Episode 119
How to become a CIO (Chief Information Officer) w/ Dan Persico
Dan Persico CIO for the Virginia Department of Elections
Dan Persico served 15 years in the United States Air Force working a variety of duties including tactical aircraft maintenance, command and control actions supporting homeland security, military police, security forces, and advanced program management that included protection of classified and unclassified systems, designing continuity plans, and oversight of information assurance officers.
Dan was most recently CIO/CISO for the Virginia Department of Elections, responsible for overseeing business operations, technology support, software development, project management, cybersecurity, data privacy and governance within the unique realm of elections oversight, designated as national critical infrastructure. He uses knowledge of elections policy and procedures to drive initiatives within the organization.
He plans, organizes, and controls all activities and services, ensuring the effective, efficient, and secure operations of each product line within the portfolio of services and offerings.
He is also a season Ski Race coach instructor.
Transcript
Welcome to the Business Samurai podcast.
Speaker:I'm your host, John Barker.
Speaker:I am pleased and excited to be joined by the Tesla owner.
Speaker:Dan Persico. In his youth, Dan was a cadet in the Civil Air Patrol.
Speaker:And the only reason I bring that up is because anybody that does anything related
Speaker:to aviation, I bring that up just to, because it's, I'm enthusiastic about it.
Speaker:Dan served 15 years in the United States Air Force working a variety of
Speaker:duties, including tactical aircraft maintenance, command and control actions
Speaker:that supported Homeland security, military police security forces,
Speaker:and advanced program management.
Speaker:And those tasks included protection of classified and unclassified systems,
Speaker:designing continuity plans and oversight of information assurance officers.
Speaker:Dan was most recent CIO slash CISO for the Virginia Department of Elections.
Speaker:He was responsible for overseeing business operations.
Speaker:Technology support software development, project management, cybersecurity, data
Speaker:privacy, and all the governance that are unique in the realm of elections
Speaker:oversight, which now has been designated as national critical infrastructure.
Speaker:He used his knowledge of elections, policy and procedures to drive
Speaker:initiatives within the organization.
Speaker:You plan and organize and control all of the activities to ensure
Speaker:effective, efficient, and secure operations of each of their product
Speaker:lines within the portfolio of everything that he was an oversight,
Speaker:which was, as CIO, CSO, everything.
Speaker:Dan, appreciate you taking the time to be here, man.
Speaker:Thanks John.
Speaker:Appreciate you having me.
Speaker:She's going to have a fun and hopefully not make you cry conversation.
Speaker:As we discussed before I hit the record button.
Speaker:So don't make fun of me.
Speaker:Okay.
Speaker:I'm sensitive, right?
Speaker:Yeah.
Speaker:I th you know, those air force guys I'm used to talking to Marines,
Speaker:used to tell me was a former Marine.
Speaker:I have to say former Marine can't say experts.
Speaker:No.
Speaker:There's no, my dad and granddad.
Speaker:So what, give us a little bit, one of the things I, I really want to talk to you
Speaker:about was the role within election security, particularly with all of this junk
Speaker:that's been in the news for the last couple of years, but before
Speaker:it gets to that point, how did.
Speaker:Your career in the air force and your experience lead you into that particular
Speaker:role with the state of Virginia?
Speaker:Great question.
Speaker:And I'm like, how did that happen?
Speaker:You know, I, I've been into technology since I was 15, actually before then, but 15
Speaker:employed, I worked for Best Buy back before it was the Geek Squad, I was I
Speaker:think I was a cashier and then I was doing computer sales and then I got
Speaker:gotten to the computer repair business there and didn't do it very long.
Speaker:But I did get my A+, I think I was like 15 years old and, oh, wow.
Speaker:And so I was, this was all while I was in high school and I was doing some
Speaker:volunteer programs in high school where we refurbished computers for, folks
Speaker:that didn't have the financial means to, to buy their own and things like that.
Speaker:And so I was a lot of just.
Speaker:Work, if you will just fix in computers, replacing parts and then handing them out
Speaker:did similar at best buy troubleshooting, and home, consumer grade, computer stuff.
Speaker:Sure.
Speaker:Yeah.
Speaker:Somehow I was working, I was doing my high school, doing some work with
Speaker:our website and I needed to talk to I needed to talk to what was guess the
Speaker:webmaster, I guess at the time for Stafford County in Virginia. I reached
Speaker:out to her to see if she can do a link to our site or something like that.
