How would DC handle a cyberattack? Here’s how OCTO and the city approach cybersecurity

Cybersecurity is, by nature, difficult to predict. Be it the constantly changing players, the ever-evolving technology or its need to be instated everywhere, it’s an area with threads in almost everything.

For local government, it’s a crucial component, if not one that can go unsung. In DC, that means constant planning, communicating with all sorts of district employees and making sure no stone goes unturned, the district’s Office of the Chief Technology Officer (OCTO) said.

With all that in mind, when it comes to the district’s cyber policy, DC’s CISO Suneel Cherukuri and CTO Lindsey Parker noted that there’s never a way to be 100% secure.

“Cybersecurity is never absolute,” Parker told Technical.ly. “The truth is that you do need to manage risk, but the truth is that cybersecurity is a big buzzword, a nice way to think about things. But if you are connected to the public internet, you’re never completely secure.”

Still, OCTO has some thoughts on how to keep the city government’s offices safe. Cherukuri said that the big focus over the past few years has been on the risk management framework, as well as focusing on city employees and making sure they understand the potential risks of their cyber decisions.

“It’s not about a shiny new thing,” Cherukuri added. “It’s not this pretty thing that I’m going to spend a million dollars and all of a sudden we’re able to protect ourselves. It’s the ground rules that need to be in place. It’s the basics.”

Lindsey Parker, DC government’s CTO. (Courtesy photo)

According to Cherukuri, the city’s strategy involves a combination of traditional cybersecurity and automation. While it focuses on signature methods, like looking for odd data or other information coming in, it also leans on AI and machine learning to catch cyber issues as they start.

In the 2022 draft budget, the city is putting $15 million towards DC’s “cyber hygiene,” which largely requires implementing a significant risk mitigation framework. It also looks to update some equipment and apply 24/7 remote system monitoring.

“If I fixed my goals on, like, ‘Here is what I’m going to do from a technology perspective,’ it might be obsolete before we even get to the full presentation phase,” Cherukuri said. “This whole discussion will be diverted toward risk management. If I have my risk management plan right, if I have my assessments in the proper way, that is what is going to keep us ahead of the curve.”

OCTO’s work with city officials exists alongside a cybersecurity push in the office’s initiatives for residents. Parker said that the infrastructure bill has more money for cybersecurity than the office has ever seen before. The practice is being baked into initiatives like broadband and the district’s broader tech plan. Mayor Muriel Bowser also created a Build Back Better Infrastructure Task Force, and Parker co-chairs one of its subcommittees.

OCTO also plans to merge cybersecurity into its work with vendor and academic communities, including by creating a pipeline for more cyber jobs. Parker also mentioned Bowser’s investment in several local high schools’ cyber programs to help build the pipeline.

“The more hands, the better, right now, as we think about where we’re going next, as we continue to push out new and better technology solutions across the government,” Parker said. “This is an exciting place to be.”

Planning for an attack

Although the tech chiefs emphasized OCTO and DC government’s separation from the risks of the federal government, the city remains a potential target for attacks. DC’s Howard University experienced an attack last year that kept the school offline for days, and nearby Baltimore’s government has been hit by attacks a few times over the past decade.

In preparing for an attack, what OCTO is really trying to do, Parker said, is bring agency partners along in the work so they understand the risk. Those outside the office can do things like monitor legacy systems and make sure their unit is prepared for an attack.

The preparation is a key part of the strategy, Cherukuri said. Even departments and leaders that claim not to be technical need to understand the tools in place and know exactly what to do. Instead of explaining what went wrong and the next steps after the fact, he wants every department to have a game plan in the worst-case scenario.

That also means keeping the whole staff up to date, which DC government tries to do by having at least one annual training for all employees.

“It’s not even a discussion about how we’re going to move forward, it’s just what we do,” Parker said.