Will Pelgrin: The CISO-Plus
The CISO's CISO Still Sways Gov't Infosec from the Outside
When Will Pelgrin served as the top IT security officer of New York State, another state's chief information security officer called him the CISO's CISO (see The CISO's CISO). Pelgrin earned that reputation, in part, by creating the Multi-State Information Sharing and Analysis Center, known as MS-ISAC, a 50-state consortium that collects information on cyberthreats to government and critical infrastructure IT and shares that data among the states and local governments.

Pelgrin left his post as New York's director of cybersecurity and critical infrastructure coordination last summer to take on a new role, one that could be called CISO-Plus. He became chief executive officer of the Center for Internet Security, a not for profit that provides IT security benchmarks, which acquired MS-ISAC and the U.S. Cyber Challenge, the group that sponsors cybersecurity competitions and education programs to encourage high school and college-age students to pursue careers in IT security.

"We recognized that a different organizational structure would be more appropriate, one that had the ability to be much more flexible and to move at much more laser speed to challenges that we all face," Pelgrin says in an interview with GovInfoSecurity.com (transcript below).

Pelgrin points out that President Obama's Cyberspace Policy Review and the Commission on Cybersecurity for the 44th Presidency recognized the need for a non-governmental organization to help bridge the gap between the public and private sectors, another goal of the expanded Center for Internet Security.

In the first of a two-part interview, conducted by GovInfoSecurity.com's Eric Chabrow, Pelgrin also discusses how U.S. Cyber Challenge fits into the expanded Center for Internet Studies, why the center will not acquire other organizations in the near future and how it is funded.

In the second part of the interview (see 3 Infosec Challenges States Face), Pelgrin addresses the major cybersecurity challenges facing local and state IT security organizations.

When he served as New York's cybersecurity director, Pelgrin also headed the New York State Public/Private Sector Cybersecurity Workgroup, a group of officials representing federal, state and local governments, academia and business that ensured cyber readiness in the state. He also served as a member of the Commission on Cybersecurity for the 44th Presidency, which recommended cybersecurity policy in 2008 to the incoming president.

New Mission

ERIC CHABROW: The Center for Internet Security has been around for about a decade, but in the past few months seems to be on a new mission. What is that mission and how does the incorporation of U.S. Cyber Challenge and Multi-State-ISAC into this center help accomplish that mission?

WILL PELGRIN: You know, it really started a number of years ago. The Multi-State ISAC is an organization that represents the states, local governments, the territories and tribal governments. When I started it, it was very much a grassroots effort. It started with very few states. As it grew both in its membership but also in its responsibilities to really help the cybersecurity posture of those entities, we recognized that a different organizational structure would be more appropriate, one that had the ability to be much more flexible and to move at much more laser speed to the challenges that we all face, with the support of everyone. I wanted to make sure we did this the right way, starting with the governor of New York State, the state legislature in New York, as well as the White House, Congress, and Department of Homeland Security in particular, all supported that idea.

If you recall, both in the Center for Strategic and International Studies report to the 44th president, it recommended a non-governmental organization that was really necessary to help bridge both public and private sectors in this arena. Subsequent to that, the 60-day (cyberspace policy) review from the president also recommended that both recognized Multi-State ISAC as one of those organizations that was providing valuable services. It was really an intent to say, "How do we move from this environment of government entity still having a very governmental focus and move it into a not for profit?" And, it was critical that it would be a not for profit in that it would have a mission to help bridge both of the gaps of the cyber physical as well as the private and public sector.

CHABROW: And how does the U.S. Cyber Challenge get into all of this?

PELGRIN: When you think about the spectrum of what we're doing, you had the existing Center for Internet Security really focused on those critical benchmarking tools to help secure our infrastructure. You look at what the MS-ISAC was doing, everything from awareness and education to 7x24 monitoring of state and local governments, one of the obvious pieces that is missing is how do we ensure that we have a confident workforce going forward? How do we encourage taking the young individuals out there and building a pipeline and a path from education to the workforce? When the estimates of ten thousand, thirty thousand, whatever the number is of needed jobs in this arena, something needed to be done to start to focus on that population. I was really pleased that Cyber Challenge that started at the Center for Strategic and International Studies came over to the new Center for Internet Security as I took over. I see this as a holistic approach from beginning to end on how do we help on improving the cybersecurity posture of this country.

