Cisco Blogs

Cisco Blog > High Tech Policy

Privacy and Security

Over the last few weeks, we have all been concerned with the reported loss of data from ChoicePoint and the Bank of America. Properly maintaining, holding and safeguarding private data is important to each of us as individuals, to the reputations and businesses of those holding data, and to the continued trust in electronic-based services. From a policy perspective, we need to continue to drive these cases to fact.

As I understand it, ChoicePoint was defrauded into selling or giving data to bad actors. The Bank of America is reported to have lost some of its tapes. These were not hacks, breach of computer systems, the result of spyware, or other ‘cyber security’ events. Notwithstanding this, in many of the policy discussions surrounding the events, it seems that people are treating them as breaches of ‘cyber security.’ From what I can glean from the factual reporting, this is not the case.

They are important cases, however, and we need to know more. Were these crimes? The principles animating what defines criminal activity are centuries old. I suspect the principles and words of existing law can be applied to these facts. But we do need to examine these facts, and think about these issues, both from a privacy and criminal law perspective. These issues will continue to play out over the next few months, and we all should inform the process as policy makers understand what happened, what it means, and react.

Have a great Friday…..

Business Blogs…Are you ready?

March 1, 2005 at 12:00 pm PST

Riva Richmond of The Wall Street Journal today writes about blogs and how they are being used by businesses. Her article states that there are now 8 million US bloggers and 32 million blog readers. By my cursory math, that means that there are approximately 4 people reading this posting.

We are still trying to find our voice on this nascent public policy blog and I’m sure we’ll go through several iterations before we fully understand what type of information our readers are looking for. It was created to extend our reach and get some of our “unofficial” thoughts down on “paper” for the purpose of discussion, information and interaction. A recent question we received was regarding how we got the blog up in the first place…the logistics, the approvals, etc. We definitely followed regular order: we made a plan, researched the technology, got the appropriate leadership and IT approvals and then got the blog up as soon as we could before anybody could change their mind!! : ) By the way, we chose blojsom ( as our technology.

So, let us know what you want and check out the Journal article and see what you think about business blogs. You have to have a subscription to read the story, but access to blogs is free, free, free. The story:,,SB110963746474866537,00.html OR, of course you can stop by your local coffee shop or library and check out the article on page B1.

San Jose Mercury News on Stock Options

February 25, 2005 at 12:00 pm PST

Check out today’s editorial in the San Jose Mercury News. It calls on regulators at the Securities and Exchange Commission (SEC) to stop the expensing of stock options. If they cannot do that, it calls for Congress to step in and take action. HR 913 was introduced on February 17th by Congressman Dreier (R-CA) and Congresswoman Eshoo ( D-CA) and calls for an economic study of the impact of expensing options as well as a delay in expensing while the study is taking place. Check out the editorial at the San Jose Mercury News (free registration is required).

Getting Some Things Off My Chest…Stock Options…

February 24, 2005 at 12:00 pm PST

Please read this blog’s disclaimer before reading this one. : )

After the FASB decided to treat stock options as an expense last December, the chairman of that august board was quoted in a Bloomberg story as follows: “Stock options have been a ‘free good’ because their cost was omitted, Herz said today. “Once you have the accounting costs, you get a much more robust debate on the appropriate way of compensating executives.”

So, that definitely confused me, as I thought that the FASB was the Financial Accounting Standards Board and not the Financial Executive Compensation Board. I was under the impression that the FASB wanted to expense options because, to them, it made accounting sense, but all along, it appears they wanted to work on the executive compensation issue. I don’t remember voting for any of the FASB members in the last election. Do you? I’m not an apologist for executive compensation, but in reading the FASB mission statement, I don’t see anything in there about being the judge and jury on corporate compensation. (See statement below).

“The mission of the Financial Accounting Standards Board is to establish and improve standards of financial accounting and reporting for the guidance and education of the public, including issuers, auditors, and users of financial information.”

Help me understand their role in executive compensation. Or their role on the economy -- and the potential impact that expensing stock options would have. Yes, the House passed legislation last session on this (by a 3 to 1 margin) and 53 Senators sent their concerns to the SEC on this, but the June 15 date still looms (expensing of stock options is to begin at the first interim or annual reporting period that begins after June 15, 2005).

So, clearly I’m venting, but I think that some questions still need answered…and we’re still working on this. For more information on stock options, please visit the stock options coalition website at

Why people don’t report intrusions…

Interesting piece in ComputerWorld about why companies don’t report security breaches-- the piece says it might hurt their reputation, and their business. The inverse of this is that security matters and that companies have incentives to get secure (this on the theory that eventually, most everything becomes public….).

The piece cites the 2004 CSI/FBI (see upper right of page) 9th Annual Computer Crime and Security Survey, which I find to be about the best set of statistics on security incidents. It has been tracking data consistently for years and shows trends over 5-6 years. Other interesting stats in the FBI study include: the other big reason people didn’t report is because ‘competitors would use to their advantage’ (Figure 21); 82% of companies preform security audits (Figure 17); the biggest $ losses are from targeted events -- DDoS, theft of IPR, and insiders (Figure 15); expenditure varies widely by sector — of course the risk varies widely by sector-- one size does not fit all (Figure 7); and most firms use Return on Investment (ROI), Net Present Value (NPV), or Internal Rate of Return (IRR) calculations to determine investments, with 55% using ROI (Figure 8). This survey is worth a look.

The ComputerWorld piece ends asking about whether mandatory disclosures of breaches provides disincentives to look for them… Interesting area….. Will look at this more later… Cheers.