates and rigid regulatory standards and reporting obligations.  Its scope goes well beyond critical infrastructure, where the harms from cyber-attacks are the greatest.  In doing so, it threatens to engulf a broad range of other industries, thereby wasting scarce security resources on areas where the dangers are not urgent.

Today’s cyber threats are global and ever-changing – rigid, far-reaching regulations will almost certainly do more harm than good.  SIIA supports policies that provide the necessary flexibility to keep up with rapid technological developments pertaining to both threats and protections.  SIIA and its member companies look forward to working with the Commission as it considers this proposal and possible amendments.


Ken Wasch is President of SIIA. Follow the SIIA Policy team on Twitter at @SIIAPolicy.

SIIA Announces Commitment to Data-Driven Innovation as a Top Policy Priority in 2013

The SIIA Government Affairs Council met Wednesday to outline the organization’s policy priorities for 2013.  In addition to identifying the specific initiatives it will pursue in the year ahead, SIIA and its member companies expressed a commitment to making data-driven innovation a top policy priority in the year ahead.  The SIIA Government Affairs Council includes: Reed Elsevier, IBM, Adobe, Cengage, Dow Jones, Intuit,  Kaplan, Kiplinger, Google, McGraw Hill Education, McGraw Hill Financial, Oracle, Pearson, Red Hat, SAS, and Thomson Reuters.

A key theme unifying the work of SIIA on behalf of its members is an increased focus on advancing the effective collection and positive use of data. It is essential that public policy recognizes that innovation and business strategies are increasingly driven by data. Importantly, data-driven innovation not only holds the promise of advancing economic opportunity and jobs, but of providing tremendous consumer and societal benefits.

With so much at stake, SIIA is committed to actively promoting the economic and social value of data-driven innovation. Our efforts will involve direct outreach to legislators, along with a White Paper that includes recommendations for policymakers and governments. Our goal is to make certain that public policy helps enable the tremendous societal and economic benefits of data-driven innovation.

With members in both technology and information services, SIIA is uniquely positioned to highlight and address the public policy issues that arise from the increased salience of data-driven innovation. We began to focus more strongly on this issue in 2012, and it will be an even more important part of our work in 2013.

SIIA also announced its general tech policy priorities for 2013, along with policy priorities in the areas of intellectual property, public sector IT, and education technology.

Maintain Cybersecurity Spending

A recent article in Politico warned that cybersecurity could be a casualty of a sequester ax. The problem is that without a change in course, the federal budget is headed for a uniform across-the-board reduction, and that would include the multiple programs that carry out our nation’s responsibilities for protecting federal networks, staving off foreign cyber attacks and researching new technologies. As Politico put it: “Many of those initiatives would be hit hard by deep cuts beginning in 2013 unless Congress pushes back the target date for its legally mandated cuts, exempts some categories of spending or does away entirely with its fallback, deficit-reduction plans.”

And then the news hit that the White House itself had been the target of a cyber attack. Fortunately, this time, no classified systems were compromised and no data was extracted.  This time.

It is not often that events illustrate so vividly the risks to the nation in continuing an unacceptable compromise policy.  No one really wants a sequester, and no one really wants the consequences that would flow from one. Policymakers need to do what it takes to avoid it.

But failing that, the Administration should find a way to prioritize cyber security spending.  Congress did not agree on all aspects of the stalled cybersecurity legislation, but they did agree that more Federal funding for cyber security programs and research was an urgent national priority. Sequester planning should maintain that priority.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow the SIIA Public Policy team on Twitter at @SIIAPolicy

The Value of Large-Scale Data Collection and Analysis: BotNet Prevention

At today’s White House event on Stopping Botnets, Michael DeCesare, Co-President of McAfee, made a compelling case for the value of large-scale data analysis in botnet prevention.

“We’re often asked what can be done to combat botnets, and here is the basic answer: We need to make sure that individual machines are not infected in the first place. We need to do this by delivering security faster than our adversaries deliver malware… Indeed, having real-time visibility into emerging threats and a comprehensive view across the threat landscape is a powerful means of defeating botnets, which can multiply extremely quickly. One robust technology that enables this real-time global visibility is called Global Threat Intelligence. With Global Threat Intelligence, millions of sensors scan the Internet across the globe and feed back real-time data on botnets and other threats. This data is instantaneously correlated and fed back into security products, delivering real-time protection to customers, as we identify and block the malicious files, IPs and URLs used by the botnets. With even more threat data from more security organizations fed into this network, customers would get even more comprehensive visibility into the quickly changing patterns of botnet infestations and could take immediate steps to counter them.”

Mr. DeCesare’s comment at the White House today echoes what all security professionals know: constant monitoring of the Internet by security firms and real-time analysis of the vast quantities of data collected is absolutely vital to the fight against infected computers and other cybersecurity threats.

Other companies also collect and analyze Internet data for the purpose of cybersecurity threat detection. Google recently launched a notification effort for users of computers and routers infected with the DNSChanger malware. Users will see a message at the top of the Google search results page. Without the compilation and analysis of vast amounts of Internet information such a notification project could not even get off the ground.

The problem is enormous. According to McAfee’s latest quarterly report, more than 5 million systems were infected with botnets per month between January and March of 2012. The collection and analysis of massive amounts of Internet data for security threats cannot by itself solve this worldwide collective problem. But without it, efforts to reduce the problem will surely fail.

