SIIA Joins Call for Narrow, Bipartisan Cybersecurity Legislation

SIIA today announced its endorsement of three bipartisan measures to make improvements to cybersecurity. SIIA joined with the Information Technology Industry Council (ITI) and other trade associations representing a broad range of U.S. companies in a letter to Speaker John Boehner and Minority Leader Nancy Pelosi supporting this major national security priority. The measures seek to bring to bear the resources of U.S. companies to protect personal information.

SIIA urges Congress to pass legislation on the following issues that would immediately enhance our cybersecurity posture:

• Improved information sharing through HR 3523;
• Reform of Federal Information Security Management Act (FISMA) through HR 4257;
• Additional cybersecurity R&D through HR 2096 and HR 3834.

Passing these bipartisan measures, which are expected to be taken up in the House of Representatives next week, will improve public and private cybersecurity infrastructure without adding unnecessary expense or bureaucracy.

SIIA has long called for a measured, collaborative approach to cybersecurity legislation in order to protect consumers while allowing companies to continue to innovate. These bills tackle important security issues without adding excessive regulation or bureaucracy that could stifle American technology leadership. They will allow industry to work closely with government to ensure aggressive security that is flexible enough to keep up with the speed and sophistication of today’s cyber attacks.


Ken Wasch is President of SIIA.

SIIA Applauds Progress of Senate Cybersecurity Legislation

With cyber threats more sophisticated and targeted than ever, and growing at an unprecedented rate, now is the time to act on critical cybersecurity legislative priorities. We are pleased to see that Sens. Lieberman, Collins, Rockefeller and Feinstein have made significant progress in striking a balance between preserving innovation and identifying and regulating critical infrastructure.

SIIA continues to believe that cybersecurity legislation could potentially do more harm than good if not done carefully. A regulatory approach would not necessarily make organizations more secure, just more compliant. It is imperative that Congress preserves the ability of technology companies to quickly develop and deploy technology that can detect, prevent and mitigate cybersecurity threats.

We urge swift, bipartisan support for legislation that advances critical cybersecurity priorities and immediately enhances our preparedness. As we identified in a recent letter to Sen. Reid, there are multiple cybersecurity objectives that enjoy strong bipartisan support in the House and Senate, such as enhancing information-sharing between the public and private sectors, reforming FISMA, encouraging increased cybersecurity research and ensuring that law enforcement has adequate tools and criminal penalties to protect against cyber crimes.

SIIA is committed to the goal of enacting legislation that will establish a meaningful national framework for data security and for breach notification, and we look forward to continuing to work with Congressional leaders to reach consensus.


Katie Carlson

Ken Wasch is President of SIIA.

Now is the Time to Act Swiftly, Enact Key Cybersecurity Objectives

SIIA offered its views to the Senate on cybersecurity on Tuesday, in a letter to Sen. Majority Leader Harry Reid (D-NV) in advance of the imminent Senate consideration of cybersecurity legislation.

Our members are dedicated to strengthening the nation’s IT infrastructure and protecting against growing cyber threats. These threats are more sophisticated and targeted than ever and are growing at an unprecedented rate. We know that as a nation, we can’t afford to delay advanced protection and instantaneous remediation.

That’s why SIIA believes that the most effective course of action is to focus in the short term on several critical priorities that enjoy broad bipartisan consensus. These key priorities are:

o Enhance information sharing between the public and private sectors,
o Reform of the Federal Information Security Management Act of 2002 (FISMA),
o Enhance and improve law enforcement tools and criminal penalties for cybercrimes, and
o Encourage increased cybersecurity research.

At the same time, SIIA believes that some complex issues of cybersecurity are not nearly as close to broad consensus. Including them in a comprehensive bill would give them short shrift and potentially slow down the bill’s adoption; most importantly and worryingly, the proposals advanced to date on some of these issues would seriously hinder the very innovation that is our best tool against cyber threats. Securing the Nation’s public and private IT networks will require the attention of Congress, the Administration and industry for the weeks, months and years ahead. It’s not something that can or should be achieved with one piece of legislation. Some of these complex issues include:

o Provide a national framework for data security and data breach notification,
o Designate and protect “covered critical infrastructure” (CCI),
o Clarify the role and authorities of the Department of Homeland Security (DHS),
o Ensure the security of the U.S. IT supply chain, and
o Create incentives for individuals and businesses to enhance their cybersecurity preparedness.

