Technology vendors detail plans to share security information

A group of 19 technology vendors today took a long overdue step aimed at improving data security procedures by announcing the formation of an alliance that's supposed to provide a conduit for sharing information about viruses and other potential threats to corporate and government computer networks.

Plans for the IT Information Sharing and Analysis Center (IT-ISAC) were detailed at the U.S. Department of Commerce in Washington by government officials and representatives from participating vendors such as Cisco Systems Inc., Computer Sciences Corp., IBM, Hewlett-Packard Co., Microsoft Corp. and Oracle Corp., as expected (see story).

Their goal is to set up a secure mechanism that companies can use to exchange information about security vulnerabilities with each other and with government agencies. Internet Security Systems Inc., an Atlanta-based vendor of security management software, will operate the new virtual data-sharing center under the oversight of a board of directors drawn from many of the founding members. Other companies will be able to join the IT-ISAC initiative for $5,000 a year.

Secretary of Commerce Norman Mineta said sharing information about network intrusions, security vulnerabilities and measures that companies can take to better protect their systems is one of the best ways to safeguard IT infrastructures and help businesses and government officials to respond more rapidly when attacks do take place.

The formation of the IT-ISAC is "a giant step forward in making certain that the nation's information networks are as secure from cyberattackers as we can make [them]," Mineta said. "Companies from the very biggest to the very smallest are using the Internet. So we cannot sit idly by and let this valuable asset be a target for hackers and terrorists."

The IT-ISAC is the fourth such private-sector alliance to be formed, joining similar initiatives in the banking, electricity and telecommunications industries. However, the establishment of the technology industry alliance comes more than two years after the Clinton administration issued a directive that urged companies to join the federal government in efforts to protect critical infrastructure in the U.S. from both physical and cyber attacks.

Part of the reason it took so long to set up the IT-ISAC was the traditional reluctance of many companies to share information with the government on attacks by malicious hackers and other security breaches out of fear that their competitors will get access to proprietary data. U.S. Attorney General Janet Reno and other government officials have been pleading for more cooperation from companies on security matters since last spring (see story).

Mineta, a former CEO of Bethesda, Md.-based Lockheed Martin Corp. who has been nominated by George W. Bush to take over as the next Secretary of Transportation, called the commitment to information sharing "a very courageous thing to do" on the part of the 19 founding member companies. "It's a very competitive world out there," Mineta said. "The last thing that a corporate executive wants to do is share information about his own company with the competition."

In addition to legislation that has been introduced in Congress that would make proprietary data shared by companies with the government exempt from the Freedom of Information Act, the national security community is also working hard to develop "trusted paths" for exchanging sensitive and classified information.

Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism on the National Security Council, said there's no reason that the government can't share classified information on cybersecurity with the IT-ISAC. The initiative is "a key element of the government's cooperation with industry," he said, adding that the formation of the alliance was "a patriotic move" by the technology vendors.

"There have been many calls to action in the past," said Howard Schmidt, chief security officer at Microsoft. "The calls have been heard." Statements about the creation of the IT-ISAC from Microsoft and the other involved vendors were posted on the Web site of the Information Technology Association of America, a trade group based in Arlington, Va.

Tim Atkin, a security consultant at SRA International Inc. in Fairfax, Va., and a member of the federally organized National Partnership for Critical Infrastructure Protection, described the IT-ISAC as "the first step to real change" in sharing security-related information more widely. But, he added, the initiative's success will be measured by the number of companies that agree to participate.

Future ISACs are planned for other industries, such as the energy business. However, the progress of those plans will depend largely on the direction taken by the Bush administration after it assumes office this Saturday.

Jeffrey Hunker, the senior director for critical infrastructure protection under Clarke, said Vice President-elect Dick Cheney was very involved in such efforts while head of Dallas-based Halliburton Co., the world's largest oil services company. "I'm very optimistic that this issue is not going to get lost in the new administration," Hunker said.

Related links:

  • For more security coverage, visit our Security Watch page.
  • Have opinions on security issues? Head to the forums. (Note: Registration required to post messages; anyone may read them. To register, click here).

Copyright © 2001 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon