Creating A Culture of Security

Privacy 2002: Information, Security, and New Global Realities, Sponsored by the Technology Policy Group, Wyndham Hotel, Cleveland, Ohio

By: Orson Swindle, Former Commissioner

Thank you for that generous introduction and for this timely conference. Today, I would like to discuss the security and privacy of our communications and information systems. I must first remind you that my remarks represent only my views and don't necessarily reflect the views of the Federal Trade Commission or any other Commissioner.

A year ago, FTC Chairman Tim Muris announced his privacy agenda to this conference. The Chairman noted that privacy and security are two sides of the same coin. I want to take that thought a step further.

I believe that good privacy and security practices help build consumer trust and create consumer confidence - two qualities that hang in the balance these days. Without trust and confidence, the benefits of information technology in communications, commerce, and entertainment will never reach their full potential.

Throughout the past year, the Commission has pursued cases that emphasize the importance of good security practices to safeguard consumers' privacy and the security of sensitive personal information. The agency's recent settlements with Eli Lilly and Microsoft reflect Chairman Muris' and the Commission's commitment to advancing consumer privacy protection, enhancing security, and making sure that firms keep their promises to consumers.

The tragedies of September 11 left us with great concerns and many lessons to learn, not the least of which is to take action to safeguard our critical infrastructure and minimize our vulnerabilities. As in my old profession - flying Marine Corps fighter jets - safety procedures and regulations are most often products of tragedies. Since September 11 of last year, government and industry are devoting considerable attention and resources to evaluating vulnerabilities within our critical infrastructure and in the essential information systems and networks that make them work.

President Bush acted quickly to address these concerns by developing a National Strategy to Secure Cyberspace. Richard A. Clarke, director of the White House Office of Cyberspace Security, and his team have analyzed and compiled detailed information and ideas from leaders in all sectors of our society and economy. This effort has been a collaborative one - appropriately so, since everyone is involved.

I was honored to participate in the presentation of the draft of the National Strategy to Secure Cyberspace at Stanford University last week. One of the top White House priorities is to ensure the security of computers, information systems, and networks.

Computers are essential in virtually every aspect of our lives today. They help us control our nuclear and electrical power supply, transportation systems, communications, financial systems, medical and emergency service, and even traffic lights, and we are all directly or indirectly linked together within these networks. Dick Clarke and his team are looking for your comments on the draft National Strategy.(1) With our help, President Bush and his team are committed to making cyberspace and our critical infrastructure safer.

The goal of securing our national infrastructure is laudable - and necessary. We have no choice in the matter. But it may seem to many consumers like the view from 50,000 feet high. Some may ask, "What's in it for me? How can I be important, with my little old home computer that I use for email, surfing, and holiday shopping? Why should I be concerned?"

Ah, there's the rub. We have quite an education task before us! Let me explain.

Today we're all linked together through information networks and powerful personal computers. We enjoy astonishing benefits, but the connectivity also makes us vulnerable. As a society, we are very dependent upon these networks. People intent on disrupting our information systems and networks can cause us widespread and costly harm.

For example, I'm sure you all remember the infamous "I LOVE YOU" virus of a couple of years ago - one of the most costly viruses ever! This virus infected over 250,000 computers and more than 50,000 websites. As Tina Turner asked in a song, "What's love got to do with it?"

What I find particularly interesting is that so many people opened an e-mail often from a complete stranger with a subject line of "I love you"! I'm not sure what that says about our society. This virus did its damage by using the computers of innocent people - computers used as "zombies" - as a weapon to attack other computers. When attackers penetrate computer systems that aren't adequately protected, they can destroy the computers, destroy or steal valuable data, and even turn those computers into weapons systems against unsuspecting third parties. The same can be said for the home PCs being used by our children.

Last year, another virus, named "CODE RED," infected over 200,000 computer systems and used those computers to launch attacks that tried to take down the White House website. The threat was averted by a combination of federal and commercial computer experts reacting rapidly to block all traffic to that address.

