Putting teeth into U.S. cybercrime policy

Paul Kurtz leads a CEO group pressing for more-effective cybersecurity laws. Will it succeed where others have failed?

Matt Hines Staff Writer, CNET News.com
It wasn't so long ago that interest in the topic of online crime was limited to a small circle of technologists. Nowadays, senior government officials talk about it as a potential national security threat. That's where Paul Kurtz comes in.

As the executive director of the Cyber Security Industry Alliance, a consortium of CEOs pressing for more-effective cybersecurity legislation, Kurtz is hoping to make sure any new regulations carry real weight. And since the 41-year-old Kurtz's resume includes a stint on the White House's National Security Council, as well as a period as senior director for national security at the Office of Cyberspace Security, it's a good bet that he'll find an audience willing to hear him out.

Kurtz helped develop the international component of the National Strategy to Secure Cyberspace, as a member of the President's Critical Infrastructure Protection Board. In his new post, Kurtz believes the CSIA, which was founded in 2003, can succeed where other security interest groups have not.

Unlike industry efforts that have criticized the government for doing too little, or policy groups that have called for action and failed to consider the implications of technology-oriented legislation, Kurtz is looking for middle ground. The security expert believes that by helping the government see the big picture, tech-wise, and aiding politicians in writing laws that have real teeth against cybercriminals, true progress against the tide of online threats can be made.

Earlier this month, CNET News.com caught up with Kurtz to hear his ideas on where CSIA's battle for better cybercrime legislation currently stands.

Q: Why do you think the CSIA will have an audible voice among the many parties pushing for cybercrime law reform?
Kurtz: Before our group was formed, there really wasn't any organization that was focused on (cybersecurity) policy issues full time. People were following worms and viruses, and talking about best practices, but nobody was really following the legislative agenda on Capitol Hill or developments within the executive branch on a regular basis.

And we're looking in the states as well. We're CEO-driven, which makes us unique as well. We have top-level involvement from our corporate members, not just a passing interest.

The CSIA seems to be looking at spyware legislation quite a bit. Why is that work so important right now?
Kurtz: There is a real concern on the part of the industry to combat spyware. There are so many sites with different forms of adware that download malicious software and tools to people's computers and that are hard to uninstall. The interesting piece is that the adware people are beginning to get concerned and threatening to sue people who try to uninstall spyware, which they claim end-users have agreed to license and load.

Has any progress been made in creating a more comprehensive definition?
Kurtz: It's hard to say. One person's definition tends to differ from someone else's. Some people find a cookie very intrusive, while some people don't find it problematic. But we're talking about the truly malicious stuff--keystroke loggers, software that can't be uninstalled, or programs that take down your system when you try to take them off.

It's really important to make sure that our case is heard in regard to spyware, what our firms are dealing with and how they're trying to protect consumers. Our job is engaging Congress as it is contemplating legislation and making sure that they're working with industry all the way.

We've seen some companies known as spyware sources trying to be more open about their business practices. How do you balance protecting these companies' rights with your efforts to protect consumers?
Kurtz: There are a variety of ways to approach this problem. We're working with the Center for Democracy and Technology, which has pulled together a working group to examine this issue. And this effort includes not only the anti-spyware vendors, but also folks like ISPs and search engines, as well as consumer protection advocates. I think there is a need to look at this stuff in a comprehensive context.

So there is room for legal spyware, if you could call it that?
Kurtz: It has to be made clear to companies that if your software does certain things, then it is going to get blocked. It won't necessarily be easy to do this, but we need to make it clear to the adware people what sort of behavior won't be tolerated.

Clearly, there are some adware companies out there that are trying to do this the right way. The effort isn't about demonizing the entire adware industry; it's about trying to identify the players operating on the margins, who make things more complicated for everybody. Beyond that, you address the idea of criminalizing the behavior, and that's important too.

So, we need more complex regulations that define spyware and adware properly?
Kurtz: Yes. And there has to be a global context too. We're very interested in advocating for Senate ratification of the Council of Europe's Convention on Cybercrime. That would help create a global framework for people to investigate and prosecute cybercriminals. If we look at CAN-SPAM, it was well intentioned, but it drove everyone overseas. And the Council of Europe's Convention will help us go after cybercriminals around the world.

Isn't a big part of the problem found in the idea that law enforcement doesn't have the time, money or manpower to effectively pursue cyberthreats?
Kurtz: Resources are certainly an issue. But again, with the Council of Europe's Convention, we've seen that with the laws in place, people can be effectively prosecuted. In other words, if the convention is ratified, with the new reach in U.S. law, we could see people prosecuted overseas.

