SIIA Applauds Passage of Cybersecurity Legislation in House

SIIA commends today’s House passage of the Cybersecurity Intelligence Sharing and Protection Act (CISPA, H.R. 3523). With cyber threats more sophisticated and targeted than ever, and growing at an unprecedented rate, now is the time to act on critical cybersecurity legislative priorities. We believe the top priority is to establish a framework that enables the public and private sectors to work together in sharing information on known threats and vulnerabilities. H.R. 3523 would accomplish the vital objective of early detection and notification of cybersecurity threats. This is the most critical component of preventing and mitigating attacks, and will increase security across the board.

As important as this bill is, information sharing alone is not enough to protect the nation from cyber threats. SIIA continues to support quick passage of other key measures before the House that address the nation’s most pressing cybersecurity challenges while preserving innovation. These measures include:

• HR 4257 to reform the Federal Information Security Management Act (FISMA), and
• HR 2096 and HR 3834 to provide for additional cybersecurity R&D.

A strong and responsive cybersecurity system that doesn’t add burdensome regulation will make everyone more secure and keep our country at the forefront of tech innovation.


Ken Wasch is President of SIIA.

Mobile Payments Get Currency

The FTC is looking at mobile payments this Thursday, an event that caps several weeks of intense attention to this innovative new technology by policymakers. In March the House Financial Services Committee and the Senate Banking Committee held hearings. And the Internet Caucus held a Congressional briefing, which I chaired.

Several years ago a study by ITIF highlighted mobile payment’s opportunities for efficiencies, growth and innovation. It wondered why it hadn’t taken off in the US the way it had in other jurisdictions such as Japan and Korea. Since then Square, Intuit, Google, ISIS and PayPal have all ramped up their efforts to bring the new service to consumers and retailers in an attractive, easy-to-use package. The majority of Americans will be embracing mobile payments by 2020, a Pew Internet study found last week.

The benefits are enormous. Mobile payment technology means faster checkout, more throughput for merchants, the opportunity to send and receive offers and promotions, greater security, and a platform for new innovative services that haven’t been created yet.

It is worth pausing on the benefits of increased security. Unlike traditional magnetic stripe payment card transactions, mobile payments use a different security code for each transaction. Even if the transaction data is compromised, it cannot be used to make a counterfeit card that would work at the point of sale. This takes the merchant system out of harm’s way and reduces risk to cardholders. Mobile payments implemented on a smartphone can also be protected by a password or PIN, adding barriers to illicit use of a lost or stolen phone. If asked to choose based on security, shoppers would be smart to use mobile payments over traditional cards.
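The contrast drawn above, as an added example that is not from the post and does not model any payment network’s actual scheme: a static magnetic-stripe record is compared with a simplified per-transaction code (an HMAC over a device counter and the transaction details) and the issuer-side check that rejects a captured transaction when it is presented again. The key, field layout and counter rule are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed demo secret. A real per-device key stays in the phone's secure
# element and at the issuer; it is inlined here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def static_track_data(pan: str) -> str:
    """Magnetic-stripe model: the card presents the same bytes at every checkout."""
    return f"{pan}|exp=1215|svc=101"


def verify_static(issuer_record: str, presented: str) -> bool:
    """A stripe-only issuer can only check that the presented data equals its record."""
    return hmac.compare_digest(issuer_record, presented)


def transaction_code(key: bytes, counter: int, amount_cents: int, merchant_id: str) -> str:
    """Per-transaction code: an HMAC over a monotonic counter and the transaction details."""
    msg = f"{counter}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Issuer-side authorization for the dynamic-code model."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0  # highest counter accepted so far for this device

    def authorize(self, counter: int, amount_cents: int, merchant_id: str, code: str) -> bool:
        if counter <= self.last_counter:  # counter did not advance: a replay
            return False
        expected = transaction_code(self.key, counter, amount_cents, merchant_id)
        if not hmac.compare_digest(expected, code):  # code is bound to other details
            return False
        self.last_counter = counter
        return True


def replay_results() -> dict:
    """Capture one transaction under each model and report what the issuer accepts afterwards."""
    # Static model: whatever a compromised terminal saw is enough to present the card again.
    record = static_track_data("4000000000000002")  # constructed test PAN
    static_replay_ok = verify_static(record, record)

    # Dynamic model: a complete, genuine transaction is captured ...
    issuer = Issuer(DEMO_KEY)
    captured = dict(counter=1, amount_cents=1999, merchant_id="M-001")
    captured["code"] = transaction_code(DEMO_KEY, 1, 1999, "M-001")
    genuine_ok = issuer.authorize(**captured)
    # ... and presented again verbatim, at another merchant, and with a fresh counter.
    same_replay = issuer.authorize(**captured)
    other_merchant = issuer.authorize(1, 1999, "M-999", captured["code"])
    bumped_counter = issuer.authorize(2, 1999, "M-001", captured["code"])
    # The legitimate device's next purchase is still accepted.
    next_ok = issuer.authorize(2, 500, "M-002", transaction_code(DEMO_KEY, 2, 500, "M-002"))
    return dict(static_replay_ok=static_replay_ok, genuine_ok=genuine_ok,
                same_replay=same_replay, other_merchant=other_merchant,
                bumped_counter=bumped_counter, next_ok=next_ok)
```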

Some have suggested that mobile payments create increased privacy risks because new information would be available to new players. But these risks are speculative and are being addressed in advance by market players who design their systems to be privacy-protective. They know that the market will only work on the basis of trust, careful handling of personal information, and a compelling user experience.

Mobile payment providers collect location information from their users, but only with affirmative consent. Product specific information isn’t collected at all and so cannot be added to a consumer profile to target ads. Cell phone and email information are available to mobile payment service providers at the time of sign up, but are not transferred to third parties such as retailers. Mobile payment services are savvy enough to avoid the mistake of allowing secret, undesirable acquisition of contact information by third parties. Under the Google Wallet rules, for example, contact information could not be disclosed to a retailer for marketing or advertising purposes without affirmative consent.

The privacy default for mobile payments is that consent is needed for any sharing of consumers’ personal information for marketing purposes. Industry participants have set up their systems with this requirement for consent as the default. This privacy-by-default approach renders concerns about privacy violations more theoretical than real. Mobile payment users can feel confident that they can enjoy the conveniences and added security and usefulness of mobile payments without worrying about privacy violations.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

SIIA Joins Call for Narrow, Bipartisan Cybersecurity Legislation

SIIA today announced its endorsement of three bipartisan measures to make improvements to cybersecurity. SIIA joined with the Information Technology Industry Council (ITI) and other trade associations representing a broad range of U.S. companies in a letter to Speaker John Boehner and Minority Leader Nancy Pelosi supporting this major national security priority. The measures seek to bring to bear the resources of U.S. companies to protect personal information.

SIIA urges Congress to pass legislation on the following issues that would immediately enhance our cybersecurity posture:

• Improved information sharing through HR 3523;
• Reform of Federal Information Security Management Act (FISMA) through HR 4257;
• Additional cybersecurity R&D through HR 2096 and HR 3834.

Passing these bipartisan measures, which are expected to be taken up in the House of Representatives next week, will improve public and private cybersecurity infrastructure without adding unnecessary expense or bureaucracy.

SIIA has long called for a measured, collaborative approach to cybersecurity legislation in order to protect consumers while allowing companies to continue to innovate. These bills tackle important security issues without adding excessive regulation or bureaucracy that could stifle American technology leadership. They will allow industry to work closely with government to ensure aggressive security that is flexible enough to keep up with the speed and sophistication of today’s cyber attacks.


Ken Wasch is President of SIIA.

SIIA Applauds Progress of Senate Cybersecurity Legislation

With cyber threats more sophisticated and targeted than ever, and growing at an unprecedented rate, now is the time to act on critical cybersecurity legislative priorities. We are pleased to see that Sens. Lieberman, Collins, Rockefeller and Feinstein have made significant progress in striking a balance between preserving innovation and identifying and regulating critical infrastructure.

SIIA continues to believe that cybersecurity legislation could potentially do more harm than good if not done carefully. A regulatory approach would not necessarily make organizations more secure, just more compliant. It is imperative that Congress preserves the ability of technology companies to quickly develop and deploy technology that can detect, prevent and mitigate cybersecurity threats.

We urge swift, bipartisan support for legislation that advances critical cybersecurity priorities and immediately enhances our preparedness. As we identified in a recent letter to Sen. Reid, there are multiple cybersecurity objectives that enjoy strong bipartisan support in the House and Senate, such as enhancing information sharing between the public and private sectors, reforming FISMA, encouraging increased cybersecurity research and ensuring that law enforcement has adequate tools and criminal penalties to protect against cyber crimes.

SIIA is committed to the goal of enacting legislation that will establish a meaningful national framework for data security and for breach notification, and we look forward to continuing to work with Congressional leaders to reach consensus.


Katie Carlson
Ken Wasch is President of SIIA.

Now is the Time to Act Swiftly, Enact Key Cybersecurity Objectives

SIIA offered its views to the Senate on cybersecurity on Tuesday, in a letter to Sen. Majority Leader Harry Reid (D-NV) in advance of the imminent Senate consideration of cybersecurity legislation.

Our members are dedicated to strengthening the nation’s IT infrastructure and protecting against growing cyber threats. These threats are more sophisticated and targeted than ever and are growing at an unprecedented rate. We know that as a nation, we can’t afford to delay advanced protection and instantaneous remediation.

That’s why SIIA believes that the most effective course of action is to focus in the short term on several critical priorities that enjoy broad bipartisan consensus. These key priorities are:

o Enhance information sharing between the public and private sectors,
o Reform the Federal Information Security Management Act of 2002 (FISMA),
o Enhance and improve law enforcement tools and criminal penalties for cybercrimes, and
o Encourage increased cybersecurity research.

At the same time, SIIA believes that some complex issues of cybersecurity are not nearly as close to broad consensus. Including them in a comprehensive bill would give them short shrift and potentially slow down the bill’s adoption; most importantly and worryingly, the proposals advanced to date on some of these issues would seriously hinder the very innovation that is our best tool against cyber threats. Securing the Nation’s public and private IT networks will require the attention of Congress, the Administration and industry for the weeks, months and years ahead. It’s not something that can or should be achieved with one piece of legislation. Some of these complex issues include:

o Provide a national framework for data security and data breach notification,
o Designate and protect “covered critical infrastructure” (CCI),
o Clarify the role and authorities of the Department of Homeland Security (DHS),
o Ensure the security of the U.S. IT supply chain, and
o Create incentives for individuals and businesses to enhance their cybersecurity preparedness.

In particular, SIIA would welcome forward movement on good data security and breach notification legislation. However, House and Senate consideration of this legislation in 2011 revealed many significant differences still needing to be resolved.

While SIIA does not support a heavy regulatory approach to cybersecurity, we do believe that positive incentives have a higher probability of success in two ways: a higher chance of better actual cybersecurity outcomes, and a higher probability of actually becoming law. The private sector responds to incentives, and aligning the interests of the private sector with the outcomes that are in the national interest makes sense. Furthermore, positive incentives (rather than negative ones) are clearly the most effective way to drive higher levels of trust and actual cooperation between the private sector and government – vital things needed to produce real success. SIIA strongly supports exploring positive incentives for individuals and businesses of all sizes as a long-term ongoing approach to securing the Nation’s IT infrastructure.

We are hopeful that the Senate can pass cybersecurity legislation that will quickly address some of the most critical threats to our nation’s IT infrastructure. SIIA members – whose companies work tirelessly to develop and deploy cutting edge cybersecurity solutions – will continue to actively engage policymakers to rapidly enact legislation that promotes technological innovation as the key to better cybersecurity.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

Congress: Let’s Battle Cyber Crime Together

Cyber threats are more sophisticated and targeted than ever and are growing at an unprecedented rate, and it makes sense that Congress is paying more attention to such a significant issue.

Today, the House Small Business Committee held a cyber hearing on protecting small businesses, where Phyllis Schneck, Vice President for McAfee, Inc., testified on behalf of SIIA. And yesterday, Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) unveiled new bipartisan cyber security legislation to provide the government “the authority to share classified cyber threat information on potential attacks with approved American companies.”

There’s no doubt that American companies need help dealing with cyber crime. McAfee Labs finds, for example, that both malicious URLs and malware have grown almost six-fold in the last two years, and that 2010 saw more new malware than all previous years combined. Likewise, cyber crime perpetrators have evolved from simple, low-budget, hackers into well-financed criminal operations that contribute to a multi-million dollar cyber crime industry.

But Congress must be careful to allow companies to attack cyber crime head-on, without limiting their ability to innovate and grow.

There are two schools of thought on government’s role in achieving a desired outcome: one that posits that regulatory mandates are the best way to incent good behavior (in this case, strong cyber security measures); and, alternatively, one that asserts that positive outcomes are best achieved via positive incentives.

The heavily regulatory approach would not necessarily make organizations more secure – just more compliant. And it would dampen innovation too. On the other hand, positive incentives have a higher probability of success in two ways: a higher chance of better actual outcomes, and a higher probability of producing legislative success. The private sector responds to incentives, and aligning the interests of the private sector with the outcomes that are in the national interest makes sense. Doing so could also provide rare proof that the phrase “win-win” is not always a cliché.

Positive incentives are clearly the most effective way to drive higher levels of trust and actual cooperation between the private sector and government – vital things needed to produce real success.

Learn more about today’s testimony on McAfee’s blog.


Laura Greenback is Communications Director at SIIA.

Botnets are Best Addressed with Multi-stakeholder Approach

Today, SIIA filed comments in the Departments of Commerce and Homeland Security’s proceedings geared toward addressing the problems of botnets and other malware. The harm from malicious software is well known: it can turn computers into elements of a robot network (or botnet) that outside entities can activate to launch denial of service attacks, send spam, or harvest personal information. The extent of the problem is hard to quantify, but in the aggregate it undoubtedly imposes substantial economic costs on individuals and enterprises.

SIIA’s comments are in response to a process set in motion in September, when the Departments of Commerce and Homeland Security set out to craft a framework to address botnets and malware. The proceeding got a boost in October, when Howard Schmidt, Cybersecurity Coordinator for the Obama Administration, and Cameron Kerry, General Counsel for the U.S. Department of Commerce appeared at an event held by the Center for Strategic and International Studies focused on the need for public/private collaboration in fighting malware.

We endorse the fundamental idea of a voluntary approach, in which the government brings together relevant parties to confer on best practices. Our comments support multi-stakeholder discussions on how the private sector can develop and maintain timely and voluntary programs to detect and notify end-users that their machines have been infected with botnets or other malware, and provide mitigation support that will eliminate these infections. SIIA wants to be part of these ongoing discussions.

Collaboration and cooperation between the public and private sector are key to addressing the problem in a holistic way. Some suggest a government role to subsidize the notification and mitigation efforts needed to clean up infected computers. In this model, researchers inform network companies (or the companies become aware through their own traffic monitoring) of the IP addresses of infected computers on their networks. The network companies contact the customer whose computer appears to be infected and offer a government-sponsored clean-up scheme, which the customer is entitled to use if they wish. Australia, Japan and Germany provide collaborative frameworks that follow this rough model.
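The notification model in the paragraph above, as an added example that is not from the post or from any of the national programs it names: a constructed researcher feed of infected-host sightings is matched against constructed ISP lease records, using the sighting timestamp so that a dynamically reassigned address is attributed to the subscriber who actually held it. The feed format, lease format and account names are assumptions.

```python
from datetime import datetime, timezone

# Constructed researcher feed: sightings of infected hosts, e.g. from a sinkhole
# that the bots beacon to. Addresses are taken from documentation ranges.
RESEARCHER_FEED = [
    {"ip": "198.51.100.23", "seen": "2011-11-04T10:15:00Z", "family": "botnet-A"},
    {"ip": "198.51.100.23", "seen": "2011-11-04T22:40:00Z", "family": "botnet-A"},
    {"ip": "203.0.113.9", "seen": "2011-11-04T11:00:00Z", "family": "botnet-B"},
]

# Constructed ISP lease history: which subscriber held which address, and when.
# The same address changes hands at 20:00, so matching on the address alone
# would notify the wrong customer for the second sighting.
LEASES = [
    {"ip": "198.51.100.23", "account": "sub-1001",
     "start": "2011-11-04T08:00:00Z", "end": "2011-11-04T20:00:00Z"},
    {"ip": "198.51.100.23", "account": "sub-2002",
     "start": "2011-11-04T20:00:00Z", "end": "2011-11-05T08:00:00Z"},
]


def parse_ts(s: str) -> datetime:
    """Feed and lease timestamps are UTC; parse them as aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subscriber_at(ip: str, seen: str, leases: list):
    """Return the account that held `ip` at time `seen`, or None if no lease covers it."""
    t = parse_ts(seen)
    for lease in leases:
        if lease["ip"] == ip and parse_ts(lease["start"]) <= t < parse_ts(lease["end"]):
            return lease["account"]
    return None


def build_notifications(feed: list, leases: list):
    """Group sightings by subscriber; sightings with no lease are returned for follow-up."""
    notices = {}
    unmatched = []
    for s in feed:
        acct = subscriber_at(s["ip"], s["seen"], leases)
        if acct is None:
            unmatched.append(s)  # not our address at that time, or lease data missing
            continue
        notices.setdefault(acct, set()).add(s["family"])
    return notices, unmatched


def notification_text(account: str, families: set) -> str:
    """Customer-facing notice offering the opt-in clean-up service the post describes."""
    names = ", ".join(sorted(families))
    return (f"[{account}] A device on your connection appears to be infected ({names}). "
            "A sponsored clean-up service is available if you wish to use it.")
```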

In the United States, search engines are already taking steps to warn users that their computers might be infected. In July 2011, Google discovered that some unusual traffic connecting to its search engine was caused by computers infected with a specific strain of malware. Google responded by displaying a prominent warning at the top of its search results page when it appeared that a user’s computer was infected with this malware.

Despite these efforts, SIIA believes that there would be great benefit from further discussion of collaborative efforts to address this problem. We have several points to further the discussion:

*  A voluntary code of conduct approach is preferable to regulatory intervention.
*  ISPs need to be involved because they have a privileged role in the infrastructure.
*  Other participants should include security firms, search engines and computer services companies.

SIIA welcomes this facilitation role in the case of collaborative efforts to manage the botnet problem. We urge that the agencies act as the convener and facilitator, providing a platform for the airing and discussion of the views of industry, non-governmental organizations, technical experts and international participants. We also want to make sure that the codes that emerge from this process are voluntary self-regulatory standards, not de facto regulatory mandates.

For further discussion of the general problem of botnets, see Tyler Moore, Richard Clayton, and Ross Anderson, Economics of Online Crime, Journal of Economic Perspectives, Volume 23, Number 3, Summer 2009, Pages 3–20. See also Symantec and McAfee, Botnets Demystified and Simplified.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.