ISAlliance In the News

 

 

Cyber Security: Sharing Of Data To Protect Web Seen As Lacking by Heather Greenfield, October 24, 2007

 

A House Oversight and Government Reform subcommittee is spending Tuesday afternoon reviewing government and private-sector efforts to secure the nation's Internet infrastructure. The House Homeland Security Committee held a similar hearing last week.

The attention comes in part because the Homeland Security Department has declared October as Cyber Security Awareness Month, but the hearings are timelier after a recent video leak to the media. It showed an experiment at one of the national laboratories in which a researcher hacked into a power-plant control system and set fire to it with the click of a mouse.

Getting a grasp of the history of improving cyber security is a challenge in part because the threat has changed. Larry Clinton, president of the Internet Security Alliance, said in prepared testimony that as America has moved from vulnerabilities that might have taken months to exploit to the current era of immediate attacks, "just getting information is no longer nearly enough."

Homeland Security Assistant Secretary Greg Garcia assured lawmakers that the department has been holding regular meetings with the private sector over the last several years to strategize on how to better secure critical infrastructure like the Internet. But he said the department's role is more leadership and it cannot force companies to adopt preferred security practices.

A Government Accountability Office report released last week said that despite all the talk about cyber security, more action is needed to better coordinate overall strategy among various federal agencies and the private sector. The report also said that until Homeland Security addresses weaknesses in information-sharing about threats, it will not be able to effectively address vulnerabilities between the public and private sectors.

Since the department's creation, the U.S. Computer Emergency Response Team, or US-CERT, has taken over information services that trade groups like the ISA had provided through contracts and non-disclosure agreements to its members.

Clinton offered recommendations that industry wants government to make to improve its approach to information-sharing.

"The traditional model is to withhold information and disclose if necessary," Clinton said. "The lack of sharing of information and government requirements for treating corporate information once disclosed is one of the major reasons that the necessary trust environment has not been established, and the information-sharing regime is widely held to be inadequate by all sides."

Clinton said the US-CERT information is useful but not all that is needed. "Treating cyber security just by providing information is like treating a staph infection with a Band-Aid."

He said the good news is that the private sector is taking the problem seriously, and there is an emerging consensus on how to formulate an effective government-industry partnership. But he acknowledged, "We have yet to see much in the way of concrete actions to make that system a reality."

May 22, 2007

A Year After Major Breach, Data Security Bills Stalled by Heather Greenfield

     Tuesday was the one-year mark since Congress learned of a stolen laptop computer that contained personal data on 26.5 million veterans and active-duty military personnel. But while Congress last year cleared data-protection measures aimed specifically at the Veterans Affairs Department whose employee lost that computer, it has not passed broader legislation.

     Larry Clinton, President of the Internet Security Alliance, said he is encouraged that recent security breaches have made lawmakers aware of cyber-security problems but lamented the limited activity to correct the problems. "I find it a little disheartening the approaches [to improve security] haven't been implemented and a little disappointed the approaches don't seem to grasp the problem we're dealing with here," Clinton said.

     "The reason we didn't get good data-security legislation last year was the jurisdictional lines -- not a lack of consensus on ideas," Clinton said.


May 8, 2007

Tech Groups Object to Senate Proposal to Create DHS Preparedness Standards
BNA, Alexei Alexis

Technology groups are lobbying against Senate-passed legislation to establish a national emergency preparedness program for the private sector.

The proposal, part of a larger measure (S. 4) to implement unfinished recommendations of the 9/11 Commission, would authorize the Department of Homeland Security, in consultation with industry groups, to develop voluntary preparedness standards and a process for certifying whether companies are in compliance.

Technology groups are concerned the proposal will result in de facto regulations governing the security of computer networks and other critical infrastructure owned by the private sector.

"The bill gives DHS exceedingly broad authority to set standards," said Larry Clinton, president of the Internet Security Alliance, in a recent BNA interview.

