February 24, 2005

San Jose Mercury News on Stock Options

Check out today's editorial in the San Jose Mercury News. It calls on regulators at the Securities and Exchange Commission (SEC) to stop the expensing of stock options. If they cannot do that, it calls for Congress to step in and take action. HR 913 was introduced on February 17th by Congressman Dreier (R-CA) and Congresswoman Eshoo (D-CA) and calls for an economic study of the impact of expensing options as well as a delay in expensing while the study is taking place. Check out the editorial at the San Jose Mercury News (free registration is required).

Posted by John Earnhardt at 11:08PM PST

February 23, 2005

Why people don’t report intrusions…

Interesting piece in ComputerWorld about why companies don’t report security breaches—the piece says it might hurt their reputation, and their business.  The inverse of this is that security matters and that companies have incentives to get secure (this on the theory that eventually, most everything becomes public….). 

The piece cites the 2004 CSI/FBI (see upper right of page) 9th Annual Computer Crime and Security Survey, which I find to be about the best set of statistics on security incidents. It has been tracking data consistently for years and shows trends over 5-6 years. Other interesting stats in the FBI study include: the other big reason people didn’t report is because ‘competitors would use to their advantage’ (Figure 21); 82% of companies perform security audits (Figure 17); the biggest $ losses are from targeted events - DDoS, theft of IPR, and insiders (Figure 15); expenditure varies widely by sector—of course the risk varies widely by sector—one size does not fit all (Figure 7); and most firms use Return on Investment (ROI), Net Present Value (NPV), or Internal Rate of Return (IRR) calculations to determine investments, with 55% using ROI (Figure 8). This survey is worth a look.

The ComputerWorld piece ends by asking whether mandatory disclosures of breaches provide disincentives to look for them… Interesting area… Will look at this more later… Cheers.

Posted by Adam Golodner at 09:05PM PST

Getting Some Things Off My Chest…Stock Options…

Please read this blog’s disclaimer before reading this one. : )

 

After the FASB decided to treat stock options as an expense last December, the chairman of that august board was quoted in a Bloomberg story as follows: “Stock options have been a ‘free good’ because their cost was omitted, Herz said today. “Once you have the accounting costs, you get a much more robust debate on the appropriate way of compensating executives.”

So, that definitely confused me, as I thought that the FASB was the Financial Accounting Standards Board and not the Financial Executive Compensation Board. I was under the impression that the FASB wanted to expense options because, to them, it made accounting sense, but all along, it appears they wanted to work on the executive compensation issue. I don’t remember voting for any of the FASB members in the last election. Do you? I’m not an apologist for executive compensation, but in reading the FASB mission statement, I don’t see anything in there about being the judge and jury on corporate compensation. (See statement below).

“The mission of the Financial Accounting Standards Board is to establish and improve standards of financial accounting and reporting for the guidance and education of the public, including issuers, auditors, and users of financial information.”

Help me understand their role in executive compensation. Or their role on the economy - and the potential impact that expensing stock options would have. Yes, the House passed legislation last session on this (by a 3 to 1 margin) and 53 Senators sent their concerns to the SEC on this, but the June 15 date still looms (expensing of stock options is to begin at the first interim or annual reporting period that begins after June 15, 2005).

So, clearly I’m venting, but I think that some questions still need to be answered…and we’re still working on this. For more information on stock options, please visit the stock options coalition website at www.savestockoptions.org.

Posted by John Earnhardt at 09:00PM PST

February 19, 2005

More RSA…

Earlier I said I was looking forward to hearing the law enforcement vision of the USSS to stamp-out cyber crime….  Didn’t get to (although I hear it was meaningfully robust). Instead I spent time on spyware.

Spyware was discussed a lot at RSA. We announced that as part of our Adaptive Threat Defense next phase of the Self Defending Network, anti-spyware is covered (part of our Anti-X initiative, where X is spyware, DDoS, malware, other things you want to stop), Microsoft announced that it was providing anti-spyware (from their Giant acquisition) on the desktop at no additional charge, and pretty much all the AV vendors had booths at the show explaining what they assured us were their very effective new anti-spyware technologies. This lines up with AOL and other ISPs adding anti-spyware into their service for no or little additional fee. Lots of market action here.

