A group of 19 tech heavyweights seemed to put aside their differences Tuesday to form an initiative aimed at juicing up Internet security by sharing information about vulnerabilities in their software and hardware products with each other.
Even arch-rivals like Microsoft Corp. and Oracle Corp., and Cisco Systems and Nortel Networks, agreed to sit at the same table to form IT-ISAC (Information Technology Sharing and Analysis Center), which met for the first time Tuesday morning. Atlanta-based Internet Security Systems (ISS) was selected by the 19-member group to maintain the center.
Similar private alliances already exist to protect against Internet security vulnerabilities in the banking, telephone and electrical industries, and plans are in the works for alliances to protect oil and gas companies as well as the transportation sector.
U.S. Secretary of Commerce Norman Minetta — who has also been nominated for the transportation secretary position in the next administration — introduced IT-ISAC at a press conference Tuesday morning.
“I think that it is a giant step forward in making certain that the nation’s information networks are as secure from cyber-attackers as we can make it,” he said. “We cannot sit idly by and let this valuable asset be a target for hackers and terrorists. What we are doing today is sending a strong signal to would-be attackers that we are not going to let you get away with cyber-terrorism. We stand united.”
The push to create the alliance got rolling after last year’s high-profile denial-of-service attacks on some of the Internet’s most well-known e-commerce and brokerage sites. In May 1998, President Clinton himself told government agencies to form alliances with various industries to create ISACs. Even further back, the Federal Bureau of Investigation formed the Computer Investigations and Infrastructure Assessment Center in July 1996 to “coordinate and program manage investigations involving computer crimes, national security and terrorist cyber threats to the national infrastructure.” Part of that initiative involved the 1999 creation of InfraGard, an effort to exchange information between the business community, academic institutions, the Bureau and other government agencies.
InfraGard has managed to gain the support of about 518 companies in all 50 states, and William Yang, a network security specialist at the Ohio Supercomputer Center and one of the founding trustees of InfraGard, said he doesn’t think IT-ISAC will undermine InfraGard’s work.
“If they find that this is a better way for them to share information and to get better at dealing with incidents that occur, more power to them,” Yang said. “They have problems that are very specific to their sectors. First of all, they’re the targets; they’re the guys with the big red circles on their chests. They have different issues — in terms of how small a bug can be, how small an issue can be before they’re affected — than most of the Net. It may be the case that they need a special group that helps them to do that. I don’t see this as being in competition with InfraGard. I see it as being something that would work well in conjunction with InfraGard.”
IT-ISAC will be sharing information with its members, not law enforcement agencies — at least at first. Members that discover a new security threat, whether a virus or other vulnerability, will send detailed warnings to the rest of the group. Eventually the group will determine how much of that information it will share with the government or other industries.
Minetta praised the companies participating in IT-ISAC — many of which are competitors — for their willingness to share confidential information with each other. But that doesn’t necessarily mean the companies will disclose their security data to the public, government regulators or law enforcement. Like the other ISACs already in existence, IT-ISAC’s members are sworn to strict confidentiality agreements.
Weld Pond, manager of research and development at Internet security consulting firm @Stake Inc., said IT-ISAC’s desire to keep a lid on the problems it discusses is at odds with the full-disclosure philosophy embraced by many security professionals.
“What do these groups see that’s wrong with this process that they need to come up with something else, which to me sort of goes outside the vendor process that has been set up over the last couple of years as a workable solution,” Pond asked. “The vast majority of people who find new vulnerabilities or detect attacks in the wild are not part of this group. The people who are a part of the group don’t necessarily have any greater insight into security vulnerabilities in the wild than the full-disclosure lists out there. They don’t necessarily have any extra information.”
Other founding members of the group — which collectively put up $750,000 to launch the center — include AT&T, IBM, Hewlett-Packard, Computer Associates International Inc., Electronic Data Systems Corp., Entrust Technologies Inc., Intel, KPMG International U.S. member firm KPMG LLP, RSA Security Inc., Securify Inc., Symantec, Titan Systems Corp., Veridian Inc. and VeriSign Inc. Other companies will be given the option of joining the alliance for $5,000 a year.