IT security group gears up

The newly formed ISAC promises to gather specialized security information from some of the world's biggest companies that may help prevent and foil Internet crimes--if it can get the companies to talk to one another.

Starting next month, some of the world's biggest information-technology companies will begin swapping stories about how computer vandals broke into their networks and compromised important data.

But the tales they tell won't have their names on them. That's because when members of the IT Information Sharing and Analysis Center report in, they will use an "anonymizing" service that removes all traces of their identity. Backers assert the new info-swap center will advance the art of computer security by spreading information about the latest hacks and defenses quickly.

"Our plan is to be very proactive on things," Microsoft Chief Security Officer Howard Schmidt said. "We find in most instances the problem is a failure of people or processes."

Computer Associates, Microsoft, Oracle and 16 other major technology companies have put up $650,000 for the center's first year. The center is an outgrowth of a four-year federal effort to secure the nation's critical information infrastructure against criminals, terrorists and garden-variety hackers. Internet Security Systems of Atlanta will run the operation.


Organizers concede there is something odd about, as one participant puts it, "Macy's sharing information with Gimbels." But industry may have no choice but to tell its tales: Police and government, after all, will never know as much about the systems as the people who build them.

Mark Rasch is vice president for cyberlaw at Predictive Systems, a computer security company that also runs a security center for the financial industry. Although the ISACs currently operating in the banking and energy industries are supposed to help government understand the threat of cybercrime better than it does now, Rasch said many companies still feel uneasy sharing information about the risks they face. As a result, the financial industry's ISAC hands over only generalized information to the federal government.

"Why should First Union or Hewlett-Packard report this stuff to the government?" he asked. Then again, "Why should Hewlett-Packard be able to become secure and the Defense Department not?"

Members of the new information-technology center say they will alert each other when they have major security problems. Members promise to keep each other apprised of successful attacks, of major vulnerabilities they discover in their own networks, and of suspicious behavior they notice in and outside their own networks.

Depending on how members wish to handle their problems, they may simply report what they see or ask for outside help.

The ISAC, in return, promises to keep members up to speed on what is happening across the membership, while sifting and analyzing data for patterns that could help further strengthen defenses.

Center operator ISS is also supposed to use intelligence gathered from other contracts to help with problems ISAC members have.

The company has also promised to keep members up to date on the latest techniques in effective network security.

Peter Harter is a vice president at Securify, a computer-security company that helped found the security center. Harter said he was hopeful members will gain expertise from the center. Still, it's by no means certain the ISACs will prove themselves better than security systems in place now.

The federally funded Computer Emergency Response Team at Carnegie Mellon University, the SANS Institute and other security-minded groups, for instance, regularly swap information with industry insiders.

Furthermore, Harter said, many inside industry and government still view each other warily. That mutual unease, he said, could hamper the center's effectiveness.

If nothing else, the industry ISAC may add a sense of structure to a process that remains haphazard.

"I don't know what direction it's going to go in, but it's a tool to convene in," Harter said. "Maybe that's all it has to be."

Harris Miller, executive director of the Information Technology Association of America, acknowledges that many other groups already share information. Still, he said, groups like CERT and SANS address widely discovered vulnerabilities relevant to all industries. If done correctly, he said, the new ISACs should yield specialized information that could discover and foil criminals earlier in the process.

Still, he concedes, talking isn't always so easy.

"You've got companies that spend each day beating each other up in the marketplaces trying to land customers having tremendous sensitivity about intellectual property and having sensitivity about sharing vulnerabilities," Miller said.

"That's why it took some time. It's not simply a campfire where you all sit around singing 'Kumbaya.'"