Proposed spyware bills aim to stop bad actors from doing devious things with spyware. The challenge has been how to define and stop the problem without chilling innovation. I previously have talked about our position on spyware on a VOD. The problem is of course difficult in part because bad actors may be overseas, do spoof their identity, and may be unlikely to stop. Law enforcement here is key. Unintended consequences can have non-trivial effects, and we need to make sure that as people look for legislative approaches, we don’t inadvertently chill current and future innovations in things like network management, maintenance, security, and other areas that make the Internet and enterprise networks efficient, productive, global, safe, secure, and robust. Networks are becoming fully interactive, passing instructions and information constantly to maximize utility, quality of service, and function. These are good things…. Not spyware…. The work on these issues needs to continue….

Even though I didn’t get to hear the USSS tell us about the next Eliot Ness, earlier I did hear a raucous discussion about regulation and security—the RSA company wanted to have people with very different views - and they were there. I have previously talked about security policy, both in text and VOD. My view is that the answer lies in market-driven innovation. Panel members at RSA who were open to some (undefined) kind of security requirements on ‘critical infrastructure sectors,’ like electricity, seemed to be under the impression that these sectors had few incentives to get secure. I’ve never subscribed to that. They talked about the Internet as if it were a public good, and were afraid of a ‘tragedy of the commons,’ in the traditional economic sense. My view is that it is not. Every piece of the network is owned by somebody—somebody with an incentive to get and stay secure. In electricity, for example, (where the Northeast blackout was used as an example of what could happen - which was caused by a power line sagging into a tree), someone said companies in the electric industry have little incentive to get secure because security was only a cost - again my view is different, first, going down does not go unnoticed, and second, the state electricity regulators at NARUC have said security is a positive thing and of course you can recover your investment, and in fact NARUC provided a road map for cost recovery through the rate-base, see the second report referenced on NARUC’s site. Certainly work needs to, and is, going on regarding hardening SCADA systems, but it strikes me that the incentive issue is pretty clear. One panelist seemed to want ISPs to provide security, and in any case the market has driven AOL to roll-in AV to all its customers at no additional fee—which was followed by Earthlink, and then Net Zero to stay competitive with AOL. That has to have rolled-in about 30 million users in just the last 5 months.
On the enterprise side, the Wall Street Journal reported in November that ATT/MCI/Sprint were competing against each other in the enterprise market based on security. Customers are asking for it, and ISPs are responding. Enough on that for now.

The big take away from RSA is the intensity of innovation.  Someone who was there (and should know) said the vibe was like networking was 15 years ago.  Fast, complex, fun and the place to be. That hit me as right. So long for now…..

Posted by Adam Golodner at 06:28PM PST

February 17, 2005

RSA Conference

The RSA conference is quite a show. There are hundreds of exhibitors in this huge hall. Lots of very cool stuff. The major themes seem to be moving from passive to active defense, baking security into the network, and automatic application of security policy management within networks. All good things. It’s also easy to see that the engine of VC investment, investments in well over 300 companies since 1998, is in full swing here. You have to like the vibe.

There’s been a lot of talk of spam, spyware, phishing and carding. These are serious issues. But it’s always struck me that part of this story is ‘there’s nothing new under the sun.’ We’ve been dealing with illegal activity since the beginning of time. In the off-line world we call this theft, fraud, deceptive trade practices and extortion (and way back when - ‘boosting on trains’ and ‘piracy on the high-seas’). The use of the net is a new tool to be sure, but I really think the underlying legal and moral principles here are the same. We really need to stamp this out. We’re going to hear from the head of the US Secret Service later today and I’m looking forward to seeing his plan. I hope it is fully robust. Let’s bring back Eliot Ness. This is global, a lot of the activity is coming from organized crime overseas, so I hope he’s got the Mutual Legal Assistance Treaty game down cold.

I was excited yesterday when John Chambers talked dynamically, broadly and deeply about the vision of self defending networks, adaptive threat defenses and infusing security into networks, including the application layer. He put it in both a broad and specific context, and I think people got it and were thrilled. Really worth a look at the presentation, link in yesterday’s post by John Earnhardt.

