A Need for Greater Cybersecurity
Report Urges CEOs to Safeguard Computer Networks From Attacks
By Jonathan Krim
Washington Post Staff Writer
Monday, April 12, 2004; Page A02
Chief executives of U.S. corporations and their boards of directors should assume direct responsibility for securing their computer networks from worms, viruses and other attacks, an industry task force working with the federal government said.
The group stopped short of urging legislation to require chief executives to certify their companies' cybersecurity measures, as they are now required to do for financial statements after numerous accounting scandals. But in a report to be released today, the group said that cybersecurity should be taken just as seriously by top management.
"The best way to strengthen U.S. information security is to treat it as a corporate governance issue that requires the attention of boards and CEOs," the report said. For too long, the 37-member task force said, senior executives have ignored computer security or left it to their technology officers, who might not have the clout or inclination to make necessary changes.
The report is the latest in a series produced as part of an industry partnership with the Homeland Security Department to address computer breaches that have cost businesses and consumers billions of dollars over the past several years. Members of the task force included representatives from technology companies, such as Intel Corp. and Verisign Inc., academics and other corporate officials.
Early last year the Bush administration announced a national strategy to improve cybersecurity, including requirements for government agencies to strengthen their networks. But after heavy lobbying from technology companies, the initiative recommended no mandates on the private sector and left it up to the companies to work with the government to devise self-regulatory steps for improvement.
That approach has been criticized by many cybersecurity experts and some members of Congress, who argue that the dangers of hacking and cyberterrorism are too great to wait for companies to change their ways.
The report to be released today again rejects government mandates. But it recommends that auditing firms examine cybersecurity readiness when certifying that companies have adequate internal and financial controls.
"Any system of internal control . . . has to take into account cybersecurity," said Arthur W. Coviello, chief executive of RSA Security Inc. and co-chairman of the group. If such auditing occurs, he said, government regulations will not be necessary. The plan would require major auditing firms to agree on guidelines for evaluating cybersecurity controls.
The report also lays out how companies should incorporate cybersecurity into their corporate governance procedures, and recommends that the proposals be adopted by all companies.
The recommendations include requiring chief executives to order annual security evaluations and to report the results to their boards of directors.
F. William Conner, chief executive of the cybersecurity firm Entrust Inc. and the group's other co-chairman, said that the guidelines offer chief executives a detailed roadmap for how to make cybersecurity a higher priority.
The task force also asks companies to certify on their Web sites that they have adopted the guidelines, and urges the Homeland Security Department to push companies to adopt them.
The report does not suggest a deadline for compliance. Conner and Coviello said they hope the report will be read by chief executives and put on the agenda of their boards of directors as soon as possible.
Last fall, Rep. Adam Putnam (R-Fla.), who chairs the House Government Reform Committee's subcommittee on technology, information policy, intergovernmental relations and the Census, began to circulate legislation that would have forced companies to disclose cybersecurity breaches and conduct regular security audits. He withdrew the bill after technology trade groups asked that their members be given time to develop voluntary measures. Putnam's committee staff formed another working group of companies and academics, who issued similar guidelines.
Robert Dix, staff director of Putnam's subcommittee, praised the work of the various groups and said that for now, Putnam was willing to see how the recommendations are received before reintroducing his bill.

This mailing has been performed by Aavex Technology Corporation, 42w588 Still Meadows Lane, Elburn IL 60119 USA, 630-365-0025, in compliance with the "CAN-SPAM Act of 2003", approved and signed by the president of The United States of America on Dec. 16, 2003. For this reason, this email cannot be considered SPAM. This newsletter contains commercial advertisement.