2500 Wilson Boulevard
Arlington, Virginia 22201-3834
Electronic Industries Alliance and Executive Director of the Internet
House Select Committee on Homeland Security’s Subcommittee
on Cybersecurity, Science, and Research & Development and Subcommittee
on Infrastructure and Border Security
U.S. House of Representatives
The DHS Infrastructure Protection Division: Public-Private Partnerships
to Secure Critical Infrastructures
April 21, 2004
Thank You Mr. Chairman.
My name is Dave McCurdy. I am President of the Electronic Industries
Alliance and Executive Director of the Internet Security Alliance
I am delighted to be here today to discuss how the federal government
can improve its coordination with the private sector and thus,
improve worldwide information security.
As a cross-sector, international organization, which integrates
many different security services into one coherent model, the Internet
Security Alliance, is structured in a fundamentally different way
than traditional Information Sharing and Analysis Centers (ISACs).
We believe this model has much to recommend, not as a substitute
for the ISACs, but as a complement to them. I am concerned, however,
that we are not yet seeing this potential realized. Greater involvement
and coordination with the ISACs and the Department of Homeland
Security (DHS) would be extremely helpful to organizations like
the ISAlliance, and the companies they represent and I believe
would be in the best interests of our own national security.
Today I would l like to cover three main points.
1. I would like to outline the model the Internet Security Alliance
operates under and suggest some fundamental differences from the
traditional ISAC model.
2. I want to discuss how this model facilitates the development
of an integrated, comprehensive, and coherent approach to cyber
security, and I want to offer a couple of examples of how this
approach can enhance our efforts to promote cyber security.
3. I want to raise some organizational issues regarding DHS coordination
with models such as ours. I believe that organizations such as
our need to be fully integrated into the public private partnership
between DHS and the private sector either as an inter-sectoral
ISAC or with equivalent status within the tier one partnership
with the ISACs.
Before I begin
I want to make our posture with respect to the ISACs very clear.
a quarter of our membership also participates
in ISACs. Some of our Board members also serve on the Boards of
various ISACs. We regard the ISACs as “comrades in arms.”
It is surely
true that there are some issues unique to industry sectors that
effectively dealt with by a sector specific
domestic entity. However, the ISAlliance also concurs with the
National Strategy to Secure Cyber Space that found that “some
cyber security problems have national implications and cannot be
solved by individual enterprises and sectors alone.”
We do not seek to displace the ISACs; we seek to work more closely
with them, and DHS.
THE INTERNET SECURITY ALLIANCE MODEL
INFORMATION SHARING & ANALYSIS AVAILABLE TO ALL
The ISAlliance was created in April of 2001, five months before
the attacks on the Pentagon and the World Trade Center. We created
it because, even then, we saw the need for a new approach to the
growing cyber threat.
In contrast to the ISACs, which are generally structured along
traditional industry specific silos, the ISAlliance has members
from many different sectors. We designed the organization this
way because the Internet is organized this way. Essentially, we
are all using the same Internet. So, from the cyber security perspective
the threats and attacks may be very similar regardless if you are
Coca-Cola, Sony, Visa or VeriSign (all members of ours). As a result,
there is much to learn from, and help can be offered to, your brother
companies regardless of industry sector.
As a member of the Board of Advisors of the Software Engineering
Institute at Carnegie Mellon University, I have had substantial
contact with the experts at the CERT/cc at Carnegie Mellon who
educated me on this growing problem in 2000. We decided then that
the private sector needed to not only contribute to, but to demonstrate
leadership in making this critical infrastructure more secure.
We devised a creative public private partnership, which integrated
and maximized the complementary assets of CERT, the federal government
and private industry.
CERT/cc, which was funded primarily by the U.S. federal government,
had long been recognized as the premier center for Internet threat
and vulnerability information. But it lacked a practical channel
to get this information to the private sector, or stimulate interest
in the necessary education, training, policy development and incentive
programs that would be required to fully achieve the goal of information
EIA has been involved in physical security through the Telecommunications
Industry Association (TIA) which is both a sector of EIA and an
ISAC sector coordinator. Since we understood that physical and
cyber security are most effectively dealt with in an integrated
fashion, we sought a mechanism to bring these entities together.