 

April 27, 2007

Industry leaders are concerned that national standards for private-sector preparedness being considered in Congress this year could be more of a problem than a helpful tool. They say language in the Senate bill to implement the Sept. 11 commission recommendations (S 4) would create voluntary standards that would then be required if companies want to do business with the federal government.

“The question is not whether we should have best practices and standards,” said Internet Security Alliance President Larry Clinton. “The question is what is the appropriate role of the U.S. government in that process.”

“In order to make companies comply, we have to make it in their perceived best interest,” he said. “If companies believe they are going to improve, they will adopt best practices and do it on an international basis.” He also said entities with preparedness plans will require companies they do business with to have them as well.

 

April 25, 2007

Groups Raise Concerns about Cybersecurity Standards.

Legislation that would authorize the U.S. Department of Homeland Security to create emergency preparedness standards for private industry takes the wrong approach toward cybersecurity, some experts said Tuesday.

Larry Clinton, president of the Internet Security Alliance, agreed. "Once [the standards] are washed through DHS, it's a different standard than I would understand as voluntary," he said.

Members of several industries, including IT, trucking and hospitality, raised concerns at the CSIS event focusing on the legislation from a cybersecurity perspective. Although the legislation requires DHS to seek the input of private industry groups while developing the emergency preparedness standards, it gives DHS Secretary Michael Chertoff broad power to create the standards, said Michael Hickey, vice president of government affairs for national security policy at Verizon Communications Inc [and ISAlliance Board Member].

Chairman Bennie Thompson's speech at the "9/11 Legislation and the Private Sector" event paneled by ISAlliance President, Larry Clinton.

 

 

April 11, 2007

Security alliance pitches government incentives.

The Internet Security Alliance (ISAlliance) has published a white paper outlining a new set of guidelines for fighting cyber-criminals that calls on privately-held companies to do a better job of securing their IT systems, but asks the federal government to lend a hand in that work. In the paper, ISAlliance -- a collaboration of the Electronic Industries Alliance and Carnegie Mellon University's CyLab -- lays out a set of measures it would like the federal government to adopt in order to aid, protect and reward businesses who invest in defending their operations.

ISA pushes for security incentives over regulation.

The U.S. government should explore new incentives for companies to invest in cybersecurity instead of focusing on regulation, a cybersecurity trade group said. The ISA (Internet Security Alliance), made up of IT vendors and customers, called on the U.S. government to abandon old regulatory approaches in favor of incentives like cybersecurity insurance, awards programs, and caps on legal liability for companies that adopt cybersecurity best practices.

 

 

April 9, 2007

Carrot or Stick? The debate continues on how to encourage the sharing of cybersecurity data. 

Two years ago, the Homeland Security Department outlined plans to enumerate and protect cyberassets in its National Infrastructure Protection Plan (NIPP). “It was a traditional military approach,” said Larry Clinton, President of the Internet Security Alliance, a nonprofit group representing the information technology industry and academics. “And it got nowhere.”

Since then, after many talks with the IT industry, DHS has moved to include cybersecurity in all of the 17 infrastructure sectors that have developed their own protection plans, including energy, water, food, IT and financial services. “The integrated approach is a step in the right direction,” Clinton said.

 

 

April 2, 2007

The Feds weigh in on Windows security. Will the White House make a difference in computer security?
News.com

The President's Office of Management and Budget recently sent out a directive to federal chief information officers to secure their Windows PCs. In what some said could have ripple effects well beyond Washington, the White House sent out a memorandum on March 22 that instructed all federal agencies (PDF) to adopt standard security configurations for Windows XP and Windows Vista by February 1.

"If the government states that it is only going to buy systems that are more secure, that sends a terrific signal," said Larry Clinton, president of the Internet Security Alliance, a group that represents large corporate technology users. "It is a significant step. All the technology providers will now have to adapt their products to meet those standards."

