Since its creation in 2004, the Multi-State Information Sharing and Analysis Center has gone from a small coalition of IT officials from the Northeast to a sprawling network where state, local, tribal and territorial governments communicate the latest cyber threats, share best cyber hygiene practices, get risk and vulnerability assessments and sign up for network monitoring services.
And earlier this month, the MS-ISAC, which is backed by the Department of Homeland Security as its designated go-to for state and local cybersecurity needs, enrolled its 10,000th member government organization. The milestone also coincides with the 20th anniversary of the Center for Internet Security, the Upstate New York nonprofit group that runs both the MS-ISAC and its newer sibling organization, the Election Infrastructure ISAC, which was created in 2018 to support the federal government’s designation of voting systems as part of the nation’s critical infrastructure.
As the MS-ISAC has grown over the years, it’s helped — true to its name — foster a culture of intelligence sharing among state and local governments that are maturing as cybersecurity organization, Mike Aliperti, the ISAC’s senior director, told StateScoop in a June interview.
“In the beginning, people were unwilling to share,” Aliperti said. “Our concept was that we’ll share what we’re willing to share. Be part of the organization. Eventually the states started to trust us. That trust we’ve built over the years has expanded.”
‘All in this together’
Aliperti said the MS-ISAC, which was born out of the wholesale realignment of national security after 9/11, launched in an era before state and local governments started hiring chief information security officers and got serious about collaborating with other entities — including the federal government, private sector and nonprofit outfits like CIS — on protecting their IT assets.
But Aliperti said recruitment spread by telling potential members that there’s strength in numbers.
“The pitch is we’re all in this together,” he said. “What affects me will affect you. If we can share information about how we’re protecting ourselves or these vulnerabilities.”
Software developers, he said, were a particularly tough sell. “Back then, none of the developers wanted to tell you they had vulnerabilities,” he said.
Nowadays, though, the MS-ISAC is the principal channel for distributing information about newfound vulnerabilities and critical software patches. It also gives its members regular guidance on emerging threats and good habits, including regular daily and weekly advisories, as well as ad-hoc warnings after major events, such as an alert that warned state and local governments to be on the lookout for heightened Iranian cyber activity following the U.S. assassination of one of the Islamic Republic’s top generals.
The MS-ISAC has also ballooned as online threats to state and local governments have grown, with much of the organizational growth coming after 2013, when the modern era of ransomware attacks took off. In the past seven years alone, the MS-ISAC’s membership roll swelled from about 1,000 to the five-digit figure it is now.
James Globe, CIS’s vice president of operations, said that the cybercriminals who prey on the public sector have also grown more sophisticated over that time.
“These days the [hacker] groups are more organized,” he said. “It’s a different world these days.”
But that’s heightened the thirst for more collaboration, especially below the statewide level, Globe told StateScoop.
“Just the nature of how [ransomware] moves from one school to the next school in the same county, that has made city agencies and county agencies want to share information,” Globe said.
‘Really happy it’s there’
The IT officials who make up the MS-ISAC’s members often speak its praises.
“We really value the services and capabilities the MS-ISAC offers,” said New Hampshire Chief Information Officer Denis Goulet. “Many if not all my peers would say the same things.”
Goulet, who’s also president of the National Association of State Chief Information Officers, singled out the Center for Internet Security’s line of network intrusion detection devices known as Albert monitors, as well some of its newer offerings, like a malicious domain blocking and reporting service it launched in September.
“They’ve offered some good things, and through the Albert program, have really delivered some concrete results as it relates to protecting our citizens’ data and systems,” Goulet said. “We’re eager to be early adopters and piloters of new things.”
But, similar to the gulfs in IT funding between the state and local levels, Goulet said states, more than cities and counties, have been quicker to adopt some of the MS-ISAC’s more robust services, such as the Albert monitors, which he described as “out of reach” for many local tech budgets.
Goulet said that in his state, he evangelizes the MS-ISAC’s free services, like free assessments and access to information-sharing feeds, to county and town governments and, increasingly, school districts.
“We were involved with the schools very heavily developing their minimum standards,” he said. “Through that activity our CISO [Daniel Dister] did engage with the tech directors in the systems. We’re really happy it’s there for us.”
EI-ISAC gave boost
Much of the MS-ISAC’s recent growth can be credited to its election-specific sibling. Members of the EI-ISAC — 2,911 state and local election officials at last count — are automatically enrolled in the MS-ISAC. And election officials have also been big buyers of Albert monitors, with some secretaries of state using recent federal election assistance grants to purchase the devices for every county under their jurisdiction.
But even without the boost from the election community, the membership numbers are impressive: MS-ISAC members using the MDBR service blocked more than 10 million malicious domains within the program’s first month. And since 2008, the CIS Controls — a set of 20 enterprise cybersecurity guidelines ranging from basic hygiene to advanced network settings — have been downloaded more than 270,000 times. A series of configuration benchmarks addressing products made by more than 25 different vendors have been downloaded more than 900,000 times.
Still, Globe, the CIS vice president, said the biggest focus area as the MS-ISAC continues to grow will be those smaller local government entities that are still maturing.
“What we’re trying to do is get them to have good cyber hygiene,” he said. “The biggest focus area that we’re pushing is a more integrated security operations with our SLTTs. States are much more secure.”
Going forward, some of those newest operations may helping state and local governments automate their cyber defenses, so that if the MS-ISAC’s operations center picks up on a new threat, it can ping an member’s Albert monitor or firewall to update network settings without the need for a local technical staff to do it manually.
“That’s the future instinct we’re trying to get to,” Globe said.