Speaker:And.
Speaker:I think after a few conversations with her, I said, Hey, do you
Speaker:got any jobs intern or whatever?
Speaker:And she's actually and then I ended up going to work in there for a
Speaker:little while, which was pretty fun.
Speaker:I learned a lot there also a brief stint working there after
Speaker:school for a few hours a day.
Speaker:And got a lot of got a lot of experience in, more of an enterprise environment
Speaker:and it did everything from touch, endpoints to servers, to network.
Speaker:I remember helping deploy the first wireless access points back in
Speaker:the, the 802 point, what is it?
Speaker:802.1 or 802.11a way back in the day.
Speaker:And deploying these wireless access points for the board of
Speaker:supervisors, and I think that 1998 or nine or something like that.
Speaker:And so I got a lot of experience.
Speaker:I was also doing a Cisco CCNA class while I was in high school and then ended up
Speaker:using my experience that I got working at Stafford County to go get my CCNA.
Speaker:And so I had both an A+ and the CCNA before I ever even graduated high school.
Speaker:And that's unusual at the aisle at the time.
Speaker:Extremely unusual.
Speaker:Yeah.
Speaker:And that didn't really think much about it didn't really care all that much.
Speaker:I ended up joining the military because I wanted to pay for college.
Speaker:Didn't really didn't have a, a college fund set up for me or rich
Speaker:parents that I knew I was on my own.
Speaker:I was like, wow, this will give me experience.
Speaker:And also pay for college.
Speaker:And they had no computer jobs.
Speaker:Everybody wanted to do computers.
Speaker:So I said, whatever, I don't care.
Speaker:I'll just join whatever, but I want to, I want it to be something meaningful.
Speaker:And so I signed up to be an aircraft mechanic and I was an
Speaker:aircraft mechanic on F-16s for my first four years or whatever.
Speaker:And it, I was hoping that I would somehow go to the computer side,
Speaker:but it really never happened.
Speaker:And then I ended up becoming a cop, but intertwined with all of this in
Speaker:those, 14, 15 years in the military I was always doing computers.
Speaker:Even when I was an aircraft mechanic, everybody has everybody
Speaker:in the military, has some sort of, at least in the air force.
Speaker:Everyone, the air force has some additional duty that you do.
Speaker:You can be the fitness monitor.
Speaker:You can be the deployment manager while I was the computer
Speaker:nerd for the group I was in.
Speaker:So the aircraft maintenance group that I was part of I was like the
Speaker:liaison between the communications group and the maintenance group.
Speaker:And that also mean, I, did basic, endpoint, support when we had like
Speaker:email migrations, I was, I would get involved with those in addition
Speaker:to being an aircraft mechanic.
Speaker:So that kept me sharp in, you were like a network engineer
Speaker:administrator of their environments.
Speaker:I did have privileged access, but I wouldn't say I was more like, if
Speaker:somebody put a help desk ticket in.
Speaker:Or need take it in.
Speaker:I was like first tier, basically, on-site there's so I could say
Speaker:like little things, whatnot.
Speaker:Again, when there was like bigger projects, like migrations or equipment
Speaker:refreshes, I would obviously be a lot more involved with those things.
Speaker:And so I wasn't doing this.
Speaker:I'd say I spent maybe five to 10% of my time on a weekly
Speaker:basis doing that type of stuff.
Speaker:But it, what it did was it kept me sharp.
Speaker:It kept me still, using the terminology and lingo and seeing how I remember
Speaker:we did an Exchange Server migration one time and what was new learning?
Speaker:What was new in that, the new Exchange environment from the previous areas I
Speaker:might have experience in that, that helped me a lot, honestly to keep sharp and then.
Speaker:And then when I became a cop, I was doing that a little bit still, but
Speaker:what ended up happening was is that I started getting into cyber crimes and
Speaker:protection of classified information.
Speaker:And they, at one point I, I got brought in as a cop because it was
Speaker:a compatible what they call it, Air Force Specialty Code or AFSC.
Speaker:I had a compatible AFSC with the position that they could open up, but the primary
Speaker:purpose was not for me to be a cop, was really for me to do, cyber security.
Speaker:And that was more, I jumped into that and I did spend a little
Speaker:time working at the FBI Okay.
