The Internet Security Alliance is reaching out to all Net-based businesses in an effort to open up participation in security policy making.

by Alex Goldman ISP-Planet Associate Editor [January 10, 2002]

The Internet Security Alliance (ISA) was founded in April 2001, but rocketed into visibility toward the end of the year as the need for Internet security enhancements continues to rise. The ISA brings together government policy makers and industry money makers to talk about Internet security issues.

The U.S. government is represented by the Computer Emergency Response Team, currently run from the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. Business is represented by the Electronic Industries Association (EIA). The Alliance is a partnership of several electronic and high tech associations and companies who joined together to better lobby the U.S. government and international associations. Altogether, the EIA has over 2,300 members.

House credo
On November 15, 2001, the ISA executive director Dave McCurdy testified before the House Subcommittee on Commerce, Trade and Consumer Protection. He explained the role he foresees for the ISA:

"The security and survivability of the Internet depends on the cooperation between the private and public sectors. Congress should promote interaction between government and the private sector and should also address issues such as exemption from the Freedom of Information Act (FOIA) and anti-trust barriers. In addition, Congress can set a great example for the private sector by increasing the security of all government systems, which historically have been outdated and have not met minimal standards for security. The Internet Security Alliance is able to act as a bridge between the private sector and public sector by promoting best practices and appropriate data sharing mechanisms."

We obtained the details from Jerry Irvine, ISA director of communications. Just over a month ago, Irvine was an employee of iDefence, a provider of security information. Now he is explaining ISA's mission to the world.

"We do three things," Irvine said. "We provide early warning and in-depth information, much of it from CERT. We are in the process of defining best practice and standards for the industry. We hope to start by setting minimum guidelines for all industries. Finally, we provide a legislative voice for our members."

Metered sharing
The ISA is currently concerned about the Freedom of Information Act, which forces the FBI and CIA to disclose their actions after a fixed period of time. "We want assurance that information shared with the government concerning security breaches won't be distributed to competitors," explains Irvine.

Currently, the ISA supports the Davis/Moran Cyber Security Information Act (HR 2435). In a press release, the ISA said, "There are currently over 80 specific FOIA Exemptions throughout the body of U.S. law, so it is clear that exempting voluntarily shared information that could affect national security is consistent with the intent and application of FOIA."

The ISA is supported by CERT and the EIA, and also by membership fees. Sponsor-level membership costs $70,000 per year. General membership depends on the size of the business. Dues range from $2,500 to $50,000 per year.

Founding Sponsors, the highest level of participation, represent an intriguing list of companies including the massive insurance firm American International Group (AIG), the University of Texas at Austin, financial institutions like Mellon Corp., the NASDAQ, high-tech venture capital firm Redleaf, digital security firm GUARDENT, manufacturers like IBM, ITT Industries, Raytheon, SONY, TRW, Asian consultants TATA, a Norwegian company that appears to do Internet gambling called Norsk Tipping, and VeriSign. The list of Founding Sponsors also includes Exodus Communications which is now part of Cable & Wireless.

The diverse business lines of "Founding Sponsors" indicates that nearly every company in the world shares one global concern—Internet security. Companies see the need for industry standards for security. Webhosts would like to offer the security services that businesses need, insurance companies and accountants need to figure out how much security a specific business requires, manufacturers of equipment need to know how much security they should provide, especially if they do business with the U.S. military. Any business that handles money, from VeriSign to Norsk Tipping, would be well served by an industry definition describing what security that company needs.

Of course, there are risks that any definition will be too vague or too specific. The ISA is just starting to discuss the standards that it will implement, but the discussion process itself could be as valuable as consequential products. ISPs might not be eager to cough up membership fees to the ISA each year, but most ISP owners would be smart to keep an eye on what the ISA is doing, even if they choose not to join.

— End