State of Michigan Chief Security Officer Chris DeRusha Discusses Michigan’s Cutting-Edge Cybersecurity Efforts
WASHINGTON, DC – U.S. Senator Gary Peters (MI), Ranking Member of the Homeland Security and Governmental Affairs Committee, helped convene a hearing on establishing effective cybersecurity practices for state and local governments in Michigan and across the country. Chris DeRusha, the State of Michigan Chief Security Officer, testified during the hearing and discussed Michigan’s cybersecurity leadership.
At the hearing, Peters highlighted his commonsense, bipartisan bills to help states, localities, and schools get the resources and information they need to combat growing cyber threats. Peters’ bills include efforts to provide better cybersecurity information and expertise to state and local governments, ease the process for local governments to transition to .gov domain names, establish a Cybersecurity State Coordinator program, and secure students’ sensitive personal information at K-12 schools.
Below is video and text of Peters’ and DeRusha’s opening remarks at the hearing:
Peters’ remarks as prepared for delivery:
“Thank you, Mr. Chairman, and thank you to all of our witnesses here today.
“I’m especially pleased that we have Chris DeRusha with us today. He is the Chief Security Officer for the State of Michigan, and an important partner in combatting cyber-attacks in our home state. Chris, I want to congratulate you on welcoming a baby boy last month and thank your family for allowing you to come to Washington while you are on paternity leave to share your expertise with us.
“The cyber threats facing our nation are becoming increasingly sophisticated and we are all at risk – families, government agencies, schools, small businesses, and critical infrastructure.
“In today’s digital world, state and local governments are responsible for safeguarding everything from election systems to sensitive personal data, including social security numbers, credit card information and even medical records. State and local governments don’t always have the tools to defend against cyber-attacks. Financial constraints, workforce challenges, and outdated equipment are all serious challenges for states and cities.
“Attackers always look for the ‘weakest link’ and that’s why we must ensure that everyone from small businesses to our state and local governments has the tools to prevent, detect and respond to cyber-attacks. That’s why I have introduced commonsense, bipartisan legislation with my colleagues on this committee to help bolster our cybersecurity defenses at all levels of government.
“I introduced the bipartisan DOTGOV Act with Chairman Johnson and Senator Lankford to help state and local governments transition to the more trusted and secure dot-gov domain.
“I also introduced the State and Local Government Cybersecurity Act with Senator Portman. This will help DHS share timely information, deliver training and resources, and provide technical assistance on cybersecurity threats, vulnerabilities, and breaches with states and localities.
“In 2016, in my home state of Michigan, hackers used a ransomware attack on the Lansing Board of Water and Light, forcing taxpayers to pay a $25,000 ransom to unlock the targeted computer systems. My bill would give cities and states the tools to prevent and respond to these kinds of attacks more effectively.
“Recently, Richmond Community Schools in Michigan were closed for a week due to a similar attack demanding a $10,000 payment. Luckily, their data was not compromised. But this attack exposes a dangerous vulnerability as schools maintain a considerable amount of sensitive records related to their students and employees – including family records, medical histories, and employment information.
“I introduced the K-12 Cybersecurity Act with Senator Scott to protect students and their data by providing better cybersecurity resources and information to K through 12 schools in Michigan and across the country.
“It is clear that these kinds of attacks are only growing and they pose a serious risk. I will continue working to ensure that all of our state and local governments have the resources, information and expertise they need to safeguard Americans.
“I will keep working with my colleagues on this important issue, and look forward to hearing from today’s experts on what else the federal government can do to prevent cyber-attacks.”
DeRusha’s remarks as prepared for delivery:
“Thank you Chairman Johnson and Senator Peters for inviting me to testify today.
“As the Chief Security Officer for the State of Michigan, I am excited for this opportunity to highlight the steps we are taking to better secure our state, and discuss the enduring challenges we face at the state and local level.
“It is no surprise to the members of this committee that the threat environment we face is daunting. Attacks on government organizations at all levels continue to rise and demonstrate the ever-expanding resources and skill of our adversaries.
“For example, State of Michigan firewalls repel over 90 million potentially malicious probes and intrusion attempts every day, and we are far from unique.
“I’d like to start by providing a brief overview of our efforts at the state level in Michigan.
“For over a decade, state-level IT and cybersecurity have been centralized under one agency – the Department of Technology, Management, and Budget (DTMB). Centralization enables the state to enforce common security policies, standards, and controls across state agencies, and leverage economies of scale when procuring new technology.
“Some successes we’ve had as a result include: a standardized risk assessment and security accreditation process for all new IT systems; the ability to apply governance and enforce security policies across all state agencies; mandatory cyber awareness training and phishing exercises; a common operating picture of threats facing the entire state government enterprise; and the ability to act with command and control authority to respond to incidents.
“In Michigan, we work as a team across several organizations with cybersecurity responsibilities, formally delineated in the Michigan Cyber Disruption Response Plan.
“Michigan Cyber Security within DTMB manages the state’s information security program. The Michigan Security Operations Center hosts advanced security capabilities such as threat hunting, incident response, digital forensics, and vulnerability management.
“The Michigan State Police’s Michigan Cyber Command Center investigates computer-based crimes and coordinates cyber emergency response efforts during critical incidents in Michigan. Whereas DTMB is primarily focused on the state government’s information assets, State Police’s purview extends to all of Michigan.
“Michigan is fortunate to have both Air and Army National Guard Units with cybersecurity capabilities. We work closely with our colleagues in the Guard to formalize coordination in times of emergency through joint exercises and regular interactions.
“Next month will mark the first National Guard assessment of a state agency’s cybersecurity capabilities, which will enhance our knowledge of one another’s capabilities and improve our ability to collaborate during an emergency.
“While the close working relationship between DTMB, Michigan State Police, and the National Guard is essential, another key relationship is the one we share with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“Michigan is fortunate to have a CISA cybersecurity liaison. By having a direct line to DHS, we are able to incorporate Federal Government cyber threat information into our decisions and streamline access to Federal expertise and resources.
“To that end, S. 3207, the Cybersecurity State Coordinator Act, would be a major asset to state and national cybersecurity efforts by ensuring greater continuity between the efforts of states and the Federal Government. It would also provide a stronger state voice within CISA, helping them to better tailor their assistance to states and localities, who have widely varying levels of maturity and needs.
“S. 1846, the State and Local Government Cybersecurity Act, would help states like Michigan access resources, tools, training and expertise developed by our Federal partners and national cybersecurity experts, to include DHS’s National Cybersecurity and Communications Integration Center (NCCIC).
“I want to sincerely thank the Chairman, Ranking Member, and numerous members of this Committee for their bipartisan leadership on this legislation. The State of Michigan fully supports efforts to see both bills enacted into law.
“I would like to conclude my remarks by highlighting the needs and challenges of our local government partners.
“Governments at the Federal, state, and local levels digitally interact with each other every day. This interdependency means improving the security of any of these levels of government requires enhancing security capabilities for all.
“As much as state governments face shortages of human and financial resources, they are far more scarce for local units of government.
“Of Michigan’s 83 counties, which are home to approximately 10 million residents, only three have uniquely designated Chief Information Security Officers. Even their websites face legitimacy challenges as fewer than 10% use the .gov domain, opting instead for the easier-to-obtain .com, .net, or .org domains.
“S. 2749, the DOTGOV Act, seeks to ease the process for these governments to obtain .gov domain names, providing the sites themselves with greater security and offering greater assurances to residents that they are, in fact, looking at a government website. This Act is an important step in the right direction and I am hopeful this bill will be enacted into law.
“The State of Michigan has also been proactive in developing innovative ways to provide support to county and local governments.
“In 2018, our “CISO-as-a-Service” initiative leveraged a centralized pool of cybersecurity experts to advise a pilot group of counties and cities on their security posture and provide an improvement roadmap. While the results were positive for the 13 participant communities, the model lacked scalability for the 1,600+ local IT entities across the state.
“A successor program, “Cyber Partners,” is pulling together the IT and cybersecurity leadership of county and local governments across the state by providing a forum for sharing best practices, expertise and threat information. Cyber Partners is currently piloting a new initiative that would assess risk posture against the CIS top 20 critical security controls, develop prioritized improvement plans, and potentially provide additional consultative assistance and managed security services.
“This work has been essential as the State of Michigan, and the country at large, prepare for the upcoming 2020 elections.
“In addition to helping counties and localities improve their defensive postures, Michigan has also taken steps to help them respond to incidents when they do occur.
“The Michigan Cyber Civilian Corps is an organization of highly qualified cybersecurity professionals who have volunteered their skills to respond to incidents at critical infrastructure, county, or local government organizations. Currently 100+ members strong and growing, the group has worked alongside Michigan State Police to help numerous organizations respond to significant compromises of their systems, including ransomware attacks, and helped reestablish operations.
“In closing, our country’s state and local governments are on the frontlines of today’s digital conflict, attacked daily by highly resourced advanced persistent threats, and there remains a great deal of work in order to secure the networks we rely on to provide essential services to the public.
“The State of Michigan greatly appreciates the attention paid to this issue by the members of this committee and we look forward to continuing to work with you to secure our critical infrastructure and protect our residents.
“Thank you again for inviting me here today to tell the Michigan story and I look forward to answering any questions you may have.”