Security net becomes tougher sell

Money troubles and liability concerns dampen commitment to threat analysis centers

The value of the ISACs as an early warning system increases as more industry and government players get involved. The idea to create the ISACs stemmed from the Presidential Decision Directive 63 of May 1998, which set up a framework for critical infrastructure protection.

The federal government has encouraged the creation of ISACs, but participation has always been voluntary. The ISACs report physical as well as cybersecurity threats to the National Infrastructure Protection Center, which is currently housed at the FBI but is moving to the new Homeland Security Department. Twelve ISACs have been formed so far, with varying levels of support for each. Several more are in the works.

Given the soft economy and uncertainty about federal ISAC funding levels, officials at the centers are under more pressure than ever to build a solid business case for ISAC participation. A related problem is that top officials at corporations, public utilities — and even state governments — want more evidence of the returns they can expect from the costs to join forces with one or more ISACs.

In virtually all the ISACs, there is now an emphasis on the potential dollar value of having access to threat analysis and security trend information as a way to detect and forestall attacks. For the center serving the information technology industry, this ISAC business case has become the cornerstone of a more aggressive drive for new members.

"There have not always been clear answers to support investments or to help companies understand the value proposition," said Cisco Systems Inc.'s Greg Akers, president of the IT ISAC. Better answers are now due, however, since competition for homeland security dollars has heated up. Further, businesses have become more accustomed to operating in a post-Sept. 11, 2001, environment and will not always lend resources simply out of a sense of patriotic duty.

Specifically, new legislation has allayed many of the fears that sensitive corporate data could be made public through the Freedom of Information Act. Lingering on the ISAC plate of issues, however, are fears among participating companies that sharing information on attacks they've suffered risks a competitive advantage or even litigation (see related story on FOIA and liability).

But it is the need to build a better business case for participating in ISACs that is mostly absorbing the ISAC leaders' energy. And the quest for tangible return on investment is not limited to private-sector firms fixated on the bottom line.

"State budgets are tight, no doubt about that. That's why we've made our initial pitch for federal funding early on," said Harry Lanphear, chief information officer of Maine and the National Association of State Chief Information Officers' Cybersecurity Committee chairman, speaking about efforts to build an Interstate ISAC.

Lanphear also has made the pitch to leaders of his own state. For example, he drove home the need for added security funding and resources to participate in the Interstate ISAC in a fall briefing with Maine Gov. John Elias Baldacci and state cabinet members.

"There is a real dollar impact when these things happen," Lanphear said. "So in the briefing, I quoted figures that talked about exactly that." For instance, Lanphear floated an FBI finding that $456 million had recently been lost to computer crime among only a fraction of the nation's top corporations and government agencies.

The governor and his staff were receptive. "It's getting easier to make this case," Lanphear said. The same goes for his state's participation in the proposed Interstate ISAC. "Security officers for each state could be talking with their peers in other states, saying, 'I've noticed this, have you?' That sharing is very valuable. It could save us a lot of money," he said.

However, ISAC leaders such as Akers are pointing to more than just the immediate benefit and potential dollar value of swapping threat data. "Sharing information is not the panacea we thought it was," he said. "We need to be more proactive in terms of the other analytical work of the ISAC."

The IT ISAC illustrates how one center is fine-tuning its operation and increasing the value it provides to members. For example, the center is coordinating weekly teleconferences during which members share anecdotal evidence of incidents. It also has a project to document ISAC best practices that give member companies advice on how to create a more secure online environment.

Such pragmatic benefits of joining an ISAC have never been more critical. "On the forefront of the minds of participating companies is...that they have a business to run," said industry watcher Lee Zeichner, president of LegalNetworks Inc., who has worked around ISAC issues in several capacities since 1996. "Are these ISACs viable as a business? Because if they are not, that raises all sorts of issues."

Among these concerns would be the amount of money federal homeland security officials can contribute to keep ISACs alive, as well as what the feds would expect in return. Those questions will likely remain unanswered for some time, since the details on ISAC spending figures are stalled by federal decision makers' distraction with the task of building the Homeland Security Department.

Hence, it is up to ISAC leaders to push for funds needed to sustain the centers — not easy in a tough economy. "Given this is not a revenue-producing effort for companies, the fact that it takes time for corporations to agree is fairly understandable," said Phil Lacombe, board secretary for the IT ISAC and president of Veridian Inc.'s security solutions sector.

The IT ISAC is now asking members to pay $5,000 annually to cover the center's operation — a figure that pales in comparison to the $50,000 or $60,000 in seed money that founding members were asked to contribute, Lacombe said.

"The dues companies pay are relatively minor," he said.

The staff and back-end costs are potentially much higher. Specifically, participants must dedicate much of their precious security staffs' time to the ISACs and devise a data-reporting infrastructure necessary to feed into the centers.

"The company has got to put in place a mechanism to extract data," Lacombe said. "That may be as simple as running a report or more complicated."

While the staff costs are often second to the data infrastructure costs, the decision to lend human capital to federal information-sharing efforts is not always easy. Indeed, for many private sector companies, the decision to join an ISAC became a large factor in whether to appoint a high-level chief security officer.

"There was the growing realization that information security should be [separate] from the CIO responsibility," said Guy Copeland, a Computer Sciences Corp. vice president who sits on the IT ISAC's board of directors. "There is a natural conflict of interest, since there is almost always a trade-off with added security because you get degradation in performance."

The private-sector chief security appointments — sometimes forced by the question of whether to join an ISAC — ironically may lead back to the need for a strong business case for ISAC participation.

"By separating the two responsibilities you avoid the conflict of interest," Copeland said. "By the same token, there is now a greater need for lessons learned that the security staff can take to senior management and urge them to take responsibility."

Though this may sound like a vicious circle, to Copeland the bottom line is simple: "The business manager has got to understand the dollar value of risks," he said.

Jones is a freelance writer based in Vienna, Va.