The Honolulu Advertiser
Posted on: Thursday, April 17, 2003

Cybersecurity plan criticized

By Rachel Konrad
Associated Press

SAN FRANCISCO — Instead of pursuing strict regulations to guard against cyberterrorism, the federal government and technology industry have decided to jointly develop voluntary standards.

A federal plan to protect against cyberterrorism would involve a voluntary standards program. Critics say the plan won't improve security and could encourage hackers.

Critics say that won't properly protect consumers from online pranksters, hackers and identity thieves.

Members of the CEO Cyber Security Task Force, formed last month after the Palo Alto, Calif.-based trade group TechNet approached federal officials, say their standards would be akin to a "Good Housekeeping seal of approval" for computer security.

In theory, consumers who visit Web sites that display a certification logo would have an extra measure of peace of mind.

Plans call for a public awareness campaign in late summer to push the initiative.

Critics believe, though, that the voluntary standards will promote a false sense of security — and could even encourage attacks.

"As soon as a business advertises that it's adopted a security standard, hackers will take that as a challenge," said Victor Wheatman, vice president for information security at Gartner Research.

"Getting certified is like painting a bull's-eye for hackers."

Howard Schmidt, special adviser to the president for Cyberspace Security, acknowledged that many companies may snub the standards.

Still, he said a voluntary program is the best approach because the government has neither the desire nor the means to monitor — or penalize — companies that don't comply.

"I wish there were a silver bullet so that every company rolled out new security measures on the same timeline, but there's not," Schmidt said after a panel discussion Tuesday at an annual cyber-security conference here. "Ultimately we are taking a free-market approach. Consumers will naturally gravitate to companies that provide the best security, those that comply with the standards."

The standards are the next steps in the National Strategy to Secure Cyberspace, a directive the White House issued in February.

Schmidt said TechNet executives would create the standards with help from some of the 200 cybersecurity specialists in federal agencies such as Homeland Security, Defense and Treasury.

Task force members emphasized that the general standards would not include technical specifications, which could quickly become outdated.

"We'll create baseline standards that raise the level of security for everyone but that all small businesses can meet," said Rick White, president and chief executive of TechNet, whose members include Microsoft, Apple Computer and about 200 other technology companies.

Final recommendations will likely ask companies that provide access to financial statements to make consumers enter more than a simple user name and password, White said.

For transactions requiring higher security, such as the retrieval of medical records in hospitals, the task force might suggest that companies require retina or fingerprint scans. Although such biometric security devices are rare on home PCs, they have gained popularity in corporate data centers.

Task force members would not estimate the cost of compliance.

A tech-savvy law firm with a virtual private network for remote access and a multiple-password access program is already likely to comply, they said.

But a mom-and-pop retailer hoping to open an online division may have to hire a security consultant or overhaul its computer network to get certified.

Many security experts who attended the annual RSA Conference here predicted that the certification program would not improve security — particularly against cyberterrorists or overseas hackers.

One of the hottest trends in technology is offshore outsourcing — the transfer of data management and software development jobs to low-paid workers in India, the Philippines and China. More than 300 of America's Fortune 500 firms outsource some of their information technology work to India, Gartner said.

But companies abroad may not be aware of the standards, or simply unmoved to comply with them.

Skeptics also doubted whether American companies would adopt the standards.

"In many ways, this just increases the cost and complexity of doing business," said Pete Lindstrom, research director for Spire Security.

"In my opinion, this program is a disaster."