Tech rivals join security tag team

One year after the Clinton administration released a plan to protect the nation's critical industries from electronic attack, 19 technology companies announced on Tuesday they had banded together to share data on system vulnerabilities and Internet threats.

Called the Information Technology Information Sharing and Analysis Center (IT-ISAC), the group will work with the government to head off future cyberattacks on the group's members and other sectors of the high-tech industry.

"Today we are faced with a problem of a proportion that we have never faced before," said Gregory Akers, vice president of networking-equipment maker Cisco Systems. "It is important that we now come together and combat the threat that comes before us."

In addition to Cisco, founding members of the IT-ISAC include Microsoft Corp., Oracle Corp., Veridian, CSC, IBM Corp. and Hewlett-Packard Co.

The IT-ISAC is the fourth such information sharing and analysis center. Already, such centers exist for the financial services industry, the telecommunications industry and the power industry.

Noting that the last thing any company wants to do is share information with the competition, outgoing Secretary of Commerce Norm Mineta said that the formation of the IT-ISAC shows the industry's commitment.

'We are united'
"We are sending a message today to attackers that they are not going to be able to get away with cyberterrorism," he said. "We are united."

Mineta is awaiting Senate confirmation of his appointment as Secretary of Transportation in the Bush administration.

The IT-ISAC's founding members ponied up a total of $750,000 to launch the nonprofit group, and future members will be able to join for a $5,000 fee. Security group Internet Security Systems, one of the founding members, will administer the center by collecting and disseminating vulnerability information.

The center's members intend to share vulnerability information about critical Internet and computer systems between themselves and determine a set of best practices for the industry. Such centers were a key part of the initial National Plan for Critical Infrastructure Protection released by the Clinton administration a year ago.

A number of giant companies, including Microsoft, have recently seen their corporate networks hacked. In such attacks, aimed at organizations large and small, some hackers may deface a Web site with graffiti or more pointed messages. Others toy with private information such as customer data and personal profiles.

Billions lost to electronic theft
Many companies have increased security measures to safeguard valuable intellectual property, but a number of reports indicate that most continue to be vulnerable.

"Our biggest focus is threats rather than vulnerabilities," said Howard Schmidt, Chief Security Officer for Microsoft. "We at Microsoft have some pretty healthy resources to find out who's hammering my network."

By sharing that information with other members--and eventually with the technology community at large--Schmidt hopes the center will make the Internet more secure.

According to a study by the American Society for Industrial Security (ASIS) and consulting firm PricewaterhouseCoopers, Fortune 1,000 companies sustained losses of more than $45 billion in 1999 from the theft of proprietary information--up from mid-1990s estimates by the FBI that pegged the cost at roughly $24 billion a year.

Tech companies fall prey
Tech companies reported the majority of those hacking incidents. The average tech company reported nearly 67 individual attacks, with the average theft resulting in about $15 million in lost business.

Following a string of attacks on federal systems, President Clinton last year launched a $2 billion plan for combating cyberterrorism that included an educational initiative to recruit and train IT workers. The plan also included analyzing the vulnerability of federal agencies and developing infrastructure protection plans.

Some questioned the closed nature of IT-ISAC, however.

"I think one of the hurdles that a group like this faces is dividing the security industry between the people in the group and the people outside the group," said "Weld Pond," manager of research and development for security service provider @Stake, who asked to be identified by his hacker pseudonym. "Industry cooperation on security is a good thing, but only the big guys are cooperating in this new group."

To tell or not?
The debate between freely disclosing the vulnerabilities in products and allowing companies to keep such vulnerabilities secret until fixed has long raged in the security industry.

While it is natural for the group to keep such information to itself, Weld Pond believes they will have a hard time hushing such information up.

"If they detect something before anything else does, it won't be shared outside the group," he said. "However, the vast majority of vulnerabilities out there are found by other experts who tend to share it with the company and then go public."

Unless the IT-ISAC can somehow contain such technical experts, the holes in their system will continue to be an open book.

Peter Allor, who will act as Internet Security Systems' program director for the IT-ISAC, disagrees, saying that the center plans to share information with everyone, eventually.

"The IT-ISAC formed to share the best practices among themselves," he said. "In addition, we are sharing information with other organizations. As we do that, the information security realm will benefit."

"The strength of the Net is in our ability to protect everyone. If there is one hole, then the whole thing falls apart."

Melanie Austria Farmer contributed to this report.