The CSIA formed in February to promote standards, education and awareness in internet security, and to act as a focal point for the industry to interact with the US government whenever it tries to regulate security with new legislation.

Unlike the related National Cyber Security Partnership, the CSIA wants to be an international concern. "A major priority for me is to find a couple or a few global companies as members," Kurtz said in an interview.

The founding members of CSIA were: BindView, Check Point, CA, Entrust, ISS, NAI, NetScreen, RSA, Secure Computing, PGP Corp, Qualys and Symantec. The CEOs of each firm sit on the group’s board of directors.

Kurtz would not be drawn on possible new members. Notable omissions on the current CSIA membership roster include Trend Micro Inc, which has its roots in Japan, and fellow anti-virus vendor F-Secure Corp, which operates out of Finland.

Kurtz also said the CSIA will lobby the US Senate to ratify the Council of Europe’s Convention on Cyber Crime, a three-year-old agreement that calls for its signatories to cooperate on matters such as fraud, hacking and child pornography.

The US, which is an Observer to the Council, signed the Convention in 2001. President Bush submitted the document to the Senate for ratification last November, but so far there has been little movement, Kurtz said.

"I'm not optimistic it will happen this year, but I'm hoping we'll be able to push it through next year. The US would probably not require any new laws," said Kurtz. The CSIA is not trying to achieve security through more regulations.

According to Kurtz, companies are having a hard enough time dealing with existing regulations. Healthcare-related firms have to deal with HIPAA, and public companies have to understand Sarbanes-Oxley.

"There needs to be some kind of uniformity to what Sarbanes-Oxley means," he said. "We do need some clarity there. I'm hearing from our vendors that there's some confusion out there about what needs to be done."

Sarbanes-Oxley is a financial regulation that, among other things, will require CFOs and CEOs to certify the veracity of their accounting. If they cannot verify their control systems are secure, this becomes problematic.

Generally, CSIA will be anti-regulation. It was formed, along with other alliances and public-private partnerships, following moves by Congressman Adam Putnam to create legislation that would force security disclosures in regulatory filings.

Putnam shelved his plans after the private sector expressed concern, and instead formed some working groups to look at the problem. That work, along with the National Strategy to Secure Cyberspace and subsequent documents, is what the CSIA will work with.

"There's been very little movement executing these recommendations," Kurtz said. "Meanwhile, we have billions of dollars hemorrhaging from our economy."

That said, CSIA is not about hype and, despite Kurtz's background in the US Department of Homeland Security, not about approaching it from a homeland security perspective. "If you look at these viruses, these worms, it's not terrorists writing them," he said.

The CSIA does have other intentions too. It wants to help coordinate industry agreement on responsible vulnerability disclosure practices, although it has no firm policy here yet. It also wants to see internet ethics introduced to American classrooms.

This article is based on material originally published by ComputerWire