However, we know that the practical implications of actually succeeding in prosecuting people out of the country are still not high. The Convention could help change this. And if we can get countries like the Philippines, Singapore, Malaysia and Indonesia--where a lot of this stuff is coming from--to sign off, we can get the framework to pursue cybercriminals on a more worldwide level.

But it would seem that we'd still need help on the ground in those countries--and here--to really deter this behavior.
Kurtz: The Convention would at least help to level the playing field. Prosecutors in the U.S. still do not have a reasonable expectation of successfully prosecuting people in these regions. The U.S. cannot stand on a soapbox and advocate that we're serious about fighting cybercrime in a global fashion until we ratify the Convention. Once we do that, we can turn to other countries to follow suit and actually pass the laws in order to pursue these criminals.

Not to harp on the matter, but people seem discouraged that even when the criminals are found, it's very hard to prosecute them.
Kurtz: I wouldn't dispute that. Having the laws is not a panacea, it's a first step. And it will help to add more law enforcement resources--and that's another step. No matter what, you're still going to see these attacks. That's where we'll still need technology to help us protect ourselves.

One of the important things about this organization is to look across the scope from the simple awareness of cybersecurity as a safety issue to building up education in cybersecurity, to looking at the policy implications of what the executive and legislative branches are considering, to looking at criminal behavior and increasing penalties. We have to look at the whole picture.

The rise of online fraud seems to stand as one of the larger technological threats to national security, as it could enable terrorists to raise funds. Will there be more federal action around cybercrime if homeland security is factored into discussions?
Kurtz: I think there is some value in that concept. For one thing, we've seen a change in hacking behavior over the last year-and-a-half, where the activity is now being conducted for a profit. There's a lot of money being raked in. Some numbers I've seen indicate that 5 percent of all phishing attacks are successful, which is scary when you consider the volume in these attacks that we're seeing.

But is phishing a threat to national security?
Kurtz: I think there's cause for concern when you consider the potential nexus between hacking for profit, organized crime and extremist or terrorist elements.

A lot of people, when they speak of cyberterror, are speaking in limited terms about people launching cyberattacks--mainly denial-of-service scenarios. I'm not pushing that off the table, but this other idea may be far more serious. And I frankly don't feel that we have a good handle on that. We have to know what that nexus is. One of the individuals implicated in the Bali terrorist bombings released a book, and the last chapter talked about using cyberfraud as a means to fund operations. We have to wonder if Americans are already funding the next terrorist attack.

Can I draw a direct line between all that right now? I can't. But we need to put two and two together and begin to figure out ways to make sure this isn't going to happen.

So the threat is real, and people should worry about it?
Kurtz: Right now, I think it's mainly a threat to consumers. It's a threat to e-commerce in how much money is being lost because of cyberfraud. And then there's the idea that it could be a threat to national security. But I don't want to cast cyberfraud specifically in terms of a homeland security issue. If you do that, you make the mistake of thinking that this is all Uncle Sam's problem.

There is some good news, in terms of ISPs doing a better job of protecting consumers. There are a lot of things that private industry can do as well as consumers. But the government does have a lot on its plate to consider.

Microsoft recently filed 117 suits against phishers, and one of the main reasons they did so was to find out who the people running these sites were. Should others follow suit?
Kurtz: If you look at the ability of federal law enforcement to respond to these issues or handle complaints, frankly what happens at the Federal Trade Commission is that all these complaints go into a central database, and that is searched to find patterns in behavior. The cases or individuals that prove to be most problematic get passed on to law enforcement to pursue. That leaves the average consumer with not much that they can do, and not a lot of recourse. As a result, I think that Microsoft's move is not a bad idea.

The recent consumer data losses at ChoicePoint and elsewhere are getting a lot of coverage, and generating legislation. What is CSIA doing to that end?
Kurtz: We're looking at the various legislation that's already been proposed, and we're trying to lay out some of the technical issues and how companies can be smarter about securing such large volumes of data. We're also going to come out with a list of recommendations for Congress to consider. For example, looking at the existing requirements out there, in pieces of legislation such as HIPAA (the Health Insurance Portability and Accountability Act), and how those are working, before new requirements are created.

At the end of the day, we are going to see legislation addressing data warehousing issues and protection of personally identifiable information. In this context, as Congress pulls together a framework, we want to talk about the technical solutions that are available.

Technical solutions are available to secure and protect data. Again, it's not a panacea, but as Congress considers new laws, it's important that they're given all the right information to consider.