FREQUENTLY ASKED QUESTIONS
What goals does the IT SCC have in addressing critical infrastructure protection, and how does it plan to achieve them?
The Council would like to work in true partnership with the Department of Homeland Security in developing risk-based, private-sector-driven critical infrastructure protection (CIP) initiatives. Specifically, the IT SCC is working with the National Cyber Security Division of the Department of Homeland Security to develop a new understanding of IT assets that is function based, as opposed to the traditional physical structure conception of assets. The IT SCC has developed a Plans Working Group to coordinate the IT SCC's input to the government's National Infrastructure Protection Plan (NIPP) and co-development of the IT Sector Specific Plan (SSP).
Additionally, the IT SCC is looking to build more robust information sharing between DHS and the private sector. As such, the IT SCC has asked DHS to use the powers granted to it in Section 871 of the Homeland Security Act and develop a FACA-exempt structure to more easily share information. The April 2006 announcement by DHS of the formation of the Critical Infrastructure Protection Advisory Committee (CIPAC) responds to that need, and the IT SCC is working with DHS to refine the architecture and operation of that committee. Additionally, the IT-ISAC continues to engage DHS on operational information sharing.
How will the IT SCC get work done?
The IT SCC asks that all Members participate in operating committees (Working Groups). Working Groups will be formed and disbanded according to a dynamic program for accomplishing the sector priorities. Currently there are three (3) Working Groups in operation.
- Communications, Nominations, and Membership Working Group - This group is responsible for the administration of policies and procedures for the IT SCC, including membership, inter- and intra-SCC communications, the nomination process for IT SCC leadership, and membership outreach and awareness.
- Plans Working Group - This group is responsible for the development of sector policy with respect to its partnership with the Department of Homeland Security, including support for the continued development and refinement of the Sector Specific Plan and other documents associated with the National Infrastructure Partnership Plan and critical infrastructure protection. Currently, this group is composed of two subgroups, working in cooperation with the Agency representatives on the Government Coordinating Council, that are focused on the Sector Specific Plan. These subgroups include a Critical Functions and Information Sharing group as well as a Protective Programs and Research and Development group.
- Strategy Working Group - This work group is responsible for addressing the internal strategic issues of the IT Sector as they apply to the IT SCC, including those associated with the governance and partnerships of the IT SCC.
Value Proposition - Why do businesses join the IT SCC?
The value proposition is one of synergy: sharing best practices for protecting critical assets and functions; access to early warning about threats; collaborating in incident mitigation; and enhanced capability for business restoration and continuity. These all need to be foremost in any business and critical infrastructure protection strategy. The public-private partnership is the underlying foundation of successful critical infrastructure protection. Both government and industry partners possess unique core competencies that add value to the partnership. Successful prevention, response, mitigation, and recovery efforts are severely degraded without the full participation of government and industry partners.
The success of the partnership is dependent upon a mutual benefit to both partners. For government, industry provides the following capabilities, outside of government core competencies:
- Ownership and management of almost all critical infrastructures;
- Visibility into critical infrastructure assets, networks, facilities, and other capabilities, and the ability to take actions as first responders to incidents;
- Ability to innovate to provide products, services, and technologies to quickly focus on requirements and needs; and
- Existing, robust information-sharing mechanisms useful for sharing and protecting sensitive information on threats, vulnerabilities, countermeasures, and best practices.
For industry, beyond the clear national security and homeland security interest in ensuring the protection of the nation and its critical infrastructures, participation in the IT SCC -- and partnership with the government -- provides members access to business-critical activities such as:
- Providing owners and operators information on threats to critical infrastructures that is timely, analytical, and useful to the recipients;
- Developing the resources to engage in cross-sector interdependency studies, through exercises and computer modeling, that result in guided decision support for business continuity planning;
- Awareness of availability of needed spectrum, fuel, and other resources on a priority basis during times of stress;
- Facilitating enhanced physical protection for assets and personnel during and after a significant event;
- Contributing to the development of a policy environment that provides a legal framework and incentives for companies to voluntarily adopt widely accepted sound security practices;
- Providing policy and resource support for research needed to enhance future critical infrastructure protection efforts;
- Ensuring industry is engaged, as early in the process as possible, in the development of initiatives and policies related to the implementation and, as needed, revision of the NIPP, the development and revision of the SSPs and other infrastructure protection issues; and, in general
- Articulating to corporate leaders, through the use of public platforms and private communications, both the business and national security benefits of investing in security measures that exceed fiduciary responsibility to shareholders.
