Commercial Forces Unite to Combat Cyberthreats
Industry giants engage in information operations.
The military is not the only entity that knows information is a powerful weapon. Companies that both develop and depend on communications technologies now recognize that strength increases with numbers and cooperation benefits individual firms and protects overall economic growth. Despite the competitive nature of commerce, information operations have moved from the public to the private sector.
While the armed forces pursue the best ways to gather and share data in support of traditional missions, the private sector finds itself on the front lines of the cyberbattlefield. Distributed denial of service attacks, which continue to increase, pose a major threat to e-commerce and e-government information infrastructures, U.S. government and commercial experts agree. The government, recognizing that economic growth depends on information technology, is calling on industry to muster its troops to protect and defend its own systems, consequently safeguarding the economy as a whole.
President Bill Clinton’s Presidential Decision Directive 63 (PDD-63), issued in May 1998, provided the impetus for much of the securing infrastructure work underway today. The directive details concerns about vulnerabilities of the critical infrastructures that support both the U.S. military and economy. It outlines the formation of several groups, both public and private, to address these concerns.
The creation of an information sharing and analysis center (ISAC) was among the initiatives detailed in PDD-63. Since the directive’s release, four such centers have been formed to gather, analyze, sanitize and disseminate information about cyberthreats, network vulnerabilities and system attacks. The first ISACs created focused on threats to financial services, telecommunications and electric power providers.
Early this year, 19 of the largest firms specializing in information technology established the information technology ISAC (IT–ISAC) as an industry-only operation. AT&T, Cisco Systems, Computer Associates International, Computer Sciences Corporation, EDS, Entrust Technologies, Hewlett-Packard, IBM, Intel Corporation, KPMG Consulting, Microsoft, Nortel Networks, Oracle Corporation, RSA Security, Securify Incorporated, Symantec Corporation, Titan Systems Corporation, Veridian and VeriSign Global Registry Service are the founding member companies.
According to its members, the IT–ISAC is still in the formative stage. Although all of the details have yet to be worked out, representatives from the member companies agree: Cooperating and sharing information is a major step toward protecting everyone’s systems.
The group will report and exchange information among its industry members concerning electronic incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures. Through the IT–ISAC, a mechanism will be established for the systematic and protected exchange and coordination of this information.
The organization receives no government monies; it is funded through membership dues. Because it currently does not share information with the government, it is not subject to the Freedom of Information Act. This is a critical point, as sharing information about attacks and vulnerabilities could be a destructive move. However, in the future the IT–ISAC could choose to share cleansed data with a government agency to support initiatives that would assess the severity of cyberthreats.
The IT–ISAC was coordinated by the Information Technology Association of America (ITAA), Arlington, Virginia, a private trade organization that acts as an advocate for information technology firms on legislative and regulatory issues.
Harris N. Miller, ITAA president, believes that the increased number of threats to the Internet and e-commerce during the past few years makes all of the ISACs important; however, an information technology group is especially critical, he adds. “There is an added difference in the IT [information technology] industry. The IT industry is not only vertical. Like Y2K [year 2000], it underlies all other industries. There is a lot of interrelationship because much of the infrastructure of other industries is IT. So, there is a vertical industry called IT, and IT is horizontal because information technology is used by other sectors,” he explains.
Miller points out that the creation of the IT–ISAC should not imply that these companies have not communicated about information security issues in the past. Informal dialogues have been taking place for some time. However, this initiative formalizes the activity and strengthens the level of trust between the firms as well as with the U.S. government, he offers.
Todd F. Gordon, vice president, IBM Business Continuity and Recovery Services, Somers, New York, agrees with Miller’s assessment of the value of the IT–ISAC. Although the participants are competitors, he says in this venue, they are functioning more like teachers and professors whose goal is to seek the truth—not ways to gain an advantage. “In order for everyone to protect their systems better, more information must be gathered. We’re talking about data mining here. In a sense, it benefits everyone to have 19, 20, 50 times more information than they have themselves,” Gordon, one of the founding members of the group, offers. “It is the law of the commons. If we all share well, we all improve. If we’re reluctant in what we share, one company may be better than others, but the whole is not as good as it could be. If we don’t recognize that, if we don’t manage this well, then it will fail. Everyone in the IT–ISAC shares this view,” he states.
John T. Sabo, business manager for security, privacy and trust initiatives at Computer Associates International Incorporated, Islandia, New York, concurs. “One analogy is the medical field. Medical professionals are competitors as well, but they are fighting a common adversary,” he says.
And like the viruses that cause the common cold, the activities that threaten information systems continue to change, multiply and grow. According to Allan L. Schoenberg, corporate affairs strategist, Internet Security Systems (ISS), a year ago his firm was receiving reports from clients of approximately 10 attacks on systems each month. Today, the Atlanta-based firm, which the IT–ISAC has hired to run its virtual communications, has seen this increase to 110 attacks per month.
ISS will facilitate interaction between IT–ISAC members in two primary areas. First, it will collect vulnerability data by working with its clients and IT–ISAC members. Second, it will disseminate this information among members through encrypted e-mail and a secured World Wide Web site. Although the site will feature a public area, a members-only section will provide access to private information. Because the group has not yet worked out all of the logistical details, specific procedures have not been determined; however, they are scheduled to be in place in the next six months. Schoenberg relates that the approach to sharing vulnerability or attack information must be both anonymous and confidential to build trust within the organization.
