CERT group to sell cyber-threat warnings

The shift comes as the taxpayer-funded CERT Coordination Center, formerly known as the Computer Emergency Response Team, joins a prominent electronics trade association to form a new "Internet Security Alliance."

The effort, to be announced here Thursday, would distribute up-to-the-minute warnings to international corporations about cyber-threats, offer security advice and ultimately establish a seal program to certify the security of companies' computer networks. Companies would pay $2,500 to $70,000 annually, depending on their revenue, and in exchange would receive warnings about new Internet threats generally 45 days before anyone else.

"This is a way to leverage the CERT,'' said Dave McCurdy of the Electronics Industries Alliance, which helped organize the new group. Organizers also acknowledge that the alliance, currently with 10 members, hopes to stem any new regulatory mandates to require U.S. companies to better protect their computers. Part of the money raised would be used for promoting that goal. The CERT was created in the late 1980s to protect private and government computer networks from hackers, terrorists and foreign governments. It traditionally has waited at least 45 days after it learns about new Internet threats to warn consumers, in order to give software companies time to repair problems. But CERT researchers immediately give those detailed warnings to U.S. government agencies, which fund the CERT at $3.5 million annually.

In recent years, though, the center has come under increasing pressure to commercialize its research to cover its rising costs. It is unclear how eager many companies will be to pay potentially tens of thousands of dollars for the early alerts as the technology industry suffers in the current economic slowdown.

Under its new agreement, CERT would continue to provide those early confidential warnings to the Defense Department and the General Services Administration, but also would offer them to alliance members. CERT would continue to issue its free, public alerts after 45 days -- a practice that has drawn criticism because of the imposed delay.

Critics of the new alliance also said it risks duplicating Internet-security efforts already under way, including organizations established under orders from President Clinton in 1998. Unlike the new alliance, which is open to any business, these existing groups are limited to specific industries, such as banks and power utilities, and share information more narrowly. McCurdy, a former Oklahoma congressman, believes the new alliance can peacefully co-exist with these groups, and some of the earliest alliance members -- Nasdaq Stock Market, Mellon Financial Corp. of Pittsburgh and American International Group Inc. of New York -- also are members of the industry-specific groups. WASHINGTON -- One of the U.S. government's front-line defenses against cyber-sabotage will begin selling its early warnings about the latest Internet threats, something it used to share only with federal agencies.

The shift comes as the taxpayer-funded CERT Coordination Center, formerly known as the Computer Emergency Response Team, joins a prominent electronics trade association to form a new "Internet Security Alliance."

The effort, to be announced here Thursday, would distribute up-to-the-minute warnings to international corporations about cyber-threats, offer security advice and ultimately establish a seal program to certify the security of companies' computer networks. Companies would pay $2,500 to $70,000 annually, depending on their revenue, and in exchange would receive warnings about new Internet threats generally 45 days before anyone else.

"This is a way to leverage the CERT,'' said Dave McCurdy of the Electronics Industries Alliance, which helped organize the new group. Organizers also acknowledge that the alliance, currently with 10 members, hopes to stem any new regulatory mandates to require U.S. companies to better protect their computers. Part of the money raised would be used for promoting that goal. The CERT was created in the late 1980s to protect private and government computer networks from hackers, terrorists and foreign governments. It traditionally has waited at least 45 days after it learns about new Internet threats to warn consumers, in order to give software companies time to repair problems. But CERT researchers immediately give those detailed warnings to U.S. government agencies, which fund the CERT at $3.5 million annually.

In recent years, though, the center has come under increasing pressure to commercialize its research to cover its rising costs. It is unclear how eager many companies will be to pay potentially tens of thousands of dollars for the early alerts as the technology industry suffers in the current economic slowdown.

Under its new agreement, CERT would continue to provide those early confidential warnings to the Defense Department and the General Services Administration, but also would offer them to alliance members. CERT would continue to issue its free, public alerts after 45 days -- a practice that has drawn criticism because of the imposed delay.

Critics of the new alliance also said it risks duplicating Internet-security efforts already under way, including organizations established under orders from President Clinton in 1998. Unlike the new alliance, which is open to any business, these existing groups are limited to specific industries, such as banks and power utilities, and share information more narrowly. McCurdy, a former Oklahoma congressman, believes the new alliance can peacefully co-exist with these groups, and some of the earliest alliance members -- Nasdaq Stock Market, Mellon Financial Corp. of Pittsburgh and American International Group Inc. of New York -- also are members of the industry-specific groups.