 

 

March 27, 2007

People Column: Leader At Internet Group Gets Promoted by Heather Greenfield

    It's no surprise that Larry Clinton has become the new president of the Internet Security Alliance. He has been at ISAlliance since 2002 as the deputy executive director and chief operations officer. He also wrote "A 12-Step Program to Cyber Security for Small Businesses" for the alliance and has testified on Capitol Hill about the government's role in creating incentives for better security. Clinton said it is hard for government to legislate better security because technology and the Internet change at such a rapid pace and many of the cyber attacks originate in other countries. "What we're trying to do is develop an entirely different model for broad information security," he said. "We want to create financial incentives for industry to constantly update their systems."
In this new position, he hopes to do more to help companies understand their economic stake in security because "one person's insecurity is everyone's insecurity."

Clinton takes charge at Internet Security Alliance, http://www.politico.com/news/stories/0307/3297.html

 

 

March 1, 2007


Experts Struggle To Find Answers To Cyber Threats. Larry Clinton (ISAlliance Deputy Executive Director) and others on the Cyber Security panel at the Armed Forces Communication and Electronics Association Homeland Security Conference want government to encourage companies to adopt best practices. Clinton cited a PricewaterhouseCoopers study that said firms using them did not face the same downtime and revenue loss as others, even though they faced the same number of attacks. Panelists said incentive programs had worked for other industries like agriculture or for flood insurance.

 

 

September 18, 2006

 

Internet Security Alliance, Institutes Information Security Improvements. The Internet Security Alliance and the American National Standards Institute have instituted a joint program to provide business leaders with practical tools for managing information security.

US authorities to prioritise information security.  vnunet.com News

Alliance, ANSI team to right Cyber Security woes. TelecomWeb
 

 

September 13, 2006

ISAlliance testifies before the Energy and Commerce Telecommunications and Internet Subcommittee.

About one-fourth of America's economic value -- or some $3 trillion -- moves over network connections each day and may be vulnerable to cyber attacks, according to the Internet Security Alliance. "What we need is a unifying motivator to get everyone to do the right thing," said Larry Clinton, Chief Operating Officer of the Internet Security Alliance. Bush admin says to name cyber security czar soon. WashingtonPost.com

 

Cyber Security Executive Panel, Globalcomm 2006

 June 4, 2006

ISAlliance hosts Cyber Security Executive Panel with ISAlliance Board members, Jeff Brown (Raytheon), Lawrence Dobranski (Nortel), and Ken Silva (VeriSign) presenting How Industry is Coping with Information Security Compliance. 

 

April 20, 2006

ISAlliance issues comments on the Department of Homeland Security's National Infrastructure Protection Plan.

 

 

April 2005

Addressing Network Security - iQ Magazine Cisco.  

Final Word: Can Congress Mandate Cyber Security? Business Management

 

 

February 7, 2005 

Feds look to finalize IT security controls. NIST has issued the last draft of the new requirements. Adopting standards such as those proposed by NIST is crucial to the security of federal systems and to overall Internet security, said Larry Clinton, chief operating officer at the Internet Security Alliance (ISA) in Arlington, Va. But mandating compliance, even in the public sector, is a bad idea, he said.

 

 

April 2004

The way the security-industry experts see it, if you're a small-business owner, Internet security is your problem. Not your IT department's problem. Your problem, and your responsibility. Safe Specs, Systems Security Article - Technology Inc.com.

 

 

October 1, 2003 

The Internet is one of our most critical infrastructures and possibly the most difficult to defend. It is inherently international, interactive and interdependent, and it is constantly changing. And no one owns it. If a traditional regulatory structure were used to control the Internet, many regulations would be outdated before they were published. Even worse, such a regulatory process could provide nefarious users a roadmap of Internet vulnerabilities. Larry Clinton, On the Record, Government Exec.com

 

 

August 6, 2003

The Internet Security demon that won't die. "A traditional regulatory model applied to the Internet is doomed to failure. By the time it was regulated, you'd be dealing with an Internet that was two years older," says Larry Clinton, chief operating officer at the Internet Security Alliance.