REDMOND, Wash., Dec. 8, 2000 — Work together, educate the public and develop the best practices possible.
These were the conclusions shared by 250 of the nation’s top security and privacy leaders following two days of discussions at SafeNet 2000. Organized and hosted by Microsoft, the summit was the first of its kind to seek solutions to some of the Internet age’s most vexing problems.
The leaders, who spent much of the summit working in small groups, were unable to come to consensus on some issues or unearth any groundbreaking new methods for increasing security and privacy in cyberspace. But many said they had gained new perspective on how to create a solid backbone of protections for consumers, government, business and other users.
“Often times, we only read about each other in the newspaper,” said Bob Herbold, executive vice president and chief operating officer at Microsoft, during his closing address. “It’s great to know you all are real people, and that we all have interests that are more common than we might have thought.”
Working Together
Each of six working groups offered a report Friday afternoon to close the summit. One theme among several of the groups was the need for businesses, government and others to work together to find the best ways to increase cyber security and privacy and to help each other when problems arise.
The Internet has created a shared infrastructure for everyone reliant on information technology. Every time one business or group provides access to the Internet, it is creating potential risk for another, said Bill Bishop of the Institute of Internal Auditors, who spoke for a group that discussed risk management.
“We have a shared responsibility” that goes along with this access, he said.
A group headed by Microsoft’s Howard Schmidt stressed the need for increased trust between different businesses, groups and organizations. He said that too often, the major players in information technology maintain a small group of trusted colleagues. These different players need to extend their trust and information on security issues to others they may not now work directly with.
These partners should create routines for sharing information when viruses and other security issues arise and practice how they will institute them before problems occur, Schmidt said.
A group headed by Richard Guida of the U.S. Department of Treasury concluded that organizations have a responsibility to promote awareness of security vulnerabilities and minimize harm that might result from those vulnerabilities.
“If you discover a security flaw, it should not and will not remain secret indefinitely,” Guida said.
If any of these partners misuse the information, they can be cut out of this trust network, Schmidt’s group concluded.
By working together, businesses and organizations can better assess the risk presented by different security problems, said John Meakin of Dresdner Kleinwort Benson, another member of the Risk Management Group. He suggested creating actuarial tables based on shared security information that could be used in much the same way as insurance actuarial tables.
Educating the Public
Several groups agreed about the need to maintain cyber privacy and security policies and publicize them in as many ways as possible — online and offline. These policies should also be easy for the average person to understand, groups said.
The Privacy Technology Group agreed new tools to help users protect information and resources online must, among other things, be user friendly, inexpensive and easily accessible.
“We can’t build it and expect that they will come,” said Lance Hoffman of George Washington University.
Hoffman’s group couldn’t decide what level of privacy controls should be preset on computers and other devices and whether users should be forced to make a choice about privacy settings, even if it is an uninformed choice.
The public can also play a role. Meakin said consumers should reward businesses and other organizations that seek to increase cyber security and privacy.
“We should advise customers to select products whose makers are actively involved in improving security,” he said.
Develop Best Practices
Groups failed to agree on where the line between legal enforcement and voluntary safety and privacy practice should be drawn, except in a few cases, such as privacy of health records.
There was greater consensus about the need for businesses and other organizations to develop and follow practices that minimize the risk of cyber security and privacy problems.
Businesses and organizations should do internal and third-party audits of their privacy and security policies, one group suggested. Its members also advocated the need for chief privacy officers to manage, monitor and fight the “moral high ground” on privacy issues.
What’s next?
The next challenge for the safety and privacy leaders at SafeNet 2000 will be to follow through on the recommendations. One group agreed to make and distribute a white paper with detailed recommendations.
Herbold challenged all in attendance to continue seeking solutions. He said Microsoft will continue to maintain a leadership role in areas of cyber security and privacy. “Who knows,” he added, “there may even be a SafeNet 2001.”