Cybersecurity Firms Form Industry Association

An anonymous reader writes "Washington Technology is reporting that a new industry association centered around cybersecurity has been formed, to make sure security firms like RSA Security Inc., PGP Corp., Network Associates Inc., and others get their voices heard in Washington." Art Coviello, CEO of RSA Security Inc, is quoted in the article as saying: "The country is faced with the serious threat of terrorism and the possibility of cyberterrorism. If we can speak with one voice, we can play an important role in protecting the nation's critical infrastructure."

the new 'dot com'?

So the next new bubble is exploiting people's paranoia huh?

Just what are we securing here?

[LostCluster]

Let's see. Yesterday on Slashdot we had Microsoft adding anti-viral features into the next generation of Windows and today the anti-malware industry comes up with a lobbist group. Somehow, I think this has more to do of the security of their businesses from Microsoft's strengths than the security of any computers from Microsoft's weaknesses.

Re:Just what are we securing here?

[holizz]

Back when I had a WinXP box... I had to disable the firewall (on as default) so that I could send and receieve files through Windows Messenger... stupid Microsoft. I never used any other firewall or virus protection either and the only thing that destroyed all my data was when I installed over Windows with SuSE.

What was wrong with the HTCIA?

[bc90021]

Why didn't the executive members of these firms join the High Technology Crime Investigation Association? They already exist, and already have quite a number of members, and a lot of law enforcement are members too.

Headed by Paul Kurtz?

[Theatetus]

I thought Kurtz got drummed out of the Homeland Security department (with no shortage of bad blood) after Congress gave his GovNet idea the cold shoulder. Maybe I'm remembering wrong; either way from what I remember of his proposals when he was in DHS they're all based around the idea of putting a (hopefully) impenetrable barrier (a Maginot Firewall?) around critical resources rather than constructing a compartmentalized defense-in-depth.

Am I wrong in remembering that Kurtz was politely but firmly fired? If so will he help CSIA or just make their lobbying efforts more awkward?

What they really want

[seriv]

Something tells me that when they say "get their voices heard," it means a line-item in the next budget. Damn Lobbyists.

Hmm.

[teamhasnoi]

Led by a former Bush official, and made up of companies that are under direct threat of having their business drastically changed by Microsoft and OSS.

Oooh! I can't wait to see what kind of wacky, Orwellian, DRM-filled, DMCA protected bills they will try and shove down our throats with their big money lobbying powers.

Perhaps they'll decide that Microsoft is the reason for the (security) season and we'll get some anti-anti-trust laws in there.

OT- what the hell happened to the comment list in the user tab? Did I just eat a mushroom?

lobby group good, industry censorship bad

I imagine this will be good for making security an issue with lawmakers. But these things have a habit of being bought out by corporate interests. It will be interesting to watch them evolve and see whether a line for the party to toe gets drawn in the sand or whether they really do some good things like attacking the DMCA's restrictions on academic discussion of vulnerabilities.

This is more important than ever with voting becoming privatized (Diebold etc) as certain vulnerabilities are matters of grave public interest.

The whole idea of privatizing voting just does feel right does it? Why should corporate interests be running these things? Is there not such a thing as "society"? And if there is, why can't "society" do some things for itself rather than outsource them to corporations. Getting offtopic here... I will end.

I have a question.

[Faust7]

Why on earth isn't Microsoft on this list?

Now, before anyone chimes in with "Microsoft? Security? Thou smoketh crack!" ... consider this:

Members said the group's mission is to improve cybersecurity through public policy initiatives, public-sector partnerships, corporate outreach, academic programs, adoption of industry technology standards and public education.

Microsoft is an influence in some of those areas, a heavy influence in others, and a governing influence in others.

Would it not be of vital importance that they be a member of this group?

Re:I have a question.

[deadmongrel]

Would it not be of vital importance that they be a member of this group?
I think it would be better microsoft doesn't joing the group. why? 'cause then the security groups policies would be influenced more microsoft's business gains. Microsoft, like any other business organization would first look out for its business interests more than standards.

