The CSIA recently criticized the federal government for its apparent failure to act on recommendations to improve cybersecurity. What exactly is the problem? [Former White House counterterrorism chief] Dick Clarke, in his last act working for the White House, pulled together in early 2003 a strategy for the president to secure cyberspace. That was in 2003. I was in a task force around corporate governance and reported out to the Department [of Homeland Security]. We are heading out into 2006, and the government has done absolutely nothing to execute on their own strategy. I think it is entirely appropriate that the Cyber Security Industry Alliance and industry leaders call attention to that fact. We are pleased that [Department of Homeland Security Secretary Michael] Chertoff announced that he is going to appoint an assistant secretary [for cybersecurity]. But that was almost six months ago. OK, we had Hurricane Katrina, and he's been preoccupied. But when oh when are we going to get that assistant secretary, and when are we going to start executing on a strategy that was laid out almost three years ago?
Among the failures mentioned by the CSIA was the continued lack of information sharing between government and the private sector on cybersecurity matters. The idea of information sharing is a pretty comprehensive and complex topic. The reason is, while the technologies exist, getting together the people and the process part of it is a lot harder. Is the profile of somebody in the FBI equal to the profile of somebody in the CIA or the DHS? How are you going to get all of these agencies to agree on what level of access is going to be adequate for people at various levels in the government? What kind of access are you going to give to somebody from the FBI to the CIA database? What kind of access are you going to give DHS to the FBI database, etc.? I won't minimize the challenges the federal government has in implementing information sharing.
What do you think of a federal data-breach notification law? I think it's a good thing to have breach-notification regulations. Consumers have the right to know if their identities have been compromised; that's pretty fundamental. I do advocate that the federal government use their preemptive right on this because you don't want companies trying to figure out 30 different state bills. Generally though, we are not in favor of regulations mostly because of concern that government will regulate around technologies, and technologies are ephemeral. What we would rather see -- and we are hopeful because the DHS has created a position of assistant secretary for cyber security -- is the government lead and strongly suggest to industries that they set their own best practices around security in general.
There were an unprecedented number of security incidents reported in 2005. Are the bad guys getting better, or is it simply that breach-disclosure laws are forcing more companies to admit to compromises? The California breach-disclosure law certainly helped. But I think it is clear that attacks on the Internet have evolved from viruses and worms. Those kind of attacks are broad-based and kind of affect everybody equally. But the latest attacks are for criminal gain. They are much more specific in terms of getting at people's information. So I think that's been the single biggest change -- organized crime and your average petty criminal looking at this as a growth opportunity.
What does RSA's recent purchase of Cyota mean for enterprise customers? We are basically responding to the market need that we see for customers. We have said right along that to solve this problem of identity theft, strong authentication is the best practice whose time has come. Obviously, we have been very successful with very active methods of authenticating people with our tokens and digital certificate technology. But increasingly, especially in the U.S. market, there is more and more of a requirement for passive methods of authentication. With the acquisition of Cyota, we've taken a layered approach that goes from the passive to the very active. It is great technology to fill out our authentication story and expand our consumer opportunity.
What do you mean by passive authentication? With active authentication, the user has to do something. In the case of Cyota, the authentication technology operates under the covers and works on a series of risk-based analytics. A profile is developed for each consumer, based on the computer they are logging on from or the device they are using, and then on a set of behaviors. So if we find that a computer user is coming from a different IP address and the IP address and the time zone is Moscow standard time and one of his behaviors is to transfer money into a bank in Latvia, I would say there's a 100% probability that that transaction would get kicked out and that the person would not get authenticated to do that kind of transaction. All this would happen under the covers without the active participation of the consumer.
Some security analysts believe that token-based authentication of the sort RSA sells is too cumbersome and expensive to be of much value. What do you think? I take exception to that. You enter a PIN, and you read a number off a token. I don't think that's particularly cumbersome. People do like it. People do understand that this is a device to authenticate them, and it gives them a high degree of confidence. As you go up the food chain of active authentication, you can verify things like wire transfers, more readily sign things to the extent that signatures are required. One of the things we have done is launch a service that will stand up side by side with the Cyota service and will allow people to register themselves through their tokens on multiple sites. And to the extent that consumer-facing organizations participate, these tokens can be used to verify consumers in multiple places.
What are the consumers' own responsibilities when it comes to securing their information? I think we vastly underestimate the consumer. What a lot of financial institutions have done is gone to them and ask them, "Would you like a token to authenticate yourself?" Absent any value statement, the consumer is likely to say, "No, I like things just the way they are." Contrast that with, "Are you worried about your ID getting stolen?" or "Would you consider using a device to protect your ID?" and the answer is "Yes." So it all depends on how you ask the question.