[ISN] Sharing key to combating threats

From: InfoSec News (isnat_private)
Date: Thu Oct 25 2001 - 01:37:48 PDT


    http://www.fcw.com/fcw/articles/2001/1022/web-gao-10-24-01.asp
    
    By Diane Frank 
    Oct. 24, 2001
    
    As awareness about the importance of sharing information about cyber
    and physical threats grows following the Sept. 11 terrorist attacks,
    the General Accounting Office last week released a report on the best
    practices of leading organizations in the public and private sectors.
    
    The report is in response to a request in May from Sen. Robert Bennett
    (R-Utah), a key supporter of critical infrastructure protection issues
    and an advocate for sharing cybersecurity information between the
    government and private sector. Bennett and other members of Congress
    have introduced bills this year to promote such sharing.
    
    GAO reviewed 11 organizations, including the Centers for Disease
    Control and Prevention, the Federal Computer Incident Response Center
    (FedCIRC), the Joint Task Force-Computer Network Operations (JTF-CNO),
    and the North American Electric Reliability Council. FedCIRC serves as
    the central warning, analysis and response organization for civilian
    agencies, and the JTF-CNO provides that service for the Defense
    Department.
    
    All of these organizations form relationships with members to collect
    information on security incidents, analyze potential future weaknesses
    and issue alerts on vulnerabilities and attacks.
    
    The GAO report, and past reviews in related areas, found that
    information sharing and coordination are "central to producing
    comprehensive and practical approaches and solutions to combating
    computer-based threats." But few agencies have formed such mechanisms,
    and those that have are still working to become entirely successful,
    according to GAO.
    
    From their experience, GAO outlined several key success factors:
    
    * Developing trust between participants over time through personal
      relationships.
    
    * Establishing effective and secure communications.
    
    * Getting the support of senior managers at member organizations on
      the importance of sharing such potentially sensitive information.
    
    * Ensuring continuity of leadership within the organization to
      maintain focus.
    
    * Providing identifiable benefits to keep members involved.
    
    The most difficult challenge is organizations' natural reluctance to
    share information on vulnerabilities, GAO reported.
    
    This challenge can be immediately addressed through the development of
    clear, written agreements on information usage and sharing, GAO wrote.
    And that reluctance is reduced over time as members become more
    familiar with one another and others' perspectives and pass on their
    positive experiences to new members, according to the report.
    
    GAO report: "Information Sharing: Practices That Can Benefit Critical
    Infrastructure Protection" (PDF)
    
    http://www.gao.gov/new.items/d0224.pdf
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