Leaving Well Enough Alone

CHABROW: Are there any acquisitions on the horizon, perhaps another ISAC or something?

PELGRIN: No, you know me well enough; the only thing I am concerned with is how do we provide a value add? How do we do this in a collaborative and cooperative manner and how do we ensure that we are more secure today than we were yesterday? From my measurement of success, that is what I constantly measure myself against. Persistent attacks, with everything that is going on, looking too far down the road doesn't make a lot of sense since what was happening just over a year ago is dramatically different from what we are facing today and how we are dealing with those. I really look at where we can provide the value add.

One of the neat things that we have done recently, when I started this in New York State, but I did it as Multi-State ISAC, I started a cyberthreat intelligence coordinating group. The purpose behind that was how do we bridge the physical and cyber side together? When you look at how traditionally in the past we would look at a threat-risk analysis to potentially incredible threat, that analysis would focus on - from a physical perspective, let's say just hypothetically a bridge was the critical infrastructure in question, it would look at the consequence of that bridge being incapacitated or destroyed. It would look at the economic consequence to that, the human consequence to that, the inconvenience consequence of people having been diverted if that bridge was also impacted. But one of the things that may not have been considered was, what would have been the cyber effect of that if that bridge was impacted? And as we all know, in certain cases our telecommunication systems may run underneath those bridges. I met with our New York State Police and with the local FBI, we all said we work really well together as situations arise, why don't we institutionalize this and work on a day to day basis. It started small which is what my philosophy always is and then let it build if there is a value to it.

I'm really pleased to say that today we meet on a monthly basis with private and public security at the federal level, not only at the National Cybersecurity Division, the I&A division and the S&T division. The FBI, both locally and Albany, but FBI in New York City and Buffalo and Syracuse, and periodically even from Washington, the FBI chimes in. We have U.S. Air Force, we have U.S. Secret Service, we have Department of Justice, we have diffusion centers, we have the New York State Police, of course, and we have our New York State Office of Cybersecurity, our local police departments, and homeland-security advisers.

The concept was how do we sit down and talk, not necessarily about collaring somebody - if you can get somebody, that's great - but really talk threat analysis and more importantly how do you take that threat analysis and make it actionable? How do you take that information and share with individuals that can actually mitigate or prevent a situation from occurring within their environment? Traditionally, a lot of that information stayed within those communities. It's working so well. I am so pleased that the value has been seeing that right now we have FBI detailed to us, Secret Service is detailed, Air Force will be soon detailed, Homeland Security advisers are looking to do that, state police, fusion centers detailed to us and again on a part-time basis, but that really built a momentum to on a day-to-day activity to start looking at this from a different perspective.

NYS as a Template

CHABROW: Now you were describing things happening in the New York State. Is this happening in other states too?

PELGRIN: The way I brought the other states in is through the homeland security advisers and through them. So, no, it's not happening.

We're trying to build this as a template, and that is why I am so pleased that the federal government is a part of this as a partnership with us in doing this so that it can be replicated, if necessary, but more importantly, how do we ensure that it gets distributed throughout the country to those that want to participate.

For example, with the Homeland Security advisers on board they are starting with all the different state homeland security advisers that are part of the cybersecurity committee within that organization, headed up by an incredible individual, Gen. (Donald) Dunbar from Wisconsin. We are now branching out beyond that. We have New Jersey participating because they heard about this and wanted to be an active participant. So this is all about inclusion not about exclusion.

I'm also bringing in the private sector, so we met with utilities. We met with telecommunications. We met with the financial sector and that will go on an ongoing basis. I can tell you the value of it already is in one little local investigation that was occurring within the law enforcement community, because we are in this environment of sharing, they allowed us to share certain information to all of our members across the country to see if they were seeing something that was part of a real, again very small, investigation that probably would have been closed out as just a local event. That was historic because of sharing outside of the law enforcement community, they trusted us that we would not interfere with their investigation and not go to certain places that could tip off their investigation. But what occurred because of it, we found 19 other states that saw this exact same thing going on that they would not have known necessarily other than for the fact that this was occurring and we were able to take this and it became a much larger investigation of course and is still ongoing, but really critical from the perspective that it showed value immediately.

CHABROW: Can you just give us some idea what this investigation was about?

PELGRIN: The investigation was very similar to a Zeus Trojan, where financial dollars were being tapped and potentially shipped offshore.

