Companies reluctant to share cybersecurity info with feds

While Richard Clarke, the nation's chief cybersecurity adviser, is on a mission to foster a partnership between government and the private sector to prevent cyberattacks, Peter Tippett, the vice chairman and chief technologist with TruSecure, is skeptical that a meaningful partnership will develop soon.

Tippett, whose company helped the FBI track the origins of the "Love Bug" virus in 2000, said the main obstacle to such a relationship is the strong reluctance within the computer-security industry to share information with the government.

TruSecure runs an e-mail list that includes more than 100 computer-security firms as subscribers. Everyone on that list knows each other, and they meet in person at quarterly meetings. Members trust each other enough to share current information about computer break-ins, denial-of-service attacks and viruses so they can quickly let their clients know of imminent attacks. Government officials from the FBI and the White House have tried to join the list, but members have rebuffed the requests because they are uneasy about the government accessing their conversations.

"The government asks, 'Can we be in on those discussions?' " Tippett said in a recent interview with National Journal's Technology Daily. "And we say, 'No. We trust each other, and we don't trust you ... to keep it confidential.' " Tippett said he has offered instead to designate someone to communicate with the FBI about imminent attacks.

"Each of these vendors trusts us, so I've said we'd be happy to provide a liaison who will translate what is going on, with a one- or two-minute delay," Tippett said. "I made the offer four times to the FBI, and they haven't taken that up."

Not all experts share Tippett's view. Ken Watson, the manager of critical infrastructure protection at Cisco Systems and head of the Information Technology Information Sharing and Analysis Center (IT-ISAC), perceives a growing partnership between the government and private sector.

The Clinton administration moved to create information-sharing centers for each economic sector that involves critical infrastructure. The IT-ISAC was created in January.

"I think the IT-ISAC is working well," Watson said. "The advantages to companies who join are that they get early warning to threats and vulnerabilities, and get solutions they would not have otherwise."

Tippett, however, remains skeptical of the usefulness of the ISACs. Based on his experience at several ISAC meetings, he said most company officials still express reluctance to share up-to-the-minute information with the government.

"I gave a presentation to an ISAC meeting a few weeks ago, and there was a lot of discussion about how hard it is to share information," Tippett said. "No one wanted to share it because of concerns about privacy."

As to the potential for a coordinated cyberattack, Tippett said the Internet is under such intense attack already that a coordinated effort would not necessarily be any more significant than the existing random attacks.

"The attack rate is already so high, the frequency of malicious activity is so high, that an attack of a nation-state isn't necessarily" worse, he said.