US lobby group the Cyber Security Industry Alliance (CSIA) is in the process of establishing a presence in Europe.
Following its success in the US – where it is backed by chief executives of leading security firms including McAfee, RSA Security and Symantec – the CSIA has now appointed an agency to lobby European government decision-makers in Brussels.
Computing spoke with CSIA executive director Paul Kurtz, previously special assistant to the US President and senior director for critical infrastructure protection on the White House’s Homeland Security Council.
Q. In the US the CSIA has played a role in advising and lobbying government on IT security issues. Why are you now looking to move into Europe?
A. When I look at Europe, much like in the US, there isn’t an industry organisation focused on information security public policy issues.
There is the 2010 Lisbon Agenda initiative in the European Union (EU) and we need to build security around that infrastructure. The EU has been drafting that for a while and it should be coming out shortly.
Our effort is to highlight the importance to government of retaining data, but we are also saying do not forget to understand that you need to secure it and that there are privacy issues.
When we came to Europe last year we were scouting out the landscape. Since then we have a firm representing us in Brussels and we are hiring people to represent us full-time.
Q. Will you be focusing on the Council of Europe’s cyber crime convention, which is trying to establish a common international approach to prosecuting hackers and extortionists?
A. So far our activities have been limited to the US. The Senate hasn’t taken action on the convention yet, but we are encouraging them to ratify it. It is an excellent vehicle that can aid how we investigate and prosecute internet criminals internationally. There are competing priorities and very limited time in the Senate.
But cyber crime is getting worse, and the cyber criminals are becoming more sophisticated.
Q. Is cyber crime more of a problem to consumers or businesses?
A. It is a problem at all levels. There is a risk for consumers to their own personal information and privacy, then there is a risk to small businesses, as criminals are trying to find the weakest link in electronic supply chains. Larger organisations are doing a better job with security, but criminals are getting that much more sophisticated and are focused on fraud.
One of the issues we are going to face is economic espionage. Criminals are trespassing on people’s computers, and that is going all the way up to the nation state. We are not saying that the sky is falling in, but we are saying that information security needs to be taken more seriously.
Government is becoming increasingly involved in information security and is beginning to regulate.
Q. Should the IT security industry be regulated?
A. The free-market approach is the best way to go, but we need to get the building blocks in place to secure critical infrastructure. The financial services sector is heavily regulated, and that is because we must maintain trust in the global economy. If it is not secured properly then we have significant problems.
With sensitive personal information that may be collected or sold, that is also part of the fundamental building blocks. It doesn’t matter what industry or sector you are in. If you are a data broker, a healthcare company or an educational facility that holds the crown jewels of personal information, then you need to protect it.
Q. Before heading the CSIA you were a special adviser to President Bush on IT security threats and terrorism. Do you think that this is still a major issue?
A. If we look at the critical information infrastructure and the possibility of terrorism then there are several facets to that. I think there is still a significant lack of understanding in the US towards cyber security. Since The National Strategy to Secure Cyberspace was issued in 2003, it has dropped down the totem pole of importance.
When I think about terrorism against the information infrastructure, then we need to understand that these people are getting more sophisticated. We also have to assume that crime and phishing are, to some extent, being used to finance terrorism.
I am very concerned about the problem and we need to constantly update what we do so that we are not fighting yesterday’s war.
Q. The CSIA is represented by chief executives of security companies, such as Symantec’s John Thompson and RSA Security’s Art Coviello. Why is this important?
A. It is critically important that we are a chief executive-level organisation. After a recent board meeting in Washington we went to Capitol Hill and met with Congress.
It is important that the leaders of the information security market talk to the lawmakers about the impacts that laws could bring.
Paul Kurtz, Cyber Security Industry Alliance
Paul Kurtz is executive director of the Cyber Security Industry Alliance (CSIA), established in February 2004 by a group of chief executives from security companies.
Kurtz joined the CSIA after serving as special assistant to the US President, and senior director for critical infrastructure protection on the Homeland Security Council, where he was responsible for both physical and cyber security.
He has also served on the White House’s National Security Council (NSC) as senior director for national security at the Office of Cyberspace Security, and was a member of the President’s Critical Infrastructure Protection Board, where he was responsible for developing the international component of the National Strategy to Secure Cyberspace. Previously, he served as a director for counter-terrorism in the NSC’s Office of Transnational Threats.




