Security

Michigan’s CISO as a Service Boosts Local Cybersecurity

The Wolverine State is one of a number of states partnering with local communities to improve preparedness and response.

Calvin Hennick

Twitter

Calvin Hennick is a freelance journalist who specializes in business and technology writing. He is a contributor to the CDW family of technology magazines.

Chris DeRusha, chief security officer for the state of Michigan, wants to assist cities, towns and counties around the Wolverine State with their cybersecurity efforts to ease the burden on local officials and help make the best use of their limited resources. He also acknowledges that the cybersecurity partnerships with local governments benefit the state.

“We’re all connected,” DeRusha says. “There’s a local government network, and it runs to the state network to connect with state and federal resources. So, there’s a logical connection. But there’s also a trust connection. When a local entity gets phished, and a legitimate government account gets taken over, that’s something that could come in and affect us.”

Like a growing number of states, Michigan has explored a variety of ways to partner with local governments to ward off cyberthreats. Officials are in the process of revamping the state’s CISO as a Service program, a pilot that wrapped up at the end of 2018 and allowed some local governments to essentially treat the state as their chief information security officer.

Also in 2018, the state passed legislation allowing officials to deploy the Michigan Cyber Civilian Corps (often abbreviated as MiC3) to assist with recovery efforts after cyberattacks on local governments, critical infrastructure and other entities. And officials are experimenting with a program called Michigan Cyber Partners — essentially a club where local and state officials can swap cybersecurity information.

While many state and local governments across the country have stepped up their cybersecurity partnerships in recent years, some have dragged their feet due to concerns about jurisdiction, says Meredith Ward, director of policy and research for the National Association of State Chief Information Officers. But Michigan’s CISO as a Service program cultivated the cybersecurity capabilities of local jurisdictions. Working with the state government, local governments have stood up to strengthen their interconnected IT enterprises.

“Whether you have jurisdiction or not, you can still reach out, make sure you know the IT officials across the state and open the door,” Ward says. “You don’t need legislation or jurisdiction to allow you to do that. It’s just building a relationship.”

Michigan Offers Cybersecurity Aid to Local Agencies

Michigan’s 18-month CISO as a Service pilot was a response to a reality for most local governments: They can’t afford to hire full-time cybersecurity staff. “There’s no money,” DeRusha says. “They can’t hire or retain the employees that the state or federal government can.”

When the program launched, only two counties across the state had a full-time CISO, notes Andy Brush, who leads cybersecurity partnerships for the state. Previously, Brush was IT manager for the state's Washtenaw County, which participated in the CISO as a Service program.

“The challenge has always been that there are so many things you can do to improve your security posture, but which should you do first?” Brush says. “That was the goal of CISO as a Service, to focus on improving the top five or 10 cybersecurity priorities for a community. At the county level, the program allowed us to prioritize what was a series of disjointed projects.”

Back to the article Autoplay Full Screen Grid View Exit Full Screen

Back to the article Autoplay Full Screen Grid View Exit Full Screen

A key component of the program was Michigan’s CySAFE security assessment, which it built using Microsoft Excel.

Steve Sedore, executive director of operations for the state’s Allegan County, says the county’s participation in such partnerships has been a “catalyst to become more cybersecurity focused.”

“Over the past couple years, the county has made significant upgrades to our security infrastructure,” Sedore says, noting that the county utilizes Cisco infrastructure. “We have replaced our firewall and core infrastructure switches, as well as completely redesigning our virus, spam and malware environment. We are now dedicating increased time toward other critical controls discovered through the current state analysis performed when CISO as a Service was first rolled out.”

Cyber Civilian Corps Responds to Emergencies

The Michigan Cyber Civilian Corps started as an idea — proposed in 2013 by then-Gov. Rick Snyder — to leverage volunteer cybersecurity professionals in the event of an emergency. But the corps wasn’t deployable until 2018, when the state passed legislation allowing the MiC3 to help out local governments and other entities even when there was no declaration of a statewide emergency.

“We realized we can’t get these people ready for the big ‘bad day’ unless we regularly deploy them on a smaller scale,” DeRusha says.

The MiC3 has around 115 volunteers, and it has been deployed a handful of times after county governments and other entities were affected by incidents like ransomware attacks.

It’s free. You could have a $20 technology budget, and you can play. I’m saying, ‘Here are my experts; it’s not a problem if you borrow them for a few hours a month.’”

Chris DeRusha Michigan CISO

To join the corps, cybersecurity volunteers must pass a series of tests and background checks. “The bar is extremely high,” DeRusha says. “You’ve really got to know you have people who can handle it.”

The corps typically works for a period of three to five days after an attack, helping to remediate damage, wipe out malicious programs and perhaps provide some recommendations for next steps. Ray Davidson, program manager for MiC3, notes that other states likely have a similar crop of cybersecurity experts who would be willing to pitch in during an emergency situation.

“There’s a whole community throughout the country that goes to hacker conventions because they want to understand things better,” Davidson says. “I’m trying to leverage that community to do something good.”

Local Governments Get a Cyber Education

Through the emerging Michigan Cyber Partners program, the state is offering monthly webinars on cybersecurity topics, hoping to share critical information that will help county and local governments, school districts and other entities to defend their networks from various threats.

“It’s free,” DeRusha notes. “You could have a $20 technology budget, and you can play. I’m saying, ‘Here are my experts; it’s not a problem if you borrow them for a few hours a month.’”

“We try to get out and do these from different parts of the state,” DeRusha adds. “There might be eight people in the audience and then another 70 on the webinar.”

“One of the important things other states should know is that we are just collecting and curating information that exists already,” Davidson notes. “We’re just organizing it. States should try to leverage what’s already out there.”

Ward says that such educational efforts can be “extremely powerful” despite not being flashy or high-tech.

“It’s a lot easier to go to someone for help if you have a working relationship with them,” she says. “When I talk about relationship-building, that sounds so basic, but really it’s not. If you just get people talking, it can really help on both sides.”

Photography by Bob Stefko