23 April 2001

Text: New Private-Sector Internet Security Alliance Launched

(Organization plans to heighten global online security)

A new effort has been launched to improve global Internet security and to ensure the safe operation of electronic commerce.

The Electronic Industries Alliance announced the newly formed Internet Security Alliance (ISA) in an April 19 news release. The ISA will help member companies improve the security of their information systems, monitor the occurrence of online security problems such as viruses, and disseminate information about "best practices," potential threats, and risk management strategy, according to the press release from the trade group, representing more than 2,000 companies in the electronic and advanced technology industries.

The new alliance grows from a partnership that has formed between private industry, government agencies and academic researchers, all sharing a mutual concern to keep the Internet operative. In this new endeavor, the Electronic Industries Alliance teams with the CERT Coordination Center (CERT/CC) at the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania.

The U.S. Defense Advanced Research Projects Agency (DARPA) and the SEI set up the CERT/CC originally as a Computer Emergency Response Team in response to a 1988 incident that revealed the potential vulnerability of Internet communications. Since then CERT/CC has monitored and documented almost 48,000 incidents of potential and real computer security breaches. A CERT/CC fact sheet describes the role it will play in the ISA.

Following are the texts of the Electronic Industries Alliance press release and CERT/CC fact sheet:

(Note: In the text "billion" equals 1,000 million.)

(begin press release text)

Electronic Industries Alliance
April 19, 2001

INTERNET SECURITY ALLIANCE LAUNCHED

New Alliance Aims To Raise Awareness of Information Security Risks

Washington, DC -- In the wake of an array of high-profile Internet security breaches, a new alliance was formally launched today. The Internet Security Alliance (ISA) is a response to the urgent economic security challenge posed by a growing dependence on e-commerce. ISA aims to enhance the information security of member companies and, ultimately, the greater Internet community worldwide.

ISA will be the most comprehensive, business-led organization providing up-to-the-minute threat reports, best practice standards, risk management strategies, certification and more. It is distinct from other organizations because its scope is international, cross-industry, non-profit, non-government and non-proprietary.

ISA is a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI) and its CERT® Coordination Center (CERT/CC), and the Electronic Industries Alliance (EIA), a federation of trade associations.

The CERT/CC is a major reporting center for Internet security problems. Staff members provide technical assistance and coordinate responses to security compromises, identify trends in intruder activity, work with other security experts to identify solutions to security problems and disseminate information to the broad community. The CERT/CC also analyzes product vulnerabilities, publishes technical documents, and presents training courses. The CERT/CC offers ISA not only an enormous store of data, but also unmatched analytical expertise.

EIA is a national trade organization with more than 2,300 member companies, representing the full spectrum of U.S. manufacturers representing more than 80 percent of the $550 billion electronics industry. The EIA mission is promoting the market development and competitiveness of the U.S. high tech industry through domestic and international policy efforts.

The need for an organization like ISA is clear.
As little as seven years ago there was no commercial use of the Internet. Today, hundreds of millions of users have access to the Web, and Internet traffic volume is doubling approximately every 90 days. Businesses are recognizing the power of e-commerce and its ability to provide better customer service, reduce costs, access information rapidly and improve internal communication.

"As the number of companies conducting business on the Internet continues to rise, so does the sophistication and number of cyber-attacks. Financial losses to business and government due to Internet vulnerabilities could exceed $100 billion per year by 2004," said Steve Cross, Director of the SEI and Deputy Executive Director of ISA. "The threat is real, and a proactive industry-led initiative is a must."

"The mission of ISA is to raise awareness among corporate leaders worldwide of the potential threats posed by an increase in e-commerce. ISA members will not only advocate Internet security, but also adopt the best practice standards necessary to reduce the risks associated with doing business on the Internet," said Dave McCurdy, Executive Director of ISA and President of EIA.

"ISA offers high-value information networks working toward common solutions. We hope businesses of all sizes, from around the globe, will see the enormous benefits of participating in ISA," McCurdy added.

The Founding Sponsors of the ISA as of April 19, 2000, are: American International Group (AIG), Enspherics, Exodus Communications, Guardent, Mellon Financial Corporation, NASDAQ, Redleaf Group, Inc., TATA Consultancy Services (TCS), TRW, and VeriSign.

The ISA's website is www.isalliance.org.

(end press release text)

(begin fact sheet text)

COLLABORATION BETWEEN THE CERT COORDINATION CENTER AND THE INTERNET SECURITY ALLIANCE

The collaboration between the CERT/CC and the ISA will enable the CERT/CC to better support the private sector by applying its experience and technical expertise at a level beyond what has been possible to date.

The result of the collaboration with ISA will be that the CERT/CC will deliver a higher level of service to the Internet community and initiate new activities that lead to more effective long-term solutions to security problems, including

-- identification of root causes of security problems leading to higher leverage solutions.
-- sophisticated data analysis and new forms of detecting intruder activity.
-- predictive modeling and forecasts of emerging threats.
-- development of standards and metrics.

Frequently Asked Questions

1. What will the CERT/CC provide to members of the ISA?

The CERT/CC will:

-- Provide a security information sharing service. This includes receiving reports from ISA members, sharing analysis reports with ISA members, and allowing ISA members to share information with one another.

-- ISA members will have access to the CERT/CC's database of information through secure distribution channels, thereby enabling the CERT/CC to provide more information to the private sector, in a responsible way. The data-sharing agreement will have three key provisions: (1) Members will be required to sign non-disclosure agreements that prohibit them from redistributing sensitive data; (2) Any member that violates the non-disclosure agreement will be dropped from membership; (3) Members agree to allow the CERT/CC to extract vulnerability and threat data from the member-provided information, share those extracts with the federal government, and use the extracts to generate public advisories and warnings.

-- Participate in research projects focused on improving Internet security.
These will focus on security principles, security practices, and studies that lead to improved analysis techniques, predictive capabilities, and metrics.

-- Conduct Internet security workshops for ISA member organizations.

-- Participate in ISA meetings.

2. Does this agreement mean that the SEI is using taxpayer funds to generate additional revenue from industry by giving preferential treatment to paying customers?

The Software Engineering Institute is not a "government agency"; it is a research and development center that has contracts with both government and industry organizations. The CERT/CC currently receives funding from government agencies (DISA, GSA) to provide them with a set of services. These government customers will continue to receive that support from the CERT/CC. The CERT/CC, however, cannot use these funds to provide new services to the private sector.

The SEI is permitted by its charter to do work in support of the private sector, but not at the government's expense. Therefore, the SEI is recovering the development costs required to support the ISA through non-government funds. These funds will be used, in part, to hire additional personnel to support the new non-government customers.

The funds being collected by the Electronic Industries Alliance from member companies of the ISA cover an agenda that is broader than the CERT/CC's contributions. ISA represents an appropriate commitment by the private sector to share the burden of securing the Internet with government.

3. Does this agreement mean that the CERT/CC will now charge money for information that it used to provide for free?

No.
The CERT/CC will continue to:

-- provide information at no cost to the community, including CERT advisories;
-- broadly distribute public information as quickly as possible for significant intruder activity (e.g., Melissa virus, LoveLetter Worm); and
-- adhere to its established 45-day policy for releasing vulnerability information (see http://www.cert.org/faq/vuldisclosurepolicy.html).

In fact, the CERT/CC's association with ISA, along with the new data streams and resources it provides, will enable the CERT/CC to provide even more public information than it has in the past.

This site is produced and maintained by the U.S. Department of State. Links to other Internet sites should not be construed as an endorsement of the views contained therein.