Individual incidents will likely be reported; however, Schoenberg believes the bigger benefit will be in trend analysis. “We need to determine how we can better act as a proactive organization and not always be reactionary. For example, if we see that [Windows] NT servers are always being hit at the end of the month, or a group in Eastern Europe, for instance, always seems to hit in this certain way, and we share this information, we can be proactive,” he offers.
Sabo and Gordon agree that, while companies are not coming into the arrangement looking for intelligence information for product enhancements or sales, gathered data may identify new vulnerabilities and this can lead to firms offering better tools and services. All of the participants recognize the value of information operations, Sabo says. “When we were watching the interaction between these companies, it really was clear that information security and sharing was being taken very seriously. That’s another reason we are carefully working through how this center should be organized,” he relates.
Ross G. Pickus, vice president, business development, Computer Associates International, and IT–ISAC board member, was instrumental in bringing together the founding members of the group. Although the current participants represent large information technology firms, once the foundation is in place, Pickus believes smaller firms will begin to join. “Right from the beginning, everyone realized that this was absolutely an important thing to do. Companies came to the conclusion that there are more important things to worry about than competition, and one of those is information security,” he offers.
Because Computer Associates is an international firm, the company can often identify information security threat events that occur in locations outside the United States before U.S. government organizations detect them, Pickus adds.
Sabo agrees and points out that the company has a major interest in e-business. “Security relates to the core of business. If information technology systems were to collapse because we didn’t take the steps to make sure we were doing all we can, IT companies would be responsible,” he offers.
The formation of ISACs in other sectors supports this viewpoint. Many of the same information technology firms that are part of the IT–ISAC are also members of the National Coordinating Center (NCC) ISAC, which focuses on telecommunications. The NCC was created in 1984 and is the precursor to today’s ISACs. Dual-membership firms include AT&T, Cisco Systems, Computer Sciences Corporation and EDS. The telecommunications ISAC includes government participants from the departments of State, Defense and Commerce; the General Services Administration; the Federal Communications Commission; and the Federal Emergency Management Agency.
The group’s goal is to analyze the data it collects from its members about vulnerabilities, threats, intrusions and anomalies to avert or mitigate their impact on the telecommunications infrastructure.
Similarly, the electric utility sector has taken steps to help protect the infrastructures from disruption from coordinated intrusions and attacks. The North American Electric Reliability Council, Princeton, New Jersey, is the electricity sector’s ISAC. It receives incident data, performs analysis to determine potential malicious intent, shares findings with other ISACs and disseminates warnings. The group works with the National Infrastructure Protection Center (NIPC) during incident analysis to determine threat trends and vulnerabilities and assists NIPC personnel with analysis on a cross private- and federal-sector basis.
The financial services ISAC focuses only on cybervulnerabilities, threats and attacks. The membership roster of the year-old industry-only organization is not published.
Gregory N. Akers, vice president of information technology, Cisco Systems, San Jose, California, points out that IT–ISAC participants have a vested interest in their own projects, but they also have a vested interest in ensuring that the space they all share is well managed and well prepared. “They all are doing well with their products in their own right. But the IT–ISAC makes us stronger collectively than we have been independently.” The scope of work that must be done to protect infrastructures requires a great deal of experience that exists only in certain areas of the world. The organization provides a venue for experts in a multitude of specialties to gather and share their knowledge, he adds.
Although individual hackers trouble him, organized groups that could wreak havoc on information systems cause Akers greater concern. Affluent organizations that work quietly could use information warfare to enhance their position in the world. “We will continue to have to deal with viruses, but the biggest concern in my mind are the people who are well educated and well funded. We have an infrastructure that is not well protected, and society is very reliant on this infrastructure. It’s not only e-business, but also transportation and communications. It’s important that we’re prepared to do what we can. Part of this ISAC’s responsibility is to protect the infrastructure that we rely on,” he says.
Howard Schmidt, chief security officer, Microsoft Corporation, Redmond, Washington, points out other issues that the industry will face as new technologies are introduced into the marketplace. The convenience of ubiquitous connections that cable modems and digital subscriber lines offer and the mobility of wireless communications capabilities bring with them added vulnerabilities. “We need to create items so you don’t need a CIO [chief information officer] for your home. That’s the generation we’re all moving to. We’re sort of there, but that’s where the IT–ISAC can be involved,” he relates. In particular, the organization can examine how to create individual offerings and environments in which people can operate securely without being an engineer or programmer, he adds.
Schmidt, who is president of the IT–ISAC, believes that formalizing the information sharing that has taken place on an ad hoc basis accomplishes two goals. First, company owners and operators will receive information about attacks, threats and vulnerabilities in a consistent manner. In the past, much of the collaboration in this arena has occurred at the security department level in firms; the IT–ISAC will bring collected information to higher levels in an organization. Second, although today the IT–ISAC is made of large companies, as information is collected and disseminated smaller firms will have access to the data. This will support the group’s mission of being proactive in information protection, he states.
While groups like the IT–ISAC work toward preventing or slowing down the damage an attack can cause, Schoenberg points out that information security is a journey, not a destination.