9-11 commissioner calls for end to ISACs

Centers lack funding and organization to be effective, Jamie Gorelick says

SAN FRANCISCO - The U.S. government’s policy of relying on voluntary, industry-led information sharing and analysis centers, or ISACs, is not working and should be discontinued or reformed, according to Jamie Gorelick, a member of the 9-11 Commission.

ISACs lack the organization and funding to work effectively and pass on vital security intelligence to the U.S. federal government about threats to the nation's critical infrastructure. Their failure poses a threat to national security, Gorelick said during a panel discussion at the RSA Conference in San Francisco on Wednesday.

However, the head of at least one ISAC says the organizations are working well, despite continued skepticism of government demands for information on security breaches.

The ISAC system was created by Presidential Decision Directive 63 (PDD 63), which was issued by President Bill Clinton in 1998. PDD 63 called for the creation of ISACs to encourage private sector cooperation and information sharing with the federal government on issues related to the nation's critical infrastructure.

Today there are ISACs for the food, water and energy sectors, as well as the information technology, telecommunications, chemical and financial services industries.

However, more than six years after the government called for the creation of ISACs, the system isn't doing what it was set out to do, Gorelick said.

"I don’t think the model of ISACs works," Gorelick said. "Asking industries to fund their own ISACs as they wish and in a disorganized fashion will not get us where we need to go."

In particular, Gorelick objected to the requirement that critical industries fund and operate their own ISACs without government oversight. The U.S. government should provide funding and a reliable communications system for each ISAC, rather than requiring them to "pass the hat" to raise operating funds, she said.

"You need personnel who have their job from year to year, and don't need to beg for their salary from constituent members," Gorelick said.

The government should also provide a single point of contact for ISACs that can be a "quarterback" for the various industry groups and win the support of senior executives within different industry sectors, she said.

"It's a small investment for a very large payoff," Gorelick said.

With more guidance and support from the federal government, ISAC members might be more willing to share information with the federal government about security incidents and vulnerabilities that could affect domestic security, she said.

As an example, Gorelick cited the National Coordinating Center for Telecommunications, a joint government-industry operation that coordinates responses to telecommunications emergencies and also serves as the Telecom ISAC. The U.S. government provides a facility and equipment for that group and works closely with it, she said.

However, the president of one prominent ISAC thinks Gorelick is mistaken in her notion that the groups are not working.

"(Gorelick) is unfortunately mistaken in her perception," said Guy Copeland, vice president of Information Infrastructure Advisory Programs at Computer Sciences Corp. and president of the Information Technology ISAC (IT-ISAC). "We've never received any funding from the government, and we're stronger because of it."

The groups may not be doing exactly what President Clinton envisioned when he issued PDD 63, but they are encouraging information sharing within industries, he said.

In the information technology industry, for example, the IT-ISAC runs morning phone conferences between members and with other ISACs and has improved coordination in areas like responding to worm and virus outbreaks, threat detection, containment and cleanup and patching, Copeland said.

The IT-ISAC can focus more on issues that matter to its members without government funding and involvement. However, the group does not share much with the federal government. IT-ISAC members are dubious of government requests for information, because the federal government can't say exactly how the information that is submitted will be handled or used, and why it will benefit the company to share it, Copeland said.

"ISACs are okay. But they're still getting started. They're version 1.0," said former Senior White House aide Richard Clarke, who shared the stage with Gorelick at RSA.

It is understandable for companies to be wary of letting the government in on security matters, but the government has backed off industry too much in pursuing information, such as details of computer security vulnerabilities and threats, Clarke said.

"We need a synoptic view of cyberspace that shows us where and when attacks are happening," he said. "There could be a systematic attack on infrastructure verticals and we wouldn't know it because we don't share information."