By Grant Gross
IDG News Service
May 10, 2006
Terrorists and organized criminals are using computer vulnerabilities
to line their pockets, but many cybersecurity ideas coming out of the
U.S. Congress may not help much, some experts said Wednesday.
Legislation that would require companies with data breaches to notify
affected customers will create new expenses for companies, much the
way the Sarbanes-Oxley Act did, said Bruce Kobayashi, a law professor
at George Mason University. Congress passed Sarbanes-Oxley, or SOX, in
2002, and the law requires public companies to report their internal
processes for ensuring the accuracy of financial reports.
"I think Congress has to ... slow down," said Kobayashi, speaking at a
data security conference sponsored by conservative think tank the
Progress & Freedom Foundation (PFF). "Otherwise, we're going to get
some SOX-type legislation in which firms spend a lot of money sending
Since a rash of data breaches in early 2005, Congress has introduced
more than 10 bills related to data breach notification. Four bills are
awaiting action on either the Senate or the House of Representatives
floor, but the bills differ in their approach, and each would have to
pass through the other chamber to become law. Congress is scheduled to
adjourn for the year in early October.
The working model for a data breach bill seems to be the SOX law,
which has cost U.S. businesses hundreds of millions of dollars,
Kobayashi said. "The model is a sledgehammer," he said. "What
economists hope is Congress steps back and looks at the costs and
benefits before they do something like that."
But others speaking at the PFF conference said cybersecurity problems
are more serious than most people realize. The U.S. Federal Bureau of
Investigation gets frequent reports of hackers attempting to extort
companies by threatening to release customer data, and the U.S.
Department of State has warned of terrorist organizations training
hackers, said Alan Paller, director of research for the SANS
"You get shot trying to rob jewelry stores," Paller said. "[Hacking]
is a much better way to raise money to buy the bombs."
Some consumer groups and businesses have called for a national data
breach notification law. Businesses such as data broker ChoicePoint
Inc., which in February 2005 announced a breach affecting about
150,000 people, have called for a national breach notification law
instead of complying with a "patchwork" of nearly 30 such state laws.
Kobayashi called for Congress to pass a law allowing companies to
comply with one state law, much the way U.S. corporations register in
Delaware because of its corporate tax law. "We have seen innovation at
the states," he said. "I don't have any answers, but I'm sure that
neither does Congress."
Instead of waiting for Congress to act, businesses should demand more
secure IT products, said Ken Silva, chief security officer for
security vendor VeriSign Inc. He encouraged technology buyers to join
organizations that advocate for more secure products.
"We can't wait for Congress to solve this problem because it's not
going to solve the problem," Silva said. "The fact of the matter is
extortion is already illegal. Passing a law to make electronic
extortion even more illegal looks good on television, but it doesn't
really solve the problem."
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.