The road to better information security, ironically, passes through better information sharing.
Improving information flow is a top priority after many offsite government meetings, but how can governments accomplish this in the security space? What internal and cross-boundary sharing models work, and what are the operational benefits?
Public IT leaders face myriad daily challenges. We must implement best practices, keep legacy systems running, secure wireless networks, boost morale, patch holes, stop bad guys and stay current on technology - all with fewer resources. We can't do this by ourselves.
Joining the Multi-State Information Sharing & Analysis Center (MS-ISAC) provides many operational benefits to state and local governments. The MS-ISAC is a central resource for gathering and sharing cyber-threat information among states and local governments, according to the MS-ISAC Web site. "The U.S. Department of Homeland Security has officially recognized the MS-ISAC as the national center for the states to coordinate cyber-readiness and response."
The MS-ISAC coordinates actions between the U.S. Computer Emergency Readiness Team and the states. State-specific ISACs are now being built around the country. Michigan, New York, Wisconsin, Pennsylvania, Texas and Florida already share information with local governments, universities, K-12 schools and other public institutions via state ISAC portals, and most other states are establishing ISACs. These state-specific ISACs provide a valuable central resource for information sharing within those states.
"We wanted to empower states to build information sharing communities within their own states, to encourage collaboration and partnerships between the state and its local governments and education institutions," said William Pelgrin, chair of the MS-ISAC. "By promoting this approach, we are helping enhance the cyber-security posture within each state, and collectively, across the nation."
Several state ISACs have operated for more than a year now. Michigan holds regular calls to discuss cross-government issues on hot security topics, such as denial-of-service attacks, botnets and spam. As in most states, Michigan shares network control and responsibility on many critical services between federal, state and local entities. We can now share information among these groups more securely and encourage even more local participation. Some types of information regularly shared via the secure portal are: direct access to cyber-security threat information from the state; access to security awareness materials and policy templates; secure messaging capabilities among ISAC members; time-sensitive information on current Internet incidents and metrics; and maps of cyber-alert statuses across the U.S. and within the states.
In addition to daily operational benefits, participation in the MS-ISAC and state ISACs provides unique opportunities to get involved in and learn from global strategic initiatives like cyber-exercises. Several states participated in Cyber Storm I in February 2006, and Cyber Storm II is slated for March 2008 with 10 states participating. These exercises are great occasions to test cyber-defenses and put training into practice.
It's free to join. In fact, the MS-ISAC worked with the federal government to facilitate bulk purchasing of encryption products that should save significant money.
"By allowing for this multigovernment procurement," said Pelgrin, "those entities which buy off the contract will be implementing sound best practice standards which they might not otherwise have implemented."
Not surprisingly, after the Northeast 2003 blackout, our technology team's first priority was to improve internal and external communication during emergencies. It may sound easy, but the hardest part is knowing who to call given various scenarios. We still struggle with some of the same questions today, but things are improving.
The Internet radically changed how the public sector delivers services. Securing "govspace," as I call it, requires us to partner in new ways. No matter what you've done in the past, I encourage public CIOs to get involved in their state ISAC efforts. We all need help, and we all need to help each other.