FTC Consumer Security Activities

Statement of Commissioner Orson Swindle
on

FTC Consumer Security Activities

Mr. Chairman and Members of the Subcommittee:

Security and privacy of confidential, personal information have been concerns at the FTC for many years, especially in the context of online technologies and electronic commerce ("e-commerce"). In the wake of the September 11 tragedies, all levels of government and industry have directed an enormous amount of attention to the critical nature of information systems and network security. Adequately enhancing this security is a complex challenge, requiring a new way of thinking for everyone involved.

The FTC's consumer security agenda complements the FTC's privacy agenda set forth by Chairman Muris in October 2001, which encompasses all aspects of consumer privacy, both on- and offline. By protecting consumer privacy and security, we hope to increase consumer trust in e-commerce and reap the benefits of this extraordinary tool for education, entertainment, consumer interests and commerce.

In May, the Commission held a two-day workshop on Consumer Security. We sought to identify critical topics demanding immediate attention, in order to enhance consumer security and minimize the vulnerabilities of the nation's critical infrastructure. Workshop participants, including experts from academia, government, and the private sector, examined the most relevant security threats that consumers may face on the Internet. We explored best security practices and how consumers' activities in today's "interconnected" world might make them unwitting participants in various security incidents. The Workshop will serve as a building block for future Commission education and outreach efforts.

The Commission's Offices of Public Affairs and Consumer and Business Education, in consultation with security and technology experts inside and outside of government, are developing a comprehensive, long-term education campaign aimed at promoting a "Culture of Security" among consumers, businesses and organizations in the United States and beyond. The education campaign will offer practical tips and best practices, such as encouraging home broadband users to install firewalls to protect their computers from unwanted infiltration. With the assistance of industry and consumer advocates, we are currently determining what kinds of messages can and should be delivered to ensure the largest possible number of groups and individuals become aware of the challenges that we face today. We hope that information about good security practices will be available to consumers in virtually every aspect of daily life: the workplace, schools, libraries, homes, and, of course, on the Internet. Our goal is to achieve a level of awareness where good security practices become second nature to consumers. Ideally, all of us will one day engage in sensible security practices in the same way that we put on our seatbelts before starting the car or look both ways before crossing a street.

On the international front, the Commission is playing an active role in the policy debate over information systems and network security, especially as these topics relate to consumers. Between December 2001 and June 2002, I served as the head of the United States delegation to the Organization for Economic Cooperation and Development ("OECD") experts group charged with revising the 1992 Guidelines for Security of Information Systems.⁽¹⁾

Originally written over 10 years ago, the OECD's Guidelines lacked relevance in today's interconnected world of information systems and networks. In light of contemporary threats, new technologies, and the essential nature of these systems and networks to our critical infrastructure, the OECD recognized that the Guidelines should be updated. The revised Guidelines, which I expect to receive formal approval later this month, apply to anyone involved with computers, the Internet, and information systems and networks. The Guidelines will be available to both member and non-member countries developing best practices for security in our global economy.

The revised Guidelines will be user-friendly and relevant to the current times and the roles of all participants in the information economy.⁽²⁾ The spirit of that document provides many important messages that will be incorporated into the Commission's outreach and education campaign to create a new way of thinking, or a "Culture of Security," among all members of society when participating in information systems and networks.

Security is on our minds at the FTC, and we hope that greater public awareness will soon follow.

Thank you, Mr. Chairman.

1. The United States delegation consisted of representatives from the Departments of State, Justice, the Treasury, and Commerce and the FTC.

2. Formal release and publication of the revised document is scheduled for September 2002.