In 2010, police investigating what appeared to be a relatively minor case of financial fraud made a startling discovery: The case they were working on — which involved $30,000 stolen from a local college — was linked to a worldwide crime ring that was using malware to harvest personal data from infected computers and then sending it across the globe.
The larger implications of the case came to light after forensic images from college servers were examined by the Center for Internet Security (CIS), a New York-based nonprofit that acts as a hub for sharing cyberthreat information and security best practices among state, local and tribal governments. CIS analysts discovered that the servers were infected by a nasty piece of computer code called Qakbot, which opens a back door into compromised computers, allowing cybercrooks to steal confidential information.
By examining file transfer records from the college, the analysts determined that 17 states were victims of the crime ring, and they tracked down an IP address in Russia that was downloading the stolen information. With the permission of police investigators, the CIS quickly contacted states that were impacted and organized a conference call for members of its Multi-State Information Sharing and Analysis Center — known as the MS-ISAC — to warn others of the danger and tell them how to block it.
The incident, in a nutshell, demonstrates why the CIS may be one of the most potent weapons that states and localities can bring to bear against increasingly sophisticated cybercriminals and terrorists. Every state in the union now shares cyberthreat information through the MS-ISAC, and the CIS is working to pull in more local governments. The organization also has formed key relationships with the Department of Homeland Security and others, allowing it to tap into federal funding and cyberthreat intelligence.
Most of what the CIS provides comes at no cost to public agencies. Membership in the MS-ISAC is free, as is access to a storehouse of best-practice information, including standard templates that show agencies how to secure their computers, and shopping lists for the types of tools needed to lock down government systems and data. The CIS also offers an expanding number of paid services and programs that give agencies access to more sophisticated security capabilities at steeply discounted prices.
The seeds of what is now the CIS were planted in the years immediately after 9/11. The country was scrambling to safeguard its critical infrastructure, and Will Pelgrin, then director of the New York State Office of Cyber Security, saw the need to strengthen cybersecurity in the nation’s 50 state capitals. The best way to do that, he recognized, was for state governments to share with one another information about the cyberattacks hitting their computer networks.
Pelgrin talked 10 states into joining the fledgling MS-ISAC. That number grew to 15 before the group’s first official meeting, an event that drew a visit from Howard Schmidt, who was then in his first tour of duty as White House Cyber Security czar.
“It wasn’t your typical government meeting. Our attitude was, ‘Let’s don’t talk this to death; let’s get something done,’” Pelgrin recalled. “I remember Howard sitting next to me, and he just leaned over and said, ‘This is a good meeting. Can you do this for the rest of the country?’”
And that’s what Pelgrin did. Somewhat miraculously, he built and maintained support for the multi-state information sharing group under five New York governors, running the organization within the state cybersecurity office. Eventually he coaxed all 50 states to voluntarily join the MS-ISAC, along with a number of local governments and territories.
Pelgrin is quick to credit MS-ISAC members for the group’s success. But industry veterans say Pelgrin is the driving force. A trained lawyer, former state CIO and passionate security advocate, he has a nearly perfect skill set for leading the organization.
Michigan Chief Security Officer Dan Lohrmann has worked with Pelgrin since the early 2000s and spent five years on the MS-ISAC board of directors. He describes Pelgrin as “relentlessly positive.”
“What he does is focus on the pieces of the puzzle that we can agree on,” said Lohrmann. “He fixes those and then moves onto the next thing.”
In addition, Lohrmann describes Pelgrin as a master networker, easily rubbing elbows with federal lawmakers and unafraid to testify on Capitol Hill. And, in an industry that’s often obsessed with secrecy and legal protections, Pelgrin tends to cut through bureaucracy. For instance, Lohrmann says the MS-ISAC was built on a foundation of trust, common purpose — and very little red tape. “Will’s approach was, ‘Send me an email and you are in.’”
Pelgrin may be a lawyer himself, but he admits to steering clear of legalities — at least as much as possible, given the sensitive nature of the group.
“For the longest time I kept lawyers away from the table,” he said. “I didn’t want nondisclosure agreements; I didn’t want contracts. I wanted people to come in with a common passion and a common understanding. It was very informal within a formal context. We developed a code of conduct that you respect the other person’s information and you don’t use it without their approval — and that we’re all in this together.”
One fundamental goal of the MS-ISAC was lifting the shroud of secrecy that surrounds information security breaches so that states could learn from one another.
“In the past, people just hid it. You didn’t know that you had a breach because the person who is responsible probably fixed it really quickly and didn’t say anything,” Pelgrin said. “We can’t have a culture that feels that way. We need this to come to the surface; we need to be able to talk about it.”
That starts with a painful admission from Pelgrin. Years ago, his own home computer was infected by a virus. He still keeps the compromised PC in his basement — a reminder to stay vigilant — but said he intends to take a sledgehammer to it someday. “I start out a lot of my speeches by saying, ‘Hi, I’m Will Pelgrin and I’ve had a security breach,’” Pelgrin said. “If I’m not going to say it, who is?”
Desire for better information sharing drove the biggest change in the MS-ISAC’s existence — a shift to nonprofit status in 2010. After nine years of operation within New York state government, the MS-ISAC joined with the Center for Internet Security, a nonprofit group that had been providing checklists for securely configuring computer systems since 2000. The combined organization, which retained the CIS name, moved into a state-of-the-art facility just outside of Albany, N.Y., and Pelgrin became its CEO.
The move to nonprofit status eases turf disputes with other government entities, Pelgrin said. And positioning the MS-ISAC as a trusted third party opens the door to greater information sharing between the public and private sectors, as well as new types of partnerships. “We’re doing things now that I don’t think would have been possible as a for-profit or government entity,” he said.
The heart of the CIS is the Security Operations Center (SOC), where teams of analysts monitor customer networks and scan the Internet for emerging threats 24 hours a day. In the room’s dim light, banks of monitors glow with news coverage and maps showing cyberalert levels for all 50 states. MS-ISAC members agree to follow a standard color-coded, five-level alert protocol. During a recent visit, most states on the map were shaded blue, indicating a “guarded” condition. The rest were green, signifying low threat activity.