IWS - The Information Warfare Site

Cybersecurity & Consumer Data: What's at Risk for the Consumer?

Subcommittee on Commerce, Trade, and Consumer Protection
November 19, 2003
10:00 AM
2123 Rayburn House Office Building 

Mr. Daniel Burton
Vice President, Governmental Affairs
Entrust Technologies
7927 Jones Branch Drive
Suite 100
McLean, VA 22102

Good Morning. Chairman Stearns and Members of the Subcommittee, thank you for the opportunity to provide testimony on this important and timely subject. My name is Daniel Burton, and I am Vice President of Government Affairs for Entrust, Inc. In my testimony today, I will address our view of where the private sector stands in its efforts to secure its information systems and what this Subcommittee can do to accelerate progress.

I want to be very clear in my message. The cyber security problem is not getting better. Since 2001, when this committee held a hearing on this issue, CERT has reported a tripling of cyber security breaches, from 52,000 in 2001 to a projected 150,000 by the end of 2003. Although some companies have recognized the threat of cyber attacks to their business performance and their customers' personal information, most are struggling to deal with the issue. It is incumbent on this Subcommittee to galvanize industry efforts to protect sensitive consumer and business information. This can only be accomplished by securing the private sector IT systems that control the majority of the nation's critical infrastructure. You can do so by strongly endorsing information security governance programs that drive business risk assessment, reporting and accountability.

Entrust is a world leader in securing digital identities and information. Over 1,200 enterprises and government agencies in more than 50 countries use our security software solutions, so we have a good perspective on today's cyber security reality. As a company, we are leading the evolution from defensive, perimeter-oriented technology approaches to a more proactive business security strategy that enables increased productivity. This strategy involves creating a more robust, manageable business security environment through the use of technologies such as encryption, digital signatures, authentication and authorization. We also work with customers to put in place the policies and procedures that protect digital identities and information. Our biggest competition comes not from other companies, but from the "do nothing" business mindset regarding cyber security.

I. Examples of the Problem

A few examples based on Entrust's experience in the market show how enterprises are responding to cyber security today.

Last year, a company that is a large collector and processor of consumer data suffered a breach when one of its customer's employees used the company's servers to hack the passwords of its other customers. The hacker then proceeded to access and copy databases containing highly personal consumer information. Because this company's clients include 14 of the top 15 credit card companies, 7 of the top ten automakers and 5 of the top 6 retail banks, in addition to other major consumer brands, the attack was not a trivial hack. Fortunately, no identity theft complaints have been traced directly to this breach. Despite the fact that many people focus on external threats, it is important to note that this breach, like most, was internal, meaning that it came from an insider. Moreover, it was discovered only by accident ten months after the incident occurred when law enforcement agents researching another breach discovered e-mails describing this one. As soon as the company learned of the attack, it informed its customers, as required by the California cyber security breach notification law (SB 1386), and implemented authentication and encryption systems to better protect its data.

As a major database company with a pretty good security and privacy program, this company believed that it had taken reasonable precautions to protect its data, especially since it was doing as much as many other companies and the penalties for not taking action are vague. In this respect, it is typical of many companies. The reality facing business today is that even if you understand the threat, it is hard to justify more than limited cyber security measures because of the complexity involved and the investment in people, time and resources that is required. In this case, however, the seriousness of the breach and the new penalties created under California SB 1386 forced the company to change the way it thought about protecting its information systems. Today, this company is on the forefront of driving a higher standard and better understanding of cyber security reality.

A second example speaks to the need to treat cyber security as a continuous process. Several years ago, a large financial institution implemented strong authentication and digital signatures on its cash management service offering for its business customers. I should note that billions of dollars traverse this network. Although there was no additional fee to upgrade this technology as new versions of the software were released, the company repeatedly failed to do so. The reason? It did not have the systems in place to treat cyber security as a continuous process. Only when the company failed an audit because it was cut off from software support did senior management become involved and take the necessary steps to upgrade the company's security systems.

A third example shows that, despite the lip service they pay to the issue, some companies are unwilling to do anything about cyber security that will affect application performance. A major investment bank realized that it did not have adequate cyber security protections in place and undertook a review of solutions to securely authenticate its sensitive communications internally and with customers. As a condition of this review, however, it stated that it was not willing to sacrifice any application performance for better security. This meant that it would accept only a few milliseconds of response time for authentication during failover. Since no security products can meet this standard, the company is now deciding whether it will tolerate even a minimal performance compromise in order to include security.