In particular, SIIA would welcome forward movement on good data security and breach notification legislation. However, House and Senate consideration of this legislation in 2011 revealed many significant differences still needing to be resolved.

While SIIA does not support a heavy regulatory approach to cybersecurity, we do believe that positive incentives have a higher probability of success in two ways: a higher chance of better actual cybersecurity outcomes, and a higher probability of actually becoming law. The private sector responds to incentives, and aligning the interests of the private sector with the outcomes that are in the national interest makes sense. Furthermore, positive incentives (rather than negative ones) are clearly the most effective way to drive higher levels of trust and actual cooperation between the private sector and government – vital things needed to produce real success. SIIA strongly supports exploring positive incentives for individuals and businesses of all sizes as a long-term ongoing approach to securing the Nation’s IT infrastructure.

We are hopeful that the Senate can pass cybersecurity legislation that will quickly address some of the most critical threats to our nation’s IT infrastructure. SIIA members – whose companies work tirelessly to develop and deploy cutting edge cybersecurity solutions – will continue to actively engage policymakers to rapidly enact legislation that promotes technological innovation as the key to better cybersecurity.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

Congress: Let’s Battle Cyber Crime Together

Cyber threats are more sophisticated and targeted than ever and are growing at an unprecedented rate, and it makes sense that Congress is paying more attention to such a significant issue.

Today, the House Small Business Committee held a cyber hearing on protecting small businesses, where Phyllis Schneck, Vice President for McAfee, Inc., testified on behalf of SIIA. And yesterday, Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) unveiled new bipartisan cyber security legislation to provide the government “the authority to share classified cyber threat information on potential attacks with approved American companies.”

There’s no doubt that American companies need help dealing with cyber crime. McAfee Labs finds, for example, that both malicious URLs and malware have grown almost six-fold in the last two years, and that 2010 saw more new malware than all previous years combined. Likewise, cyber crime perpetrators have evolved from simple, low-budget hackers into well-financed criminal operations that contribute to a multi-million dollar cyber crime industry.

But Congress must be careful to allow companies to attack cyber crime head-on, without limiting their ability to innovate and grow.

There are two schools of thought on government’s role in achieving a desired outcome: one that posits that regulatory mandates are the best way to incent good behavior (in this case, strong cyber security measures); and, alternatively, one that asserts that positive outcomes are best achieved via positive incentives.

The heavily regulatory approach would not necessarily make organizations more secure – just more compliant. And it would dampen innovation too. On the other hand, positive incentives have a higher probability of success in two ways: a higher chance of better actual outcomes, and a higher probability of producing legislative success. The private sector responds to incentives, and aligning the interests of the private sector with the outcomes that are in the national interest makes sense. Doing so could also provide rare proof that the phrase “win-win” is not always a cliché.

Positive incentives are clearly the most effective way to drive higher levels of trust and actual cooperation between the private sector and government – vital things needed to produce real success.

Learn more about today’s testimony on McAfee’s blog.


Laura Greenback is Communications Director at SIIA.

Botnets are Best Addressed with Multi-stakeholder Approach

Today, SIIA filed comments in the Departments of Commerce and Homeland Security’s proceedings geared toward addressing the problems of botnets and other malware. The harm from malicious software is well known: it can turn computers into elements of a robot network (or botnet), which can be activated by outside entities to launch denial of service attacks, send spam, or harvest personal information. The extent of the problem is hard to quantify, but in the aggregate it undoubtedly imposes substantial economic costs on individuals and enterprises.

SIIA’s comments are in response to a process set in motion in September, when the Departments of Commerce and Homeland Security set out to craft a framework to address botnets and malware. The proceeding got a boost in October, when Howard Schmidt, Cybersecurity Coordinator for the Obama Administration, and Cameron Kerry, General Counsel for the U.S. Department of Commerce appeared at an event held by the Center for Strategic and International Studies focused on the need for public/private collaboration in fighting malware.

We endorse the fundamental idea of a voluntary approach, in which the government brings together relevant parties to confer on best practices. Our comments support multi-stakeholder discussions on how the private sector can develop and maintain timely and voluntary programs to detect and notify end-users that their machines have been infected with botnets or other malware and provide mitigation support that will eliminate these infections. SIIA wants to be part of these ongoing discussions.

Collaboration and cooperation between the public and private sector are key to addressing the problem in a holistic way. Some suggest a government role to subsidize the notification and mitigation efforts needed to clean up infected computers. In this model, researchers inform network companies (or the companies become aware through their own traffic monitoring activity) of the IP addresses of infected computers on their networks. The network companies communicate with the customer whose computer appears to be infected and offer them a government-sponsored clean-up scheme, which they are entitled to use if they wish. Australia, Japan and Germany provide collaborative frameworks that follow this rough model.

