Lawmakers and technology providers concede that they must create stronger mechanisms to improve protection of electronic consumer records, but claim that members of private industry must aid in the effort if those plans are to succeed.
At the Authentication and Online Trust Alliance (AOTA) Summit 2007, being held in Boston April 18-19, experts from both communities cited shortcomings in their abilities to prevent online attacks aimed at stealing consumer data.
Although laws and technology products have undergone significant makeovers in recent years to boost security for end users, the situation remains a serious problem for everyone from consumers to the government, according to presenters at the conference.
Massachusetts Attorney General Martha Coakley echoed sentiments expressed previously by other federal officials, including Department of Homeland Security cyber-crime czar Greg Garcia, in calling for a stronger partnership between private industry and the public sector to help improve the current problem of widespread consumer data exposure.
"As someone charged with protecting the interests of consumers, I urge everyone to look at the need for internal policing, for businesses to look at your obligation for security in the first instance to ensure integrity," Coakley said. "There's a need for a partnership that requires communication between the private and public sector to make sure that we can understand the problem and what we should be doing to protect consumers. Lawmakers can't do that alone."
Coakley said that her office is still struggling to understand all the dynamics of the consumer data theft issue, in particular all the elements of information technology's impact on issues of privacy and security. The official pledged that she is working hard to get up to speed quickly.
The Massachusetts Attorney General is currently leading a criminal investigation into the highly publicized data incident experienced by discount retailer TJX Companies, which has its headquarters in the state. Since the incident was first detailed publicly in Jan. 2007, TJX has admitted that hackers broke into its IT systems over a period of several years and made off with over 45.6 million consumer records, the largest such data breach ever reported.
Although after-the-fact analysis of the data theft proves helpful to lawmakers and police in understanding the problems facing both businesses and consumers, private industry should also study the TJX situation and move quickly to improve security to thwart criminal attacks, Coakley said.
"Ultimately it's in the interest of people in industry to ensure that this doesn't go so far that state AGs and federal lawmakers decide to prosecute," Coakley said. "This dialogue has to start today about keeping confidential data safe and making sure that when there is a breach, consumers are notified as soon as possible."
There has been significant debate among lawmakers and members of private industry over the creation of federal legislation that would establish stricter security requirements for companies collecting sensitive consumer data, with a number of high-profile bills currently under consideration on Capitol Hill.
The AG said, however, that federal officials have moved too slowly, and should not pass any law that robs individual states of the power to implement their own regulations.
Coakley cited a recent Supreme Court win on the part of Massachusetts lawmakers who successfully argued that carbon emissions are contributing to global warming as representative of the type of work she believes states should not be forced to account for.
"This win showed that the fed is not doing its job around climate change, and it's sort of a sad state of affairs when states need to go to the Supreme Court to get them to do their job," Coakley said.
"We need to revisit what the fed has or hasn't done. As AGs have stepped into consumer protection issues, most of us have felt that if the fed was doing its job we wouldn't be as organized," Coakley said. "Many people believe that we shouldn't need to go state by state, but we don't want federal pre-emption that abdicates the state's ability to do anything."
Arguably the most significant security issue facing most enterprises today is the large number of vulnerabilities in Microsoft products that have allowed hackers to find ways to break into business networks.
Many security researchers maintain that Microsoft's inability to close off publicly reported product flaws has allowed the consumer data theft and cyber-crime industries to flourish, as customers are left unprotected while they wait for software updates to fix the problems.
Scott Charney, vice president of Microsoft's Trustworthy Computing initiative, defended the software giant's policies and said that the firm is working hard to speed the process of creating security patches but faces significant obstacles in doing so.
"The biggest issue in the time it takes to get patches out is in quality and assurance testing. We spend a lot of time testing, and much like cooking soup, no matter how many chefs you hire, it still needs time to simmer," Charney said. "We're trying to do things to help customers be secure even if an update is not deployed and we're trying to reduce this testing process; we can't do this overnight. The ecosystem is complex and there are a lot of other software vendors that need to be involved to ensure that the patches work."
Craig Spiezle, director of online safety at Microsoft and chair of the AOTA, highlighted the continued problem of unwanted spam e-mail as a conduit to much of the criminal activity currently being carried out on the Internet.
Technological means of shutting down spam, such as the Sender ID e-mail authentication system, are already producing significant improvements in this area, but the problem is still growing, the expert contends.
"Spam has doubled over the last years; it is defeating traditional filters," Spiezle said. "The rules of the deliverables have changed and are impacting businesses, and at the end of the day fifteen million Americans have become victims of identity theft; as a result there's been a lot of tarnishing of consumers' trust and confidence in the online world."