For members of the multistate information sharing and analysis center (ISAC), the golden rule is quid pro quo. More than 30 states now use the multistate ISAC as a centrally coordinated clearing-house to exchange and receive information about the status of other states' critical cyber and physical infrastructures.

The fast-growing ISAC quickly built a working model for sharing information among state governments about critical infrastructure vulnerabilities -- both physical and cyber. But the group now must define its relationship with an existing NASCIO information-sharing effort, and perhaps confront how it will sustain current activities at no cost to member states.

Focal Point

The multistate ISAC's goal is to provide a focal point for gathering information on electronic and/or physical threats to states' critical infrastructures, said William Pelgrin, director of the New York State Office of Cyber Security & Critical Infrastructure Coordination (CSCIC). Pelgrin said he first floated the idea for a multistate ISAC at a meeting of the Northeast State Homeland Security Directors' Consortium.

"Our homeland security director brought the 10 northeast states together from a homeland security perspective, and asked me to speak on the cyber and critical infrastructure side," Pelgrin said. "At that meeting I said, 'Why don't we start sharing information? Why don't we tear down the walls and start doing something instead of just talking about it?'"

As with many other collaborative IT projects, getting the multistate ISAC to fly was not about the technology -- it was about management and cultural changes relative to that management. It helps that government is now far more willing to consider information sharing after 9-11, and states have realized a new approach is needed.

Pelgrin said one response his state had after 9-11 was creating the New York State CSCIC, which is responsible for leading and coordinating the state's efforts to protect various state infrastructures, both physical and cyber, from natural disasters or terrorist attacks. The CSCIC coordinates the process through which critical infrastructure data is collected and maintained, and also monitors the state's networks for malicious cyber activities.

As part of its responsibilities, the CSCIC oversees the Public/Private Sector Cyber Security Workgroup, Pelgrin said, which collects and maintains information about various physical and cyber critical infrastructures in the state. The workgroup -- comprised of representatives of private-sector industries and government agencies -- meets regularly to exchange information about threats and risks to the state's critical infrastructures. That information is then funneled back to the CSCIC.

One goal was to cross sector lines to make sure the information collected didn't stay in silos, he said, because the state recognized something that affected the financial sector might have significant relevance to the telecommunications or utilities sectors.

"One thing we wanted to do in the multistate ISAC was take that private-sector model and use our relationship we're developing with the companies as part of our New York state-centric information and say, 'If you're a national company, you can be part of that multistate perspective, so that 50 states won't have to come bang on your door,'" he said. "Hopefully we can collectively use the input from the private sector to reduce the amount of impact we have on the private sector if each of us went to them individually."

Building the Plane in the Sky

Pelgrin's office has been coordinating the multistate ISAC since January -- when the initial member states held their kick-off meeting. The one thing Pelgrin said he wanted to avoid was excessive attention to planning, adding that his initial research on other private-sector ISACs found quite a lot of time was spent worrying about the who, what, when and where. Instead, Pelgrin decided to "build this plane in the sky," an approach that has allowed the organization to make

Shane Peterson  |  Associate Editor