A new group could change how the nation monitors cyberattacks against critical public infrastructure

Disruption to emergency response systems or water facilities could be deadly, so Michael Hamilton is building a national network that can act as a "radar for infrastructure disruption."

Michael Hamilton has spent much of his career trying to prepare local governments for cyberattacks. During his stint as Seattle’s chief information security officer between 2006 and 2013, he led a program called the Public Regional Information Security Event Management System, or PRISEM, which attempted to consolidate cyberthreats directed not just at his city, but more than a dozen surrounding jurisdictions, ports, hospitals and other facilities, and enlist students at the University of Washington to be part of the response teams.

But it collapsed not long after Hamilton moved from Seattle city hall to advising Washington Gov. Jay Inslee. Funding for PRISEM, which came mostly from the U.S. Department of Homeland Security, ran out, and the program wound up as a victim of a turf war with the state chief information security officer.

Now the head of his own consulting firm, Hamilton recently announced the launch of a rebooted version of PRISEM — this time called the Public Infrastructure Security Collaboration and Exchange System, or PISCES. The new venture, which is backed by Seattle venture capitalist Alan Frazier, recruits students at Western Washington University’s cyber range to respond to threats to local governments that don’t have the resources to mount cyberdefenses on their own. The goal is to create a continuously refreshed roster of cybersecurity practitioners who can work for the public sector instead of being swallowed up by the far more lucrative private sector.

“It’s designed for the downmarket jurisdictions,” Hamilton said of PISCES. Indeed, the first five clients are mostly rural cities and counties far from Seattle’s hive of high-tech activity. But, as Hamilton tells StateScoop, it’s those places that are the most likely to be targeted by cyberattacks.

We usually think about public safety through the framework of physical things: police cars, fire trucks, ambulances. How do you convince governments that cybersecurity, which is largely invisible, is part of public safety?

The Department of Homeland Security has designated 16 sectors as critical. Their narrative has always been this is a big private-sector problem. There’s this meme that 85 percent of infrastructure is in the private sector. Nobody knows where it comes from. But your local government does traffic government, provides communication for law enforcement, cleans water, removes waste. Local government crosses all these critical sectors. And everything I mentioned is dependent on IT.

Then how do you get local governments to improve their cybersecurity?

You have to make it inexpensive for them. If you are working in cybersecurity, what are you drawn to? It’s not 30 years in public service working for a pension. We need to create models to make it attractive. One is using students. Another way to do this would be transitioning military. We’re really worried about power utilities and the water sector. People there have come up through the trades — they’re not IT people. But they understand apprenticeships. But when I worked as a policy adviser, I floated this apprenticeship, and all they wanted to do was teach people to write Javascript.

Tell me about PRISEM.

I got some grant money from DHS. We wound up getting grants from the Science and Technology division, port security grants. Ultimately we spent about $3 million. We were monitoring nine cities and counties, six ports on Puget Sound, hospitals and other facilities. The data flowed up to the Washington State Fusion Center, and through some masterful political jujitsu I was able to get Seattle Public Utilities to loan one of their people to the Seattle Police Department so that person could be deployed to the Fusion Center as a cyber-analyst.

What went wrong?

We were looking for sustainability for the PRISEM project. The reason the state brought me in as a policy adviser was so I could put the state’s fingerprints on PRISEM and align it with the state SOC. The idea was always that we were going to train students, and we worked with the University of Washington. But both those institutions are too large to work quickly. The state CISO at the time was “noun-verb-multi-state ISAC.” The multi-state ISAC wanted to run the table. It became very clear we were not on the same team. We had different ideas of what the outcome should be. I looked at my watch and said I gotta go. I left with $80,000 still on my contract.

Is PISCES the ideal version of what you were trying to build?

PISCES can be described as the public option for monitoring. It’s designed for the downmarket jurisdictions. We monitor five jurisdictions for free, about 1,000 municipal employees. City of Anacortes, San Juan County, Stevens County, Washougal, and Covington. We’ve got more jurisdictions knocking on the door to get in. What made it possible was the participation of the company. Rather than these communities coming to our SOC, it is going to the cyber range at Western Washington State University, which can be used statewide. There is some grant funding to create a network of ISAOs and University of Washington would like the PISCES project to align so that we can share with a nationwide network. It’s about to get bigger.

It sounds like you’re trying to build your own cyber corps.

That’s exactly right. A lot of ideas have to be brought to bear. One of those ideas is nonprofits that can work for downmarket jurisdictions, especially with developing workforces. If we were able to monitor 500 jurisdictions and then share those findings, we have radar for infrastructure disruption. We really need to have an awareness of how important cybersecurity is to the quality of living. ATMs down on the East Coast is a news story. My toilet won’t flush or 911 doesn’t work is a disaster.

What’s a likely scenario?

We end up not making any progress with North Korea. We have violated the terms of the Iranian nuclear agreement. Russia is already involved in this business. If I wanted to make Americans very dissatisfied with their government and get them into the streets, I would use this asymmetric warfare and look for the lowest-hanging fruit that would affect the largest number of people. Having government services stop working, and especially waste management, that creates health problems that are immense. Because there are no regulatory requirements for the water sector for cybersecurity, that seems really easy to do.

Short-term, what can local governments do?

First, everyone needs to get on their Congress people and say “make [cybersecurity requirements] happen.” Number two, innovative thinking outside the DHS system of coordinating councils and ISACs. We need to break out of that as our mindset and start using innovative methods like nonprofits to start handling the downmarket stuff.

Do you think people are thinking about this stuff more?

I do, and it’s the stories like Atlanta that are driving the narrative. When something happens to an organization that looks like you, the question is ‘what’s the risk here?’ Government manages by landmine. I think it’s also getting people to ask more questions about what it means to them. We also need to be very aware of geopolitical events. Nation-states are now everybody’s problems. They want to disrupt and destroy. You do that to local governments, people die.

This interview was edited for readability.

This story was featured in StateScoop Special Report: Public Safety & Emergency Response (2018)