The fast-growing ISAC quickly built a working model for sharing information among state governments about critical infrastructure vulnerabilities -- both physical and cyber. But the group now must define its relationship with an existing NASCIO information-sharing effort, and perhaps confront how it will sustain current activities at no cost to member states.
The multistate ISAC's goal is to provide a focal point for gathering information on electronic and/or physical threats to states' critical infrastructures, said William Pelgrin, director of the New York State Office of Cyber Security & Critical Infrastructure Coordination (CSCIC). Pelgrin said he first floated the idea for a multistate ISAC at a meeting of the Northeast State Homeland Security Directors' Consortium.
"Our homeland security director brought the 10 northeast states together from a homeland security perspective, and asked me to speak on the cyber and critical infrastructure side," Pelgrin said. "At that meeting I said, 'Why don't we start sharing information? Why don't we tear down the walls and start doing something instead of just talking about it?'"
As with many other collaborative IT projects, getting the multistate ISAC to fly was not about the technology -- it was about management and cultural changes relative to that management. It helps that government is now far more willing to consider information sharing after 9-11, and states have realized a new approach is needed.
As part of its responsibilities, the CSCIC oversees the Public/Private Sector Cyber Security Workgroup, Pelgrin said, which collects and maintains information about various physical and cyber critical infrastructures in the state. The workgroup -- comprised of representatives of private-sector industries and government agencies -- meets regularly to exchange information about threats and risks to the state's critical infrastructures. That information is then funneled back to the CSCIC.
One goal was to cross sector lines to make sure the information collected didn't stay in silos, he said, because the state recognized something that affected the financial sector might have significant relevance to the telecommunications or utilities sectors.
"One thing we wanted to do in the multistate ISAC was take that private-sector model and use our relationship we're developing with the companies as part of our New York state-centric information and say, 'If you're a national company, you can be part of that multistate perspective, so that 50 states won't have to come bang on your door,'" he said. "Hopefully we can collectively use the input from the private sector to reduce the amount of impact we have on the private sector if each of us went to them individually."
Building the Plane in the Sky
Pelgrin's office has been coordinating the multistate ISAC since January -- when the initial member states held their kick-off meeting. The one thing Pelgrin said he wanted to avoid was excessive attention to planning, adding that his initial research on other private-sector ISACs found quite a lot of time was spent worrying about the who, what, when and where. Instead, Pelgrin decided to "build this plane in the sky," an approach that has allowed the organization to make adjustments on the fly.
"As long as we're moving in a forward direction, we can modify it," he said. "The concept here is, 'Let's share information. Let's not hold it or be territorial about that information.' Everything we've done to date gets codified and cut to a CD. It then gets distributed to all the states participating. We have templates on vulnerability and risk assessments on both the physical and cyber. Any state can get that information and use it internally within their state."
Pelgrin said the multistate ISAC collects information from other states in several ways -- a state can submit a written warning about a vulnerability or threat in writing and identify itself as the source, submit an anonymous written warning, or simply pick up the phone and call Pelgrin at his office with a verbal warning.
Not having a "right" way to collect information is working well, he said.
"If we waited to build it all out -- let's say we all agree that we need a secure, automated ability to collect and disseminate this information -- we'd still be trying to get our arms around that," he said.
In addition, Pelgrin said he got word from the Department of Homeland Security in early June about an automated, secure communication system the multistate ISAC could potentially use to collect and disseminate information. No decision on that system's feasibility had been reached as of press time, however. Members of the multistate ISAC also are concentrating on establishing the next four or five milestones for the ISAC itself, he said.
"We are going to put up a multistate ISAC Web site, with both a public and a private side," he said, something the states want to get up and running as quickly as possible. "On the public side, it would be a place individuals would be able to see information that's available for citizens, businesses and other governmental entities. It will link to all the different states that want to have linkages to their sites."
The goal is to include all 50 states in the multistate ISAC, Pelgrin said, and Australia and New Zealand as well, since often they are the first to see viruses released onto the Internet.
"We understand there's a formality that will have to be built into this as we go forward, but we weren't going to hold up everything before that was done," he said. "We didn't need to have everything set in concrete and steps one through 20 delineated. We all agreed with the concepts of what we were trying to do."
Are Two Better than One?
This is not the first attempt at forming an ISAC among states -- NASCIO has been working on its Interstate ISAC since July 2002, when the association signed a formal, information-sharing agreement with the National Infrastructure Protection Center (NIPC).
When the Bush administration created the Department of Homeland Security (DHS), the NIPC was folded into the DHS' new Directorate of Information Analysis and Infrastructure Protection (IAIP).
NASCIO officials said their organization is committed to fulfilling the agreement.
"We have submitted a proposal for startup funding for a full-featured ISAC program to DHS and White House leadership," said Gerry Wethington, president of NASCIO and CIO of Missouri. "Once the new DHS leadership settles in, we expect to engage them further in this discussion. We have had all 50 states, plus Washington, D.C., and several territories involved in our effort since we signed the agreement with DHS, and are now working to formalize a two-way sharing commitment between the states and the NASCIO-DHS effort."
NASCIO officials also said NASCIO will work with DHS' analytical unit on a trailblazer project that will immediately allow some state chief information security officers -- with previous security clearance -- to work with the DHS and serve as an advisory group on immediate threats, and develop parameters for future Interstate ISAC reporting and sharing guidelines.
Part of the work on two-way information sharing involves crafting individual state agreements, NASCIO officials said. It could take several months and a couple of revisions to sort out all the legal implications for every state.
Larry Kettlewell, Kansas' chief information security officer and vice chair of NASCIO's Cybersecurity Committee, is NASCIO's liaison to the multistate ISAC, the DHS' IAIP, and all other ISAC-related organizations and efforts.
