Microsoft, Oracle and 16 other companies have put aside their differences and agreed to work together against cyberattacks.
One year after the Clinton administration released a plan to protect the United States' critical industries from electronic attack, 19 technology companies have banded together to share data on system vulnerabilities and Internet threats.
Called the Information Technology Information Sharing and Analysis Center (IT-ISAC), the group will work with the US government to head off future cyberattacks in the high-tech industry.
"Today we are faced with a problem of a proportion that we have never faced before," said Gregory Akers, vice president of networking-equipment maker Cisco Systems.
"It is important that we now come together and combat the threat that comes before us."
In addition to Cisco, founding members of the IT-ISAC include Microsoft, Oracle, Veridian, CSC, IBM and Hewlett-Packard.
The IT-ISAC is the fourth such information sharing and analysis centre. Already, such centres exist for the financial services industry, the telecommunications industry and the power industry.
Noting that the last thing any company wants to do is share information with the competition, outgoing Secretary of Commerce Norm Mineta said that the formation of the IT-ISAC shows the industry's commitment.
'We are united'
"We are sending a message today to attackers that they are not going to be able to get away with cyberterrorism," he said. "We are united."
The IT-ISAC's founding members gathered a total of US$750,000 to launch the non-profit group, and future members will be able to join for a US$5,000 fee. Security group Internet Security Systems, one of the founding members, will administer the centre by collecting and disseminating vulnerability information.
Members intend to share vulnerability information about critical Internet and computer systems between themselves and determine a set of best practices for the industry.
A number of giant companies, including Microsoft, have recently seen their corporate networks hacked. In such attacks, aimed at organizations large and small, some hackers may deface a Web site with graffiti or more pointed messages. Others toy with private information such as customer data and personal profiles.
Billions lost to electronic theft
Many companies have increased security measures to safeguard valuable intellectual property, but a number of reports indicate that most continue to be vulnerable.
"Our biggest focus is threats rather than vulnerabilities," said Howard Schmidt, Chief Security Officer for Microsoft. "We at Microsoft have some pretty healthy resources to find out whose hammering my network."
By sharing that information with other members - and eventually with the technology community at large - Schmidt hope the centre will make the Internet more secure.
Tech companies fall prey
Tech companies reported the majority of those hacking incidents. The average tech company reported nearly 67 individual attacks, with the average theft resulting in about US$15 million in lost business.
Following a string of attacks on federal systems, President Clinton last year launched a US$2 billion plan for combating cyberterrorism that included an educational initiative to recruit and train IT workers.
The plan also included analyzing the vulnerability of federal agencies and developing infrastructure protection plans. Some questioned the closed nature of IT-ISAC, however.
"I think one of the hurdles that a group like this faces is dividing the security industry between the people in the group and the people outside the group," said "Weld Pond," manager of research and development for security service provider @Stake, who asked to be identified by his hacker pseudonym.
"Industry cooperation on security is a good thing, but only the big guys are cooperating in this new group."
To tell or not?
The debate between freely disclosing the vulnerabilities in products and allowing companies to keep such vulnerabilities secret until fixed has long raged in the security industry.
While it is natural for the group to keep such information to itself, Weld Pond believes they will have a hard time hushing such information up.
"If they detect something before anything else does, it won't be shared outside the group," he said. "However, the vast majority of vulnerabilities out there are found by other experts who tend to share it with the company and then go public."
Unless the IT-ISAC can somehow contain such technical experts, the holes in their system will continue to be an open book.
Peter Allor, who will act as Internet Security Systems' program director for the IT-ISAC, disagrees, saying that the centre plans to share information with everyone, eventually.
"The IT-ISAC formed to share the best practices among themselves," he said. "In addition, we are sharing information with other organizations, as we do that, the information security realm will benefit."
"The strength of the Net is in our ability to protect everyone. If there is one hole, then the whole thing falls apart."
