States share data on cyberthreats
- By William Jackson
- Apr 15, 2003
The multistate ISAC eventually could pool infrastructure threat information from all the states.
'New York State's William F. Pelgrin
A dozen states have banded together to pool their data about critical infrastructure threats.
William F. Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, is heading up the multistate information sharing and analysis center, which conducted its first exercise in February. Pelgrin said he is reaching new states almost daily.
'Our goal is to have a 50-state ISAC,' he said.
The multistate ISAC would be modeled on private-sector centers that have grown up with federal encouragement. Industry ISACs facilitate sharing information about threats and vulnerabilities in a given sector, such as IT, financial services or public utilities. Federal officials hope that such centers eventually will foster cooperation between various sectors and government agencies. For the time being, however, sharing is limited because of confidentiality concerns.
New York formalized the exchange of information between public and private sectors through its Public-Private Sector Cyber Security Workgroup, which first met in March 2002 and is chaired by Pelgrin. About 17 companies, trade associations and state agencies meets regularly to exchange information about threats and risks.
Most of the state's critical infrastructures are represented: financial and economic services, health care, public safety, telecommunications and utilities. Representatives of the transportation sector and local governments could soon join the group, which must navigate a fine line between sharing data and protecting proprietary information.
Each sector is doing a fine-grained risk inventory of its assets but is reporting only high-level summaries to the group. Reports come to Pelgrin in writing, he said, except that 'if there are things that need to remain verbal, we'll have telephone conferences.' He disseminates the data to the entire group for an overall assessment of the state's critical infrastructures.
Pelgrin proposed the multistate ISAC at a January meeting of the Northeast State Homeland Security Directors' Consortium, established by James K. Kallstrom, senior adviser to New York's Gov. George E. Pataki. Initial member states are either in the Northeast or have displayed leadership in cybersecurity.
'They invited Florida because of some of the work we're doing in the cyber area,' said Mike Russo, chief information security officer in Florida's state technology office.Disaster exercise
Since May 2001, Florida has been auditing agency networks to establish baseline security and procedures for disaster recovery and training.
'We'd been doing a lot in Florida before Sept. 11, and since Sept. 11 we've accelerated,' Russo said. 'I think we've made progress,' although the work is incomplete.
After the national threat level was raised from yellow to orange in February, the multistate ISAC held its first exercise 'very much at the last minute,' Pelgrin said.
Despite the short notice, each state reported by phone or e-mail to Pelgrin each day by 4 p.m. about cyberthreats they had detected. He consolidated the information in an e-mail bulletin transmitted to the states that evening.
Although snowstorms had halted physical traffic in many of the states, 'there was no malicious activity' on the cyber side, Russo said. 'The key to the exercise was the communications and working relationships with the other states.'
William Jackson is a Maryland-based freelance writer.