Information Security News mailing list archives

Tech firms form alliance against hackers


From: InfoSec News <isn () C4I ORG>
Date: Tue, 16 Jan 2001 12:34:59 -0600

http://www.zdnet.com/zdnn/stories/news/0,4586,2674531,00.html

By Ted Bridis, WSJ Interactive Edition
January 16, 2001 4:57 AM PT

WASHINGTON -- Some of the biggest names in technology, including
bitter rivals Microsoft Corp. and Oracle Corp., are forming a private
alliance to share sensitive information about cyber-attacks and
vulnerabilities in their software and hardware products, which are
used by much of the world's businesses and governments.

"The overriding goal is to protect ourselves from cyber-hazards,
whether they be deliberate attempts or accidental events," said Guy
Copeland of Computer Sciences Corp., a board member of the new center,
the Information Technology Information Sharing and Analysis Center.
"We've known that each of us have a little bit of the picture. ... By
sharing the information, we can be that much smarter."

Nineteen companies -- including AT&T, Cisco, IBM and HP -- contributed
a total of $750,000 to launch the nonprofit center, known as IT-ISAC.
Atlanta's Internet Security Systems Inc. will run the center's
operations. Other technology firms will be able to join the alliance
for $5,000 a year.

Fighting e-commerce attacks

President Clinton had urged the industry to create this members-only
organization after hackers last year shut down traffic to some of the
Internet's biggest e-commerce sites. The emphasis on finding ways to
keep computer networks secure reflects the growing dependence on
technology across the nation's most important industries.

"This is so basic to everything else that gets done," said Commerce
Secretary Norman Mineta, who will serve as Transportation Secretary in
the Bush administration. He said the new group, being formally
announced Tuesday in Washington, "enables the industry and the
government to share state-of-the-art Internet security measures, and
it will spot potential threats to the Internet more quickly."

Members that discover a new cyber-threat -- a new strain of virus or a
break-in method that foils existing electronic defenses -- will be
able to send detailed warnings to the rest of the group via e-mail,
telephone, fax and pagers. The 19 board members, scheduled to meet
Tuesday for the first time, eventually will determine how much of that
information to share with other industries or the U.S. government.

"The idea is not getting this out in the front pages of the newspapers
so every hacker in the world starts to exploit the vulnerability,"
said Harris Miller, head of the Information Technology Association of
America, which helped set up the group. "The hope here is to catch
these problems earlier and try to stop things before they happen
rather than mitigate them."

Confidentiality and alliances

Three similar private alliances to detect hackers and
cyber-vulnerabilities already exist, covering the banking, telephone
and electrical industries, and others are planned soon for oil and gas
companies and the transportation sector. It is unlikely the public
will ever learn of the most serious threats uncovered by these
industry alliances, since the groups tend to favor strict promises of
confidentiality. The alliance protecting U.S. banks, for example,
declines to say even how many financial institutions participate.

Complex questions about sharing sensitive threat information with the
government, which can include regulators, and with other industries
still aren't resolved. U.S. intelligence and law-enforcement agencies
want to hear warnings early and have promised to share confidential
information they collect, but there remains some level of distrust on
all sides.

Companies typically are motivated simply to prevent business
disruptions, not to arrest hackers or terrorists or to provide
evidence for a criminal trial that might prove embarrassing.

"We let industries organize themselves," said John Tritak, head of the
Commerce Department's U.S. Critical Infrastructure Assurance Office,
which acts as a go-between for these groups. "They'll say, 'Heads up,
we just saw a virus. You may be next.' We want to urge cross-sector
cooperation [but] we want to really perfect the information-sharing
regime we establish."

Other founding members include Computer Associates International Inc.,
Electronic Data Systems Corp., Entrust Technologies Inc., Intel, KPMG
International U.S. member firm KPMG LLP, Nortel Networks, RSA Security
Inc., Securify Inc., Symantec, Titan Systems Corp., Veridian Inc. and
VeriSign Inc.

The 19 founders represent some of the industry's largest firms, but
they come with historic rivalries. Cisco and Nortel Networks compete
bitterly in sales of computer-networking hardware. Microsoft was found
to have violated antitrust laws to influence contracts with AT&T and
IBM; Oracle has admitted to hiring private investigators to dig
through the trash of groups supportive of Microsoft. Can these
companies, in an industry known for unusually aggressive executives,
ever trust each other?

"We have to put down our differences and our competitiveness and share
more if we're going to prosper together," Copeland said. "If you're
going to wall yourself off and not share, then you're going to be
hurting. This will be a venue and a forum where we can start to build
a level of trust."

ISN is hosted by SecurityFocus.com