FRAMINGHAM (10/17/2003) - One of the nation's largest insurers is throwing its weight behind a public/private partnership that claims it has a better answer to the challenge of sharing security-related information than the U.S. Department of Homeland Security does.
Though details haven't been agreed upon, American International Group Inc. will offer discounted insurance rates to customers that deploy security sensors being developed by the Cyber Incident Detection & Data Analysis Center. Philadelphia-based CIDDAC is a volunteer partnership of more than a dozen IT vendors, user companies and the FBI's InfraGard program.
Robert A. Parisi Jr., senior vice president and chief underwriting officer at AIG eBusiness Risk Solutions, said New York-based AIG would view the deployment of CIDDAC sensors "very positively" from an underwriting standpoint.
"We are prepared to offer lower rates to those companies that, in addition to other industry-standard security protocols, deploy the CIDDAC sensing technology," Parisi said. "We recognize that companies that add the additional layer of security provided by CIDDAC are at less risk of suffering costly network-security breaches."
The goal is to deploy what CIDDAC calls Real-time Cyber Attack Detection Sensors, or RCADS, throughout as many U.S. companies as possible -- and eventually the world -- and feed incident data to a centrally managed operations facility at the University of Pennsylvania in Philadelphia.
Although it has maintained a low profile to date, CIDDAC is the result of a volunteer effort by various private-sector IT companies and other firms, along with the Philadelphia InfraGard chapter. InfraGard is a U.S. Federal Bureau of Investigation-sponsored program designed to help companies in the private sector share security information with one another and the government.
The consortium has developed what it claims is a technical solution to the private sector's primary concern about information sharing: government access to proprietary data. "We have a way to gather the appropriate information on cyberattacks and security incidents without digging through production data," said Charles "Buck" Fleming, acting executive director of CIDDAC and CEO of AdminForce LLC in Boulder, Colo.
CIDDAC is operating a prototype monitoring and operations center at facilities owned by AdminForce.
"The RCADS sits outside of a company's production network and looks like another computer on the network," Fleming said. "It then identifies security incidents and profiles the attack signature without the company having to worry about the government looking inside their internal network."
The concern about government having access to data remains a serious impediment to information sharing between it and the private sector, which owns and operates more than 85 percent of the nation's critical infrastructures.
In fact, more than a dozen CIOs from the electric and natural gas industries who attended an executive conference this week in Tampa said their companies don't belong to a formal government-sponsored information-sharing and analysis center, primarily because of fears that proprietary data wouldn't be protected.
"There has to be private-sector control (of the data) if the answer to the information-sharing problem is going to be found," said Fleming.
Although the DHS recently announced plans to build its own Real-Time Cyber Situation Awareness System that would initially monitor government networks in real time, Fleming said it's based on a "faulty, weak legacy."
"The proposed DHS solution center will deal with production data initially generated by government activities," Fleming wrote in a letter to CIDDAC members. "The plan is to lead by government example and have the private sector join with their data contributing down the road. There is no chance of this happening. . . . The continuing failure of DHS to understand these basic (privacy) requirements is distressing."
The DHS didn't return calls seeking comment.
Alan Paller, director of research at the SANS Institute, said RCADS is a great idea, but he called Fleming's "attack" on the DHS proposal off-base. Rather than competing with each other, the DHS -- whose system will feed data to the CERT Coordination Center at Carnegie Mellon University -- and CIDDAC need to work together, he said.
Paller explained that both systems will be part of a much larger array of similar systems that will collect enough data to pick up early indications of massive worm outbreaks and possibly coordinated attacks on infrastructures.
"More of these networks means more watchfulness and more data," he said.
Special Agent John Chesson, the FBI's Philadelphia InfraGard coordinator, said CIDDAC addresses the private sector's need for a computer-intrusion and automated incident reporting system that manages data in a "privacy-sensitive" manner.
"The initial hope was that InfraGard would serve as a two-way communications (hub) between private industry and the government," said Chesson. However, "the information sharing has been mostly one way," in the form of DHS reports being sent to InfraGard chapters, Chesson said.