18 January 2001
Source:


US Department of State
International Information Programs

Washington File
_________________________________

18 January 2001

Commerce Dept. Release on Information Technology Security

(Industry, government create security center) (1070)

The U.S. Department of Commerce and a consortium of information
technology (IT) companies announced January 16 the creation of the
Information Technology Information Sharing and Analysis Center (ISAC).
The initiative is designed to heighten security for the nation's
information infrastructure, and is formed in response to the
widespread computer viruses and "denial of service attacks" that
occurred in February, 2000.

"The IT-ISAC will enable the high-tech industry to take the lead in
spotting potential threats to the Internet and information
infrastructures more quickly, sharing state-of-the-art Internet and
information infrastructure security measures, and responding in a more
coordinated way when incidents occur," Commerce Secretary Norman
Mineta said in a press release.

Similar centers already exist for specific economic sectors --
financial, manufacturing, telecommunications and electrical power.

Assistant Secretary of Commerce for Communications and Information
Gregory L. Rohde said "The nation's dependence on the information and
communications sector cannot be overstated. The country's economic,
cultural, social, and political health and security hinge directly on
the efficient and continuous operation of the I and C (information and
communications) infrastructure."

Following is the text of the Commerce Department press release

(begin text)

U.S. DEPARTMENT OF COMMERCE

Tuesday, January 16, 2001 

COMMERCE SECRETARY MINETA ANNOUNCES NEW INFORMATION 
TECHNOLOGY INFORMATION SHARING AND ANALYSIS CENTER (ISAC)

Washington, D.C. -- Commerce Secretary Norman Mineta joined by
executives of 19 companies from the Information Technology (IT)
industry today announced the creation of the Information Technology
(IT) Information Sharing and Analysis Center (ISAC). The announcement
is the fulfillment of an industry pledge made at the February 14,
2000, White House meeting of the Information Technology Association of
America (ITAA) and a group of leading IT companies and organizations
with President Clinton and other top Administration officials. The
meeting took place to discuss Internet and information security issues
in light of the denial of service attacks that occurred early in the
year.

At the meeting almost a year ago, industry representatives presented
an information security statement acknowledging government and
industry's shared interest in preserving a free and open Internet, and
stated their willingness to continue "reporting, responding to, and
exchanging non-proprietary information concerning threats, attacks and
protective measures." The group also stated its intention to establish
a mechanism for "systematic and protected sharing and coordination of
information regarding cyber attacks, vulnerabilities, countermeasures,
and best information security practices." That mechanism has become
the IT-ISAC announced today.

Richard Clarke, National Coordinator for Security, Infrastructure
Protection and Counter-Terrorism, National Security Council, and
Gregory L. Rohde, Assistant Secretary of Commerce for Communications
and Information and NTIA administrator, also participated in the
kick-off event. Secretary Mineta hailed the creation of the IT-ISAC as
a major step to make the Internet more secure. "The IT-ISAC will
enable the high-tech industry to take the lead in spotting potential
threats to the Internet and information infrastructures more quickly,
sharing state-of-the-art Internet and information infrastructure
security measures, and responding in a more coordinated way when
incidents occur," the Secretary stated. "Ultimately, we anticipate
that there will be industry and government sharing of information
among the ISACs that have been created. The industry-only ISACs are a
first step in that direction."

The IT-ISAC is the fourth ISAC that has been created following
Presidential Decision Directive 63, which was issued May 22, 1998.
Other ISACs include the Financial Services ISAC, an industry-only
ISAC, the Telecommunications ISAC, which includes both government and
industry members and operates within the National Coordinating Center
(NCC), and the Electric Power ISAC. The transportation sector plans to
meet in early February to discuss the creation of an ISAC.

In order for these ISACs to succeed, there must be specific approaches
identified for the systematic and protected sharing of information,
said Richard Clarke. "In the long run, a basic prerequisite for
cooperation among industry, government, and law enforcement officials
is a clear legal and public framework for action, which we will have
to work together to create."

The stated mission of the IT-ISAC is: To report and exchange
information among its industry members concerning electronic
incidents, threats, attacks, vulnerabilities, solutions and
countermeasures, best security practices and other protective
measures; to establish a mechanism for systematic and protected
exchange and coordination of such information; and to take other
appropriate action commensurate with these goals. The Information
Technology Association of America (ITAA), which serves as one of
NTIA's three Sector Coordinators, was responsible for coordinating the
development of the IT-ISAC.

Company participation in the IT-ISAC is voluntary, and currently
includes AT&T, Cisco Systems, Computer Associates, CSC, EDS, Entrust
Technologies, Hewlett-Packard Co., IBM, Intel Corporation, KPMG
Consulting, Microsoft, Nortel Networks, Oracle Corporation, RSA
Security, Securify, Inc., Symantec Corporation, Titan Systems Corp,
Veridian, and VeriSign Global Registry Services. The initial IT-ISAC
Board of Directors will be made up of these 19 "Founding Members."

With the recognition that the IT-ISAC is industry led and financed,
NTIA as the principal government agency for the protection of the
Information and Communications (I&C) sector has responsibility to work
in partnership with the I&C sector to facilitate the establishment and
operation of sectoral ISACs, and to assist the sector in
eliminating/mitigating sectoral vulnerabilities. Assistant Secretary
Rohde commented, "The nation's dependence on the information and
communications sector cannot be overstated. The country's economic,
cultural, social, and political health and security hinge directly on
the efficient and continuous operation of the I&C infrastructure. The
formation of the IT-ISAC is a big step forward in developing and
improving strategies and mechanisms for both protecting against
hostile actions and facilitating continuity of operations and rapid
recovery from failures that may occur."

The Department of Commerce envisions the industry-government
partnership for critical infrastructure protection as a long-term
effort which is now well underway. The Nation's critical
infrastructures are owned and operated by companies that generally
manage their business risks according to the measure of impact upon
their own enterprises. The creation of the IT-ISAC and other ISACs is
a frank acknowledgment that risk management must be expanded to take
into account the potential for devastating effects on a national scale
that are far beyond the responsibilities of individual enterprises and
infrastructures. It is clear that reducing the risks will require
increasing work to coordinate efforts within and between the private
and public sectors in all critical infrastructures.

(end text)

(Distributed by the Office of International Information Programs, U.S.
Department of State. Web site: http://usinfo.state.gov)