A lawyer who likes information technology

Any public official who is responsible for cybersecurity will learn that a command-and-control management style doesn’t work, said Will Pelgrin, director of New York state’s Office of Cyber Security and Critical Infrastructure Coordination.

“Everyone in this agency has an opportunity to make their case,” he said.

Pelgrin enjoys discussing all sides of a problem before making a decision. “In the end,” he said, “it is not who is right but that we do the right thing.”

Besides being the state’s top cybersecurity official, Pelgrin is the founder and chairman of the Multi-State Information Sharing and Analysis Center (MS-ISAC), an organization with members from all 50 states and the District of Columbia.

It was created in 2003 to help state and local governments and industry protect their cyber infrastructures from an attack. The center’s purpose is to build relationships and trust among its members so they can prevent or respond to a major cyberattack.

Pelgrin also is chairman of the New York State Public/Private Sector Cyber Security Workgroup, whose members include executives from critical industry sectors such as agriculture, public safety, telecommunications and utilities.

Partnership is an overused word, Pelgrin said, but it accurately describes the workgroup. He had to assure the partners that he wasn’t interested in imposing additional reporting requirements on them.

“I’m a real deliverables-oriented person,” Pelgrin said. He is not interested in endlessly debating issues without reaching a conclusion. Whether beginning a major project or organizing a group, Pelgrin said he prefers to get something started and modify plans later.

Pelgrin’s vision and management style have made him a leader in the cybersecurity community, said Alan Paller, director of research at the SANS Institute, an educational organization for security professionals.

“He’s the most capable person I’ve ever met who finds ways for everyone to win in this difficult area of cybersecurity,” Paller said. “He honestly looks for the other guy’s benefit. People know that, and they [want to] work with him.”

Information sharing and analysis centers were created as part of the Homeland Security Department’s preparedness efforts, but only two have been notably successful, Paller said. One is the Financial Services ISAC. The other is the MS-ISAC. DHS has recognized the MS-ISAC as a national center for coordinating states’ cyber readiness and response.

The center initially included only states in the Northeast. Pelgrin reached out to other states, and under his leadership, the MS-ISAC created a secure Web portal for sharing information. It also has a public Web site. Through its National Webcast Initiative, the center has produced cybersecurity Webcasts viewed by thousands of participants nationwide. Its members have participated in reporting and simulation exercises, including events known as LiveWire03 and this year’s CyberStorm 2006.

No breaches
A lawyer by profession, Pelgrin said he had to take his legal hat off to help ensure the center’s success. He initially asked lawyers to stay out of the way. On their own, MS-ISAC members developed a one-page principles-of-conduct document that states that the goal of the parties is to share confidential information without violating the rights of others.

For the two and a half years that members have shared information, “not one breach of confidentiality [has] occurred,” Pelgrin said. The MS-ISAC brought in lawyers later. Now all but one of the member states have signed nondisclosure agreements, and the final state is in the process of signing an agreement, he said.

Pelgrin said he wants to bring more local governments into the MS-ISAC. In the smallest municipalities, the town clerk is the cybersecurity official. “When you have a town clerk who is a part-time person whose [computer] is in their home…you can understand that the challenges are huge,” he said.

One town clerk told Pelgrin, “When I get your alerts that say patch, I look for duct tape.” Pelgrin recognized that small towns need extra help. The MS-ISAC now offers a 10-page cybersecurity guide for elected officials.

Open door
Pelgrin has a strategic vision of the importance of information sharing among states and between the states and federal government, said Andy Purdy, acting director of DHS’ National Cyber Security Division.

He also has a knack for working with people on important issues. “There is nothing that we can’t deal with if people feel good about coming and talking about it,” Pelgrin said.