Information Sharing - Reactions Are Mixed to Government Overtures
While the Federal government pushes companies to share information on security practices and incidents, some in the private sector are unsure of the benefits and nervous about disclosure requirements.
Information Sharing - Reactions Are Mixed
In the aftermath of 9/11, some government officials and business leaders are giving a lot of play to the concept of "information sharing" around IT security. Reaction by security administrators in the private sector, though, is mixed.
Actually, the phrase "information sharing" has more than one connotation these days. On the one hand, the term is being used to refer to technology transfer between private industry and government. Political leaders, however, are also issuing calls for more collaboration on security among companies working in the same industries.
"We need you to share information," said U.S. Rep Jim Nolan (D-VA), during the recent 2002 Networked Economy Summit, held in Reston, VA, just outside of Washington, DC. The subtitle for the three-day conference was "Meeting Security Challenges with Technology."
"Protecting our information system will require business and government to act together," said Richard Clarke, special advisor to the President on cyberspace security.
"Depending on government to be prescient is not going to work," according to Clarke. "We have built this IT (infrastructure) without building security into hardware, software, (and) networks. We need you all to be a nudge, so when the cyberwar comes, the good guys will win."
"Collaboration (in) communications is critical. Information domination is all important. We didn't have the information we needed, when we needed it. We didn't know what we knew. That's not to say, though, that 9/11 was preventable," said Jack London, chairman and CEO of CACI International.
"If we want to solve the problem, we need to turn to you, because you guys have the expertise," echoed Phil Bond, undersecretary for technology administration in the US Commerce Department.
On the technology transfer side, one idea now being weighed in the US Congress is to create an "exchange program" between mid-level IT staff in government and industry.
Already passed by the US House of Representatives, the Digital Cyber Corps Act of 2002 is aimed at helping the federal government do a better job of managing complex IT projects, including security.
According to US Representative Tom Davis (R-VA), the legislation will let interested IT professionals in the private sector pitch in on the "war on terrorism," while also improving the skills of federal IT managers by exposing them to administration technologies in the private sector.
If the bill goes through as currently written, participants will take part in the exchange program for six-month to two-year periods. Employees will continue to receive pay and benefits from their respective employers.
Meanwhile, at a recent meeting sponsored by the New York E-Comm Association, high-ranking security managers from two large IT companies said they haven't been getting direct communications from federal law enforcement agencies. However, local police from various jurisdictions received high marks from panelists for passing along relevant security info.
"The traditional attitude is, 'Why should I help the government, when it doesn't help me?" noted Guy Copeland, VP, Federal Sector, for Computer Sciences Corporation (CSC), during the Networked Economy conference in Virginia.
Enterprises also worry that if they admit to security breaches, they'll look bad. "That's really the biggest concern in corporate America. When Citibank went public with the news that they'd been hacked, they lost business," said Richard Pethia, director of the FBI's National Infrastructure Protection Center (NIPC)..
Businesses are concerned, too, that information shared with the government might then by accessed by the wrong people under the Freedom of Information Act, with unintended consequences.
U.S. Representative Jim Nolan (D-VA) has proposed a bill in the House to exempt companies from both the Freedom of Information Act and federal antitrust laws "when sharing information related to cyberattacks."
One information sharing program already established is the IT ISAC (Information Sharing and Analysis Center). as a result of federal recommendations to create information sharing entities within various "functional sectors" of the national economy.
Supporters see the IT ISAC and other "functional ISACs" as letting nongovernmental organizations share security information about common vulnerabilities, threats, and incidents "outside the burdens of open-record laws."
When it comes to sharing information with others in their industries, though, security managers often cite competitive drawbacks. "People worry that there won't be two-way information flow. They're also very unwilling to say, 'Hack me,'" according to Copeland.
Some observers, however, think that cooperation is on the upswing. CACI's London, for one, attributes the change in mood to "growing patriotism."
Others point in the direction of enlightened self-interest. "If the hackers are sharing information with each other, why shouldn't we?" Copeland asked.
"Although the natural reaction is to try to hide things - to paper things over - that's fading. People are finding that one of the best ways to come up with a fix is to share information," according to Clarke.
"We are not islands. The world is not our best friend, nor is it our confidant. We have to face the future. We are all networked, whether we like it or not," observed Sean Ballington, systems and technology assurance solutions leader, Price Waterhouse Coopers.