Yesterday's announcement that another coalition of private-sector companies has joined the battle to beef up security on the Internet is raising concerns about the coordination of those activities and possible duplication of effort.
The latest initiative is a joint effort between the CERT Coordination Center (CERT/CC) at Pittsburgh's Carnegie Mellon University and the Arlington, Va.-based Electronic Industries Alliance (EIA) to form a fee-based service that will offer companies advance warnings on Internet security threats, as well as education, training and help in developing security best practices.
Sponsor members of the joint venture, known as the Internet Security Alliance (ISA) and also based in Arlington, will pay $70,000 annually for the full range of services, including access to CERT/CC's security knowledge base. Users who don't want everything the ISA has to offer can opt to pay for just the early-warning service, which will cost from $2,500 to $50,000 depending on the size of the company.
While observers generally agree that any attempt to rally businesses around the idea of improving Internet security is a good thing, some analysts said they don't see a critical need for another industry group and questioned the involvement of the government-funded CERT/CC in the ISA's fee-based service. "Was there a crying need for this? No," said John Pescatore, an analyst at Gartner Inc. in Stamford, Conn.
At a press conference here yesterday, Dave McCurdy, president of the EIA and the newly appointed executive director of the ISA, said the ISA isn't a duplicate of other public/private information-sharing groups that are already in existence.
"What we are offering is a multisector, global organization," said McCurdy. Unlike other groups, the ISA is "fully operational and on the Web," he added. "We're not just a group of security vendors saying, 'Let's just talk to ourselves.' We're really looking to be developing best practices ... and real solutions."
CERT/CC, formerly called the Computer Emergency Response Team, receives $3.5 million per year from the federal government to study and report on Internet security threats, while the EIA is a global trade group of more than 2,100 telecommunications and electronics companies. The ISA initially has more than a dozen corporate members, including Nasdaq Stock Market Inc., Mellon Financial Corp. and American International Group Inc., the largest U.S.-based global insurance firm.
But McCurdy was questioned yesterday about the appearance that the ISA is duplicating work being done by the Partnership for Critical Infrastructure Security, a private-sector group that has spearheaded the formation of four information-sharing and analysis centers (ISACs) in different sectors of the economy. Related efforts also are already being run by the Information Technology Association of America, the FBI's Infraguard program and the Internet Software Consortium (ISC), among others.
McCurdy downplayed the information-sharing aspects of the security difficulties facing companies, calling it "not even half the problem." He also criticized the government's efforts by showing a slide depicting a disorganized multitude of agencies currently involved in Internet security. The security battle "needs to be business-led," he said. "It should not be led by government."
Further clouding the picture, though, is the fact that at least two of the ISA's charter members, Washington-based Nasdaq and Pittsburgh-based Mellon Financial, are also members of the financial services sector ISAC set up through the Partnership for Critical Infrastructure Security.
Larry Bickner, vice president of information security at Nasdaq, said he isn't concerned about the number of groups that now exist and doesn't think they will hamper one another's information-sharing initiatives. And CERT/CC Director Rich Pethia said the ISA gives his organization "a channel to get information out to the private sector that we've never had before."
But Steven Aftergood, an analyst at the Federation of American Scientists in Washington, said the participation of the federally funded CERT/CC in the ISA initiative also raises questions about the use of government money.
"I'm less offended by duplication of effort than by the appearance of misappropriation of taxpayer dollars," said Aftergood. "On its face, it seems inequitable to the taxpayer," he said, questioning whether or not a government-funded entity should be giving preferential treatment to paying customers.
According to McCurdy, though, "the government is a customer [of CERT/CC], and businesses that join will be customers." The government will continue to receive the same level of support it always has from CERT/CC, McCurdy said. And, he noted, additional personnel will be hired to support the added corporate customers.