The CSIA recently criticized the federal government for its apparent failure to act on recommendations to improve cybersecurity. What exactly is the problem? [Former White House counterterrorism chief] Dick Clarke, in his last act working for the White House, pulled together in early 2003 a strategy for the president to secure cyberspace. That was in 2003. I was in a task force around corporate governance and reported out to the Department [of Homeland Security]. We are heading out into 2006, and the government has done absolutely nothing to execute on their own strategy. I think it is entirely appropriate that the Cyber Security Industry Alliance and industry leaders call attention to that fact. We are pleased that [Department of Homeland Security Secretary Michael] Chertoff announced that he is going to appoint an assistant secretary [for cybersecurity]. But that was almost six months ago. OK, we had Hurricane Katrina, and he's been preoccupied. But when oh when are we going to get that assistant secretary, and when are we going to start executing on a strategy that was laid out almost three years ago?
Among the failures mentioned by the CSIA was the continued lack of information sharing between government and the private sector on cybersecurity matters. The idea of information sharing is a pretty comprehensive and complex topic. The reason is, while the technologies exist, getting together the people and the process part of it is a lot harder. Is the profile of somebody in the FBI equal to the profile of somebody in the CIA or the DHS? How are you going to get all of these agencies to agree on what level of access is going to be adequate for people at various levels in the government? What kind of access are you going to give to somebody from the FBI to the CIA database? What kind of access are you going to give DHS to the FBI database, etc.? I won't minimize the challenges the federal government has in implementing information sharing.
What do you think of a federal data-breach notification law? I think it's a good thing to have breach-notification regulations. Consumers have the right to know if their identities have been compromised; that's pretty fundamental. I do advocate that the federal government use their preemptive right on this because you don't want companies trying to figure out 30 different state bills. Generally though, we are not in favor of regulations mostly because of concern that government will regulate around technologies, and technologies are ephemeral. What we would rather see -- and we are hopeful because the DHS has created a position of assistant secretary for cyber security -- is the government lead and strongly suggest to industries that they set their own best practices around security in general.
There were an unprecedented number of security incidents reported in 2005. Are the bad guys getting better, or is it simply that breach-disclosure laws are forcing more companies to admit to compromises? The California breach-disclosure law certainly helped. But I think it is clear that attacks on the Internet have evolved from viruses and worms. Those kind of attacks are broad-based and kind of affect everybody equally. But the latest attacks are for criminal gain. They are much more specific in terms of getting at people's information. So I think that's been the single biggest change -- organized crime and your average petty criminal looking at this as a growth opportunity.
What does RSA's recent purchase of Cyota mean for enterprise customers? We are basically responding to the market need that we see for customers. We have said right along that to solve this problem of identity theft, strong authentication is the best practice whose time has come. Obviously, we have been very successful with very active methods of authenticating people with our tokens and digital certificate technology. But increasingly, especially in the U.S. market, there is more and more of a requirement for passive methods of authentication. With the acquisition of Cyota, we've taken a layered approach that goes from the passive to the very active. It is great technology to fill out our authentication story and expand our consumer opportunity.