Speaker:As an I S why I went reservist for a little while, like a year
Speaker:less, and didn't really enjoy it as much as I thought I would.
Speaker:But my what happened was my old boss an older boss who was
Speaker:a cop called me up one day.
Speaker:He's, I got this position, it's a cop position.
Speaker:It's got the potential to get promoted with promotion to this.
Speaker:And you could fill it.
Speaker:You, the billet for it is a cop billet, but it really needed to be an IT
Speaker:guy and helped me secure these things.
Speaker:Cause I have no idea what I'm doing.
Speaker:And so I said, okay.
Speaker:So I went back to active duty and did that for awhile until until I got out.
Speaker:Okay.
Speaker:And then when I got out, I was like, what am I going to do?
Speaker:I love being a cop.
Speaker:That was, I never had any ambition to be a cop.
Speaker:That happened, there's a whole story there for another day.
Speaker:That's a unique transition.
Speaker:Yeah, it wasn't, it was, let's just say it wasn't completely my choice.
Speaker:I had screwed the pooch on on some career progression things, had some issues
Speaker:taking tests, to be honest with you.
Speaker:And yeah, was pushed in that direction to put it nicely and did
Speaker:not enjoy it really the first year or two, but then I really liked it.
Speaker:Cause I, every day was a different day.
Speaker:I was helping people.
Speaker:I learned a lot about that world, but also about myself.
Speaker:So it was a really good opportunity for me.
Speaker:And when I got out of, I was like I really like being a cop, but.
Speaker:I don't really, there's no reciprocity in Virginia as an example.
Speaker:I can't, I'd have to basically start over and I don't really feel I don't feel
Speaker:like starting over making 30, 40,000 a year when I'm, making almost six figures.
Speaker:And or I have the potential to make six figures at that point and get shot at,
Speaker:I have to put out a bullet professing, a shot at, I have a son and he was
Speaker:like, if that's a downside, it was one of those things where it's do I
Speaker:want to do I want to do what I really enjoy, but yet put myself at risk.
Speaker:And it's right, threaten you know, the security of my family or just
Speaker:go sit behind a desk and do computer stuff and make a lot of money, a lot
Speaker:more money than me in a cop anyway.
Speaker:And it was a balance between the two and, it's still I still.
Speaker:I wish I was a cop some days, but I'm happy with, I'm happy
Speaker:with the direction I went.
Speaker:And so my first job out of the military, I was, I think it was, I
Speaker:only spent my two or three months.
Speaker:I was a consultant, but then I became like a I went, worked for another
Speaker:company and became an IT manager director type and been doing the same since.
Speaker:And that was 2014, 2015 timeframe.
Speaker:And I was working for a hospital system, a regional hospital
Speaker:system in Southwest Virginia.
Speaker:At the time when I saw the advertisement for the CIO, for
Speaker:the department of elections and it was just a blatant advertisement.
Speaker:It was a, I li I think it was like a Monster or a random person.
Speaker:I wasn't even looking that hard.
Speaker:I don't believe.
Speaker:I wasn't really thrilled about that job.
Speaker:I was in at the time, the job wasn't good.
Speaker:I just really didn't agree with leadership in their direction.
Speaker:And a lot of my peers felt the same and, it was funny.
Speaker:I laughed in my boss there, who I was pretty close with.
Speaker:We both left at the same time, essentially for the same reasons.
Speaker:And but I got, I ended up applying to be the CIO at ELECT and I had never,
Speaker:I was IT director and I had never been a deputy or associate CIO before.
Speaker:And I thought that I had no chance at it.
Speaker:But when I went through the interview process had multiple interviews and
Speaker:ultimately I was selected for the role.
Speaker:And I literally, as a military guy, Never really care too much for
Speaker:politics or was, it didn't intrigue me.
Speaker:So I didn't really know a lot about it.
Speaker:I knew technology, but I didn't know the business of elections.
Speaker:If you will, at the time it's a completely different world.
Speaker:You not having done a lot of things, whether it's, working at Best Buy duke
Speaker:of yourself or working at Stafford County government doing computer
Speaker:stuff or my various military roles.
Speaker:And then even when I got out, I worked for multiple private sector organizations with
Speaker:different missions or, business different business business types, if you will.
Speaker:I never ever experienced anything like the elections business, to be
Speaker:honest, it was very interesting.