Security incidents like these cost businesses, other organizations, and consumers billions of dollars every year. It is estimated that the worldwide economic impact of security breaches in 2000 and 2001 cost more than $30 billion, and that doesn't take into account intangibles such as damage to trust and confidence.

My intent today is not to terrify but to raise awareness and urge us all to action. Recent reports tell us that the average consumer is not instinctively aware that this is something he or she should be concerned about. Obviously, we have work to do!

American society and societies around the world need to think about security in a new way. Our perceptions must change. We must create a "culture of security" based on awareness, taking personal accountability and responsibility for our conduct, and taking whatever actions that we - as individuals, families, firms, workers, students, teachers, and organizations - can take to foster safe computing.

This new way of thinking, this culture of security will not spring from new laws or regulations or simply from technical innovations. But, it's not as complicated as it sounds. We already take safety precautions in order to limit risks in our everyday lives. We take our cars in for regular checkups. We wear our seat belts. We lock our houses when we leave. We need that kind of risk-minimizing thinking with our computers, and we all have to get involved.

Developing a "culture of security" will be a challenge. It will require an understanding of the problems, a substantial investment of time and energy, a great deal of education, and, most important, leadership from all aspects of society.

The good news is that we can do this. If we all work at it, we can enhance online security quite significantly, and if we do it right, it should become second nature to us.

I am reminded of being taught as a child to always look to the left and the right before crossing the street. I instinctively do this every day of my life.

This may sound elementary, but we need to make safe computing a routine thing, too. Security practices have to become second nature, just like the habits we learned as children. That's how we will establish a culture of security.

You've heard me say "we" a lot today. Let me be clear: When I say "we," I mean all of us. Since we're all interconnected by computers, we are all involved and have a role to play. This includes families, teachers, students of all ages, consumers, employees, and CEOs.

We all have to get this right. We must get to that point where we are intuitively looking "both ways" as we approach the cyberspace superhighway. How do we acquire this "new way of thinking?"

I believe that the first step involves awareness and education. Starting with ourselves, we must convince our families, friends, colleagues, and employees that computer security is important. I strongly urge corporate executives, educators, business managers, and community leaders to take the lead. It's simply the right thing to do. Get the word around in your circle of influence. People will listen to you because you're leaders.

Interestingly, about 85 percent of our information systems are owned and operated by the private sector, not by the government, so that means industry must step up to the plate and lead by example. Companies have to make strong and effective security and privacy practices a part of their corporate culture. They must educate their employees, clients, and associates with whom they share information systems. If you're a corporate leader, the most important point I want you to take away today is this: if you don't make security and privacy a part of your corporate culture, the FTC surely will be part of your future.

The FTC and other government agencies have a role to play but the government can't do this alone nor should it try. In May of this year, the FTC held an outstanding workshop on Consumer Security to discuss and identify security issues. What we learned at that workshop will serve as the basis for further activities at the Commission.

Remember, we will only be as strong as our weakest link. Schools teach our children how to use computers, but the kids get very little information about security practices. Again, it really should be as simple, and as instinctive, as looking to the left and right before crossing the street. And please remember: good habits last a lifetime.

Today, I am pleased to announce the FTC's consumer security website. You can see the address behind me (www.ftc.gov/infosecurity). This comprehensive website for the Commission's security education campaign offers free publications, such as "Safe at Any Speed: How to Stay Safe Online if You Use High-Speed Internet Access." This publication provides practical ways to safeguard information and encourages businesses and individuals to recognize their personal responsibilities regarding the security of information.

The Internet and associated technology have literally made us a global community. Our neighbors in the global community are joining us in this enormous effort to educate and establish a culture of security. For example, the Organization for Economic Cooperation and Development (OECD), an organization with which I had the honor to work during the past year, has issued a set of principles for establishing a culture of security - principles that can assist us all in minimizing our vulnerabilities. They are contained in a document recently published by the OECD entitled "Guidelines for the Security of Information Systems and Networks."

These Guidelines are an excellent starting point. The nine principles at the core of the OECD Guidelines can be incorporated at all levels of use and learning about information systems, networks, and computers. For your convenience, there is a link to this document on the Commission's website.

