Tech firms form alliance against hackers

Summary: Some of the biggest names in technology plan to share information about attacks by hackers on their systems and vulnerabilities in their products.

WASHINGTON -- Some of the biggest names in technology, including bitter rivals Microsoft Corp. and Oracle Corp., are forming a private alliance to share sensitive information about cyber-attacks and vulnerabilities in their software and hardware products, which are used by much of the world's businesses and governments.

"The overriding goal is to protect ourselves from cyber-hazards, whether they be deliberate attempts or accidental events," said Guy Copeland of Computer Sciences Corp. (csc), a board member of the new center, the Information Technology Information Sharing and Analysis Center. "We've known that each of us have a little bit of the picture. ... By sharing the information, we can be that much smarter."

Nineteen companies -- including AT&T (T), Cisco (csco), IBM (ibm) and HP (hwp) -- contributed a total of $750,000 to launch the nonprofit center, known as IT-ISAC. Atlanta's Internet Security Systems Inc. will run the center's operations. Other technology firms will be able to join the alliance for $5,000 a year.

President Clinton had urged the industry to create this members-only organization after hackers last year shut down traffic to some of the Internet's biggest e-commerce sites. The emphasis on finding ways to keep computer networks secure reflects the growing dependence on technology across the nation's most important industries.

"This is so basic to everything else that gets done," said Commerce Secretary Norman Mineta, who will serve as Transportation Secretary in the Bush administration. He said the new group, being formally announced Tuesday in Washington, "enables the industry and the government to share state-of-the-art Internet security measures, and it will spot potential threats to the Internet more quickly."

Members that discover a new cyber-threat -- a new strain of virus or a break-in method that foils existing electronic defenses -- will be able to send detailed warnings to the rest of the group via e-mail, telephone, fax and pagers. The 19 board members, scheduled to meet Tuesday for the first time, eventually will determine how much of that information to share with other industries or the U.S. government.

"The idea is not getting this out in the front pages of the newspapers so every hacker in the world starts to exploit the vulnerability," said Harris Miller, head of the Information Technology Association of America, which helped set up the group. "The hope here is to catch these problems earlier and try to stop things before they happen rather than mitigate them."

Three similar private alliances to detect hackers and cyber-vulnerabilities already exist, covering the banking, telephone and electrical industries, and others are planned soon for oil and gas companies and the transportation sector. It is unlikely the public will ever learn of the most serious threats uncovered by these industry alliances, since the groups tend to favor strict promises of confidentiality. The alliance protecting U.S. banks, for example, declines to say even how many financial institutions participate.

Complex questions about sharing sensitive threat information with the government, which can include regulators, and with other industries still aren't resolved. U.S. intelligence and law-enforcement agencies want to hear warnings early and have promised to share confidential information they collect, but there remains some level of distrust on all sides.

Companies typically are motivated simply to prevent business disruptions, not to arrest hackers or terrorists or to provide evidence for a criminal trial that might prove embarrassing.

"We let industries organize themselves," said John Tritak, head of the Commerce Department's U.S. Critical Infrastructure Assurance Office, which acts as a go-between for these groups. "They'll say, 'Heads up, we just saw a virus. You may be next.' We want to urge cross-sector cooperation [but] we want to really perfect the information-sharing regime we establish."

Other founding members include Computer Associates International Inc. (ca), Electronic Data Systems Corp., Entrust Technologies Inc., Intel (intc), KPMG International U.S. member firm KPMG LLP, Nortel Networks (nt), RSA Security Inc., Securify Inc., Symantec (symc), Titan Systems Corp., Veridian Inc. and VeriSign Inc.

The 19 founders represent some of the industry's largest firms, but they come with historic rivalries. Cisco and Nortel Networks compete bitterly in sales of computer-networking hardware. Microsoft (msft) was found to have violated antitrust laws to influence contracts with AT&T and IBM; Oracle (orcl) has admitted to hiring private investigators to dig through the trash of groups supportive of Microsoft. Can these companies, in an industry known for unusually aggressive executives, ever trust each other?

"We have to put down our differences and our competitiveness and share more if we're going to prosper together," Copeland said. "If you're going to wall yourself off and not share, then you're going to be hurting. This will be a venue and a forum where we can start to build a level of trust."

Topics: Government, AT&T, Banking, Cisco, IBM, Malware, Microsoft, Oracle, Security, Symantec
