TechNet: Consistent voice needed on security issues

25.08.2005
By Jaikumar Vijayan, who writes for, among others, our US sister publication CSO Online.

In 2003, TechNet, a national bipartisan political organization of senior executives from technology companies, established a CEO Cyber Security Task Force to promote awareness of information security issues among corporate CEOs. The group recently appointed Chris Zannetos, CEO of Courion Corp., a Framingham, Mass.-based provider of identity and access management technologies, as co-chairman of the task force. Zannetos recently spoke with Computerworld about his plans to seek broader support for the group's efforts and what he sees as the vital role TechNet can play in articulating industry concerns to the government.

What are your immediate priorities as the new co-chairman of TechNet? There really are two immediate priorities. One is to take the security evaluation for CEOs [developed by TechNet] and work across industries to modify it, integrate it and combine it with others so that we can have a more consistent and a more coordinated voice to government and to industry.

The second area is around the Common Criteria [certification for selling to government agencies]. We believe that there is a lot of confusion about Common Criteria and that there may be some unintended consequences of Common Criteria as they currently exist. We all know, and I think everyone in the government would agree, that we are in the early stages of Common Criteria certification standards, and we think it is vital that industry weigh in now on how we move forward with the standard.

Where are you hoping to get the broader industry support for your efforts? We would certainly look at vertical organizations. Security, for instance, is a very important topic in health care, and certainly privacy is. Another good illustration is our work around Common Criteria. We co-organized the first Common Criteria user forum back in 2004 with the Cybersecurity Industry Alliance. That should give you an idea of the sort of organizations that we are going to work with very closely going forward.

Yours is a vendor organization. Will that hamper your ability to work with other groups who may see your organization as being biased? I may be the wrong person to ask that [question], but I haven't seen that to date. The good news is we have got very broad involvement across vendors on the Cyber Security Task Force. What that leads our customers to believe, maybe, is that some of that vendor bias will be washed out because there's not one vendor who's driving this, or two or three. It really is an effort across multiple vendors. But we are in fact sensitive [to the issue], which is why we have been reaching out to other organizations, including those that aren't vendor-based. We have had very preliminary discussions with a number of customer-only organizations to combine our efforts or at least coordinate our efforts so that we don't have multiple voices going out to government trying to educate them and ending up confusing those who are creating laws for all of us.

What exactly are the problems with Common Criteria that you mentioned? It takes an organization roughly six to 12 months to be certified at a cost between a quarter-million dollars to a half-million dollars. You have to take your products to labs that have been certified by the government to have them certified. Of course you have to apply resources to support those labs in certification. For many companies, the quarter-million to half a million is not a big deal. But a great deal of the innovation is coming from smaller organizations, and a quarter-million to a half million is a very expensive cost for them. So the question then arises, will these small companies go through certification and have a higher cost structure, and will they survive if they do? If they don't go through certification, will the U.S. government actually get the most innovative technologies around information security?

Are you concerned about more government mandates on IT security and privacy in the wake of the recent breaches at many companies? In many ways, the government, and in particular the federal government, is a reactive, responsive government. We've all seen how, because of the privacy breach disclosures over the last several months, many [in government] feel they have to do something to help protect consumers, not just from a national security perspective but from an identity theft and personal financial security perspective.

So absolutely, there are many, many efforts within Congress and within the Senate to try and address a variety of different things, whether it is potentially creating an IT version of Sarbanes-Oxley or whether it is database encryption. But their expertise is in governing and creating effective laws and not in information security, which is why we think it is vital to have a vibrant cybersecurity task force within TechNet. We believe it is very important for us to educate our congressmen and our congresswomen and our senators about the potential impact of some draft legislation.

But is there any example where such legislation has had an unintended consequence? When Courion started in 1996, encryption algorithms were classified as munitions. So in the first early years of Courion's life, we actually couldn't export our product because the encryption was viewed as strong enough to be classified as a munition. The goal of the government was appropriate in that they didn't want strong encryption to get into the hands of our adversaries. But the unintended consequence was to make U.S. companies less competitive relative to Canadian and French counterparts who could sell their products throughout the world. That is what we want to avoid as the government addresses privacy and national security issues as they must.