So, will Oracle openly share its security vulnerabilities with IBM? How about Cisco Systems telling Nortel Networks...
about a hacker attack? Think EDS will ask for Computer Sciences' help with a security hole?
Such questions arose when the aforementioned companies and 13 others two weeks ago announced the formation of the Information Technology Information Sharing and Analysis Center (IT-ISAC). The group will use a central depository to store and distribute information about security vulnerabilities and attacks. Member companies will benefit from such information, but it's still unclear how much information will be shared with the public.
The ISAC effort began in May 1998 when President Clinton asked vital U.S. industries such as financial services, IT and telecommunications to form industry groups to share information about technology attacks and vulnerabilities.
Observers speculate about the viability of information sharing within IT-ISAC, while a similar group is already doing just that. The Financial Services-ISAC was formed in October 1999 for security-information sharing among financial industry companies. Security is something companies cannot ignore as the FBI estimates the average attack results in $400,000 in lost revenue.
In fact, the FS-ISAC saved its members from denial-of-service attacks last February that crippled Yahoo and Amazon, among others, said Eugene Spafford, a computer science professor at Purdue University and director of the school's Center for Education and Research in Information and Assurance Security.
"I think there is a trust issue among the companies. It needs to be built up before they start sharing information. If too much is being leaked, then they will cut off their sharing," Spafford said.
To address that, IT-ISAC is modeling itself after FS-ISAC. Information about any security holes or vulnerabilities would be distributed anonymously to the members to inform them or to solicit assistance in resolving it, said Peter Allor, who heads IT-ISAC for Internet Security Systems (ISS), the company contracted to organize and run the group.
"We want to make sure our market sector has fixes in place before it is generally known there is a problem," Allor said. "To use a military term, we want to turn inside their decision cycle."
By mid-March, companies should be able to start reporting information to IT-ISAC. Everything from finding a new vulnerability or solution to a problem can be submitted anonymously. The information is then distributed to members, who in turn, reply with solutions they have found to certain vulnerabilities, Allor said.
With 19 members, it may be possible to guess which company was reporting, Allor admits. "But we do expect membership to ramp up quickly, so it will be very, very hard to tell who is having the problem." Allor adds that membership will be open to specific IT companies, but adds that the criteria is still being hammered out.
The FS-ISAC had to blaze its own trail when figuring out its structure. The founding companies talked to several organizations about how they handled incident reporting, including the Center for Disease Control. Building trust among the member companies does take time, said Stanley Jarocki, a FS-ISAC board member and chief information security officer at Depository Trust & Clearing Corporation.
The key to effective sharing is anonymity, Jarocki said. The FS-ISAC has developed a database, open only to members, of proposed solutions, resolutions and vulnerabilities. Additionally, the group has more than 100 information feeds warning of incidents and vulnerabilities. "We offer them one-stop shopping for companies. This is too big a problem, they need analytic and timely information fast," he said.
While some may bristle at the secrecy of the sharing, the actual exchange of information does benefit the public in a few ways. "Such information sharing will help the public, at least indirectly. If nothing else, it would probably end up saving them money. Also, sharing information may help catch invaders," Spafford said.
Financial service companies compete for everything from credit cards to mortgages, but they do have common interests as well. The relationship among the Chase Manhattans and Citicorps can be described as "coopeition (a new buzzword for the state of cooperation and competition)," Jarocki said.
Though IT companies may compete more than cooperate, that is not to say they don't have common interests. IT-ISAC will shape some "rules of the road" for the Internet and raise the water level of security practices, said Frank Prince, a senior analyst with Forrester Research of Cambridge, Mass. "Raising the level of security has to be community effort."
However, Prince rejects any suggestions that IT companies are inherently more secure than those in other industry. "It's disingenuous to say that since Microsoft can't keep its system secure, that I won't be able to," he said.
"Say you train all members of your family as master martial artists, get three Rottweilers and a noisy Chihuahua and get the biggest and best locks for your doors and windows. Your neighbor can still drive his motor home into your house and kill your family," Prince said. "There is no such thing as being totally secure. It's feeling comfortable at a certain level of risk. It's all probability."
FOR MORE INFORMATION: