WASHINGTON -- A U.S. Senate subcommittee that has been largely focused on data privacy issues turned its attention Monday to what many see as that topic's hand-in-hand partner: information security. But a panel of experts who testified at a hearing said the best thing Congress can probably do is to show restraint in passing any laws directed at security.

"One thing that you should not do is pass [security-related] legislation that cannot be enforced," said Vinton Cerf, senior vice president of Internet architecture and technology at WorldCom. Doing so could lead "to all kinds of side effects," including companies and individuals simply ignoring the law, he added.

Bruce Schneier, founder and chief technology officer at Counterpane Internet Security in Cupertino, Calif., told the Senate's Subcommittee on Science, Technology and Space that current approaches to data security aren't working. "Every year, the problem gets worse," he said. "Security is failing us."

But while Schneier was critical of software vendors for producing bug-laden packages and then selling the products under contracts that excuse themselves from any security liabilities, he, too, argued against adopting new laws as part of an attempt to fix the problem.

Instead, Schneier said he sees insurance carriers playing a larger role in improving security through risk management -- a process that could change how users pick the software they buy. More secure software would mean lower insurance rates, he said. If that becomes reality, Schneier added, purchase decisions "will no longer be 100 percent technical."

The subcommittee chaired by Sen. Ron Wyden (D-Ore.), a leading advocate of privacy legislation, isn't considering any specific IT security legislation at this point. Monday's hearing was called merely to draw attention to the security issue, according to subcommittee members.

Nor is Wyden himself advocating any specific security rules. He said at the hearing that the primary role he envisions for Congress is to give law enforcement agencies the tools they need to track down hackers, encourage education, and provide incentives for security-related research and development work.

However, the full Committee on Commerce, Science, and Transportation, of which the subcommittee is a part, is expected to consider several data privacy bills that may include computer security requirements. And security was already a component of financial privacy rules set in the Gramm-Leach-Bliley Act of 1999, which took effect this month.

Harris Miller, president of the Information Technology Association of America trade group in Arlington, Va., testified before the subcommittee that government agencies should start by doing a better job of protecting their own systems.

"The U.S. government must lead by example," Miller said.