City

How the pandemic messed up D.C.’s cybersecurity plans

Facing budget constraints and a new cybersecurity model, Washington, D.C.'s CISO is bracing for an "interesting" 2021.

November 12, 2020

Getty Images

Eight months and several digital transformations after the onset of the coronavirus pandemic, Washington, D.C.’s, cybersecurity workforce is finally “able to breathe again” in the new normal of remote work, the District’s chief information security officer, Suneel Cherukuri, said. But looming budget constraints and cybersecurity modernizations will make 2021 an “interesting” year for the city.

Cherukuri, speaking on a webinar hosted by Fortinet Thursday, said D.C. felt a unique pressure at the onset of the pandemic, as it plays the role of state, city and county to its 704,000 residents, many of whom also work in the city. The past 11 months were supposed to be “our year of…maturing technologies and making them efficient and better,” Cherukuri said. Instead, they’ve forced city leaders to churn out new digital services and applications for staff and for residents who need economic and medical assistance.

Even with months of development, Cherukuri said, improving the cybersecurity for remote workers is far from a finished job, especially with the city attempting to build a zero-trust network that, in theory, requires users to authenticate every time they use an application.

“I can never say we’re secure enough,” Cherukuri said, “Now, people are working outside the office, so we won’t always be able to give them the laptop they need. They might have to use their personal computer for whatever reason, maybe their computer broke down.”

Prior to the pandemic, anywhere between 10% to 30% of the city’s government employees worked from home, Cherukuri said, a figure that has since jumped to 63%. Because “you can’t just shut down,” government, Cherukuri said, the transition has been a “huge challenge” at times, including explaining to some newly-remote workers what a virtual private network is and why they need to activate it.

“That’s how our workforce was,” Cherukuri said. “They didn’t need to know it so they didn’t know it. Our use cases were quite different, and week-after-week, we had to come up with solutions. It was quite a journey.”

Now that teleworking is the “new normal,” for District workers, Cherukuri said, some of the urgency in educating and training employees about the basics of how to work remotely has gone away. But while the city began building a zero-trust network nearly three years ago, getting staff to buy into a system that has to be explained via videoconferences is a “bigger challenge” tied as much to behavior as much it is to technical prowess.

“It is all of your applications, your user behavior, and everybody needs to understand what you’re getting at,” Cherukuri said. The expectation for an end user is that they come into the system and they click on one button and everything is right in front of them. Well, it’d be nice if only the important emails stayed on top and everything else disappeared.”

Implementing the technology for zero-trust framework, Cherkuri said, could be done “with our eyes closed. We can just say everybody has to authenticate every single system every single time.”

But actually teaching city workers how to use the complicated framework on an extremely limited budget wasn’t as easy. While all of the city’s new applications are being built on the zero-trust model, enabling nurses, social workers, firefighters and law enforcement officers to use an unfamiliar system will require a lot of help from the private sector in the coming months, Cherukuri said.

“We don’t have the luxury of saying ‘I’ll just try this and see if works.’ Now, everything we do, we want to make sure it actually works,” Cherukuri said. “We don’t have the surpluses we had before. The city needs money to handle the pandemic itself, and also try to keep businesses afloat, keep citizens safe during the winter coming up.”