We decided on collaboration between CERT/cc and EIA called the
ISAlliance. Using the EIA member companies as a marketing base
we recruited corporations to join the ISAlliance. They paid dues,
and in return, operating under strict non-disclosure agreements
would receive access to prime CERT/cc information. They would share
this information with each other and the CERT/cc to identify and
analyze looming threats and collectively work on solutions.
Since the ISAlliance
members were receiving more from CERT/cc than the general public
they agreed to pay a fee for this benefit.
It was seen as a user fee similar to that paid by patrons at National
Parks. While some companies using other, non-CERT, the ISAlliance
services paid substantial dues, we never wanted money to be a barrier
to entry into the ISAlliance. Dues entitling companies to the same
CERT/cc information (albeit fewer copies) were set as low as $3,000
a year--affordable for virtually any private firm. And, though
we don’t like to publicize it for obvious reasons, we have
made financial adjustments for companies who had difficulty making
the specified dues payment.
The ISAlliance is also focused internationally, where ISACs tend
to be U.S. - centric. The ISAlliance has members on four continents.
Our current Chairman of the Board. Dr. Bill Hancock, is from a
British company and we have four other non-U.S. based companies
on our Board along with eleven U.S. based companies. The international
aspect of our efforts is important because cyber security is inherently
an international issue. Many attacks originate offshore and implementing
a truly effective means of securing cyber space must include finding
and working with trusted offshore partners.
As the U.S.
National Strategy to Secure Cyber Space states, in part; “America’s cyberspace is linked to the rest of
the world…. Securing global cyber space will require international
cooperation to raise awareness, increase information sharing, promote
security standards…The United States will seek the participation
of U.S. industry to engage foreign counterparts in peer-to-peer
dialogue with the twin objectives of making an effective business
case for cyber security and explaining successful means for partnering
with government on cyber security.”
I’d like to offer a quick example of our efforts. After
making a presentation to the Organization of American States (OAS)
first broad conference on cyber security last August, OAS staff
requested that the ISAlliance construct a specific program to integrate
the private sector in the OAS region into the state-to-state programs
for cyber security that were being developed. We came up with what
we call our “Security Anchor” program.
is built on the “Transition Partner” program
developed at Carnegie Mellon University. Under the Security Anchor
Program private sector entities would obtain a special membership
with the ISAlliance, which will allow them to essentially become “branch
offices” within their regions. The Security Anchor for the
region would distribute appropriate information about threats and
vulnerabilities and hold meetings and conferences, but on local
time providing translation as necessary for materials. The Anchor “tenant” would
also be required to send personnel to Carnegie Mellon where they
would be trained as trainers. The Anchor would then provide this
training in their region, for which they could receive payment.
We believe providing a market incentive to our Anchor partner is
the most efficient and effective way to accomplish the goals set
forth in our National Strategy.
In this way
we hope to make international cyber security “home
grown.” We believe this is the only way that we can hope
to succeed in reaching the international goals as set forth in
the National Strategy. The U.S. can’t expect to “export” security.
AN INTERGRATED COMPREHENSIVE AND COHERENT APPROACH TO CYBER SECURITY
USING MARKET FORCES AS INCENTIVES
The ISAlliance attempts to provide its members with a comprehensive,
coherent and integrated approach to cyber security that uses market
forces to drive on-going improvements in cyber hygiene.
INFORMATION DISSEMINATION AND ANALYSIS
Like many ISACs, we begin with information dissemination and sharing
about emerging threats, vulnerabilities and attacks on the Internet.
We have historically done this though a contractual relationship
with the CERT/cc as a founding partner in the ISAlliance.
In our three years of operations we have sent out literally thousands
of these notices. We just released our first quarter technical
report to the membership, which showed that in 2004 alone we have
already sent out through our e-mail channel hundreds of reports,
which have been followed by scores of analytical conferences between
the members and CERT/cc.
