Trade group gives Feds low cybersecurity grade
D is for data breach...
IDG News Service - The Cyber Security Industry Alliance has given the U.S. government D grades on its cybersecurity efforts in 2006, and renewed its call for Congress to pass a comprehensive data protection law in 2007.
The CSIA, a trade group representing cybersecurity vendors, gave the U.S. government D grades in three areas: security of sensitive information, security and reliability of critical infrastructure, and federal government information assurance. (See the report in PDF format.)
"Government needs to take these issues very seriously," said Liz Gasster, the CSIA's acting executive director and general counsel.
Among the problems in 2006: The U.S. Department of Veterans Affairs reported a data breach involving the personal information of 26.5 million military veterans and family members. Other agencies also reported multiple lost laptops containing personal information. The CSIA called on agencies to notify citizens of data breaches.
After a rash of reported data breaches in early 2005, members of Congress introduced multiple bills requiring companies with data breaches to notify affected consumers. But a breach-notification law failed to pass, partly because of jurisdictional fights between multiple congressional committees.
A comprehensive data security bill should include breach notification, but also a requirement that all organizations holding sensitive data -- including private companies, government agencies, nonprofits, and educational institutions -- use reasonable security standards, Gasster said. The U.S. Federal Trade Commission has taken action against several companies, but a comprehensive law would give the FTC or another agency broad jurisdiction to investigate data breaches, she said.
The CSIA is optimistic a comprehensive data breach law will pass in the next year, even though it stalled in the last Congress, Gasster added. Major data breaches continue to happen, and consumers will increase the pressure on Congress to act, she predicted. In mid-January, retailer TJX Companies Inc. reported a massive data breach.
"Consumers just are not going to put up with is," Gasster said.
Here's how the CSIA generated its government cybersecurity grades:
- Security of sensitive information, grade D: Congress ratified the Council of Europe Convention on Cyber Crime, allowing the U.S. to work with other signatories on cybersecurity investigations, but failed to pass a comprehensive law to protect sensitive personal information.
- Security and resiliency of the critical information infrastructure, grade D: The Department of Homeland Security appointed an assistant secretary for cybersecurity and telecommunications and implemented some cybersecurity program, but it hasn’t offered a clear agenda for its top cybersecurity research and development priorities or established a survivable emergency coordination network to handle a large-scale cybersecurity disaster.
- Federal information assurance, grade D: Government continues to offer a "mixed bag of successes and failures," the CSIA said, with progress within the White House Office of Management and Budget's enforcement of cybersecurity directives and implementation of U.S. President George Bush's Homeland Security Presidential Directive 12, requiring agencies to start issuing smart identification cards. But the government needs to do a better job in several areas, including security issues with telecommuting and releasing information on the cost of cyberattacks, the CSIA said.
In addition to a comprehensive data protection bill, CSIA called for the U.S. government to strengthen the power of agency chief information officers and called on agencies to increase testing of cybersecurity controls.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts