Ten months after John MacMichael resigned as Washington, D.C.’s first-ever chief information security officer, the district has appointed a permanent replacement in Suneel Cherukuri, a longtime network-security architect for the city. Cherukuri, who has worked for the city on-and-off for about a decade, had become the acting CISO in January, when MacMichael left for a job with the research firm Gartner.
In an interview with StateScoop, Cherukuri said he plans to continue the “programmatic approach” to cybersecurity that he credited MacMichael with developing.
“We’re taking a holistic approach toward security,” he said. “That means we’re taking cybersecurity as a [citywide] program. I’m trying to make that program better by making decisions in terms of collaboration between agencies.”
Before, Cherukuri said, the nearly four dozen agencies that make up the D.C. city government approached cybersecurity problems on an ad-hoc basis, treating the information security office as more of a troubleshooting shop than a leader that can set citywide policy.
“Previously, someone came to us with a problem and we said ‘this is how you solve a problem,'” he said. “Somebody said ‘I need to publish a website,’ we said, ‘this is how you publish a website.”
Under the system MacMichael established, Cherukuri said his office is much more rigorous when evaluating an application an agency wants to install. “What is this application?” he said he asks. “What is this application going to do for the district? What information is it going to store?”
By asking so many questions — however seemingly obvious — Cherukuri said the CISO office is developing standards and guidelines for city agencies that can give it a stronger cybersecurity posture in the future and keep the district’s computer systems out of the headlines.
“We stayed out of the news for a very long time, which from my perspective means we’re doing something right,” he said.
But D.C.’s government networks have been the cause of ugly cybersecurity incidents, notably in January 2017, when a ransomware virus infected the system that stores footage collected by city police department’s surveillance cameras. The cyberattack, which hit days before the presidential inauguration, knocked out the cameras for three days and was blamed for the loss of surveillance footage that could’ve helped police make an arrest in the murder of an elderly woman.
Federal authorities eventually traced the ransomware incident to hackers in Romania, one of whom was extradited to the United States and pleaded guilty to taking part in the attack. But the episode was still a bad look for D.C.’s cybersecurity preparedness. Cherukuri blamed a lack of cooperation between his office and other agencies, and said it helped spur the development of the CISO’s new method.
“That is why we did the programmatic approach,” Cherukuri said. “Both sides are to blame, and the compartmentalization in D.C. existed prior to 2016. We did not want to work together even though we are all one single entity. After that, we started collaborating more.”
Now, Cherukuri said, he meets regularly with agency chief information officers, as well as the individual agency employees tapped to lead their bureaus’ cybersecurity efforts. The meetings were started after D.C. Mayor Muriel Bowser issued an executive order in April 2017 establishing a citywide data policy. Cherukuri credited Bowser with taking the most interest in cybersecurity of any of the three mayors he’s worked for. (His previous city service came during the mayoralties of Anthony Williams and Adrian Fenty.)
In his role as the city’s top cybersecurity official, Cherukuri also oversees mandatory training for the municipal government’s 35,000 employees, which he said will become much more rigorous than the once-a-year, half-hour seminars of the past.
“When it comes to user experience, it’s very hard if you ask a person to take one 30-minute course,” he said. “One of the initiatives we plan is to make it much more targeted, so when you see an increase in phishing attacks, there’s a targeted training that talks about phishing efforts and what the user needs to do.”
During Cherukuri’s first stint with the D.C. government, from 2006 to 2010, he worked as a network security engineer. Between stints with the city, he spent time in Australia, working as a security consultant for ANZ, one of the largest banks in Australia and New Zealand.