Two years after advisers urged the District of Columbia to take key actions to better manage potentially life-threatening cyber risks in the nation's capital, officials have not yet implemented the recommendations – leaving the seat of federal power lagging behind states nationwide and facing questions from the council overseeing D.C. agencies.
The lack of headway not only illuminates issues unique to the nation's capital, but also provides a textbook example of the leadership, governance and resourcing hurdles confronting public and private-sector organizations as they strive to address cybersecurity as an enterprise-wide risk issue.
The D.C. Homeland Security Commission's first annual report to the mayor and the D.C. Council, issued in early 2014, warned that cyber threats affect all sectors of critical infrastructure “and have the potential for disrupting the four lifeline sectors – energy, transportation, water and telecommunications.”
The report concluded that the District's lack of a senior-executive level chief information security officer (CISO) – a position long considered key for cybersecurity in both government and industry – hampered the District's ability to establish and maintain a District-wide strategy and program to protect information-management assets. It also found that greater coordination was needed among D.C. agencies and with industry and that more investments in cyber workforce education and training would be helpful.
It implored the District's leadership to issue a directive to strengthen cyber-risk management. The directive, the panel wrote, should 1) establish a CISO position; 2) create a governance structure for addressing cyber risks and working with the federal government and industry; 3) enumerate D.C. agencies' cybersecurity roles and responsibilities; 4) establish a process for resolving any disputes among agencies about their responsibilities; and 5) create a task force to complete a District-wide cybersecurity risk assessment.
“The need for such a directive cannot be overstated,” the commission wrote in its report. “The District is an urban area with great reliance on systems and functions that are vulnerable to cyber attacks including a complex overlay of federal and local government facilities and functions, as well as critical infrastructure under both public and private control.”
The commission also urged the District to hire a full-time CISO to serve the entire city without affiliation to any one D.C. agency; to develop a contingency plan for a cyber attack capable of causing a catastrophic loss of electrical power to the District for a week or longer; and to complete cyber risk assessments.
Two years later, however, the District has neither issued a cybersecurity directive establishing a District-wide CISO position, nor hired a CISO, Michael Rupert, a spokesman for the Office of the Chief Technology Officer, told Inside Cybersecurity last week. Further, it remains unclear whether the District will develop a cyber-attack contingency plan as recommended by the commission.
“These recommendations aren't rocket science,” said Jason Healey, a senior fellow with the cyber statecraft initiative at the Atlantic Council’s Brent Scowcroft Center on International Security and a senior research scholar at Columbia University’s School for International and Public Affairs. “They are the nuts and bolts of a basic cybersecurity program which any large organization should embrace. Corporate CEOs and heads of federal departments have been fired for doing far less.”
The commission recommended the District establish and fill “an enterprise-level CISO” position modeled on CISO positions with statewide authority in Virginia and Maryland.
All 50 states have established a CISO or equivalent position – and the vast majority of those positions were filled as of last year, according to an October 2015 report by the National Association of State Chief Information Officers. In the past two years alone, the roles and responsibilities of state CISOs have matured significantly, the association wrote.
“Given DC’s role as our national capital it should, perhaps above any other metropolitan region in the world, be taking the lead (and taking the credit for doing so), not lagging behind,” Healey told Inside Cybersecurity via email. “Hopefully when DC suffers a cyber attack which sheds light on these shortcomings, it will be a relatively benign one, rather than something which affects critical systems.”
D.C. Council Chairman Phil Mendelson told Inside Cybersecurity last week in an interview that he understands that OCTO has given significant attention to cybersecurity and the agency is not ignoring cyber threats. But Mendelson said he was not aware of the status of efforts to implement the commission's cybersecurity recommendations. Mendelson said he would ask OCTO about the matter in conjunction with an upcoming oversight hearing, which might be in March. He underscored the importance of cybersecurity in the nation's capital, noting District and federal infrastructure are intertwined.
Last March, Chris Geldart, director of the D.C. Homeland Security and Emergency Management Agency, told Inside Cybersecurity that the District might publish a cybersecurity directive by late spring 2015. But that effort remains in progress.
“We do anticipate publishing by [the] end of 2016,” Rupert said last week via email.
CISOs are in high demand in industry. Geldart said last year there was no way to hire a competent person through the human resources process, so officials had used a different process to conduct several rounds of interviews. He said at the time that the District planned to set up the funding stream needed to hire a full-time CISO and continue the job-candidate search. That effort remains in progress.
