Council to draw up cyberattack response

Setting up a national IT disaster response apparatus is one possible topic to be addressed by the IT Sector Coordinating Council as it drafts a sector-specific plan for protecting the nation's computer networks against a terrorist attack or other disaster, according to the group's chairman.

The goal is for private sector IT companies and government to work together to prevent and to respond to cyberattacks. But creating an IT disaster response framework raises many questions.

"What kind of technology is appropriate? Who owns it? Who makes the investment? Who pays for it?" asked Guy Copeland, IT sector coordinating council chairman and vice president of information infrastructure at Computer Sciences Corp.

The council wants ideas from the IT industry and from the Homeland Security Department as it begins work on the sector-specific critical infrastructure protection plan at its April 4 meeting, Copeland said in an interview. The council expects to complete the plan by September.

The 33-member council was organized in November 2005 as one of 17 sector councils (representing water, energy, financial services, food and other areas) recommended to be established under the National Infrastructure Protection Plan base plan.

In a meeting Jan. 27, representatives of major IT companies, systems integrators and associates established the IT sector council's 12-member executive committee. Copeland was named chairman and Michael Aisenberg, director of government relations for VeriSign Inc., was named vice-chairman.

The group expects to add more members from companies that are owners and operators of IT infrastructure, Copeland said.

"We are wide open to building membership as rapidly as possible among owners and operators of IT infrastructure that helps the network exist," Copeland said. "It's a broad definition and a broad scope."

Copeland also is president emeritus of the IT-Information Sharing and Analysis Center (IT-ISAC), and represents the center within the sector council. The intention is for the sector coordinating council to develop policy, while the IT-ISAC handles operations, he said.

One of the key goals during the drafting of the plan is to reach out to involve government officials early in the process, Copeland said. In the past, IT companies have complained that they have not been consulted on infrastructure protection by federal agencies until very late in the game, and they want to reverse that trend, Copeland said.

To avoid such complaints and practice what they preach, the council is making a special effort to invite federal representatives early in the process, Copeland said: "We're going to eat our own dog food."

Major policy questions affecting the IT council include whether and how IT companies ought to share sensitive information about their cyber vulnerabilities with the government; how that information will be protected and used; protocols for sharing information with other sectors; and how to assess the vulnerability of IT assets, according to Copeland and Aisenberg.

On assessing IT assets, the sector council disagrees with the national plan's approach that focuses mostly on counting physical assets. "The bottoms-up vulnerability approach is intractable for our sector," Aisenberg said. IT assets are virtual with many pieces; IT assets are not fixed and they are very distributed, he added.

Instead, IT assets should be assessed in view of the role they play in meeting critical public missions, such as in maintaining power plants or operating hospital lifesaving equipment, Aisenberg said: "It would look for the missions and functions that are extremely important to society."