Speaker:When I first came on board, I was I was pretty surprised at the lack
Speaker:of maturity in the IT space, the technology space within elections, but
Speaker:it started to make sense really quick.
Speaker:And to sum that up, it was there.
Speaker:Wasn't a lot of there wasn't a lot of drive or need, if you will, to
Speaker:make technology put technology at the forefront of elections, 10 years ago.
Speaker:So we had an my division in an elections back in 2010 had one full-time person
Speaker:and one contractor from what I was told.
Speaker:That's what I wanted to ask.
Speaker:You don't mind interjecting real quick.
Speaker:The structure of it.
Speaker:Did, were you like the first person that have a direct oversight of elections
Speaker:that as a sole responsibility where you essentially the first CIO CSO of
Speaker:that where you backfilling somebody's?
Speaker:No.
Speaker:Some so it was interesting.
Speaker:We had a we had a long time CIO a great guy.
Speaker:He ended up taking a role, working for a contractor.
Speaker:I think he went to like an SIC or one of those that was supporting the
Speaker:Virginia Information Technologies Agency, also known as VITA.
Speaker:And he he and I worked together numerous times and had a great
Speaker:conversations, a really good guy.
Speaker:But he needed to change.
Speaker:He went on, but when he started, he was, I believe the first CIO he started in, Some,
Speaker:there was a lot of people that got brought in to do different IT-related things.
Speaker:And a lot of those were contractors and there became a need to start flipping
Speaker:those contractors to full-timers cause they saw a more inherent need
Speaker:to put a focus on technology, but it started as small again, 2010, one,
Speaker:two people, I think by the time 2015 came, maybe they had 10 people, 10
Speaker:full-timers somewhere around that.
Speaker:Might've been less and it was really really a still small, very small shop.
Speaker:Most of the efforts were focused on software development around the Virginia's
Speaker:voter registration database, which is, it was called it's called VERIS.
Speaker:And the, there was a company that built that was supporting
Speaker:that for the most part.
Speaker:But the agency, apparently again, this is second hand information
Speaker:cause I wasn't there at the time.
Speaker:It wasn't getting what it needed from this company and decided to bring in more
Speaker:independent contractors and some more full-time staff to manage this platform.
Speaker:And and then 2016 happened and everybody knows what happened in
Speaker:2016 with the election between former president Donald Trump and a former
Speaker:secretary of state Hillary Clinton.
Speaker:It, and then the, initially the claims and then follow up with the intelligence
Speaker:that Russia was interfering with our elections or at least attempting to.
Speaker:And so that really highlight.
Speaker:The technology and the election space more than they ever did.
Speaker:So a lot of organizations in different sectors and the sectors or businesses
Speaker:have had this experience at some point or another, whether it be financial sector
Speaker:medical things, but all of those had kind of a trigger point that they all, we're
Speaker:all a lot more well off, in 2015, 2016.
Speaker:And it was, the election space time to get you will, and really put some emphasis
Speaker:and focus on that because the lights on you, it was, there was a tremendous
Speaker:amount of growth that, that came from what happened in 2016 and the IT space.
Speaker:With Virginia and I'm sure it happens.
Speaker:Similarly in many states or localities every state
Speaker:elections are a state run thing.
Speaker:Every state has a different way of doing business.
Speaker:Some really put the emphasis on localities, running elections in our case
Speaker:in Virginia, it's we're a Commonwealth.
Speaker:Localities do have the most control over elections.
Speaker:And my agency at, sole purpose of it was for oversight over, over making sure
Speaker:that localities not only had what they needed, but that they were following all
Speaker:the laws and applicable regulations that you know, that were in, Virginia's yeah.
Speaker:What the constitution of Virginia, that was the main objective for the department
Speaker:of elections, but every locality has a general registrar and usually a deputy
Speaker:registrar and the buck stops with them more, more so than a and we support them.
Speaker:So from a technology perspective, we provide them access to the
Speaker:Virginia voter registration database.
Speaker:We had a central database that the entire state used and that database
Speaker:contains all the voter records, the eligibility, all that stuff.
Speaker:And it was a massive, it's a massive product.
Speaker:It's a very complex I can tell you it some somewhat overly complex, not just
Speaker:from a developer perspective, but from an end user perspective, it wasn't
Speaker:necessarily the easiest thing to use.
Speaker:It didn't have all the greatest features.
