April 04, 2001, 10:06 AM — Corporate America's reluctance to be more forthcoming about internal data security measures has come under scrutiny on Capitol Hill.
Buoyed by the effectiveness of the Securities and Exchange Commission's requirements for companies to detail their Y2k preparedness in their earnings reports two years ago, legislators are considering a similar model for cybersecurity.
As with Y2k, the government can help ensure public trust and confidence in the Internet by requiring firms to disclose the security measures they have in place, said Sen. Robert Bennett (R-Utah), chairman of the Senate's Republican-led High-Tech Task Force and the Special Committee on Y2k.
"It made a whole lot of companies far more interested in solving the Y2k problem than they were before," he said, speaking at a recent security policy forum.
A spokesman for Bennett said the senator doesn't plan to introduce legislation that would require new regulations but hopes to get the SEC to take action on its own. However, an SEC spokesman said that the commission isn't in a position to comment on Bennett's remarks.
Scott Wright, director of information security services at Reston, Va.-based The Netplex Group Inc., said such a move would substantially "raise the bar" on security. According to Wright, the only question is, "What size stick does the SEC hold if companies don't meet the requirements?"
Bennett's comments come as more companies begin to look at Internet security as a risk management challenge. Whereas companies once thought of security as keeping unauthorized people out of their networks and securing the privacy of their customers' information, today it's about reducing liability, say experts.
"The issue is not privacy. We don't want privacy on the Internet. We want security," said Bennett. "It comes down to 'I'll show you my security protections if you'll show me yours.'"
Craig Goldberg, CEO of Internet Trading Technologies Inc., a New York-based technology subsidiary of stock trade regulator LaBranche & Co., said his company learned about risk management the hard way. Last March, two former employees launched a subtle but damaging series of denial-of-service attacks in an attempt to blackmail the company into providing them with stock options and other benefits. The FBI eventually arrested the employees, but the attack caused costly interruptions that prevented Goldberg's customers from making online stock trades.
"We took what we thought were reasonable precautions," said Goldberg. However, "it is difficult to stop a determined, highly skilled insider. I learned that security is both about risk management and hiring honest people," he added, advising companies to "do whatever is reasonable" to protect their systems.