IT firms join to share security information

Another piece of President Clinton's National Plan for Information Systems Protection fell into place last week with the creation of the fourth industry center to help protect the information systems that support the United States' critical infrastructure.

At the same time, members of Congress are moving forward with legislation to make industry more comfortable with the idea of sharing sensitive, often proprietary, information with each other and with the government.

Nineteen information technology companies came together to form an information sharing and analysis center, as called for under Presidential Decision Directive 63. Issued by Clinton in May 1998, PDD 63 set the requirements for critical infrastructure protection.

The centers, or ISACs, are intended to provide a mechanism for companies within the eight infrastructure sectors to share information about cyberthreats, vulnerabilities and solutions.

In addition to the new IT-ISAC, three sectors have formed ISACs: banking and finance, telecommunications and electric power.

The arrangements create "a trusted path," said Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism at the National Security Council. Such trust will enable federal organizations such as the National Infrastructure Protection Center and agency computer emergency response teams to share security information, he said.

The ISACs also are supposed to eventually reciprocate sharing with the government, but many companies have expressed concerns that any sensitive information given to agencies might be available to the public through the Freedom of Information Act.

Reps. Tom Davis (R-Va.) and Jim Moran (D-Va.) introduced the Cyber Security Information Act last year to address those and other concerns, including the fear that sharing information with competitors would leave companies open to anti-trust litigation. The bill did not clear Congress before the end of the session, but Davis plans to reintroduce it soon, according to spokesman David Marin.

"It'll be one of his top technology priorities," Marin said.

Although there are still four sectors to go, the creation of the IT-ISAC keeps the effort moving in the right direction, said Norman Mineta, secretary of the Commerce Department, the agency that serves as sector liaison for the IT industry.

"I think that it is a giant step forward in making sure that the nation's networks are as secure as we can make [them]," Mineta said. It is important that all sectors create centers, but the IT sector "is absolutely critical because it permeates the economy so completely," he said.

The IT-ISAC will recruit more IT companies to join. The technical work will be done by Internet Security Systems Inc., a security company that offers intrusion detection, vulnerability analysis, and other products and services.

The information sharing will enable members of the IT sector to better understand threats, collect and develop best practices, and collaborate on potential solutions. That will lead to improved products and services for customers, including federal agencies, said Philip Lacombe, president of the information and infrastructure protection sector at Veridian.

The founding members of the IT-ISAC are Computer Sciences Corp., Veridian, Cisco Systems Inc., Hewlett-Packard Co., IBM Corp., Oracle Corp., Microsoft Corp., AT&T, Computer Associates International Inc., Electronic Data Systems Corp., Entrust Technologies Inc., Intel Corp., KPMG Consulting LLC, Nortel Networks Ltd., RSA Security Inc., Securify Inc., Symantec Corp., Titan Systems Corp. and VeriSign Inc.