When we, started several years ago, our prime activity was information
sharing, mostly through e-mail notices. However, experience has
taught us that simply disseminating information is by no means
enough. In fact, our members have told us that at times there is
too much information being circulated and the real need is to be
able to separate out what is important and what is simply noise.
Information analysis is critical if threat and vulnerability data
is to be used effectively. We facilitate the analytical process
with regularly scheduled, as well as specially scheduled, meetings
where in our members discuss the state of the network with the
CERT/cc professionals. We have found the regularity of this process
creates, over time, a sense of trust and confidence that we think
is vital for effective information sharing.
DEVELOPING BROADLY ENDORSED BEST PRACTICES
While information sharing and analysis is a critical first step
on the road to cyber security, is not sufficient to secure cyber
space. Virtually every recent major attack we have experienced
such as Blaster, Slammer, or MyDoom, resulted from a vulnerability,
which was already well known, in the community.
At the ISAlliance we took the collaborative process of sharing
information and built from it a systematic program of best practices.
The process of developing the best practices is lead by the experts
at Carnegie Mellon and CERT/cc and is consistent with the years
of grounded research they have done and the theory of security
that has evolved from their experience and analysis.
However, we also involve the full membership in our processes,
so that the perspectives of actual businesses from multiple sectors
and counties are folded into the final product. One advantage of
this inclusive process has been that our practices have received
an impressive level of support and endorsement from a wide breadth
of the user community.
our first publication, “The Common Sense Guide
for Senior Managers” was endorsed by the National Association
of Manufacturers (NAM) which represents 12,000 of the most traditional
of industries, as well TechNet which primarily represents the high-tech
companies in Silicon Valley. Internationally it has been translated
into Spanish and Japanese and was endorsed by the U.S. India Business
Council and distributed by the Organization of American States.
CREATING MARKET INCENTIVES TO ENCOURAGE ADOPTION OF BEST PRACTICES--THE
QUALIFIED MEMBER PROGRAM
best practices is also not enough. CEOs are overwhelmed with
information. To succeed with them on this subject,
which has traditionally been viewed as a “cost center,” you
have to do more than just tell them it’s the right thing
to do. We have to talk about issues they care about, like profitability,
liability protection and marketing. We need to develop market incentives
to increase the Return on Investment (ROI) for cyber security.
has taken the lead on this issue. In the final quarter of 2003
an agreement with AIG, which is the world’s
market leader in cyber insurance. Under this new agreement AIG
will provide insurance premium credits of up to 15% for companies
that will join the ISAlliance and subscribe to our best practices.
We believe this is the first operating program which specifically
ties a widely, and independently endorsed set of cyber security
best practices directly to lower business costs.
We are working through AIG and the Global Security Consortium
(GSC), comprised of the big auditing and accounting firms, on empirical
standards with which we will be able to use to measure compliance
with these practices. Not only will this tool enable us to more
reliably determine who qualifies for the credits, but also it opens
up another potential market incentive for improved security. We
want to interest firms in marketing cyber security.
achieve a specified score will be deemed a “Qualified
Member” allowing them to use that designation as a market
differentiator. Through this mechanism we hope to make cyber security
a useful marketing tool for good actor companies, much like the
Baldrige Award has been used for high quality companies. GSC hopes
to have their tool completed shortly and then this phase of the
program can begin.
DISCOUNTED EDUCATION AND TRAINING COMPLETE THE LOOP
Finally, for firms who don’t yet score at an appropriate
level to qualify for our discounts, we offer access to a wide
range of training programs through Carnegie Mellon University.
In keeping with the market orientation of our program, the more
active a company is in the ISAlliance, the greater the discount
they can receive on their training. Our interest is to accurately
inform organizations where they stand in relation to the widely
endorsed best practices, and help them reach an appropriate level
if they are not already there. Most importantly, the people doing
the training are operating on the same assumptions and best practices
that we started with in the first place thus creating a truly
BEST PRACTICES FOR SMALLER BUSINESSES
This program is just one example of our activities. In fact, this
afternoon we will be testifying before another Committee on a similar
program, this time specifically targeted to the unique needs of
smaller businesses. The National Cyber Summit, recognizing the
value of programs such as I have just described, and realizing
that there was not nearly enough being done to reach out to smaller
businesses, asked us to undertake this new effort this past December.