Working with the Feds

CHABROW: MS-ISAC recently opened a cybersecurity operation center near Albany, N.Y., and White House Cybersecurity Coordinator Howard Schmidt attended its dedication in November. First briefly tell us about the mission of the operation center and how does that represent the evolution of cooperation between local and state government and the federal government?

PELGRIN: It's a great example of the collaboration between federal and state local governments. We're unique in the country; it provides services to state, local, territorial, tribal governments right now. Congress saw the value of this collective view, which is in my opinion so much more important than the singular view, meaning that if you see something within your own little environment or large environment, you may not take note of it because it's one event within your system, but when I can start to correlate that with multiple events from other entities, it takes on a great significance. And, then going back and look, you can find it really was a bigger event.

Last year alone, we sent out 2,400 notices to all state and local governments regardless of who is actively being monitored. The value of this is that we provide the outcome of all of this and the outfits of all this to everyone, not only to all state governments and any local government that wants it, we post it on our website. We also send to all the different private sectors out there by sector to the National Council of ISAC and each of the ISAC. Plus, we do distribute to as far and wide as possible to all the good people who need to help mitigate and protect their environments.

The mission is to provide security services to those that need it, and again it's very costly to have 7x24, 365 days. Even if you had the money, to ensure the quality of those individuals at the level that you need on a constant basis is vigilance that is very daunting. We see a value that from a cost perspective, we can do this much more reasonably for a lot of entities because the scalability is so great.

I was really pleased that Howard Schmidt from the White House, the president's cybersecurity adviser, came to help launch this cybersecurity operational center. Howard was (at) the very beginning of the Multi-State ISAC. Multi-State ISAC is here because of Howard Schmidt. He said to me at one point, "Do you think you could do this for all the states?" And, naively, I said yes when he was in his first tour of duty at the White House. The creation and its support that we've gotten from Howard and the White House have just been tremendous.

At the Department of Homeland Security, Adm. (Michael) Brown was here, Jenny Menna, Kelvin Coleman and others were here to help take it off, because what it really did is show this integration between the federal and state and local, territorial and tribal governments.

When you look at what we will be doing in 2011, we will be on the joint operational forum in Washington with Multi-State staff. We were there during Cyber Storm 3. It showed an immediate, clear value by having us physically located on that. We are in the process of hiring somebody. We will start at a time shift and then as the value is demonstrated we may look to having it 7x24 in Washington. What that does is provide a direct conduit on a minute-to-minute basis, if necessary, between us and the federal government. That's just huge in its relationship to what we will be offering to state and local governments as to from both awareness and situationally where we need to be and more importantly, what is occurring in their environment near real time. The recognition of this, even Congress was so supportive of this collective and collaborative approach, that they sent their wishes for a successful launch and where we were going to be in 2011 and on. I think it's a great demonstration of that collaboration between the federal and state governments.

Funding Sources

CHABROW: A lot of work is being done by the center in these various areas. How are you being funded?

PELGRIN: Multiple ways again. As a not for profit, our goal is to be sustainable, to bring value to this is to bring the dollar down. You mentioned, when we were talking earlier, sort of the budgetary situation that government is facing generally, but it's not just government. The private sector faces that as well. My concept has always been, how can we do this collectively? Do it once, but share it multiple times. We get funding from the federal government. We are very fortunate and very honored that they fund us. We get funding from some states that have come to us for specific services for them in monitoring their infrastructure. We get some Congress and we have gotten some from grants as well. It is across the board ability.

But one of the good things about being a not for profit, we were not necessarily, in all cases, able to do as a government entity is apply for grants. Some of those grants are limited to that type of an organization. Now, we are looking at where we can provide that. Again, the whole goal is how do we approve the cyber posture of everybody by bringing the cost down for everybody, and making this almost a no-brainer that this is the area that we need to go into.

CHABROW: Are there any private companies contributing to the center?

PELGRIN: Yes there are, Cyber Challenge and on the website in the Cyber Challenge you'll see that some companies have donated to the support of Cyber Challenge, which I think is again such a worthwhile activity. It does two things, not only takes individuals that have incredible potential, bring them into the pipeline, ensure that there is an avenue for them even from high school through college to the workforce, but also and maybe even more importantly, hopefully diverting those that have an interest that may go down the wrong path, sadly, and keeping them on the path to a very productive work environment.



