WASHINGTON — Neither the Bush administration nor Congress is providing
significant leadership or legislation to secure the United States against
cyber attacks, a security trade association charged Tuesday.
In its first public criticism of the White House and lawmakers’ efforts to
follow up on President Bush’s 2003 much-ballyhooed National Strategy to Secure Cyberspace, the Cyber Security Industry Alliance (CSIA) said Washington has taken only “limited steps” to improving the security of the
The steps are so limited, the CSIA contends, that it gave both the White House and Congress a D for their efforts in 2005.
“Currently, there is little strategic direction or leadership from the
executive branch in the area of information security,” said Paul Kurtz, CEO
of the CSIA. “Ensuring the resiliency and integrity of our information
infrastructure and protecting the privacy of our citizens should be higher
on the priority list for our government.”
Kurtz said this year’s massive data breaches, a barrage of security
vulnerabilities and the disruption of communications during Hurricane
Katrina highlight the urgent need for improved information security
preparedness and response.
Instead, Congress has so far failed to pass either data-breach disclosure or
spyware legislation. Lawmakers did approve creating the new position of
Assistant Secretary of Cyber Security with the Department of Homeland
Defense, but the White House has yet to fill the slot.
“Six months downstream, it’s time to put a person in that place,” Kurtz said.
“Part of leadership is delegation.”
Kurtz called the 2004 Homeland Security Presidential Directive calling for the United States to reduce
identity fraud and protect personal privacy a “toothless tiger with no money
attached to it.”
Kurtz also noted government cyber-security funding has been
“CSIA believes the government has a responsibility to lead, set priorities,
coordinate and facilitate protection and response,” Kurtz said.
To underscore the economic impact of Washington’s inaction on cyber
security, the CSIA also issued its first Digital Confidence Index (DCI),
benchmarking the confidence of Americans in the country’s information
infrastructure. The first numbers came up with a DCI ranking of 58 on a
The DCI benchmarks six areas of U.S. confidence: finance, health data,
telecommunications, Internet, consumer data and power grids.
“A score of 58 on the DCI is less than a passing grade. That’s not a good
sign,” said James Lewis, director of the Technology and Public Policy
Program for the Center of Strategic and International Studies. “It’s getting
kind of old that we’re not making progress.”
Lewis added, “The effect of a loss of confidence in the networks Americans
rely on every day for business transactions, electricity, personal and
business communications and even health services will be felt over time.”
Having flunked Washington’s 2005 cyber security efforts, the CSIA, whose
members include Entrust, RSA Security, McAfee and Symantec, challenged
lawmakers and the administration to a new set of goals.
CSIA’s 2006 agenda will address implementing national laws on data breach notification and
spyware, filling the Assistant Secretary of Cyber Security
position and increasing funding for cyber-security research and development.
The purpose of our [agenda] is not to dwell on past events or direct blame
on any one institution,” Kurtz said. “Rather, we wanted to assess where we
are today in terms of protecting the integrity of the information
infrastructure so that we can determine which steps need to be taken to make