First there were computer viruses to deal with, then contagious reports that a group of banks had advance warning of the denial-of-service attacks that disrupted several leading Web sites, but failed to forewarn them. So "Stash" Jarocki, a board member of the banking group claimed to have inside information regarding February's attacks, was not a happy man when BTN caught up with him last month.
The trouble was sparked by a February Associated Press report that said Jarocki's group, the financial services Information Sharing and Analysis Center, or FS-ISAC LLC, was privy to advance details of high-profile attacks that crippled sites including Yahoo!, Amazon.com and e-Bay Inc. Jarocki, treasurer of one of eight so-called ISACs that protect different industry sectors from cyber attacks, summarily dismisses the report as "jackass" and "infuriating."
The financial services industry was first with an operational ISAC, for banks, brokers and insurance companies, in March 1999. The next center up was in telecommunications, about six weeks ago. The ISACs stem from a presidential directive to protect critical infrastructure, but they don't receive government funding.
Jarocki makes clear that FS-ISAC had no idea what commercial sites were being targeted by hackers dispatching viruses to disrupt e-commerce. Warnings that such viruses were circulating had been issued during the six months preceding the recently publicized problems, Jarocki notes, adding, "We didn't have anything that anybody else couldn't have had." FS-ISAC keeps a database of information on cyber attacks along with software to combat them, and it disseminates alerts by pager and email. Financial institutions were neither victims of the February attacks nor carriers of the viruses that caused them, he says.
Financial institutions contribute information to FS-ISAC on a voluntary and anonymous basis, and they pay between $13,000 and $125,000 to be part of it. Nonetheless, Jarocki says, "At no time did we ever say we wouldn't share information." U.S. Department of Commerce was leading discussions on information sharing for months before the recent brouhaha.
Besides consumer privacy concerns, corporate security and the group's reputation, "We have to get the agreement of the membership," Jarocki says. FS-ISAC has 17 corporate members and-prompted by the recent publicity- another 30 are considering joining. Board members include Bank of America Corp., Citigroup, J.P. Morgan & Co., Morgan Stanley Dean Witter & Co. and Wells Fargo & Co.
By law, ISAC members are required individually to report any criminal activity they observe, but it's not clear whether the recent Web stoppages count as crimes under existing statutes. Moreover, government agencies, including the Federal Bureau of Investigations, were well aware of the recent increase in threats. "The FBI had been giving us alerts," Jarocki says.
Tom Patterson, a managing director in KPMG's e-commerce practice, says that "The banks should be congratulated." Even though FS-ISAC can strip out member institutions' identifying details, it's hard to disguise the victim of a security attack, Patterson says. As such, "It's a huge deal for banks to share information with competitors." But he adds, "You can't trust everybody. Do you give information to Fred's Porn Shop, too? Where do you draw the line?"
Jarocki says, "The financial services sector is concerned, and we want to do something." Good has come from the recent attacks in that they have stimulated interest in FS-ISAC, he adds. Jarocki also hopes Internet Service Providers and others whose inadequate security made them unwitting perpetrators of the nuisance viruses will be pressured into improving.
FS-ISAC's network is operated by Global Integrity Corp., a Reston, VA, security consultancy owned by SAIC Corp., San Diego. Although some have confused FS-ISAC as an initiative of the Bank Industry Technology Secretariat, a spokesperson for BITS says that is because FS-ISAC and BITS' security laboratory have overlapping members.
Patterson, who is based in the same town as Global Integrity and is friends with the company's executive vice president William Marlow, jokingly tells how "You'll be out with him and his beeper goes off, and he says, 'gotta go,' and he's gone. Afterwards, you never know if something really serious happened or he just didn't like the fish."