At the White House meeting today, speakers emphasized the need for public-private partnerships, collaboration across industry, the need for all agents in the ecosystem to do their part, and the importance of the government as a convener of collective effort. While all this is important and can be done with additional regulation, the domestic and international policy space must be large enough to accommodate the needs of security firms to collect and analyze large amounts of Internet data.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

SIIA, Industry Gather at White House to Pledge Leadership Role in Stopping Botnets

At a White House event today, the Software & Information Industry Association (SIIA) expressed a commitment to working with the Administration to address the growing dangers posed by botnets. SIIA is part of a multi-industry group that today announced its Principles for Voluntary Efforts to Reduce the Impact of Botnets in Cyberspace. SIIA President Ken Wasch and representatives of other industry groups were joined by Cybersecurity Coordinator Howard Schmidt, Secretary of Homeland Security Janet Napolitano, other administration officials and industry leaders including Michael DeCesare, CEO of McAfee.

As the leading organization representing software and digital media companies, SIIA and its members are at the forefront of the fight against botnets and other forms of Internet security threats. For example, McAfee provides a suite of tools for consumers and businesses to keep their systems free of infections and to remove malware and botnets from their infected systems. And Google recently launched a notification effort for users of computers and routers infected with the DNSChanger malware.

SIIA is committed to addressing botnet security threats by working collaboratively with the government and by promoting the work of our members. It is vital that industry and government work together to ensure that public policy encourages private sector innovation and flexibility. After all, it is the products and tools produced by companies such as McAfee and Google that are empowering consumers and businesses to fight Internet security threats.

To that aim, SIIA is part of the Industry Botnet Group (“IBG”), which was formed earlier this year to collaborate on and encourage voluntary efforts to reduce the effectiveness of botnets. Botnets infect computers, threatening the trust and confidence of online users and undermining the efficiencies and economic growth spurred by the Internet. The IBG’s principles call on Internet participants to coordinate and communicate with each other and voluntarily work to fight the effectiveness of botnets across the botnet lifecycle. More information is available at www.industrybotnetgroup.org.


Ken Wasch is President of SIIA.

SIIA Applauds Passage of Cybersecurity Legislation in House

SIIA commends today’s House passage of the Cybersecurity Intelligence Sharing and Protection Act (CISPA, H.R. 3523). With cyber threats more sophisticated and targeted than ever, and growing at an unprecedented rate, now is the time to act on critical cybersecurity legislative priorities. We believe the top priority is to establish a framework that enables the public and private sectors to work together in sharing information on known threats and vulnerabilities. H.R. 3523 would accomplish the vital objective of early detection and notification of cybersecurity threats. This is the most critical component of preventing and mitigating attacks, and will increase security across the board.

As important as this bill is, information sharing alone is not enough to protect the nation from cyber threats. SIIA continues to support quick passage of other key measures before the House to address the nation’s most pressing cybersecurity challenges, while preserving innovation. These measures include:

• HR 4257 to reform the Federal Information Security Management Act (FISMA),
• HR 2096 and HR 3834 to provide for additional cybersecurity R&D.

A strong and responsive cybersecurity system that doesn’t add burdensome regulation will make everyone more secure and keep our country at the forefront of tech innovation.


Ken Wasch is President of SIIA.

Mobile Payments Get Currency

The FTC is looking at mobile payments this Thursday, an event that caps several weeks of intense attention to this innovative new technology by policymakers. In March the House Financial Services Committee and the Senate Banking Committee held hearings. And the Internet Caucus held a Congressional briefing, which I chaired.

Several years ago a study by ITIF highlighted mobile payments’ opportunities for efficiencies, growth and innovation. It wondered why they hadn’t taken off in the US, the way they had in other jurisdictions such as Japan and Korea. Since then Square, Intuit, Google, ISIS and PayPal have all ramped up their efforts to bring the new service to consumers and retailers in an attractive, easy-to-use package. The majority of Americans will be embracing mobile payments by 2020, a Pew Internet study found last week.

The benefits are enormous. Mobile payment technology means faster checkout, more throughput for merchants, the opportunity to send and receive offers and promotions, greater security, and a platform for new innovative services that haven’t been created yet.

It is worth pausing on the benefits of increased security. Unlike traditional magnetic stripe payment card transactions, mobile payments use a different security code for each transaction. Even if the transaction data is compromised, it cannot be used to make a counterfeit card that would work at the point of sale. This takes the merchant system out of harm’s way and reduces risk to cardholders. Mobile payments implemented on a smartphone can also be protected by a password or PIN number, adding barriers to illicit use of a lost or stolen phone. If asked to choose based on security, shoppers would be smart to use mobile payments over traditional cards.

Some have suggested that mobile payments create increased privacy risks because new information would be available to new players. But these risks are speculative and are being addressed in advance by market players who design their systems to be privacy-protective. They know that the market will only work on the basis of trust, careful handling of personal information, and a compelling user experience.

Mobile payment providers collect location information from their users, but only with affirmative consent. Product-specific information isn’t collected at all and so cannot be added to a consumer profile to target ads. Cell phone and email information are available to mobile payment service providers at the time of sign-up, but are not transferred to third parties such as retailers. Mobile payment services are savvy enough to avoid the mistake of allowing secret, undesirable acquisition of contact information by third parties. Under the Google Wallet rules, for example, contact information could not be disclosed to a retailer for marketing or advertising purposes without affirmative consent.

The privacy default for mobile payments is that consent is needed for any sharing of consumers’ personal information for marketing purposes. Industry participants have set up their systems with this requirement for consent as the default. This privacy-by-default approach renders concerns about privacy violations more theoretical than real. Mobile payment users can feel confident that they can enjoy the conveniences and added security and usefulness of mobile payments without worrying about privacy violations.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.