Well, off to the conference….  More to come… Cheers…

Posted by Adam Golodner at 10:42AM PST

February 16, 2005

Cisco’s John Chambers Keynotes RSA Security Conference

Cisco President and CEO John Chambers this morning keynoted at the RSA Security Conference in San Francisco.  He talked about the need of networks to be “self-defending” and intelligent in order to operate effectively in the new communications environment.  He said that the network is a strategic business asset that has to be protected. SEE THE KEYNOTE HERE. (Free registration required).

News story on his keynote.

Cisco’s RSA Conference Online Press kit

Cisco’s new self-defending network strategy.

Posted by John Earnhardt at 02:25PM PST

February 14, 2005

Secure on Valentine’s Day

The RSA Security conference organizers are clearly secure in their own relationships. The conference starts today (Valentine’s Day) in San Francisco and either a) attendees brought their significant others along to celebrate this most Hallmark of Hallmark holidays; b) attendees have an agreement just to celebrate anniversaries, birthdays and end of year holidays; or c) attendees are “still looking to find that special someone” and prefer to have a conference to attend rather than face another Valentine’s day without a date. I’m guessing it is a combination of the three.

There will be plenty of Cisco participation (Cisco President and CEO John Chambers presents on Wednesday) and our own Adam Golodner will be blogging with some of his thoughts on the conference each day.  More information on the conference here.

Posted by John Earnhardt at 10:19PM PST

February 10, 2005

Security Research: EU prepares for the unexpected

Interesting article on what the EU is doing on a holistic security program(me), including “protection of networked systems, such as communication systems, utilities, transports systems against electronic or physical threats.”

Interesting comment in the article from Commission Vice-President Günter Verheugen: “The Preparatory Action is forging the way towards a comprehensive European Security Research Programme as the basis for all security-related research in support of EU policies. The objectives of security research are clearly to enhance the security of European citizens and at the same time increase competitiveness in the relevant industrial sectors.” Full article here.

Posted by John Earnhardt at 06:51PM PST

February 09, 2005

eWeek article on Chertoff for DHS Head

Thought you all might be interested in a former reporter’s take on Michael Chertoff for DHS Secretary and how he dealt with being asked to release confidential information. Article is in eWeek.

Posted by John Earnhardt at 05:08PM PST

February 08, 2005

Security Policy at Cisco - A starting place

I’m Adam Golodner, Director of Global Security Policy for Cisco.  I’m based in Washington, DC and work with our business leaders on security policy issues.  Security has been and continues to be a core issue for Cisco—we continue to build security into our own networks, help our customers protect theirs, and support efforts to strengthen critical public infrastructure.  The market is the most powerful driver of innovation and we are focused on meeting the security demands of our customers, and market-based solutions will provide the best results for them.  With this blog, I will attempt to let you know what I think is important that is going on in security policy.  I will report my thoughts from conferences, from news reports and whatever I think might be of interest to those following the security policy debate.  I welcome feedback.

Cisco’s official security policy can be viewed in full at http://www.cisco.com/en/US/about/gov/networks/security.html.

Posted by Adam Golodner at 06:23PM PST

February 04, 2005

Welcome

We’d like to welcome you to Cisco’s first ever external web log (blog). At Cisco, all employees and groups are tasked with using the Internet to better do our jobs, to increase our productivity and to serve our customers. Fundamentally, Cisco’s mission is to shape the future of the Internet by creating unprecedented value and opportunity for our customers, employees, investors and ecosystem partners.

WWGA’s vision is to use this blog to share our staff’s knowledge and opinions about government policy, legislation and regulation and the environment in which it is created.  WWGA team members globally will be participating in this forum.  We hope you find our blog useful and informative.

Our first blogger will be Adam Golodner, Director of Global Security Public Policy.  We invite you to post your feedback and questions.  Above all, we hope that we can, in some small way, help you better understand the technology policies that are being talked about, debated and voted upon - whether that is through our own postings or from discussions that are created on this site.

If you have questions on our blog policies or want more information about any of our bloggers, please contact John Earnhardt at john.earnhardt@cisco.com.

Best,

Laura Ipsen
Vice President
Cisco Worldwide Government Affairs

Posted by at 09:00PM PST