Although I'm sure you'll want to take a careful look at the OECD Guidelines document, let me just briefly share some of the concepts that the principles set forth in a common-sense manner.

Today, users at all levels, including home users, access the internet, information systems and networks with powerful computers. They need to be aware of the environment in which they are involved and its vulnerabilities. They need to recognize they are responsible for protecting their computers and that their failure to act also may cause harm to others.

Since we are all connected by computers, information systems, and networks, we need to respond to vulnerabilities and security incidents so as to minimize potential harm to not only ourselves but to others.

It is important that we use safe computing and respect the rights of others.

We must recognize that good security practices are dynamic, not a one-time "fix-it-and-forget-it" exercise. We must routinely update our security protection.

Good security and safe computing begin with design and continue with implementation and updates. It's up to us to make good purchasing decisions and use the available tools and practices so we can engage in safe computing.

If that all sounds like a lot of common sense, that's the idea. Well, let's all show exactly how sensible we are and put those principles into action!

I know that most here today are at the forefront of privacy and security. Some of you may even believe there is a need for more privacy legislation. In my view, a better option consists of a combination of market forces, industry leadership, innovation, and government oversight and enforcement of existing laws, similar to what has happened in the privacy sphere.

We have made a lot of progress in recent years improving privacy practices in the online world. The news media has played a critical role by raising consumer awareness. Heightened awareness has led consumers to demand improvements for greater privacy protection. Industry has responded with better information collection and privacy protection practices and by providing more tools to help computer users protect their own privacy.

The improvement of security should follow a similar path. For obvious reasons, however, there must be an even greater sense of urgency.

Computers and networks are fabulous tools. They've become an increasingly important - virtually indispensable - part of our lives. But as we join the "always on" network, we become more vulnerable to attack. We must protect ourselves from potential harm caused by others with malicious intentions.

Awareness, responsibility, and action remain essential. We must keep the dialogue going, learning more and more from each other and working together to find the best solutions.

The FTC has made security a priority, and we have a big job ahead of us. But the FTC is a small agency and can't do it alone. We have lots of information on what consumers and business should be doing to protect themselves, and we've consulted with many industry and consumer advocacy groups. (Some of you likely helped us assemble this information.) Now we're looking to leaders like you to help us spread the word to families, customers, friends, and associates. We need a cascade of knowledge about a culture of security flowing down throughout our society.

I hope I can count on you to be our partners in protecting the safety of our nation's critical infrastructure by helping us instill a new way of thinking - a culture of security for our information systems and networks - as we continue our long battle against terrorism.

To put it bluntly, a culture of security is not a choice any more; it's an imperative.

Dewie the Turtle

Now you've all probably been wondering who this little green guy is behind me, observing this presentation. This guy is my good friend Dewie the Turtle. We created Dewie as our FTC mascot to promote good online security.

Dewie will help us educate consumers of all ages, and he reminds us of the story of the tortoise and the hare where knowledge, experience, and persistent effort win the race - a good theme for us today because we're in this for the long haul.

Dewie's shell shields him from harm. Although we can't carry a shell around with us like Dewie, we can follow some of his practical tips for computer users of all ages, such as:

  • Use strong passwords.
  • Always use and update anti-virus software.
  • Use firewall technology - especially if you are using high-speed Internet connections - to protect yourself from intrusions and hackers.
  • Don't open email from any strangers, and avoid suspicious looking e-mail - particularly if they are professing love.
  • If a virus infects your computer, please contact your Internet Service Provider and your software vendor - and, children and students should be instructed to notify parents and teachers.

These are common-sense actions that go a long way to help us be more secure in our computing. Dewie is with us for the duration to help create a new way of thinking and promote safe computing. We have work to do, lots of practical knowledge to pass around, and lots of good habits to form.

We are counting on you and other prominent leaders to join with us in this effort as we venture out on the Information Superhighway.

Please don't forget: be sure to look left and right before you cross that street!

1. See www.securecyberspace.gov.