IT firms come clean on hacks, bugs and breaches

For the first time in the UK IT industry's history, leading vendors are planning to form an independent group to share information on security threats and vulnerabilities.

The move, still in the first tentative stages of planning, is intended to strengthen the reliability of products, boost user confidence in ecommerce and head-off any future government regulation.

The DTI has provided a £20,000 grant but founding group the Computer Software and Services Association (CSSA) estimates the organisation could cost up to £600,000 a year to run.

Tim Conway, director of industry affairs at the CSSA, said: "Aggressive competition has prevented companies from working closely together in the past. This will be a secure and trusted environment for members of the IT industry to work together."

The exact nature of the organisation, dubbed Saint (the Security Alliance for Internet and New Technologies), will be decided at the group's first operational meeting in February. But it's hoped it will be a forum at which companies will disclose details of bugs, hacking attempts, viruses and other security vulnerabilities.

John Harrison, business manager at smart241, claimed the IT industry is in a "wonderful position" to learn from operation experience and "raise the bar on security".

"If we all share information, especially the sensitive stuff that isn't available anywhere else, then we've got to move forward," Harrison said.

Baltimore, BT, EDS, Intel, Microsoft, SchlumbergerSema and Sun are all believed to be interested in becoming founder members.

The UK organisation will be closely modeled on its US counterpart, the Information Technology Sharing and Analysis Center (IT-ISAC), which launched earlier this year. IT-ISAC is still largely untested, but a joint press conference with the FBI to warn of the Code Red threat in July offered the first opportunity to demonstrate its capabilities.

Saint will share its discoveries with the user community by posting warnings and details of fixes on its website. But much of the information will have to be anonymised before it reaches the public domain.

Conway told silicon.com: "Everyone can be contractually engaged not to disclose information and there may be a requirement that certain types of information are sanitised before being released but it's very important that this isn't just seen as a closed shop for the IT industry."