What interaction does the IT SCC have with other Sector Coordinating Councils?
The IT sector shares significant security, business, technology, and governance concerns with the Communications Sector. Leaders of the IT and Communications Sectors recognize value in creating shared coordination bodies to consider cross-sector issues with the possibility of merging their respective SCCs in the future.
Additionally, the IT SCC serves as the base of IT sector representation to the Partnership for Critical Infrastructure Security (PCIS). PCIS is the formally recognized Cross-Sector Council through the National Infrastructure Protection Plan, which also recognized the individual Sector Coordinating Councils. PCIS serves as the coordinating body for each of the various Sector Coordinating Councils, and interacts with government at high levels to convey the opinions and perspectives of the private sector on a wide range of policy issues.
In acknowledgement of the increasing convergence between the IT Sector and the Communications Sector, both have discussed the value of merging and recognize that an SCC encompassing both sectors would likely be optimal. Pending organizational changes within the DHS would support such a consolidation of efforts. At present, members of both sectors agree that there should be an explicit plan to closely integrate their work. To this end, the Communications SCC holds a non-voting position on the Executive Committee of the IT SCC.
Does the IT SCC share information with other private Sector Coordinating Councils?
The IT SCC shares information with the other councils as needed. Due to the convergence of the IT and Communications Sectors, information sharing, especially on a policy basis, is quite strong between the two sectors. The IT SCC has a representative on the Communications SCC and the Communications SCC has a representative on the IT SCC. Further, coordination between the Communications and IT SCC is increasing with the Electric sector, with the three sectors forming a mini "millisecond sector".
Additionally, the IT-ISAC participates in the ISAC Council, which is composed of leaders of major industry ISACs. The President of the IT-ISAC is currently also President of the ISAC Council. The ISAC Council enables cross-sector information sharing focusing on operational policy issues. Finally, the IT-ISAC hosts daily cyber-related calls with the operations centers of other ISACs and communicates with those operations centers on a routine basis.
What is the IT SCC's role in dealing with the federal government on critical infrastructure protection?
The IT SCC was formed, in part, to support the "Sector Partnership Model" developed by DHS and endorsed by the NIAC. We will remain closely engaged with DHS, specifically the National Cyber Security Division as our lead Sector Agency, in CIP policy development and coordination. For operational information sharing issues, the IT-ISAC will take leadership, with the support of the IT SCC.
Does the IT SCC interact with the Sector-Specific Agency or Department of Homeland Security?
The National Cyber Security Division and the Assistant Secretary for Infrastructure Protection have both been very receptive to and supportive of the formation of the IT SCC. Moving forward, the IT SCC looks forward to being engaged earlier in the development stages of policy documents and decisions. As owners and operators of the Internet infrastructure, we are best positioned to craft plans and policies that will be most effective in securing the sector. Therefore, instead of being put in a position where we simply respond to plans that were written by the federal government or its contractors, we would like to be active partners in the creation of original drafts. In the end, this will save everyone time and money by producing a better product earlier that the stakeholders can effectively implement.
In the event of an incident, how does information flow to the IT SCC members?
Traditionally, the IT-ISAC has served as the main vehicle for communicating information about threats, vulnerabilities and incidents. With the advent of the IT SCC, the goal is not to reinvent that capability within the IT SCC, but to leverage the existing capability of the IT-ISAC and expand its reach. The IT-ISAC and the IT SCC are trying to determine exactly how to do this. The issue in "getting the word out" also is being evaluated, but the basic distinction is that in terms of policy, the IT SCC has the lead in getting the information out, and in terms of incidents or other operational issues, that responsibility falls to the IT-ISAC. The goal is to leverage the strengths of each to figure out ways to get the right information to the right people at the right time.
What is the role of the IT-ISAC versus the IT SCC?
The IT-ISAC is the operational arm of the sector, whereas the IT SCC is the policy arm. The IT SCC and the IT-ISAC are working to develop an MOU that will outline, in further detail, the roles and responsibilities of each. The IT-ISAC will continue to exist under the draft NIPP framework. The IT-ISAC provides valuable technical analytical capability, sharing information related to the health of the Internet Infrastructure. The IT SCC is a policy organization. In areas of operational policy, the IT SCC and IT-ISAC will coordinate closely. There is significant, but not total, overlap between the IT-ISAC and the IT SCC. This is not surprising since both organizations are designed to be representative of the owners and operators of the Internet Infrastructure.
