Alternative sharing alliance gains traction

The Internet Security Alliance is piping up with an ISAC alternative

As proponents of the Information Sharing and Analysis Centers (ISACs) hustle to make a business case for participation from more government and business players — an effort viewed as critical to attracting new members — the Internet Security Alliance (ISAlliance) is piping up with an ISAC alternative.

In this era of corporate belt tightening, money is an issue for companies thinking about joining an ISAC. And for a good many of these corporations — especially newer Internet or e-commerce companies — so is voluntarily handing over any kind of information to such an imposing government figure as the FBI, which currently houses the National Infrastructure Protection Center.

"Why did companies join ISACs in the first place? One factor was a great deal of pressure from government to do that," said Dave McCurdy, president of the Electronic Industries Alliance (EIA), and executive director and one of the founding members of ISAlliance, which is decidedly not as closely affiliated with government as are the ISACs.

EIA, along with Carnegie Mellon University's Software Engineering Institute and CERT Coordination Center, set up ISAlliance in April 2001 and bill the effort as a single portal for threat reports, best security practices and risk management strategies.

A more proactive approach is a main difference ISAlliance executives tout in comparing their threat-warning model with that of the ISACs. Other differentiators include the breadth of information circulated to members, since the data is not limited by industry. The group also points to the historical software vulnerability and intrusion data kept on hand for members.

Now more than 50 members strong, ISAlliance last fall garnered endorsement from the World Bank, which issued a white paper titled "Electronic Security: Risk Mitigation in Financial Transactions." In it, the bank pointed to the ISAlliance as the best-suited public/private partnership for critical information sharing.

While McCurdy and others acknowledge ISAlliance's inherent competition with the ISACs — mostly because member funding and homeland security monies are so scarce — many do not negate the need for both information-sharing initiatives.

For instance, Guy Copeland, a Computer Sciences Corp. vice president who is on the board of directors for the information technology industry's ISAC, identified a key difference between ISAlliance and ISAC missions: ISAlliance is geared toward more technical IT security staffs, while the ISACs are aimed at business leaders. It should be noted, however, that CSC is an associate member of the ISAlliance.

"It may end up that in the end, there is room for both or a need to combine," Copeland said. "I certainly don't dismiss [ISAlliance's] efforts. They are doing a good job, especially with technical analysis."
