An underused approach to fighting cyberattacks
The Multi-State Information Sharing and Analysis Center offers free services to help localities with cybersecurity. Why aren’t more governments using them?
At an event in late May, finance officials from a broad swath of localities ranging from small towns to giant counties overflowed a room beyond capacity to listen in on a session about cybersecurity. To start things off, a question was posed to the audience: “How many of you are fearful of a cyberattack on your community?”
Almost all the people in the room thrust their hands upward within a moment. This set the tone for a presentation by one of the panelists, Theresa Masse, who works as a cybersecurity advisor with the federal Cybersecurity and Infrastructure Security Agency (CISA) in region 10, which covers Alaska, Idaho, Oregon and Washington. She explained to the audience that the agency provides a variety of cybersecurity resources, most of them free of charge, to communities and government agencies. She indicated her hope that more localities would take advantage of these services.
Masse spoke about the work being done by CISA, which was founded in 2018, to help fight off cyberthreats, but we were particularly intrigued by an effort funded by Congress and administered by CISA called the Multi-State Information Sharing and Analysis Center, or MS-ISAC. The laundry list of offerings provided by the center is long and varied. “Technology is evolving at an ever-increasing pace,” says Rita Reynolds, chief information officer at the National Association of Counties. “And MS-ISAC is extremely valuable for helping local governments keep up with the threats it poses.”
States, localities, territories and tribal nations all live in fear of cyberthreats, and the anxiety is mounting now as many dread the possibility of a breach in their technology during the upcoming primary elections. Yet, only about 12% of the non-county localities in the U.S. are members of MS-ISAC, while less than half the counties are. Why?
“This is a question I ask myself every single day,” says Jillian Rucker, section chief of state, local, territorial and tribal engagement at CISA. She indicates that one of the biggest problems is that small municipalities, many of which don’t have a full-time cybersecurity official, lack the resources to even know what is available. “If you’re playing a multihat role, it’s very difficult to know everything that’s available to you,” she says. “It’s a huge, huge challenge to get to those entities.”
This is a real pity. “We refer to them as cyber underserved and they can absolutely get the most benefit from the services that we provide,” says Karen Sorady, vice president of MS-ISAC Member Engagement. Even though membership is approaching 16,000, she adds, “there’s a lot more that don’t know about us.”
What’s more, although MS-ISAC has no specific data on the number of its members who are accessing the resources it provides, Sorady says it is apparent that there are localities that join and then are largely inactive. “We have been trying to focus more on engagement to ensure that our members are getting the most value that they can out of their membership,” she says.
MS-ISAC was founded as a grassroots effort in 2003, emanating from several states’ cybersecurity offices. “Way back 20 years ago, a number of these professionals began to realize that they needed to collaborate on cyber threats because often something that was hitting one state was almost always hitting others,” says Sorady. “They realized that they would be better off sharing that information to become better able to protect themselves.”
Eventually, the grassroots effort generated Congressional interest and funding, with the program now administered by the Department of Homeland Security’s CISA.
MS-ISAC’s services can be extremely useful. A few of the outstanding ones include:
The Security Operations Center. This is a 24-hour-a-day, year-round operations and analysis unit that monitors and analyzes cyber incidents that have targeted state, local, tribal and territorial entities. It “provides real-time network monitoring and notification, early cyber threat warnings and advisories and vulnerability identification and mitigation,” according to the MS-ISAC website.
“As the trusted third-party source for sharing threat information among multilayers of government, and the public and private sectors, MS-ISAC effectively brokers, filters, and conveys both technical and explanatory information to its targeted government members,” says Arnold Kishi, senior advisor in the Office of Enterprise Technology Services of Hawaii and chair of MS-ISAC's executive committee. “Plus, from a customer service perspective, the MS-ISAC staff is always available to answer questions, talk through and explain an alert or advisory.”
Malicious Domain Blocking and Reporting. Members of MS-ISAC are given free access to a powerful piece of cybersecurity software provided by the technology company Akamai. When members sign up and provide the necessary information, network requests to known harmful domains will be blocked. For example, if an end-user opens an email and clicks on a bad link, the service will block that access. The cloud-based software can be implemented in minutes and doesn’t require any additional software or hardware for users. “It’s a great tool,” says NACo’s Reynolds, “and is proactive in nature and gives counties another degree of defense that helps protect them from cyberattacks.”
Take, for example, AC Transit, a public transit agency that serves portions of Alameda and Contra Costa Counties in California. To replicate the Malicious Domain Blocking and Reporting service provided for free by MS-ISAC would cost over $100,000 a year. But by subscribing, the agency was made aware of some 2,593 threats during the week of June 4. The vast majority fell into the category of malware, designed to potentially gain access to, disrupt and damage computer systems.
MS-ISAC Working Groups. This offering is a particularly important benefit as the groups are made up of members who volunteer their time to directly interact and collaborate with similar organizations. As the MS-ISAC website explains, it allows people to “open new possibilities for your organization’s cyber defense posture as you learn more about what other organizations are doing.”
For example, according to Gary Coverdale, the chief security officer in Santa Barbara County, California, “The mentoring workgroup, which focuses on leadership skills has been going on for about five years now. It’s a yearlong program in which there’s collaboration on specific topics that the mentees bring to the mentors for help with. We have 150 pairings who come together minimally once a month, and then we communicate through email and text to help people who are fresh to the world of cybersecurity to learn how to communicate with the management team at their agencies. The mentors are available all the time. The feedback has been phenomenal, and it accelerates careers in the world of cybersecurity.”
Given the potential of MS-ISAC’s offerings to make the world of high tech safer, most of its new members join the organization based on word-of-mouth from other entities that are already taking advantage of them, explains Ian Moore, Washington state’s cybersecurity coordinator for CISA.
Beyond that, CISA is making a real effort to spread the word about MS-ISAC’s offerings, as well as others that come directly from CISA itself. One of the primary ways it does so is through representatives from each state who go to cities and counties, explains Moore, “and offer them services and talk to them about what we can do ... and all the stuff we provide is taxpayer funded so it never costs anyone anything.”