Cyber-Security Imperative

A security wakeup call is aimed at vendors.

Its a lamentable state of affairs, but it will probably take years more of identity theft on a massive scale and security breaches of increasing severity to spur common-sense actions that should be taken today. What other explanation seems plausible, in the face of the apparent indifference to a growing list of well-considered recommendations on the issue?

In April, the National Cyber Security Partnership issued several reports outlining steps that should be taken to protect personal and property rights on the Internet. The partnership was formed in response to the White House National Strategy to Secure Cyberspace "to develop shared strategies and programs to better secure and enhance Americas critical information infrastructure."

The laudable work of the partnership is in danger of suffering the fate of so many committee and task force reports: collecting dust. The policies have yet to be broadly embraced and implemented, even by the Department of Homeland Security, despite their clear merit.

One of the most important reports issued by the partnership deals with adopting rigorous cyber-security practices as part of corporate governance. "It is the fiduciary responsibility of senior management in organizations to take reasonable steps to secure their information systems," said Art Coviello, president and CEO of RSA Security and co-chair of the Corporate Governance Task Force, in a statement issued with the report.

Still, many businesses that should get with the program are hanging back. This is leading U.S. Rep. Adam Putnam, R-Fla., chairman of the House subcommittee on technology and information policy, to threaten introducing regulatory legislation, the Corporate Information Security Accountability Act, that would require publicly traded companies to form information security plans. With regulations ranging from HIPAA to Sarbanes-Oxley already on the books, corporations hardly need another compliance headache. And yet thats just what theyll get—and what theyll deserve—if they dont take action on their own.

Some corporate lawyers fear that if security commitments become part of governance procedures, information security failures may constitute negligence. This concern, however, is trivial when compared with the damage that can be done to the nation if the businesses that make up the fabric of the national economy are paralyzed by coordinated cyber-security attacks.

Effective tools are available. One is DomainKeys, a mail authentication system that can blunt phishing scams. Developed by Yahoo and under consideration as a standard by the Internet Engineering Task Force, DomainKeys is implemented in the latest versions of Sendmails MTA (mail transfer agent) software and will be implemented in Yahoo Mail by years end.

Business and government must overcome an evil as daunting as cybercrime—denial—and get on with securing their IT infrastructures.

Were interested in your Opinion. Send your comments to

To read more from the eWEEK Editorial Board, subscribe to eWEEK magazine.


Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.


Be sure to add our Security news feed to your RSS newsreader or My Yahoo page