A fourth example involves Federal agencies, which in their size and complexity are similar to large enterprises. Until a few years ago, the Federal government did not have an adequate cyber security policy, despite the fact that year after year Congressional report cards gave most government agencies an "F" in information security. It was not until Congress passed the Government Information Security Reform Act (GISRA), later amended by the Federal Information Security Management Act (FISMA) -- which coupled IT security performance with OMB budget controls -- that Federal agencies began to change. By insisting that cyber security be treated as a governance and budget issue with risk assessment, reporting and senior management engagement, FISMA and OMB forced Federal agencies to begin to upgrade their cyber security programs.

A final example shows that when companies view cyber security as a business enabler that improves productivity, they are more likely to be proactive. Several years ago, a major insurance company with a large database of confidential customer records realized that it was a prime target for identity thieves and hackers. The insurance company couldn't simply lock up its records since it had thousands of field agents that needed to access them to service customer needs. In order to solve this problem, the insurance company did a comprehensive risk assessment and, using digital signatures and authentication technology, implemented an information security governance plan that encompassed strategy, technology, people and process. By proactively securing its IT systems, the company not only protected confidential customer information, but also created the secure business operations necessary to increase the productivity of its agents.

Although these examples paint different responses to the cyber security threat, they all underscore a similar theme -- without a better business understanding of cyber security costs, benefits and penalties, most companies will take only limited cyber security measures.

II. Where Do We Stand?

Regardless of how you grade industry's response, there is no doubt that the cyber security risk is increasing. Although some companies are responding, overall business progress has been slow. The current situation brings to mind the "boiling frog" metaphor. If you drop a frog in boiling water, it will jump out. However, if you put a frog in a pot of water and gradually raise the temperature, the frog will cook. I think many companies are being "cooked" when it comes to cyber security.

Like quality improvement, cyber security is not a one-time event, but a continuous process. Just as few managers understood the quality movement when Deming first introduced it, few business leaders fully grasp the new and evolving discipline of cyber security today. We are at the beginning of this brave new digital frontier, and Congress must find ways to accelerate industry's understanding and progress. Companies make little distinction between cyber terrorism, cyber crime and cyber vandalism. The fact that different actors with different motives perpetrate these attacks may be significant to government enforcement agencies, but it is of little consequence to industry. As far as industry is concerned, the primary question is not who was responsible for the attack, but how much damage did it cause? What is the likelihood that it will happen again? And what are the cost, liability and brand implications? Anything that Congress can do to bring incentives for constructive action and clarity to industry's assessment of costs and benefits will help in the effort to protect our critical infrastructure.

The growing array of Federal legislation has not adequately addressed this issue. Some major laws affecting cyber security are already in place, such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. These laws, however, tend to treat cyber security as a secondary issue and cite requirements that are often so vague that they do little to improve focus or understanding of the issue or help industry better calculate costs and benefits. Faced with weighing ambiguous cyber security risks against other business and economic realities, companies have tended to follow one of three paths. Some have chosen to do nothing and wait until either the threat becomes more potent or regulatory requirements get clarified. Others -- probably the majority -- have made some initial efforts, but have not really integrated cyber security into their core business operations. A third group -- comprised of only a rare few exceptions -- has embraced cyber security as a market differentiator, integrating it into their core operations and elevating it to an executive management concern.

Two other cyber security laws, however, are having a more immediate and profound effect on market behavior: the California cyber security breach notification act (SB 1386) and the Federal Information Security Management Act (FISMA). These laws are specific about cyber security penalties and programs. By creating private rights of action and penalties for failure to report breaches of unencrypted personal information, SB 1386 has changed industry's cost-benefit analysis. And by treating cyber security as management responsibility that entails risk assessment and reporting, the Federal Information Security Management Act outlined a roadmap for Federal agencies that has enabled progress.

III. The Information Security Governance Imperative

Given the increased awareness of the problem, the lack of understanding, and the legislative ambiguity, Entrust has moved proactively to foster collaboration between the public and private sectors on this topic. We first began working this issue inside our company, with the active engagement of our Board of Directors and executive management. At the direction of our CEO, Entrust began to develop and implement just such a cyber security governance program last year. As an information security software company, we felt it was our responsibility to help create a framework that would allow for appropriate risk assessments, performance measures, management guidelines and board audits. The program we developed is tailored to the business needs of Entrust and embodies our interpretation of ISO/IEC 17799 and how the Federal Information Security Management Act (FISMA) can be applied to the private sector. We identified 141 elements that were important to measure progress. When we started, 25 of these elements were in the red, indicating the need for serious improvement; today, only two are. Our journey is off and running but not over.

