After 18 years of high-powered work in the federal government, which included counterterrorism, strategic arms control, and the national cybersecurity strategy, Paul Kurtz got an offer he couldn't resist.
He was working as a special assistant to the president in the White House's Homeland Security Council when a group of CEOs from some of the top cybersecurity companies – Symantec, RSA Security and McAfee among them – told him about an idea of theirs. The cybersecurity industry needed to pull together and speak with a common voice on public policy issues affecting infosec, they said, and asked him to lead the effort. Already looking to move to the private sector, yet not wanting to give up security, Kurtz leaped at the chance. "To me, it seemed like a truly significant opportunity to affect change," he recalls.
So with Kurtz at the helm, the Cyber Security Industry Alliance (CSIA) launched in February. Based in Washington, D.C., the advocacy group aims to improve cybersecurity through public policy initiatives, academic alliances, public awareness, and alignment with industry standards efforts. The 13-member organization, comprised solely of security software, hardware and service vendors, has been welcomed by some security experts, but viewed skeptically by others.
The security industry "has a special role to play," Kurtz asserts, adding that CSIA is the only group focused solely on internet security, while other trade groups, such as TechNet and the Business Software Alliance, address it only part-time.
Getting down to business
Explaining CSIA's philosophy, Kurtz says: "We see cybersecurity as very much of an economic and business issue. Our economy is hemorrhaging billions with identity theft, downtime, loss of intellectual property. We need to encourage individual businesses to look at this issue more closely."
He adds, though, that terrorists are not behind the billions lost from cybercrime, but hackers and organized crime. "It's not to say I don't think we won't see terrorists launch cyberattacks," he says. "If we can improve cybersecurity on the basis of business and economy, we'll raise the bar and harden our overall networks to attacks that will eventually come from terrorists."
CSIA is taking a bipartisan approach to public policy, working with both Democrats and Republicans to raise, as Kurtz, a registered lobbyist, puts it "the overall understanding of cybersecurity policy issues at play."
On the policy front, the group has several key initiatives. One is to push the concept of corporate governance relating to cybersecurity. Another is to help clarify the IT security requirements in Sarbanes-Oxley, which publicly traded companies are grappling with, according to Kurtz.
"There isn't clear guidance in that area. CSIA can't offer guidance, but we can offer a product that can talk about what was the legislative history, whatever oversight agencies such as the SEC said, and look at what corporate America has done," he says.
The organization plans to produce a similar document for HIPAA. Overall, when it comes to legislating cybersecurity, CSIA sees a need for clarification on existing laws, but opposes additional mandates.
More than policy review
Besides keeping an eye on policy issues, CSIA drafted input for an ongoing government review of the National Information Assurance Partnership's (NIAP's) Common Criteria Evaluation and Validation Scheme for IT Security, which evaluates IT product conformance to international standards.
Another focus for CSIA is establishing alliances with academic institutions that have an interest in internet security, such as George Mason University School of Law's Critical Infrastructure Protection Project. It also recommends more collaboration between government, the security industry and end-users to improve the NIAP testing process.
"It's not about trying to have research money pour into our own firms," he says. "There's a gap between what the government and private sector are doing on research and development, and what educational institutions are doing, and there's a need to try to close that gap."
Symantec chairman and CEO John Thompson, who led the charge behind the creation of CSIA and serves as its chairman, says the group evolved out of a realization that cybersecurity has become a multi-billion dollar part of the IT industry and that regulatory, interoperability, and user-awareness issues all affect its future success.
Thompson hopes that "we'll be able to have an impact on how technology policy in this area really does evolve, so that we don't have regulatory initiatives that make false promises to consumers or businesses or impact the innovation of the industry overall."
Boosting confidence in security
Ultimately, he hopes, CSIA can "create an environment where people can have a sense of confidence that what the industry is doing to secure the internet infrastructure is, in fact, helping to build a better internet infrastructure."
RSA's president and CEO Art Coviello says the time was right for the industry to come together. "Cybersecurity is becoming a bigger issue, not only with the government, but also as one of the crucial factors in driving the internet economy," he says.
While CSIA will weigh in on policy issues, standards development – such as those around web services security – also are critical, believes Coviello, who co-chairs CSIA's standards committee: "We won't achieve as much potential with the internet if we don't get standards of interoperability generally and with security specifically. Some of us compete, some of us don't, but all of us are interested in making a level playing field that advances things."
Ron Moritz, Computer Associates' chief security strategist and CSIA standards committee member, says that the unified voice the organization gives the industry is essential when talking with legislators and federal officials. He believes that Kurtz's Washington experience made him ideal for the job.
"He's got a tremendous challenge, because the plate of the CSIA is quite full. So far, he's doing a bang-up job," says Moritz.
Coviello notes that Kurtz brings an enormous amount of commitment and leadership to the post. "He's not one of those leaders who simply say 'It's got to be my way'," he explains. "He knows how to build a consensus, which I think is necessary to move the ball forward."
Indeed, a co-operative spirit is one of CSIA's major strengths, comments Michael Rasmussen, analyst at Forrester Research."It wants to work with other factors that come into the security equation," he says. "It might represent the vendor end, but it's willing to work with end-users and associations of professionals out there in the field doing security operations."
Since CSIA is new, the jury's still out on its effectiveness, says Amit Yoran, director of the National Cyber Security Division in the Department of Homeland Security. But he adds: "We are optimistic that we'll be able to develop a positive working relationship with it and that, ultimately, it will be able to add value to the nation in helping to improve cybersecurity."
John McCarthy, executive director of the CIP project at George Mason University School of Law, says it's critical for the university to have an alliance with an organization such as CSIA to provide a real-world outlook as it develops critical infrastructure and homeland security programs.
"What Paul and his group bring is a perspective and needs from the industry's view that researchers don't have on a routine basis," he says. "The goal of programs like CIP is to align research objectives with the needs articulated by the industry and government."
Yet other security experts are more skeptical of CSIA. When it launched, Andrew Braunberg, analyst at market-research firm Current Analysis, said the organization might be more of a mechanism to make it easier for its vendor members to sell into government accounts, a criticism Kurtz flatly rejects. "I'm not here trying to advance particular contracts for firms or working with appropriations people on the hill to get contracts for our firms," he insists.
Bruce Schneier, CTO at Counterpane Internet Security, was one industry professional who opted against joining CSIA. "The world does not need more lobbying groups," he explains.
CSIA has a great opportunity to boost cybersecurity by promoting the idea that government should lead by example in its procurement practices, says Alan Paller, director of research at the SANS Institute. "But some of the officers of some of the member companies are hooked on the 'any government action is bad' mantra," he claims.
"If that's the theme, then all they're doing is reinforcing the argument that government should stay out of security when in fact government leadership in security is the only lever there is."
The idea of government leading by example through procurement isn't new and is one CSIA plans to encourage, states Kurtz.
CSIA also intends to expand its membership. In June, it launched an affiliate member program for small security firms and large IT enterprises that provide operating or networking systems or systems integration.
Just as with his previous work, cybersecurity requires the translation of extremely technical issues into policy terms. It's a challenge Kurtz relishes.