Published: 01 Sep 2017
A week before the inauguration of the new U.S. president in January, portions of a police surveillance camera system in Washington, D.C., were infected by ransomware, making them inoperative for several days. The cybersecurity incident underscored the special challenges for a municipal government that lives cheek by jowl with America's national government.
Three years ago, the District of Columbia's Homeland Security Commission's 2013 Annual Report recommended the city establish the position of CISO to help provide an information security program to address the overlay of systems between the federal and local governments. Finally, after a lengthy search, part of that goal was accomplished in 2016 with the recruitment of John MacMichael to be government CISO for the District of Columbia's Office of the Chief Technology Officer.
A retired navy captain, MacMichael was heralded for launching and leading successful cybersecurity and military IT organizations within the public sector, the U.S. Navy and the Department of Defense. During his military service, he was responsible for all strategic and long-haul communications and cybersecurity in the Pacific region. After 20 years of service, MacMichael took his military IT and cybersecurity knowledge to the private sector. He served as information security and compliance director for Hawaiian Airlines and as vice president of IT for Charter Communications. While his positions have varied geographically and functionally in recent years, one thing has stayed consistent: MacMichael joins Sherlock Holmes, Maria von Trapp and Aristotle on the list of avid beekeepers.
Do you see your military experience as directly relevant to public and private sector CISO roles?
John MacMichael: The military cyberdefense experience has been relevant to my industry and government CISO positions. There may be a difference in priority and strictness in the military, but the technical threats, vulnerabilities, methods and challenges are the same across all sectors; we all share common or similar networks, systems and business needs.
A recent Wall Street Journal article by Christopher Mims declared "All IT Jobs Are Cybersecurity Jobs Now." That declaration wasn't a surprise to me, having grown up in military IT or cybersecurity while the military and banking [industry] were the leaders of cybersecurity.
This has been our mindset since cyber became a priority and focus area in the early 2000s. I was able to participate in the growth of [cyber] into defined warfare areas for each of the services. The lessons I learned around the people, process and technology that support cybersecurity have been ones that I have been able to use outside the military. I tend to consider myself less of a 'cyber guy.' That helps me keep the focus on implementing risk-wise decisions.
D.C. is a unique entity. What kinds of regulatory frameworks and best practices do you follow?
MacMichael: As a district government, we support over 90 agencies that represent all facets of the constituency, including finance, tax, healthcare and education. This in turn means that we must take into account specific sector requirements. While we don't have a requirement to align to the Federal Information Security Management Act, we have based our overall approach on the NIST [National Institute of Standards and Technology] Cybersecurity Framework and the Risk Management Framework, as they are recognizable standards that allow us to more easily meet the sector requirements.
As the first CISO for the city of Washington, D.C., how have you approached building out a District-wide cybersecurity program?
MacMichael: The District had a very solid set of technologies and technical support engineers in place when I arrived. What we have done is develop a cybersecurity organization that allows us to write overarching policies for the District network, provide cybersecurity services to the District agencies and be a technical and thought resource as they develop and implement internal risk management decisions.
What is your vision as the government CISO? Is there anything that you think of as key to decreasing an organization's cyberattack surface area?
MacMichael: I am a believer in data sharing across the Multi-State Information Sharing & Analysis Center. State, local and tribal governments are in a unique position in that we are encouraged to share information, and the MS-ISAC is a strong resource. Not all sectors are so willing to share with their competitor organizations.
I am also a proponent of the NIST Cybersecurity Framework; most other frameworks or requirements generally align or can be mapped to the NIST CSF. I like to use the Center for Internet Security [CIS] Critical Controls for cyberdefense as talking points to provide specific and actionable ways to stop today's most pervasive and dangerous attacks. We spend a lot of time talking about how to prioritize the CIS 'First Five' to develop cybersecurity hygiene and provide defense against the most common cyberattacks.
Do you have to compete with the federal government and defense contractors for talent? If so, how do you handle those challenges, and what type of person do you most seek to attract to the team?
MacMichael: This is a real challenge for any organization in D.C. and the surrounding area. The cyberseek.org Cybersecurity Supply and Demand Heat Map illustrates part of the problem. While the D.C. area has a 'very high' geographic concentration of cybersecurity jobs, there are a limited number of qualified applicants to fill those opportunities. Worse, many of the roles we seek to fill are very technical in nature -- such as identity access management, SIEM [security information and event management] engineer and cloud engineer. The number of applicants with those specific technical skills [is] even fewer. And we compete against the feds and corporate types that can generally outpay the District.
I try and focus on the areas that they can't: a sense of ownership of the technology and implementation, an opportunity to be a thought leader, a sense of mission in serving the 90-plus mayoral agencies and more than 600,000 residents of the District. The person I most want to attract knows the technology but also wants to lead in the implementation of the solution that meets the agency's requirements. That person winds up being a member of the team, not just an individual contributor that we hired to fill a technology requirement.