Federal funding runs out for cyber info-sharing center
Narumon Bowonkitwanchai via Getty Images
By
Chris Teale
Without federal support for the Multi-State Information Sharing and Analysis Center, it now shifts to a paid membership model.
The end of September marked the end of federal funding for a major state, local, tribal and territorial cybersecurity information-sharing center, with the push for renewal ultimately unsuccessful.
The Cybersecurity and Infrastructure Security Agency announced late last month the end of its cooperative agreement with the Center for Internet Security to help fund the Multi-State Information Sharing and Analysis Center, known as MS-ISAC. The $10 million funding cut was first announced in March, and from then on the center operated using emergency funding that has now run out.
CISA said instead, it has “transitioned to a new model” to support state, local, tribal and territorial governments that includes grant funding, no-cost services and tools, security operations center calls, advisors and coordinators to provide their expertise, and more.
“CISA is putting the power directly into the hands of our state and local partners,” Nick Andersen, executive assistant director for the Cybersecurity Division at CISA, said in a statement. “By expanding shared responsibility nationwide, we are ensuring that every community — large or small — has direct access to the resources and expertise needed to defend against today’s threats and prepare for tomorrow’s. This is how we safeguard the systems that keep America running."
The funding cut marks the start of a new chapter for the MS-ISAC, however, which has operated with federal funding help for over 20 years. Instead, the agency now moves to a paid membership model for governments.
“The MS-ISAC, operated by CIS, has been this nation’s most successful public-private partnership,” CIS President and CEO John Gilligan said in an email. “While we are disappointed by this decision, as a nonprofit and nonpartisan organization, CIS remains committed to the SLTT community. The new fee-based membership model for the MS-ISAC will permit it to continue to deliver high-impact cybersecurity services including threat intelligence in a variety of forms and formats, best practices and collaboration opportunities, and effective monitoring, blocking, and response to cyberattacks.”
The loss of federal funding sent shockwaves through MS-ISAC and the 18,000 government organizations it serves. Various groups tried to convince Congress and the Department of Homeland Security to reinstate the funding, including through a joint letter in August to House and Senate appropriators.
In that letter, the leaders of the National Association of State Chief Information Officers, U.S. Conference of Mayors, Major County Sheriffs of America, National Association of Counties and National League of Cities said they use MS-ISAC every day to protect private data and critical infrastructure.
“MS-ISAC helps us prevent expensive data breaches and thwart increasingly sophisticated attacks,” the leaders wrote. “Exploitation of the cyber domain almost always has a harmful impact on the physical world. Without federal funding, our members will be left to combat foreign cyber and multidimensional threats on their own.”
The idea of jurisdictions being left to face those cyber threats alone is a chilling one for many inside and outside MS-ISAC, especially considering that small cities and counties may lack the resources to have a dedicated cybersecurity professional of their own on staff and must try to buy services for themselves, rather than have services provided to them.
“They're going to be critically impacted,” Gary Coverdale, chief information security officer for Santa Barbara County, California, said in a previous interview. “They're going to have to do without all the services that MS-ISAC provides. They're not going to find replacements. They're going to go out and buy replacements. They can't afford it. A lot of these small agencies are very resource constrained, and so it's essentially going to be the weak spot.”
Bob Huber, chief security officer at cybersecurity company Tenable, warned of an exacerbated “cyber poverty line,” especially if smaller jurisdictions are forced to pay a membership fee to be in MS-ISAC, buy their own services or otherwise go without and risk being more vulnerable to attack. He said that while industry was caught “a little flat footed” by the government’s decision to slash funding, it is ready to step up and provide more support.
“Now you're starting to see more of the industry lean forward and try to figure out how we help in that public-private partnership,” he said. “Whether that's a Multi-State ISAC or some other security vendor that does managed services or something like that, I think there's opportunities there for industry to jump in and play a part.”
NEXT STORY: Preparing New York for evolving cyber threats