Re:I have a question.

[gid13]

Probably because, as was mentioned in another post, this group may well be being formed as a reaction to MS planning to enter the security business by including anti-virus tech in future Windows versions. It's likely primarily about the survival of these businesses first, security second.

Oh yeah, and thou smoketh crack. ;)

Re:I have a question.

[LostCluster]

The common bond is that all of the members in this group sell products that deal specifically with computer security and not much else. In other words, if MS were to put out a perfectly secure operating system, these companies would lose a good chuck of their revenues...

Government trusts public industry for security.

[juebay]

I could see the government supporting companies like Lockheed and the such. Yet, if I was the president of my very own nation why would I would trust anything in the public software industry, no matter how secure they say they are, when the very technology they create can easily be leaked and used against whoever uses the creations of the cybersecurity companies? Maybe a example would be better. If I worked at a war factory and gave the schematics of some sort of top secret, new tank. There are a couple problems in that the country that receives the information might not be able to use the plans because of lack of complicated subcomponents either because another company makes that subcomponent or the country can't make it because of lack of tools to manufacture. Now if a software company had their code stolen it can be enacted almost immediatly. Maybe the stripped down OSs might not be able to work the code but what prevents other nations from importing the hardware and software to get it to compile and run?

Cyber Terrorism?

[digitaltraveller]

I think most knowledgeable security people read that quote and cringed. I'm dissapointed to see RSA going the fear salesman route. Well if you can't beat the charlatans, might as well join them.

It's generally accepted within the legitimate security community that cyber terrorism is a non-issue. The threat can be completely mitigated by creating laws that prohibit safety critical systems from being connected to the internet. (eg. Traffic systems). And if we expand the definition of cyberspace to the limit, we need to move away from insecure SCADA systems. That's it.

Lobbying for insecure software.

[Ungrounded+Lightning]

Yesterday on Slashdot we had Microsoft adding anti-viral features into the next generation of Windows and today the anti-malware industry comes up with a lobbist group. Somehow, I think this has more to do of the security of their businesses from Microsoft's strengths than the security of any computers from Microsoft's weaknesses.

I agree, but for a different reason.

The entire business model of the anti-malware industry (or at least the named companies) depends on widespread deployment of insecure networks and servers to create a demand for their products.

So one can expect them to advise and pressure congress and other government officials to keep the deployed base as insecure as possible, to maintain and expand their market and thus their bottom line.

Government pressure on the dominant software vendor to improve its own security, government support for (or removal of roadblocks against) secure software alternatives and development models, and government conversion to secure software, are all a threat to their bottom line.

So expect them to advise the government to take action that would inhibit all of the above.

Their intiatives

[-tji]

From their web site, they say their initiatives are:
# Coordinating with the Homeland Security Department to improve information sharing between business and government on cyber threats
# Improving corporate governance of information security
# Improving federal procurement practices and guidelines
# Identifying gaps in cybersecurity research and development
# Collaborating with U.S. and international standards development organizations to support emerging technology standards and specifications for cybersecurity
# Supporting campaigns to improve awareness of cybersecurity
# Supporting cybersecurity academic and workforce development programs
# Pursuing Senate ratification of the Council of Europe's Convention on Cyber-Crime.

They sound pretty reasonable to me..

They one that might have some bad implications is the last one:

# Pursuing Senate ratification of the Council of Europe's Convention on Cyber-Crime.

Because Bruce Schneier is for the people

[0x0d0a]

It's a business lobbying consortium. It's not designed to advocate the views of the individual -- it's to try to siphon Homeland Security money into the coffers of RSA and a couple of security-related companies.

That doesn't mean that it won't have positive benefits -- I would *dearly* love to somehow see increased emphasis on security finally convince people to use PGP more -- but these people are not out to try and make your life better, a la the EFF.

Speaking With One Voice

[handy_vandal]

If we can speak with one voice, we can play an important role in protecting the nation's critical infrastructure.

Speaking with one voice is a good thing: Strength in Unity.

Speaking with one voice is a bad thing: Way of the Fascist.

-kgj