Information Sharing – Reactions Are Mixed
In the aftermath of 9/11, some government officials and business leaders are
giving a lot of play to the concept of “information sharing” around IT
security. Reaction by security administrators in the private sector,
though, is mixed.
Actually, the phrase “information sharing” has more than one connotation
these days. On the one hand, the term is being used to refer to technology
transfer between private industry and government. Political leaders,
however, are also issuing calls for more collaboration on security among
companies working in the same industries.
“We need you to share information,” said U.S. Rep. Jim Nolan (D-VA) during
the recent 2002 Networked Economy Summit, held in Reston, VA, just outside
of Washington, DC. The subtitle for the three-day conference was “Meeting
Security Challenges with Technology.”
“Protecting our information system will require business and government to
act together,” said Richard Clarke, special advisor to the President on
“Depending on government to be prescient is not going to work,” according
to Clarke. “We have built this IT (infrastructure) without building
security into hardware, software, (and) networks. We need you all to be a
nudge, so when the cyberwar comes, the good guys will win.”
“Collaboration (in) communications is critical. Information domination is
all important. We didn’t have the information we needed, when we needed it.
We didn’t know what we knew. That’s not to say, though, that 9/11 was
preventable,” said Jack London, chairman and CEO of CACI International.
“If we want to solve the problem, we need to turn to you, because you guys
have the expertise,” echoed Phil Bond, undersecretary for technology
administration in the US Commerce Department.
On the technology transfer side, one idea now being weighed in the US
Congress is to create an “exchange program” between mid-level IT staff in
government and industry.
Already passed by the US House of Representatives, the Digital Cyber Corps
Act of 2002 is aimed at helping the federal government do a better job of
managing complex IT projects, including security.
According to US Representative Tom Davis (R-VA), the legislation will let
interested IT professionals in the private sector pitch in on the “war on
terrorism,” while also improving the skills of federal IT managers by
exposing them to administration technologies in the private sector.
If the bill goes through as currently written, participants will take part
in the exchange program for six-month to two-year periods. Employees will
continue to receive pay and benefits from their respective employers.
Meanwhile, at a recent meeting sponsored by the New York E-Comm
Association, high-ranking security managers from two large IT companies
said they haven’t been getting direct communications from federal law
enforcement agencies. However, local police from various jurisdictions
received high marks from panelists for passing along relevant security
“The traditional attitude is, ‘Why should I help the government, when it
doesn’t help me?’” noted Guy Copeland, VP, Federal Sector, for Computer
Sciences Corporation (CSC), during the Networked Economy conference in
Enterprises also worry that if they admit to security breaches, they’ll
look bad. “That’s really the biggest concern in corporate America. When
Citibank went public with the news that they’d been hacked, they lost
business,” said Richard Pethia, director of the FBI’s National
Infrastructure Protection Center (NIPC).
Businesses are concerned, too, that information shared with the government
might then be accessed by the wrong people under the Freedom of Information
Act, with unintended consequences.
U.S. Representative Jim Nolan (D-VA) has proposed a bill in the House to
exempt companies from both the Freedom of Information Act and federal antitrust
laws “when sharing information related to cyberattacks.”
One information sharing program already established is the IT ISAC
(Information Sharing and Analysis Center), as a result of federal
recommendations to create information sharing entities within various
“functional sectors” of the national economy.
Supporters see the IT ISAC and other “functional ISACs” as letting nongovernmental
organizations share security information about common
vulnerabilities, threats, and incidents “outside the burdens of open-record
When it comes to sharing information with others in their industries,
though, security managers often cite competitive drawbacks. “People worry
that there won’t be two-way information flow. They’re also very unwilling
to say, ‘Hack me,’” according to Copeland.
Some observers, however, think that cooperation is on the upswing. CACI’s
London, for one, attributes the change in mood to “growing patriotism.”
Others point in the direction of enlightened self-interest. “If the hackers
are sharing information with each other, why shouldn’t we?” Copeland asked.
“Although the natural reaction is to try to hide things – to paper things
over – that’s fading. People are finding that one of the best ways to come
up with a fix is to share information,” according to Clarke.
“We are not islands. The world is not our best friend, nor is it our
confidant. We have to face the future. We are all networked, whether we
like it or not,” observed Sean Ballington, systems and technology assurance
solutions leader, Price Waterhouse Coopers.