Although smaller businesses have not until now been our prime
market interest we agreed to take up the challenge. Working with
the U.S. Chamber of Commerce, the National Federation of Independent
Business (NFIB) and NAM we followed the same integrated, market
centered model we described above. We held ten focus groups involving
nearly 100 small businesses to find out what needed to be done
to improve their cyber security.
What we learned
was that smaller institutions are indeed different from larger
In fact, we found that organizations across a
wide spectrum of business types had remarkably similar problems
from a cyber perspective. The similarities for these businesses
were not the type of business they were in, but the size of their
business and the extent of the technology available to them. As
a result, the “Common Sense Guide to Cyber security for Small
and Medium Sized Businesses” looks quite different from the
Guide for Senior Corporate Managers.
We are happy to report that what was not very different is the
response, which has been extremely positive. Already the Cyber
Security Partnership that grew out of the National Cyber Summit
as well as on the web sites for the ISAlliance, the Electronic
Industries Alliance and the National Association of Manufacturers
is distributing the Small Business Guide. The U.S. Chamber of Commerce
has informed us they expect to endorse the document at their next
Board of Directors meeting and the Financial Services Sector Coordinating
Council, an alliance of 28 financial services trade associations
will be making it available to their members and holding a series
of meetings with thousands of its members where the Guide will
Given the fact that this project is only a couple of months old
we are naturally very encouraged. When mature, we fully expect
this program will be coherent, measurable and market driven just
as was the case with the Senior Managers program.
CYBER AND PHYSICAL SECURITY--REACHING OUT TO RISK MANAGERS
we are working on is the integration of cyber and physical security.
We believe, as Secretary Ridge has said, that
you can’t have cyber security without physical security and
you can’t have physical security without cyber security.
However, in corporate America there remains a misconception that
cyber security is an “IT problem.” While obviously
there are many IT aspects to cyber security it is not properly
classified only as an “IT problem.”
Cyber security is a management problem. It is an economic problem.
It is an employee training, compliance and retention problem. Most
of all, cyber security is a risk management problem. However, most
corporate structures still relegate the discussion of cyber security
to the IT department rather than fully integrating it into the
discussions with physical security and risk management. We have
heard a good deal of talk recently about structures within the
federal security bureaucracy which may have limited information
sharing and proper threat management. Private industry is not immune
to these same types of organizational problems.
we have recently undertaken a pilot study reaching out to the
risk managers in
industry in an attempt to find out
how we can better involve them in the cyber security discussion.
We believe that it’s critical to better integrate physical
and cyber security issues within the overall corporate risk management
structure. We are trying to find out how we can do that, from the
people who are actually making the organizational, budgeting, and
resource allocation decisions.
Although we have initiated this study, it is too early to report
results. We do expect however, that, as was the case with our other
projects, we will learn from this effort and we can make further
impact in securing cyber space. We look forward to sharing these
approaches both with industry, and to the federal government.
NOT JUST SERVICES; A COHERENT INTEGRATED PROGRAM
We believe the comprehensiveness of the ISAlliance program is
making a positive contribution to the cause of information security.
of technical notices about Internet threats and vulnerabilities
each year to our members from the best source available
to private industry.
• Scores of analytical conferences to discuss the data and what to
do about it
• Development of best practices that are widely endorsed and disseminated
both domestically and abroad.
• Development of independent, auditable third-party evaluation tools
• A program of market-based incentives to improve the ROI for cyber
• Education, training and public policy programs.
• Initiating new programs to push the envelope into heretofore underserved
But the key
aspect is that it is a coherent program. We start with the
hard data we
get from CERT and we blend into that the
real world needs and experiences of industry and develop programs,
practices and policies which can drive pragmatic improvements.
