Firm Hired by Banks, Brokers Wards Off Hackers

WASHINGTON - In the wee hours of July 6, computer experts in Reston, Va., hired by the financial services industry to constantly monitor the Internet spotted a security threat.

With the click of a few buttons, these cyber-sentinels alerted more than 300 chief information security officers and network administrators at the nation's largest banks, securities firms, and insurance companies by fax, pager, or e-mail. Some of the recipients instantly read the warning on their cell phone screens:

Sender: FS/ISAC
Urgent Notification
Tracking I.D. 2000-07-01 Vulnerability
Subject: Denial of Service Attack - NEW

This concise message was enough to get their attention.

The sender, "FS/ISAC," is the Financial Services Information Sharing and Analysis Center, which was established by industry officials a year ago as an early warning system against computer virus or hacker attacks. And the urgent notice of a "denial of service attack" evoked bad memories of the online assault that overwhelmed several corporate Web sites in February and shook consumer confidence in electronic commerce.

Logging into the center's highly secured Web site, the information officers got a full rundown of the problem - software on a hacker's site designed to electronically bombard bank computer firewalls - and tips on how to gird their systems against attack.

As a result, nothing happened, and that is exactly the point. No Web site breakdown, no disruption of service, and - most importantly - no stories on the evening news.

"If we just stay out of the public eye and successfully manage the incidents that occur without an impact to our customers, that's a success," said Bruce W. Moulton, one of the center's directors and vice president for infrastructure risk management at Fidelity Investments.

Nearly 40 companies, which hold about 90% of the financial industry's assets, belong to the center. Membership fees range from $13,000 to $125,000 a year, depending on the size of the institution and types of services purchased.

Most of the members' names, and the identities of their representatives, are kept confidential. Only the identities of the center's nine directors are made public.

Besides Mr. Moulton, they include: Stephen R. Katz, chief information security officer of Citigroup; Stash Jarocki, chief information officer for Depository Trust Corp.; Roger Callahan, senior technology manager for systems and data security at Bank of America Corp.; and Susan Ladner, vice president for information security services at Wells Fargo & Co.

Mr. Moulton, who was recently elected the center's chairman, said it recommends a variety of solutions with technical and human elements, including setting a company's e-mail system to block out files with certain attachments that could carry a virus; updating firewall or other software to correct a weakness; or instructing employees that they could be punished for disabling their antiviral program to speed up their desktop computer.
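The first of the recommendations above, setting the mail system to block attachments that could carry a virus, is the kind of control a gateway can enforce mechanically. The following is an added example, not code from the center, Global Integrity or any member firm; the block list, the helper names and the two sample messages are constructed for illustration. It judges each attachment by its final extension, which matters because the mass-mailing worms of this period hid scripts behind a decoy extension such as ".TXT.vbs".

```python
from email import message_from_string
from typing import List

# Extensions the policy treats as executable content. This is a constructed list for the
# example; a real deployment tunes it to the desktop platforms in use.
BLOCKED_EXTENSIONS = {"exe", "vbs", "vbe", "js", "jse", "scr", "bat", "cmd", "pif", "com"}


def final_extension(filename: str) -> str:
    """Return the last extension of a filename, lower-cased ('' if there is none).

    The last extension is what the desktop will execute, so 'LETTER.TXT.vbs' is
    judged on 'vbs', not on the decoy 'txt' in the middle of the name.
    """
    name = filename.strip().rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def blocked_attachments(raw_message: str) -> List[str]:
    """Return the filenames of attachments whose final extension is on the block list."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def should_quarantine(raw_message: str) -> bool:
    """Gateway decision: hold the message if any attachment is blocked."""
    return bool(blocked_attachments(raw_message))


# Constructed sample messages (not real traffic). The first carries a script disguised
# with a double extension; the second carries an ordinary document and passes.
WORM_MESSAGE = """\
From: someone@example.invalid
To: recipient@example.invalid
Subject: kindly check the attached letter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please open the attachment.
--sep
Content-Type: application/octet-stream; name="LETTER.TXT.vbs"
Content-Disposition: attachment; filename="LETTER.TXT.vbs"
Content-Transfer-Encoding: base64

ZHVtbXk=
--sep--
"""

CLEAN_MESSAGE = """\
From: someone@example.invalid
To: recipient@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Report attached.
--sep
Content-Type: application/pdf; name="quarterly-report.pdf"
Content-Disposition: attachment; filename="quarterly-report.pdf"
Content-Transfer-Encoding: base64

ZHVtbXk=
--sep--
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "quarantine" if should_quarantine(raw) else "deliver", blocked_attachments(raw))
```

An extension check is only the cheapest layer: it says nothing about a document that carries a macro, which is why the same recommendation pairs it with keeping antivirus software enabled on the desktop.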

Gregory A. Baer, the Treasury Department's assistant secretary for financial institutions and the federal government's liaison to the center, describes it as the Centers for Disease Control and Prevention for financial companies operating in the virtual world.

Just as CDC epidemiologists are on guard for the next killer flu strain that could arise in any corner of the globe, the center's online snoops are constantly combing the "wild," as they like to call the myriad hacker sites and other corners of cyberspace, for computer viruses.

The infamous "I Love You" virus, which infected computer systems nationwide this year, was very similar to a dangerous flu virus, Mr. Baer said. "It started in Asia and swept across the world - except it swept across the world in six hours."

Timely response is critical, officials at the information center said. Like health professionals who try to prevent a biological pandemic by sizing up a virus and developing and distributing the proper vaccine as soon as possible, the center's job is to develop a software fix and post it on its Web site within hours for immediate downloading.

Regulators have proposed uniform security standards and expanded reporting requirements on computer intrusions in suspicious activity reports, but that will not prevent attacks that can happen with lightning speed, Mr. Baer said.

Only by working together can the industry protect itself, and that is why a 1998 presidential directive recommended that government agencies form partnerships with various industries to help secure banking, telephone, and other vital infrastructures for national security.

Federal rules would be unenforceable, Mr. Baer said. "It has to be voluntary. … We have to encourage the private sector."

Though the financial services industry was one of the quickest to respond to the government initiative, it was not an easy sell. Banks and other financial players have plenty to gain from exchanging tips with each other, because they have significant funds at stake and face severe reputational risks from any computer glitches.

For the same reasons, however, financial firms are inclined to keep any vulnerabilities or failures a secret. "The first instinct of a company under a debilitating attack is not to highlight its problems to the public and help its competitors avoid the same fate," Mr. Baer testified at a Senate Banking subcommittee hearing in May on computer viruses.

"If you are going to have real-time information sharing, it is going to have to be through a mechanism that the financial industry trusts," he said in a recent interview.

As a result, the center's founders structured it as a limited liability company funded by the members. The center assures them of anonymity; any reports of hacker attacks or other problems are automatically stripped of identifying features before they are received.

Global Integrity, a subsidiary of the SAIC consulting firm based in the Washington suburbs, was hired to staff and operate the center.

"One of the largest concerns of the financial institutions was how the information would be distributed, and how it could be misconstrued," said William Marlow, executive vice president of Global Integrity. "It can't be traced or tracked back to the institution. We don't know who you are, and we operate the system. … By the time it gets to us, we have no clue who it came from or what the path that it came from was."
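The anonymity the center promises (reports "automatically stripped of identifying features" before they are received, and Mr. Marlow's point that nothing can be traced back to the institution) rests on a sanitization step at the member's side. The following is an added example of such a step, not code from the center or from Global Integrity; the field names, the institution, the address ranges treated as internal and the sample report are all constructed. It drops the fields that name the submitter, masks the member's own hosts and name with stable tokens, and leaves the attacker-side indicators intact, since those are the part worth sharing.

```python
import ipaddress
import re
from typing import Dict, List

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address space treated as the reporting member's own (RFC 1918 plus loopback). This is an
# assumption for the example: a real gateway would be configured with the member's actual
# netblocks, public ones included, since those identify the member just as surely.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Fields that name the submitter. They are dropped outright, not masked.
SUBMITTER_FIELDS = ("institution", "contact_name", "contact_email", "contact_phone")


def is_internal(raw_ip: str) -> bool:
    """True if the dotted-quad string falls inside the member's address space."""
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        return False  # e.g. a version string like 999.1.1.1 that matched the regex
    return any(addr in net for net in INTERNAL_NETS)


def scrub_text(text: str, institution_terms: List[str], mapping: Dict[str, str]) -> str:
    """Mask internal addresses and institution names in free text.

    Each distinct internal address or name gets a stable token within one report
    (INTERNAL-HOST-1, MEMBER-1, ...), so an analyst still sees that two events hit
    the same host without learning which host, or whose, it was. Public addresses
    are left as they are.
    """
    def token(original: str, prefix: str) -> str:
        if original not in mapping:
            already = sum(1 for v in mapping.values() if v.startswith(prefix + "-"))
            mapping[original] = f"{prefix}-{already + 1}"
        return mapping[original]

    def mask_ip(match) -> str:
        raw = match.group(0)
        return token(raw, "INTERNAL-HOST") if is_internal(raw) else raw

    text = IP_RE.sub(mask_ip, text)
    for term in institution_terms:
        text = re.sub(re.escape(term), lambda _m, t=term: token(t, "MEMBER"), text,
                      flags=re.IGNORECASE)
    return text


def scrub_report(report: Dict[str, str], institution_terms: List[str]) -> Dict[str, str]:
    """Produce the copy of a report that is safe to forward to the sharing center."""
    mapping: Dict[str, str] = {}  # shared across fields so tokens stay consistent
    return {key: scrub_text(value, institution_terms, mapping)
            for key, value in report.items() if key not in SUBMITTER_FIELDS}


# Constructed sample report: fictional institution, documentation-range attacker address.
SAMPLE_REPORT = {
    "institution": "First Example Bank",
    "contact_name": "J. Doe",
    "contact_email": "jdoe@firstexample.invalid",
    "category": "denial of service",
    "summary": ("SYN flood against www.firstexample.invalid (10.1.2.3) from 203.0.113.7; "
                "10.1.2.3 and 10.1.2.4 saturated; First Example Bank firewall logs attached."),
}
INSTITUTION_TERMS = ["First Example Bank", "firstexample"]

if __name__ == "__main__":
    for key, value in scrub_report(SAMPLE_REPORT, INSTITUTION_TERMS).items():
        print(f"{key}: {value}")
```

The token mapping is kept only on the member's side and never leaves with the report, which is what lets the receiving analysts correlate events inside one submission while still, in Mr. Marlow's words, having "no clue who it came from". Free-text fields remain the weak spot: a product name, a branch city or a distinctive log format can identify a firm as readily as its name, so a scrub list of this kind has to be maintained, not written once.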

Mr. Marlow and Dan Woolley, Global Integrity's president, project a reassuring image with their high-tech presentations about the center and exhaustive data on the future threats to e-commerce. Among other things, they noted that 21 U.S. corporations currently have their Web sites vandalized each day, up from 13 last year.

During an interview, Mr. Marlow, 45, who has worked as an information security expert for a variety of companies, sipped from a glossy, metallic mug labeled "Cyber Warrior" and laughed heartily while explaining jargon such as "exploit code" and "a new vulnerability against the Checkpoint Firewall."

He is serious, though, when discussing the center's security. The brains of the center's database are seven computer servers housed in the "bunker," a data facility owned by another company that is protected by cinder block walls coated with steel plates and Kevlar, the same synthetic substance used in bulletproof vests.

The building could sustain a hit by a 500-pound bomb, Mr. Marlow said.

Besides investigating the average of two to three reports per day from the center's members, Mr. Marlow's 28-member team scours cyberspace looking for software programs posted on hacker Web sites.

For instance, the center's "open source intelligence" discovered the software that July morning which any hacker could have used to launch a denial of service attack, Mr. Marlow said.

The center's cybersnoops "act like hackers out on hacker bulletin boards and discussion groups," he said. "They are kind of gray-hatted folks. They look like, smell like, taste like hackers, but they are gathering information that we are using."

The center draws from more than 60 information sources, including the National Security Agency, the Department of Defense, the Central Intelligence Agency, and Carnegie-Mellon University's Computer Emergency Response Team.

If a high-tech attack were based at a number of banks, the center has a plan in place to gather its board members together in an online meeting. If it were serious enough, like a concerted attack against the 10 largest banks, the center's board would notify regulators and probably the Defense Department as a matter of national security.

However, no such event has happened - yet.

Mr. Moulton said that, as a senior officer at Fidelity, he wears his pager around the clock (except when he's on vacation); he receives from the center an average of one urgent notice and as many as a dozen low-priority messages per week.

The peace of mind is worth some occasional rude awakenings, he said. "It goes off at 2 or 3 in the morning" sometimes, Mr. Moulton said. "If it does that, I go upstairs and log in."

Once center members are online, he said, they begin sharing news of problems with each other and possible solutions.

The center has had some growing pains.

When Yahoo and other sites were hit by the denial of service attack in February, a news report criticized the center for failing to notify other industries or regulators after detecting the threat. Mr. Marlow said that, while the center knew the software that would be used in the attacks was circulating, it had no idea when an attack would occur or who would be targeted.

The center released a press release about its discoveries a day before the attacks hit, he said, but to no avail.
