Federal CISO says there’s much feds ‘can learn from the states’

One of the Biden administration’s top cybersecurity officials said Thursday that the federal government can glean many lessons from programs enacted at the state level, especially as the White House expands its attention on protecting computer networks and hardening critical infrastructure.

In brief remarks to the Michigan Cyber Summit, Chris DeRusha, the federal chief information security officer, recounted his own experience as that state’s top cyber official.

“I know from my experience with the state that there is much that we at the federal level can learn from the states,” said DeRusha, who served as Michigan’s chief security officer from 2018 to 2020.

DeRusha singled out several programs he oversaw or worked with during his state-government tenure, including the Michigan Department of Technology, Management and Budget’s risk-assessment services to local governments and the Michigan State Police’s cyber crime unit, which he called “one of the most sophisticated.”

“This is not happening in every state,” he said. “Though Michigan’s done a lot of big creative things, there’s a lot more you can keep doing. This is quite clearly to me not the time for status quo. Doing the things we know work is just not going to get us there.”

He also said that of the many cybersecurity topics he’s focused on, zero-trust architecture is the one he’s most bullish on.

DeRusha now is responsible for carrying out President Joe Biden’s May executive order setting breach-notification requirements and software security standards for federal contractors, along with expanding cybersecurity event-logging rules for federal agencies.

He won’t be the only former state cybersecurity leader working to implement that order: Earlier this month, the White House hired New Hampshire CISO Daniel Dister as one of DeRusha’s deputies.