Whenever you speak to a reporter, you are always at risk that what will be published isn’t quite what you meant or that the context of your statement within the article will distort your meaning. Knowing this, you usually have to choose between the importance of what you have to say (in your opinion) and the potential downside of any alteration of your message.
With this in mind, I spoke to Ben Worthen, a reporter from The Wall Street Journal, and was quoted in the January 19, 2010 issue. The title of the specific article was “Private Sector Keeps Mum on Cyber Attacks” and the subtitle “Companies Are Loath to Disclose or Share Information on Breaches for Fear of Bad Publicity and Loss of Business to Rivals.” My particular statement was that the organized sharing of incident information among companies had not really advanced since the late 1990s.
My statement was sandwiched between one by Scott Algeier of the IT-ISAC (Information Technology Information Sharing and Analysis Center) and another by Bob Carr, the CEO of Heartland Payment Systems, which has suffered a major privacy data breach. Mr. Algeier asserted that considerable progress had been made in the past decade in public-private sector collaboration, and Bob Carr claimed that up to 300 companies had also been “targeted by similar attacks” but had not “come forward.” How might one resolve such apparent inconsistencies in our three views?
For the record, I was a co-founder and two-term Board member of the FS-ISAC (the Financial Services ISAC), which was launched by Treasury Secretary Lawrence Summers in October 1999, purposely in advance of Y2K. The IT-ISAC was founded more than a year later, in January 2001. The FS-ISAC was the first of the ISACs to be formed in accordance with President Clinton’s May 1998 Presidential Decision Directive (PDD) 63, alluded to in the WSJ article. The FS-ISAC became the model for many subsequent ISACs both in the US and abroad.