Cybersecurity group: Everyone has a role to play

No one "silver bullet" will solve cybersecurity problems, but everyone from home computer users to cybersecurity vendors are responsible for keeping the Internet secure, said representatives of a new cybersecurity educational group.

A group of cybersecurity vendors, consumer groups, trade associations and e-commerce companies launched Americans for a Secure Internet (ASI) in Washington, D.C., Thursday, with members calling for all Internet users to educate themselves on cybersecurity issues. ASI, whose members include eBay Inc., Internet Security Systems Inc. and the Computing Technology Industry Association (CompTIA), launched a Web site intended to educate users of all levels on cybersecurity issues: http://www.protectingthenet.com/.

ASI called on a number of groups to take action on cybersecurity. Cybersecurity problems that need to be addressed range from Internet user behavior and habits to computer and networking hardware, members said. "We have been playing a kind of technology blame game here in town, or searching for a silver bullet," said Tom Santaniello, manager of U.S. public policy for CompTIA. "The mindset up until now is we can purchase an IT security solution off the shelf."

The efforts of ASI and other cybersecurity groups may keep the U.S. Congress from passing cybersecurity mandates, added Bob Dix, staff director for the technology and information policy subcommittee of the House Government Reform Committee. In late 2003, Representative Adam Putnam, a Florida Republican and the subcommittee's chairman, floated draft legislation that would have required companies to report their cybersecurity efforts to the U.S. Securities and Exchange Commission, but the proposal was shelved after criticism from IT vendors and other companies.

But the threat of the bill, plus efforts from industry groups like ASI, have increased the awareness of cybersecurity among private companies, Dix said during an ASI kick-off lunch. Although the Putnam legislation may never been introduced, the subcommittee will continue to push private companies to deal with cybersecurity issues, Dix said. One such method is for government agencies to push for secure products during the procurement process, he said.

"We looked at procurement practices, and we got a little push-back on that," Dix said. "Some of the people in the vending community feel that the government shouldn't inject itself in procurement, but I'd argue this: The federal government spends US$60 billion a year in IT goods and services. The opportunity to say in the marketplace, 'we want higher quality, more secure products than what we buy', seems to be a reasonable position for a purchaser to take."

ASI's first steps will be to bring together all kinds of IT and consumer groups to start talking about cybersecurity, said Mark Blafkin, director of communications for the Association for Competitive Technology. "Right now, it's about ways to facilitate these diverse interests to come together to talk about cybersecurity," Blafkin said. "We're trying to create the broadest coalition possible."

Unlike some other groups dedicated to cybersecurity, ASI will focus on Internet user issues as well as enterprise issues, Blafkin said. Consumer Alert is among the 11 original members of ASI.

The focus on educating individual users is important, said Jim Dempsey, executive director of the Center for Democracy and Technology. Problems like spam e-mail and spyware in software erode the trust users place in the Internet, he said.

Dempsey also praised ASI speakers for discounting the one quick fix approach to cybersecurity. "This is the first event that I've been to where the lead-in line was people saying, 'there is not a silver bullet'," Dempsey said. "How many one-pagers, or 250-pagers have we read that purported to offer a silver bullet to a problem? Here is a group of companies and trade associations that have come forward and said, 'it's more complicated than it looks'."