The commission's report noted that the head of OCTO was by default the CISO for the city. It noted that OCTO had created a CISO job under the auspices of its agency and had tried unsuccessfully to fill it. But the report noted there were “no explicit CISO roles within any other District agency and the CISO position within OCTO would not have either the bureaucratic independence or authority necessary to oversee citywide risk reduction efforts.”
“The District’s CISO should be charged with establishing and maintaining the District-wide strategy and program to ensure the protection of information management assets, and maintaining coordination with private sector CISO counterparts,” the report stated. In addition to creating a District-wide CISO, the commission recommended filling the vacant CISO position within OCTO.
“The District has never had a permanent official CISO,” Rupert said. “Previously, the chief technology officer (CTO) or the CTO’s designee has acted in this capacity.”
The District last year hired contractor Science Applications International Corporation (SAIC) to provide the CISO function temporarily in a six-month $150,000 deal as officials worked to arrange a funding stream for a permanent position. An SAIC spokeswoman told Inside Cybersecurity that the company ceased providing the function last July when the contract ended.
The District is not formally advertising for a CISO position.
“There is no position currently posted,” Rupert said via email. “We are working with [the D.C. Department of Human Resources] to address the maximum salary that OCTO can offer for this position to better compete with the marketplace.”
The commission's report acknowledged that the District, like all local governments, faces fiscal challenges, but concluded the “lack of funds committed to cybersecurity stems not from overall resource constraints but more from a lack of coordination and prioritization.” Issuing the recommended directive “would be an important step in underscoring the importance of cybersecurity in the context of annual budget-making,” the report stated.
The commission's call to develop a contingency plan for a cyber attack capable of causing a catastrophic loss of electrical power to the District for a week or longer has received less attention from D.C. officials than the other recommendations.
Geldart said last March that officials had “not been able to move out on” the recommendation to create such a plan. Although such a scenario has very significant consequences it is considered unlikely and therefore had not been the focus of immediate attention, he said. The District has a contingency plan for a catastrophic loss of power for up to a week, but it is not specifically focused on a cyber attack, an agency spokeswoman said last April.
Rupert said all of D.C. government is reliant on commercial power providers. OCTO, he added, has continued to “make security a major priority and has improved its security posture” by investing in new enterprise-grade virus detection and firewall tools; using multiple redundancies across its network; preparing to launch city-wide cybersecurity training programs for all employees; using new tools and cloud-services to prevent distributed denial-of-service attacks; pursuing “a full-scale effort to update and publish new policies”; addressing legacy hardware and software upgrades; and through ongoing city-wide information-technology assessments that identify and address potential vulnerabilities.
The leadership of the District and OCTO have both undergone significant changes since the commission's cybersecurity report was issued. The report to the mayor and the D.C. council was published in January 2014, when then-D.C. Mayor Vincent Gray (D) was facing a re-election challenge from Muriel Bowser (D). Bowser, then a member of the council, ousted Gray in an April 2014 primary, won the mayoral election in November 2014 and assumed office in January 2015.
The mayoral election and the ensuing leadership transition initially led officials to delay developing the cybersecurity directive recommended by the commission, Geldart said in March.
But OCTO's leadership has since been in flux. Three people have held OCTO's top post in the last year. In January 2015, Rob Mancini stepped down. Tegene Baharu was soon appointed to the job. Baharu resigned in October 2015 just before his confirmation hearing. Washington City Paper reported Baharu told others he “underestimated the administrative and political challenges” of the job. An interim successor, David Bishop, was named days later. This week, the mayor announced a new chief technology officer: Archana Vemulapalli, formerly of the facilities management company Pristine Environments.
During Baharu's tenure, OCTO declined to answer follow-up questions that Inside Cybersecurity posed in July 2015 about efforts to implement the commission's cybersecurity recommendations. OCTO ultimately provided responses last week.
The cybersecurity challenges facing state and local governments have not gone unnoticed on Capitol Hill. Last month, the House passed H.R. 3869, the State and Local Cyber Protection Act of 2015, which would require the Department of Homeland Security to assist state and local governments with cybersecurity upon request. DHS already provides such assistance informally, Rep. Will Hurd (R-TX), one of the bill's sponsors, noted last year.
“The need to address cybersecurity at the state and local levels is of the utmost importance,” he said on the House floor before the chamber approved the measure. “From our local DMV offices and courthouses to our critical infrastructure, the exploitable vulnerabilities and possible consequences are alarming. Yet, in the cybersecurity realm, state and local governments often do not have access to the technical capabilities and training that the federal government does.” – Christopher J. Castelli