February 18, 2005

9-11 commissioner calls for end to ISACs

Centers lack funding and organization to be effective, Jamie Gorelick says

SAN FRANCISCO - The U.S. government’s policy of relying on voluntary, industry-led information sharing and analysis centers, or ISACs, is not working and should be discontinued or reformed, according to Jamie Gorelick, a member of the 9-11 Commission.

ISACs lack the organization and funding to work effectively and pass on vital security intelligence to the U.S. federal government about threats to the nation's critical infrastructure. Their failure poses a threat to national security, Gorelick said during a panel discussion at the RSA Conference in San Francisco on Wednesday.

However, the head of at least one ISAC says the organizations are working well, despite continued skepticism of government demands for information on security breaches.

The ISAC system was created by Presidential Decision Directive 63 (PDD 63), which was issued by President Bill Clinton in 1998. PDD 63 called for the creation of ISACs to encourage private sector cooperation and information sharing with the federal government on issues related to the nation's critical infrastructure.

Today there are ISACs for the food, water and energy sectors, as well as the information technology, telecommunications, chemical and financial services industries.

However, more than six years after the government called for the creation of ISACs, the system isn't doing what it set out to do, Gorelick said.

"I don’t think the model of ISACs works," Gorelick said. "Asking industries to fund their own ISACs as they wish and in a disorganized fashion will not get us where we need to go."

In particular, Gorelick objected to the requirement that critical industries fund and operate their own ISACs without government oversight. The U.S. government should provide funding and a reliable communications system for each ISAC, rather than requiring them to "pass the hat" to raise operating funds, she said.

"You need personnel who have their job from year to year, and don't need to beg for their salary from constituent members," Gorelick said.

The government should also provide a single point of contact for ISACs that can be a "quarterback" for the various industry groups and win the support of senior executives within different industry sectors, she said.

"It's a small investment for a very large payoff," Gorelick said.

With more guidance and support from the federal government, ISAC members might be more willing to share information with the federal government about security incidents and vulnerabilities that could affect domestic security, she said.

As an example, Gorelick cited the National Coordinating Center for Telecommunications, a government-industry joint operation that coordinates responses to telecommunications emergencies, which also is the Telecom ISAC. The U.S. government provides a facility and equipment for that group and works closely with it, she said.

However, the president of one prominent ISAC thinks Gorelick is mistaken in her notion that the groups are not working.

"(Gorelick) is unfortunately mistaken in her perception," said Guy Copeland, vice president of Information Infrastructure Advisory Programs at Computer Sciences Corp. and president of the Information Technology ISAC (IT-ISAC). "We've never received any funding from the government, and we're stronger because of it."
