State and Local Governments' Shared Cyber Defense Is Going to Change. The Question Is How.

The Empire State Plaza in Albany, New York. The Multi-State Information Security and Analysis Center resides across the river in East Greenbush, New York. Paul Brady Photography / Shutterstock.com

 


With growing demand, the MS-ISAC risks becoming a victim of its own success.

As cybersecurity threats to state and local governments continue to grow, the federally funded nonprofit that provides threat information and analysis is under increasing demand.

The Multi-State Information Sharing and Analysis Center, better known as MS-ISAC, is tasked with boosting the overall cybersecurity postures of state, local, tribal and territorial governments. But as its membership increases, along with the number and sophistication of attacks, the question that hangs over the organization today is whether it will be able to provide the same level of support its members praise it for—and if not, what does the organization’s future look like?

As one member told Route Fifty, “Obviously there’s a benefit to bringing as many people in, but there’s also the potential to where you’re not able to support that entire base.”

Security With a Personal Touch

In January 2003, a handful of information security professionals from northeastern states gathered in New York City to discuss sharing information on cyber threats they were seeing in their environment. They were led by Will Pelgrin, then-chief information security officer of New York state. The next year, with an initial pilot grant from the U.S. Department of Homeland Security, the MS-ISAC became a formal entity in earnest and other states quickly joined in.

Pelgrin moved from his role with New York to run the MS-ISAC. Public universities and other state entities began to join, and in 2011 the organization swung its doors open to localities.

Almost 15 years removed from that initial informal group of state security professionals meeting in New York City, the non-profit organization now boasts members from “all 56 states and territories, all 50 state capitals, all 78 fusion centers, over 1,000 local governments” and many tribal governments, as well.

The task is enormous. The local governments involved represent over 60 percent of the U.S. population. That doesn’t include the public infrastructure providers like airports, public utilities and mass transit systems. Following last year’s election, MS-ISAC began expanding its support to election authorities—work it expects to grow in the years ahead.

“We were figuring out what we were going to do and how we were going to do it, and how we were going to partner together,” Elayne Starkey, CISO for the state of Delaware, told Route Fifty about the first meeting. “It’s amazing to look back and see how far the organization has come.”

Starkey said the support provided in those early years was “invaluable as we built the program in Delaware.” In interviews with several current and former state information security officers, I found that sentiment to be nearly unanimous—the MS-ISAC has been vital in helping states continue to mature their security operations in the face of an ever-increasing cybersecurity threat.

“I think we are a stronger cybersecurity program with the support that they provided,” Mississippi’s Chief Information Security Officer Jay White explained. He cited the ALBERT network monitoring program, a tailored variation on the federal government’s EINSTEIN program, as an example of the organization significantly upgrading the state’s security posture.

Growing Pains

In 2015, MS-ISAC’s chair and long-time driving force behind its growth, Pelgrin, retired. Thomas Duffy now serves as chair and is tasked with ensuring the organization can continue to provide quality service to its growing membership.

Duffy attended that initial meeting in New York City, having served as deputy to Pelgrin in New York state at that time, and ultimately played a parallel role as his No. 2 at the MS-ISAC until Pelgrin’s retirement in 2015.

To Duffy, much of the solution to keeping up with membership growth can be found in building tools to expand the organization’s services. “If you can automate it, it doesn’t matter if you’re doing an analysis for a hundred people or a thousand people,” Duffy said. “If you get it automated, you can scale much faster.”

Duffy had just finished his speech to the National Association of State Technology Directors at their annual meeting, where he provided examples of how MS-ISAC is embracing automation and meeting the needs of its growing membership. For instance, MS-ISAC created a script a few years ago to scan its members’ websites each week for vulnerabilities—over 27,000 of them by his count.

More members also give the MS-ISAC a larger pool of threat intelligence to share. As Starkey explained to me, “There are many large cities and large counties that are even larger than the state of Delaware, so from that standpoint that helps as far as our intelligence feeds and the trend data… I think that’s helpful to a small state like ours.”

The organization is also exploring ways of analyzing and preventing unique cyber threats that haven’t been encountered before. That type of technology, known as non-signature based detection, is increasingly becoming standard in the enterprise cybersecurity market. According to Michael Atkinson, national solutions architect for state and local government at FireEye, “over 80 percent of all malware strains are used once and never reused again,” making non-signature detection vital.

Currently, threat intel and data are still sent to members by email. However, the organization is working with Illinois and Maine on ways to integrate their threat information into members’ cybersecurity interfaces known as security information and event management systems, or SIEMs. It is also investigating a port scanning technology to better secure local governments as they enter the “smart city” age, integrating vital infrastructure with the power of the internet.

Technology is increasingly automating what was once an informal professional information sharing network.

And, while automation helps solve the issue of scale, it does erode personal interaction. The network of members today is both larger and more diverse. While annual meetings used to consist of 40 to 50 state representatives, the last event had about 400 people from organizations with a myriad of different responsibilities and facing different threats.

As such, some of the comradery of the original state group seems to be more difficult to find among the sea of new members, according to some long-standing members of the MS-ISAC.

“It’s a tough charter when you think about it, especially since the expansion,” Starkey said. “I think when they were a state-only focused organization the requirements were much simpler and yes, we were all at different maturity points but there was a common state government thread. … We, meaning the state CISOs, have had to work harder to maintain those connections.”

The MS-ISAC is trying to tackle that aspect of growth by creating internal opportunities for smaller-scale networking and information exchange.

For instance, White co-chairs a committee that created a mentoring program for new security leaders in management positions. The MS-ISAC has also created segmented discussion channels for various sectors of membership, such as airports, K-12 and higher education.

Duffy recognizes the complications of growth and supporting a broader membership base. “It’s been challenging, because when it was just the states, you had more intimate contact with each state CISO. As we grew, you just naturally you don’t have that intimate contact.”

It’s Always a Question of Money

As with most things in government, the elephant in the room is the organization’s long-term funding. Among the attractive features of the MS-ISAC is that its services and support are free to its members, courtesy of Uncle Sam.

As the threat and members grow, there is a question of whether the existing Homeland Security funding will be sufficient for the increased demand.

If not, the MS-ISAC could potentially try to charge for portions of services. However, fees or cost-sharing would create a multitude of difficulties for MS-ISAC and its members—from small localities who could not afford the extra costs to state procurement rules that could require competitive bidding for services.

Funding limitations could also hinder the ability of the MS-ISAC to keep pace with evolving cyber threats. “I’m sure I could come up with a list of ‘I wish we could do this and this and this’ from the MS-ISAC, but that’s kind of unrealistic,” Starkey said to me when I asked about what other services she hoped to see from the organization. “It requires new budget and new dollars to do some of those additional services and I’m not aware of any new dollars that are on the horizon.”

Starkey wasn’t concerned about how the MS-ISAC would deal with the growth or support from the federal government. “I’m confident in Tom [Duffy]’s leadership to adjust to those shifting priorities. He’s made strong cases to the decision-makers in terms of demonstrating the value of the MS-ISAC.”

Duffy, in turn, believes his partners on the federal side understand the value proposition of the MS-ISAC, and how better security for state and local entities means better security for the federal government—and the nation writ large.

He told me there has been no change in “support and attitude” with the transition to the Trump administration. “The current folks we deal with are tremendously supportive.”