In the United States, search engines are already taking steps to warn users that their computers might be infected. In July 2011, Google discovered that some unusual traffic connecting to its search engine was caused by computers infected with a specific strain of malware. Google responded by displaying a prominent warning at the top of its search results page when it appeared that a user’s computer was infected with this malware.

Despite these efforts, SIIA believes that there would be great benefit from further discussion of collaborative efforts to address this problem. We have several points to further the discussion:

* A voluntary code of conduct approach is preferable to regulatory intervention.
* ISPs need to be involved because they have a privileged role in the infrastructure.
* Other participants should include security firms, search engines and computer services companies.

SIIA welcomes this facilitation role in the case of collaborative efforts to manage the botnet problem. We urge that the agencies act as the convener and facilitator, providing a platform for the airing and discussion of the views of industry, non-governmental organizations, technical experts and international participants. We also want to make sure that the codes that emerge from this process are voluntary self-regulatory standards, not de facto regulatory mandates.

For further discussion of the general problem of botnets, see Tyler Moore, Richard Clayton, and Ross Anderson, “The Economics of Online Crime,” Journal of Economic Perspectives, Volume 23, Number 3, Summer 2009, Pages 3–20. See also Symantec and McAfee, Botnets Demystified and Simplified.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

SIIA Joins Call for U.S. Action to Promote Cross-Border Data Flows

Today, SIIA endorsed principles for promoting cross-border data flows. SIIA joined with the National Foreign Trade Council and other trade associations representing a broad range of U.S. companies in supporting this major business priority. The principles seek to bring to bear the resources of trade law to promote the global flow of data across national boundaries.

American businesses are being harmed by the many barriers inhibiting the flow of data across international borders. Many countries want to impose restrictions on the transfer of data, while others seek to inhibit access by companies or individuals to lawfully available information located outside their jurisdiction. Still others demand that companies provide computing or information services through domestic facilities, in effect requiring localization of plant and equipment.

These practices inhibit economic growth, trade in services, innovation and the free expression of ideas in the global economy. The principles endorsed by SIIA underscore the significance of the problem and encourage the U.S. government to seek remedies in a variety of international organizations. The forums where this problem can be addressed include the World Trade Organization (WTO), Asia Pacific Economic Cooperation (APEC) forum, OECD, and regional trade negotiations such as the Trans-Pacific Partnership.

SIIA’s goal is to have the U.S. government treat these practices as violations of current international rules concerning digital goods, services and information. By joining with the rest of the U.S. business community in endorsing these principles, SIIA is urging the U.S. government to identify these practices as violations of international rules and resolve them through WTO or bilateral consultations.

The principles also address the important issues of intellectual property protection and limitations on liability for internet intermediaries. But rather than reinventing the wheel, the principles reference the approach contained in the Communiqué on Principles for Internet Policymaking related to intellectual property protection and limiting intermediary liability developed by the Organization for Economic Cooperation and Development (OECD) in June 2011.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

Cybersecurity is a major national security issue

Yesterday, SIIA applauded the House Republican Cybersecurity Task Force’s conclusion that cybersecurity is a major national security issue and a critical component of economic growth. In particular, SIIA strongly supports the Task Force’s support for a global approach to cybersecurity that seeks international consensus to avoid fragmented, unpredictable national requirements.

The recommendations appropriately recognize the need to avoid hobbling U.S. industry with a set of U.S.-only standards. The Task Force instead calls for international collaboration and heavy engagement with the private sector on security standards that are not U.S.-centric.

Public-private cooperation is vital for the success of any security regime. SIIA appreciates that the Task Force has focused on enhancing incentives, not increasing regulations, to encourage private companies to step up cybersecurity. In the fast-changing world of cybersecurity, strict mandates could hinder businesses from adapting to the ever-changing technology landscape.

The fact is, strong cybersecurity initiatives already exist within the marketplace. When there is agreement that the needed level of security goes beyond that for which a business case can be made, the most effective role for government is to provide businesses with support and further incentives.

SIIA further concurs that improving information-sharing is a critical element of cybersecurity. SIIA members are industry leaders in providing a wide range of cybersecurity products and services to help users protect themselves. The government could play a very effective role in promoting public awareness of threats, and of best practices to protect against those threats.
David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.