"Today we are faced with a problem of a proportion that we have never faced before," said Gregory Akers, vice president of networking-equipment maker Cisco Systems. "It is important that we now come together and combat the threat that comes before us."
In addition to Cisco, founding members of the IT-ISAC include Microsoft, Oracle, Veridian, CSC, IBM and Hewlett-Packard.
The IT-ISAC is the fourth such information sharing and analysis center. Already, such centers exist for the financial services industry, the telecommunications industry and the power industry.
Noting that the last thing any company wants to do is share information with the competition, outgoing Secretary of Commerce Norm Mineta said that the formation of the IT-ISAC shows the industry's commitment.
Sending a message
"We are sending a message today to attackers that they are not going to be able to get away with cyberterrorism," he said. "We are united."
Under the new Bush administration, Mineta will move over to become Secretary of Transportation, after Senate approval of his nomination.
The IT-ISAC's 19 founding members ponied up a total of $750,000 to launch the nonprofit group, and future members will be able to join for a $5,000 fee. Security group Internet Security Systems, one of the founding members, will administer the center by collecting and disseminating vulnerability information.
The center's members intend to share vulnerability information about critical Internet and computer systems between themselves and determine a set of best practices for the industry. Such centers were a key part of the initial National Plan for Critical Infrastructure Protection released by the Clinton administration a year ago.
A number of giant companies, including Microsoft, have recently seen their corporate networks hacked. In such attacks, aimed at organizations large and small, some hackers may deface a Web site with graffiti or more pointed messages. Others toy with private information such as customer data and personal profiles.
Many companies have increased security measures to safeguard valuable intellectual property, but a number of reports indicate that most continue to be vulnerable.
"Our biggest focus is threats rather than vulnerabilities," said Howard Schmidt, Chief Security Officer for Microsoft. "We at Microsoft have some pretty healthy resources to find out who's hammering my network."
$45 billion lost to electronic theft
By sharing that information with other members, and eventually the information technology community at large, Schmidt hopes the center will make the Internet more secure.
According to a study by the American Society for Industrial Security (ASIS) and consulting firm PricewaterhouseCoopers, Fortune 1,000 companies sustained losses of more than $45 billion in 1999 from the theft of proprietary information--up from mid-1990s estimates by the FBI that pegged the cost at roughly $24 billion a year.
Tech companies reported the majority of those hacking incidents. The average tech company reported nearly 67 individual attacks, with the average theft resulting in about $15 million in lost business.
After a string of attacks on federal systems, President Clinton last year launched a $2 billion plan for combating cyberterrorism that included an educational initiative to recruit and train IT workers. The plan also included analyzing the vulnerability of federal agencies and developing infrastructure protection plans.
Some questioned the closed nature of IT-ISAC, however.
"I think one of the hurdles that a group like this faces is dividing the security industry between the people in the group and the people outside the group," said "Weld Pond," manager of research and development for security service provider @Stake, who asked to be identified by his hacker pseudonym. "Industry cooperation on security is a good thing, but only the big guys are cooperating in this new group."
To tell or not to tell?
The debate between freely disclosing the vulnerabilities in products and allowing companies to keep such vulnerabilities secret until fixed has long raged in the security industry.
While it is natural for the group to keep such information to itself, Weld Pond believes they will have a hard time hushing such information up.
"If they detect something before anything else does, it won't be shared outside the group," he said. "However, the vast majority of vulnerabilities out there are found by other experts who tend to share it with the company and then go public."
Unless the IT-ISAC can somehow contain such technical experts, the holes in their system will continue to be an open book.
Peter Allor, who will act as Internet Security Systems' program director for the IT-ISAC, disagrees, saying that the center plans to share information with everyone, eventually.
"The IT-ISAC formed to share the best practices among themselves," he said. "In addition, we are sharing information with other organizations; as we do that, the information security realm will benefit.
"The strength of the Net is in our ability to protect everyone. If there is one hole, then the whole thing falls apart."
News.com's Melanie Austria Farmer contributed to this report.


