Rival industry groups are bickering over access to cybersecurity briefings conducted by the Department of Homeland Security (DHS). The DHS's Infrastructure Coordination Division (ICD) uses 14 information sharing and analysis centers (ISACs) as its exclusive conduits for downloading intelligence to industry groups relating to critical infrastructure protection.
At hearings in the House Select Committee on Homeland Security last month, Dave McCurdy, executive director of the Internet Security Alliance (ISAlliance), expressed concern that companies affiliated with the ISAlliance are being denied access to US-CERT intelligence. The ICD recently established the U.S. Computer Emergency Readiness Team based on a partnership with the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. On Jan. 28, 2004, the US-CERT gave birth to the National Cyber Alert System, an operational system developed to deliver targeted, timely and actionable information to Americans to secure their computer systems.
Such a system is paramount to the fight against cyberterrorism since alerts help security administrators and managers better arm their networks against intrusions. But over the past few years, a decentralized network of alerts -- some tailored to general IT and some to specific verticals -- has arisen.
The ISAlliance was established in 2001, five months prior to 9/11, as a way of plugging members of the Electronic Industries Association into information generated by the CERT/CC. ISAlliance members, who include foreign companies, pay annual dues which start at $3,000 a year. Membership crosses industries and includes CocaCola, Sony, Visa and VeriSign, for example.
"It would be problematic if suddenly the ISAlliance members who have relied on this information to build their corporate security plans and policies, are now denied access to that data," McCurdy said. The ISAlliance is composed of about 60 companies, about a quarter of whom are represented on the 14 ISACs and organized around industries such as chemical, energy, emergency management and response, and financial services.
Robert Liscouski, assistant secretary for infrastructure protection at DHS, explained ICD "works with ISACs, sharing information on threats, recommending protective actions and issuing warnings. ISACs serve as a gateway between DHS and the industry for two-way information sharing and provide the industry with an information clearinghouse for each sector."
Robert Dacey, director of information security issues at the General Accounting Office, substantiated McCurdy's concerns about the exclusive nature of the ISAC "clubs" to some extent. He summarized a new GAO report on the operations and composition of the ISACs, many of whom, like the ISAlliance, charge annual dues -- sometimes substantial amounts.
On the ISACs, the GAO report concluded that "a number of challenges to their successful establishment, operation and partnership with DHS and other federal agencies remain." One of those challenges is to broaden the membership of ISACs." According to the ISAC Council, its membership consists of approximately 65% of the U.S. private critical infrastructure.
But industry representation varies widely within each ISAC. For example, the banking and finance sector has estimated that there are more than 25,000 financial services firms in the United States. Of those, according to the Financial Services ISAC Board, roughly 33% receive "urgent" and "crisis" alerts through license agreements with sector associations. Those financial services firms account for the vast majority of total commercial bank assets and the majority of securities/investment bank transactions that are handled by the sector, but less than half the sector's insurance assets.
While the ISAlliance wants to break the ISACs' exclusive hold on US-CERT intelligence briefings, the GAO report noted that "officials at two of the ISACs we contacted considered it important that the federal government voice its support for the ISACs as the principal tool for communicating threats."