And then, if individual entities can’t make the grade they
are offered training based on the same theories and practices
that were used to develop the best practices.
COORDINATING WITH THE ISACS AND DHS
As proud of these accomplishments as we are, we have some concerns
for the future.
We supported, and continue to support, the creation of the Department
of Homeland Security. We in no way wish to be critical of the effort
and sincerity of the people who are working at DHS. They are working
very hard to accomplish an enormous task virtually immediately.
We sincerely hope that our testimony at this point will be taken
in the spirit it is given, constructive suggestions that we believe
will assist all of us who are working in this space to be more
In fact the ideas we offer the Committee today have been previously
raised with staff and principals and we are continuing to work
on them. We anticipate that in the due course of time they will
be satisfactorily resolved. We believe, however, that there are
very important issues, which must be appropriately addressed.
COORDINATE WITH ALL INFORMATION SHARING ORGANIZATIONS--NOT JUST
We suggest DHS broaden its systematic communication to include
organizations, such as the ISAlliance, who are providing important
services, although they are not ISACs.
In the interdependent
cyber world the “critical infrastructures” may
be dependent on the “non-critical” organizations that
service them. In addition to the IT, telecom and financial institutions
we represent we count the National Association of Manufacturers
among our sponsors. These are the people who manufacture the parts
used to construct our defense products and operate the supply chains
upon which many “critical” businesses rely. These organizations
also need to be systematically included in the on-going public
private partnership with DHS.
we are focused on cyber security today from a national security
most Internet attacks have nothing
to do with international terrorism. Cyber security is also a critical
business issue and from a business perspective the “non-critical” portions
of the economy deserve as much protection as the rest of the economy.
The Department of Homeland Security seems to have decided upon
the ISACs and the ISAC Council as the primary linkage to the private
sector. Since we are not formally an ISAC, we are not part of the
ISAC Council and hence we are not in many of the meetings and discussions
from which DHS appears to be receiving their primary input. We
would like to work with DHS and the ISAC Council to integrate our
broad membership into this forum.
Two years ago
Congress passed legislation, which attempted to facilitate the
of information between private industry
and the government. In the initial drafts of that bill the adjustments
to FOIA, etc. were confined to ISACs. It was correctly pointed
out to the drafters that there is in fact information sharing outside
of the formal ISAC structure and the legislation was redrafted
to read “information sharing organizations.” We believe
DHS should follow this precedent in developing their public private
COMPANIES NEED THE CERT/CC DATA THEY HAVE COME TO RELY ON
Over the past several years the nearly 60 companies who are members
of the ISAlliance have come to rely on our working relationship
with CERT/cc. Last year, DHS announced that they would be launching
USCERT utilizing in main the facilities formerly known as CERT/cc
at Carnegie Mellon.
We have no objection to DHS creating USCERT. Indeed, we see it
as following and extending the model we created over three years
ago for how to disseminate CERT/cc data to the private sector.
However, it would be problematic if suddenly the ISAlliance members
who have relied on this information to build their corporate security
plans and policies, are now denied access to that data.
Indeed, such an outcome could result in a substantial reduction
in corporate cyber security as companies scramble to find alternative
ways to receive this information. Moreover, the fact that this
data might now be available though an ISAC is not an answer since
the majority of the ISAlliance members, do not participate in ISACs
We would like to work with DHS to assure that the transfer from
CERT/cc to USCERT and their new partners does not ironically result
in less information being available to some worthy companies.
I want to conclude by noting that DHS has been open to meeting
with and discussing ways to coordination with us. Just a few
weeks ago I met privately with Assistant Secretary Liscouski
who was most gracious and cooperative. I also want to single
out Director Yoran, who has been especially helpful and has directed
that at least for the short term the ISAlliance not be denied
access to the data its membership has come to rely on. We are
now hoping to finalize an appropriate long-term solution. Moreover,
DHS staff have attended meetings with our membership and been
very supportive. We want to thank and congratulate the whole
team at DHS for their commitment and efforts.
And finally I want to thank you, Mr. Chairman and the joint Committee
for all your work and for holding this hearing this morning.