As an information security software company that lives in this space, our experience raises real concerns about the status of the average company and the country. As we discovered at the starting point of our cyber security review, we were not nearly as secure as we would have predicted. This discovery made us wonder whether other companies are making real and "measurable" progress, since many of them lack a framework.

As a result of our experience, Entrust brought this framework to the Business Software Alliance (BSA) who created a cyber security task force co-chaired by Entrust's CEO, Bill Conner. The BSA report, entitled, Information Security Governance: Toward a Framework for Action, released in October 2003, found that information security is not only a technical issue, but also a corporate governance challenge. To quote that report,

While there is broad consensus on the actions needed to create strong security, too often responsibility is left to the chief information officer or the chief information security officer. In fact, strong security requires the active engagement of executive management. By treating these challenges as a governance issue and defining specific tasks that employees at all levels of an organization can discharge, enterprises can begin to create a management framework that will lead to positive results.

A governance framework is important because it guides the implementation, evaluation and improvement of cyber security practices. An organization that creates such a framework can use it to articulate goals and responsibilities and evaluate progress over time. One of the most important aspects of such a framework is that by defining business and cyber security responsibilities within an organization, it creates a roadmap for improvement. By specifying who does what and forcing companies to report on their results to their own boards, it allows companies to assign specific responsibilities and translate awareness into action.

Effective cyber security governance programs usually have three basic functions: risk assessment, reporting and accountability. Their payoff comes from the fact that they insist on the systematic oversight and execution necessary to make cyber security part of a company's core business operations. Simply identifying best practices is not enough; they must be married with effective implementation at all levels of an organization. To be effective, each information security program must be tailored to the needs of the individual business and industry in which it operates. It must identify business drivers; clarify roles and responsibilities; recognize commonalities; define metrics; include periodic progress reports to executive management; and specify what corporate executives, business unit heads, senior managers, and CIOs should do.

According to the BSA information security governance report, the board and the CEO have responsibility for overseeing policy coordination, business unit compliance and accountability. The business unit head has responsibility for providing information security protection commensurate with the company's risks and business needs, as well as training, controls, and reporting. The senior manager has responsibility for securing information and systems, assessing assets, determining appropriate levels of security, cost-effectively reducing risk, testing and controls. The CIO and CISO have responsibility for developing and maintaining compliance with the security program, designating a security officer, developing the required policies, assisting senior managers, and conducting a security awareness program.

IV. Conclusion

Congress should embrace requirements for information security governance and reporting. Citing the Y2K experience, some have emphasized the need for a ruling that would require public companies to report on cyber security governance programs in their SEC filings. In order for such a provision to be successful, it will be necessary to avoid esoteric requirements that increase the cost and complexity of implementing solutions but do little to increase cyber security and shareholder value. Others have cited the online privacy debate and emphasized the need for voluntary reporting about cyber security policies and breaches, backed up by FTC enforcement. For this approach to succeed, it must also encompass the need to secure business information systems. Still others have compared cyber security to the quality movement and insisted that government provide incentives for companies to undertake the training and process improvements necessary to secure their information systems.

We would recommend the following lessons for companies intent on securing our critical infrastructure:

A business information security governance framework for risk assessment and reporting with executive management engagement and board oversight is essential. A good governance framework will produce a transparent process that allows management to assign responsibility and make investment decisions to address unacceptable risks.

Businesses need to get on with it -- just do it. Information security is a very broad topic with seemingly endless detail. Companies should not try to solve the problem all at once. Instead, they should begin with the top-level policy issues. The important thing is to get started. Too many programs never get off the ground because the effort looks too daunting.

Business information security governance is a continuous improvement program. Like quality, cyber security improvement requires numerous iterative exercises in a continuous journey. Companies should complete one cycle of the program at a high level, report to the Board on their performance, fine-tune their program and begin another cycle with slightly more rigor. Repeated cycles will lead to real improvements.

Whatever course is taken, the objective should be to encourage companies to treat cyber security as a corporate governance issue that includes business risk assessment and reporting with management accountability. The cyber security threat is real, and there is strong consensus around the steps that industry must take. Congress needs to do everything it can to drive more effective programs in the private sector. This Subcommittee has extensive experience dealing with complex issues, and we are confident in your abilities to address this one. We are at an inflection point in the effort to strengthen cyber security and need your leadership.