Tuesday, January 16, 2001
WASHINGTON - Commerce Secretary Norman Mineta, joined by executives of 19 companies from the Information Technology (IT) industry, today announced the creation of the Information Technology (IT) Information Sharing and Analysis Center (ISAC). The announcement is the fulfillment of an industry pledge made at the February 14, 2000, White House meeting of the Information Technology Association of America (ITAA) and a group of leading IT companies and organizations with President Clinton and other top Administration officials. The meeting took place to discuss Internet and information security issues in light of the denial of service attacks that occurred early in the year.
At the meeting almost a year ago, industry representatives presented an information security statement acknowledging government and industry's shared interest in preserving a free and open Internet, and stated their willingness to continue "reporting, responding to, and exchanging non-proprietary information concerning threats, attacks and protective measures." The group also stated its intention to establish a mechanism for "systematic and protected sharing and coordination of information regarding cyber attacks, vulnerabilities, countermeasures, and best information security practices." That mechanism has become the IT-ISAC announced today.
Richard Clarke, National Coordinator for Security, Infrastructure Protection and Counter-Terrorism, National Security Council, and Gregory L. Rohde, Assistant Secretary for Communications and Information and NTIA administrator, also participated in the kick-off event. Secretary Mineta hailed the creation of the IT-ISAC as a major step to make the Internet more secure. "The IT-ISAC will enable the high-tech industry to take the lead in spotting potential threats to the Internet and information infrastructures more quickly, sharing state-of-the-art Internet and information infrastructure security measures, and responding in a more coordinated way when incidents occur," the Secretary stated. "Ultimately, we anticipate that there will be industry and government sharing of information among the ISACs that have been created. The industry-only ISACs are a first step in that direction."
The IT-ISAC is the third ISAC that has been created following Presidential Decision Directive 63, which was issued May 22, 1998. Other ISACs include the Financial Services ISAC, an industry-only ISAC, and the Telecommunications ISAC, which includes both government and industry members and operates within the National Coordinating Center (NCC). The transportation sector plans to meet in early February to discuss the creation of an ISAC.
"In order for these ISACs to succeed, there must be specific approaches identified for the systematic and protected sharing of information," said Richard Clarke. "In the long run, a basic prerequisite for cooperation among industry, government, and law enforcement officials is a clear legal and public framework for action, which we will have to work together to create."
The stated mission of the IT-ISAC is: To report and exchange information among its industry members concerning electronic incidents, threats, attacks, vulnerabilities, solutions and countermeasures, best security practices and other protective measures; to establish a mechanism for systematic and protected exchange and coordination of such information; and to take other appropriate action commensurate with these goals. The Information Technology Association of America (ITAA), which serves as one of NTIA's three Sector Coordinators, was responsible for coordinating the development of the IT-ISAC.
Company participation in the IT-ISAC is voluntary, and currently includes AT&T, Cisco Systems, Computer Associates, CSC, EDS, Entrust Technologies, Hewlett-Packard Co., IBM, Intel Corporation, KPMG Consulting, Microsoft, Nortel Networks, Oracle Corporation, RSA Security, Securify, Inc., Symantec Corporation, Titan Systems Corp, Veridian, and VeriSign Global Registry Services. The initial IT-ISAC Board of Directors will be made up of these 19 "Founding Members."
With the recognition that the IT-ISAC is industry led and financed, NTIA, as the principal government agency for the protection of the Information and Communications (I&C) sector, has responsibility to work in partnership with the I&C sector to facilitate the establishment and operation of sectoral ISACs, and to assist the sector in eliminating/mitigating sectoral vulnerabilities. Assistant Secretary Rohde commented, "The nation's dependence on the information and communications sector cannot be overstated. The country's economic, cultural, social, and political health and security hinge directly on the efficient and continuous operation of the I&C infrastructure. The formation of the IT-ISAC is a big step forward in developing and improving strategies and mechanisms for both protecting against hostile actions and facilitating continuity of operations and rapid recovery from failures that may occur."
The Department of Commerce envisions the industry-government partnership for critical infrastructure protection as a long-term effort which is now well underway. The Nation's critical infrastructures are owned and operated by companies that generally manage their business risks according to the measure of impact upon their own enterprises. The creation of the IT-ISAC and other ISACs is a frank acknowledgment that risk management must be expanded to take into account the potential for devastating effects on a national scale that are far beyond the responsibilities of individual enterprises and infrastructures. It is clear that reducing the risks will require increasing work to coordinate efforts within and between the private and public sectors in all critical infrastructures.