Nineteen companies, including Internet Security Systems (ISS), Microsoft, Oracle, IBM, HP, Cisco Systems, Symantec, AT&T, and Veridian, joined together to form the Information Technology Information Sharing and Analysis Center (IT-ISAC). The new, non-profit organization will collect and disseminate vulnerability information among its members to share with the public. ISS will manage the new IT-ISAC center.
IT-ISAC founding members contributed $750,000 to begin funding; companies that join in the future will pay membership fees of $5,000. The founders modeled IT-ISAC after President Clinton's Information Sharing and Analysis Centers (ISAC) as outlined in his Policy on Critical Infrastructure Protection (May 1998). Other companies have formed similar information sharing centers for the energy, financial, and telecommunication industries.
According to Clinton's policy, a National Infrastructure Protection Center (NIPC) would be the center of attention for each ISAC. According to the policy, "Such a center could serve as the mechanism for gathering, analyzing, appropriately sanitizing, and disseminating private sector information to both industry and the NIPC. The center could also gather, analyze, and disseminate information from the NIPC for further distribution to the private sector." The NIPC will include the FBI and Secret Service, and might serve as a resource for the Department of Defense (DOD) and Department of Justice (DOJ).
Critics have already complained about the potential for IT-ISAC to take advantage of information sanitation. Some see the new center as a way to disseminate information among private businesses, not the general public. However, private parties discover most computer-related security vulnerabilities and publish the information openly on the Internet, anyway.
IT-ISAC has yet to publish a Web site. However, IT-SAC has registered the domain names it-isac.org and itisac.org, and expects to make sites available online soon. The NIPC currently operates a public Web site that disseminates both security vulnerability information and information about groups that might pose threats to a given network.
