RSA CEO: US gov't cybersecurity efforts lacking

09.01.2006
Art Coviello, president and CEO of RSA Security Inc., is a founding member and co-chairman of the standards committee of the Cyber Security Industry Alliance (CSIA), an Arlington, Va.-based consortium of technology companies. He is also co-chairman of the National Cyber Security Summit's Corporate Governance Task Force, which reports to the U.S. Department of Homeland Security. In an interview with Computerworld, Coviello talked about a lack of federal leadership on cybersecurity issues and the challenge of information-sharing.

Why did the CSIA recently criticize the federal government for failing to act on recommendations to improve cybersecurity? [Former White House counterterrorism chief] Dick Clarke, in his last act working for the White House, pulled together in early 2003 a strategy for the president to secure cyberspace. That was in 2003. We are heading out into 2006, and the government has done absolutely nothing to execute on their own strategy. I think it is entirely appropriate that the Cyber Security Industry Alliance call attention to that. We are pleased that [Homeland Security Secretary Michael] Chertoff announced that he is going to appoint an assistant secretary [for cybersecurity]. When are we going to get that assistant secretary, and when are we going to start executing on a strategy that was laid out almost three years ago?

What is the state of information-sharing between government and the private sector on cybersecurity? The idea of information-sharing is pretty comprehensive and complex. While the technologies exist, the people and the process part is a lot harder. Is the profile of somebody in the FBI equal to the profile of somebody in the CIA or the DHS? How are you going to get all of these agencies to agree on what level of access is going to be adequate for people at various levels in the government? I won't minimize the challenges.

Should there be a federal data-breach notification law? I think it's a good thing to have breach-notification regulations. Consumers have the right to know if their identities have been compromised. I do advocate that the federal government use their preemptive right on this, because you don't want companies trying to figure out 30 different state bills. Generally, though, we are not in favor of regulations, mostly because of concern that government will regulate around technologies, and technologies are ephemeral. We would rather see the government lead and strongly suggest to industries that they set their own best [security] practices.

Does the unprecedented number of security incidents in 2005 show that bad guys are getting better or that breach-disclosure laws are forcing companies to acknowledge compromises? The California breach-disclosure law certainly helped. But I think it is clear that attacks on the Internet have evolved from viruses and worms. The latest attacks are for criminal gain. They are much more specific in terms of getting at people's information. That's been the single biggest change -- organized crime and your average petty criminal look at this as a growth opportunity.

How do you respond to security analysts who say that token-based authentication like what RSA Security offers is too cumbersome and expensive? I take exception to that. You enter a [personal identification number], and you read a number off a token. I don't think that's particularly cumbersome. People do understand that this is a device to authenticate them, and it gives them a high degree of confidence.
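The login Coviello describes, a PIN the user knows plus a number read off a token the user holds, is what a server has to check on the other end. The following is an added example and not code from the interview or from RSA; RSA's SecurID token algorithm is proprietary and is not described on this page, so the example stands in the open HOTP/TOTP standards (RFC 4226 and RFC 6238) for the token side. The shared secret is the RFC test key (so the codes can be compared against the published test vectors), and the PIN, login time and 30-second step are constructed values. It shows the parts the interview glosses over: the PIN is stored only as a salted hash, a small window of clock drift is tolerated, and a code that has already been redeemed is rejected so it cannot be replayed.

```python
import hashlib
import hmac
import os
import struct

# Added example (not RSA's proprietary SecurID algorithm, which this page does not
# describe): a PIN + one-time-code verifier built on the open HOTP/TOTP standards
# (RFC 4226 / RFC 6238). The secret below is the RFC test key, used only so that the
# generated codes can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The server never stores the PIN itself, only a salted PBKDF2 digest of it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenVerifier:
    """Server-side check of 'something you know' (PIN) plus 'something you have' (token code)."""

    def __init__(self, secret: bytes, salt: bytes, pin_digest: bytes,
                 step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.salt = salt
        self.pin_digest = pin_digest
        self.step = step
        self.digits = digits
        self.window = window        # accept +/- this many steps of clock drift
        self.last_counter = -1      # highest step already redeemed; blocks replay

    @classmethod
    def enroll(cls, secret: bytes, pin: str, **kwargs) -> "TokenVerifier":
        salt = os.urandom(16)
        return cls(secret, salt, hash_pin(pin, salt), **kwargs)

    def verify(self, pin: str, code: str, unix_time: int) -> bool:
        # Both factors are always evaluated, so a failure does not reveal which one was wrong.
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_digest)

        now = unix_time // self.step
        matched = None
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # a code from this step (or an earlier one) was already accepted
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                matched = counter
                break

        if not (pin_ok and matched is not None):
            return False
        self.last_counter = matched  # advance only on a fully successful login
        return True


if __name__ == "__main__":
    verifier = TokenVerifier.enroll(RFC_TEST_SECRET, pin="4321")   # constructed PIN
    t = 1_700_000_000                                              # constructed login time
    code = totp(RFC_TEST_SECRET, t)                                # what the user reads off the token
    print("first login:", verifier.verify("4321", code, t))        # True
    print("replayed code:", verifier.verify("4321", code, t))      # False
```

The drift window is the trade-off that makes a token usable at all: a user who types the code a few seconds after the 30-second step rolls over still gets in, but every accepted step is remembered so the same six digits cannot be submitted twice. Note that the window also widens an online guessing attack by a factor of (2 x window + 1), which is why a verifier like this should sit behind a lockout or rate limit.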