Cybersecurity task force sparks debate

A cybersecurity task force convened by a U.S. House subcommittee chairman released a series of recommendations this week, but some of the results created rifts between IT vendors and security advocates, including a request to allow IT purchasers to band together to dictate security standards to vendors.

Among the recommendations of the Corporate Information Security Working Group (CISWG), released this week by Rep. Adam Putnam, was a proposal to change U.S. antitrust law to allow IT industry groups to agree on security specifications for software and hardware they purchase. The Information Technology Association of America (ITAA), which participated in CISWG, objected to that proposal, saying it amounts to a call for group boycotts.

“The proposal is that a larger group (of customers) would be able to form what amounts to a buyer’s cartel to enforce a security standard the buyers’ group endorsed,” said Joe Tasker, senior vice president for government affairs at ITAA. “I don’t see evidence that the marketplace has failed here.”

Tasker objected to the antitrust exemption because a buyers’ group could hamper innovation in IT products by having customers, not vendors, setting the standards. Buyers’ cartels are illegal under antitrust law, and most enterprises haven’t demanded security-certified IT products, he added.

“If the buyer sets the standard, who knows if they’re right?” Tasker said. “That’s a prescription for a go-slow approach among vendors. (A buyers’ group) changes the marketplace, and it’s a killer on innovation.”

In October, Putnam (R-Fla.) – chairman of the House Government Reform Committee’s Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census – floated a draft copy of legislation that would have required publicly traded companies to report their cybersecurity efforts to the U.S. Securities and Exchange Commission. Putnam decided not to introduce the Corporate Information Security Accountability Act of 2003 after loud objections from IT vendors, but he called on vendors and buyers to come up with alternatives to federal legislation.

Putnam has already begun drafting legislation on one CISWG recommendation to identify information security as a component that must be evaluated in the IT investment decision-making and strategic planning for federal agencies, he said in a statement.

“It is important to note that a number of the recommendations require continued work, and form the foundation for the follow up work that will proceed,” he added in his statement. “Additionally, while it was the effort of CISWG to achieve consensus on this set of recommendations, there was not unanimity on all of the recommendations, and some members expressed concern that there were a number of recommendations that were not fully mature and required further discussion and debate.”

The resulting CISWG, with about 25 organizations participating, broke into five subgroups that each worked on recommendations. The procurement subgroup, of which Tasker was a member, came up with the proposal for buying groups. But that proposal would raise vendor concerns over customer groups restraining trade and engaging in anticompetitive behavior, Tasker said. “There was no consensus on that one,” he added. “Some of these things are clearly work-in-progress items.”

But other CISWG members said the buying-group proposal, and a second proposal to better enforce a federal law requiring U.S. agencies to establish and enforce minimum security configuration standards for the systems they deploy, at least deserve to be debated. One section of the Federal Information Security Management Act (FISMA) of 2002 requires U.S. agencies to develop security configurations and benchmarks for the IT products they buy, but that section of the law isn’t being consistently enforced, said Alan Paller, director of research for the SANS Institute.

The ITAA has questioned whether security configurations should be built into the procurement process, which is what could happen under that section of FISMA, Tasker said. If security configurations are built into procurement, it may be difficult for government agencies to later change their security configurations when better alternatives are available, and federal agencies could copy each other’s configurations, instead of deciding what’s best in each agency, Tasker said. Specific security configurations could lock agencies into specific IT vendors, he added.

“I am completely afraid that if you start to set the configuration in the procurement spec, you ossify the system,” Tasker said. “There is no one-size-fits-all system. There is no substitute for human thought and involvement.”

The FISMA section doesn’t require vendors to build in security configurations for free, but it could lead to both government and private organizations demanding secure configurations, Paller said. “Isn’t it a big story that the vendors are saying, ‘Don’t enforce the law’?” he said. “This (law) does not, in any way, tell agencies what software to buy.”

The separate buyer-group recommendation may not successfully result in a change in U.S. antitrust law, but the debate may cause vendors to make changes to their products, Paller said. The proposal shows a “tsunami” of user anger over IT products, Paller said. “I don’t think this (proposal) will go through,” he added. “In the argument against it, the vendors are showing their colors, and the buyers don’t like it.”

Vendors and customers need to get beyond “rhetoric” about antitrust and mandates to come up with ways to improve cybersecurity, said Clint Kreitner, president and CEO of the Center for Internet Security. He called the debate over buyer groups a “healthy process.”

“The last time I checked, success in business comes from meeting your customers’ needs,” Kreitner said. “I don’t see what’s wrong with meeting your customers’ needs in security.”

The CISWG organization also released several other recommendations this week. Among them were a number of recommendations to create incentives for companies to engage in cybersecurity efforts. That subgroup recommended awards programs for private companies and insurance-company incentives given to companies that engage in cybersecurity best practices. Another CISWG subgroup recommended a cybersecurity handbook aimed at small businesses. The CISWG recommendations are available here.

Kreitner’s best practices subgroup listed 81 separate cybersecurity guides available to companies and computer users. “It’s no wonder the corporations are struggling with cybersecurity,” he said. “The guidance that’s out there is very fragmented … and represents the views of competing organizations.”

While there’s debate over the CISWG recommendations, participants praised Putnam’s decision to bring the organizations together to debate security. Paller praised CISWG for including a broad section of IT vendors, buyers and security experts. The CISWG was different from some other cyberscurity task forces in that the members weren’t “all trying to sell something,” Paller said.

The list of recommendations should show lawmakers that private industry can come up with its own cybersecurity solutions, added Tasker. “It was a pretty strong rejection of the need for government regulation,” he said. “We all said (Putnam’s proposal) was unnecessary legislation, and he said, ‘Show me.’ I hope that he’s convinced.”

Paller, however, isn’t convinced that the need for legislation has passed. Private companies aren’t likely to start paying more attention to cybersecurity without some incentive, he said.

“I don’t think any of this (CISWG report) will actually change that,” he said. “Management isn’t going to get religion by being whined at. (Legislation) is the only thing that works.”