"NASCIO is committed to supporting any effort that will meet the needs of all the state CIOs to protect their state's critical information assets," Wethington said. "Our goal has always been to play an appropriate role in this area -- not to necessarily be the foremost or only player."
There is no official coordination between NASCIO's Interstate ISAC and Pelgrin's multistate ISAC efforts as of yet, according to NASCIO officials, though NASCIO does disseminate information it gets from the DHS to the multistate ISAC.
Wethington said it's possible the ISACs could play complementary roles.
"NASCIO's Interstate ISAC is devoted to cyber-security issues," he said. "We've got signed agreements with different offices in Washington, D.C., and we're very much engaged with them to try to pursue those agreements. The multistate ISAC has a broader focus because not only is it cyber-security, it has elements of physical security associated with it as well."
To avoid duplication of effort, Wethington said he sees discussions in the future between NASCIO and Pelgrin to determine which areas of responsibility each particular ISAC should assume.
"Our strategy, long term, is to make sure we've got collaborative efforts under way -- that the multistate ISAC has a presence in our environment and NASCIO has a presence in the multistate ISAC's environment -- and then we'll see how this fleshes out as we go downstream," Wethington said. "Both of these initiatives are new enough that we really don't have clear definitions as to what the specifics of either program will be. It's in no one's interest to have competing efforts, but it's in everyone's interest to have collaborative efforts."
What could ultimately force the two ISACs to clearly define roles and responsibilities are funding and support issues. NASCIO is working with the DHS to secure federal funding for the Interstate ISAC because states simply don't have the available resources to devote to it, Wethington said, citing the dire budgetary straits facing states.
"Will [Pelgrin] talks about his effort as being one of collaboration, and he talks about no expenses associated with it," Wethington said. "I think that's admirable. At some point in time, depending on how it grows, will he always be able to maintain that posture? Certainly he hopes so, and we hope so. But I think we've got to wait until we see what the real demands are -- as interest in the cyber-security issue continues to heighten -- to get a sense as to the volume and bandwidth associated with that interest.
"When we have that, we'll be able to more clearly sort out roles and responsibilities, and figure out what will be in NASCIO's Interstate ISAC, and what will continue to be a collaborative effort that also encompasses physical security," he continued. "In multistate collaboration efforts that I've seen, there's a point of economic return there where you can't continue to do it at no cost for the benefit of 49 other states. Where that point is, I don't know."
For his part, Pelgrin said he has enjoyed working with NASCIO, and he expects to work with the organization in the future as the multistate ISAC matures.
"We have so many states participating in the multistate ISAC at this point that we might as well continue with this effort and then merge whatever effort NASCIO has been doing and see what we come out with," Pelgrin said. "This is huge, and there's room for everybody to have an important role. There's a role for the National Governors Association, NASCIO and others, and this whole thing will collectively come together as we move forward."
Pelgrin said cost is definitely an issue for states that belong to the multistate ISAC because all states are simply spread too thin and have to watch literally every penny. Still, he said he's always told states that cost should not be a barrier to progress.
"If we're all in agreement that what we're doing is a value add collectively -- each of us providing in-kind services to make this work -- and if that's the best we can do because dollars are so tight, we're still a lot better off," he said. "We're talking. We've got 24/7 contact. We meet monthly. We share information. We all do our own analyses, to the extent that we have that capability, and we share that. If that's the level we get to, that's great."
Federal funding would be appreciated, he said, because that sort of infusion of dollars could lead to enhanced functionality for the multistate ISAC. Still, if the ISAC stays at the same level of operation, Pelgrin said he's happy.
Count Us In
The multistate ISAC is a sign of the times, said Laura Larimer, CIO of Indiana, which joined the ISAC in the second month of the group's existence.
"Sept. 11 and the new, more intense focus on security -- not just cyber-security but all kinds of security -- has simply necessitated something we didn't think of as a necessity before," Larimer said. "Circumstances change, and the responses change."
Though the multistate ISAC is still in its infancy, it has already delivered tangible benefits to Indiana, said Mike Holstein, a security engineer in Indiana's Division of Information Technology.
"There's definitely been a lot positive things that have come out of it so far, just in terms of being able to interact with my peers in the other states directly and information sharing," Holstein said. "You can contact the states that made the report to the ISAC to get the information directly, and that gives you a lot of opportunity through data analysis that you wouldn't have just using your piece of the pie.
"If somebody else has noticed an attack from a particular location, any data that I can get helps me with a more specific thing to look for when I mine through all of our data," he continued. "If somebody else has already noticed a particular pattern that has targeted a state, that would be very relevant to me when I try to look at events from the same place because we would represent the same kind of target."
No State Is an Island
Indiana's Larimer said the multistate ISAC is an extension of a growing realization of how closely connected state governments really are.
"We are really trying to be significantly more aware of how other places affect us, and be much less siloed in our approach to security," Larimer said. Aside from making security professionals' lives a bit easier, the ISAC is also a way for states to potentially save some money if a virus or similar electronic attack hits them.
"When those sorts of attacks happen, there is a cost to cleaning up," Larimer said. "Any sort of prevention activity we can invest in, in a fiscally reasonable way, simply means we're not investing in unplanned cleanup costs down the road. Certainly there is an avoidance of costs."
Indiana's Holstein said he received calls from the ISAC's Pelgrin warning of potential vulnerabilities to software or alerting of available hot fixes for software that will thwart the vulnerability several hours before getting such a warning from the software vendor.
"In those kind of situations, every minute really counts," Holstein said. "The sooner you're aware of something like that, the faster you can get them fixed and reduce your exposure."