Speaker:And I think that they're addressing that post my departure.
Speaker:Earlier this year, I, there was an active RFP in progress to replace VERIS.
Speaker:And I'm not sure obviously where that stands today, but the idea was to
Speaker:to replace it with a more modern and more scalable product that will serve
Speaker:Virginia for a long time to come.
Speaker:And but the idea was that, okay, so we got this voter registration
Speaker:database that every locality, all 133 localities in Virginia use, how
Speaker:is that system maintained, how is it enhanced and how is it protected?
Speaker:Became a big focus after 2016.
Speaker:When my when the, when my predecessor left when I was mentioning that went more
Speaker:for a contract company, they did bring in somebody for a temporary period of time.
Speaker:And I'm not a hundred percent sure of the story there, but it didn't last,
Speaker:I don't know if it was temporary on purpose or if it was just a situation
Speaker:where that individual wasn't a good fit, but they brought me on and
Speaker:when they brought me on, I was taken aback by the level of maturity.
Speaker:That the organization was at within the IT space.
Speaker:And I was warned my boss, the commissioner had warned me about this throughout
Speaker:my hiring process, but I didn't really understand how the maturity
Speaker:was lacking, how bad it really was.
Speaker:And there was a lot of reasons for that funding being one of those.
Speaker:And just having, a big picture oversight.
Speaker:I came from two previous roles where I was in, hospital system and then
Speaker:a truly private sector organization.
Speaker:And those two organizations help give me a really good insight
Speaker:about the way things should be.
Speaker:And so when I got to the department of elections I immediately, within
Speaker:my first week I was like, wow Yeah, I've got a lot of work ahead of me
Speaker:and and I hit the ground running.
Speaker:I did hit the ground running.
Speaker:Were you talking about kind of oversight and making sure the
Speaker:localities could run the elections?
Speaker:Were you responsible for not just the database, but like the voting machines
Speaker:and things of that nature as well?
Speaker:Yeah, so we had we had a few divisions within the department of elections.
Speaker:I was just one of the divisions, the IT division, and, but we had our election
Speaker:services division and they helped
Speaker:make elections happen.
Speaker:We had a, we had policy folks within that space as well.
Speaker:We had a communications division.
Speaker:We had training folks to help train registrars and things like that.
Speaker:We had an actual business part that also controlled the, the business aspects.
Speaker:So there was multiple divisions, all had different things.
Speaker:The IT thing, the IT division's primary focus was providing
Speaker:these products and services.
Speaker:Just like anything, just like any organization, IT organization providing,
Speaker:we had our, we had customers let me back up first, we had the, our biggest system
Speaker:was the central voter registration data, but we also had a campaign finance system.
Speaker:It is required by law that the political candidates and such have to.
Speaker:Be very transparent about where their money is, where the money's coming from
Speaker:for their campaigns and things like that.
Speaker:Even just down to putting signs in front yard, if you don't have certain things on
Speaker:it who this was, who the page sponsor was or endorsed, or who's endorsing this th
Speaker:those rules about that, but the campaign finance system was used to for anybody who
Speaker:had any campaign that had the file what was, what the, where the money was coming
Speaker:from and where it was going essentially.
Speaker:And that was one of my, that was.
Speaker:Second largest system.
Speaker:We also have our website, our citizen portal website which, you, me as residents
Speaker:of Virginia could go in and register to vote request an absentee ballot.
Speaker:Since we knew that now I think different things like that.
Speaker:Change of address type of stuff make sure that we're still registered
Speaker:properly, all those things, so that's our citizen portal.
Speaker:So those are our three main major products.
Speaker:Obviously one of them was completely public facing the campaign finance one
Speaker:was for the campaigns themselves, and then the central voter registration
Speaker:databases meant for the department of elections staff, but also all
Speaker:of the registrars and their staff.
Speaker:And so we had a lot of different users.
Speaker:Accessing a lot of different systems.
Speaker:We had internal stuff too.
Speaker:We under my purview I implemented the Atlassian suite of products.
Speaker:If you're familiar as an example, Jira, Confluence, I was really
Speaker:focused on bringing knowledge management and collaborative, project
Speaker:management approaches using those systems to bag it through, when I
Speaker:got there as an example agile was talked about, but it really wasn't.
Speaker:And so I really had a strong push to get us, My division because it was, primarily
Speaker:our focus was software development.
Speaker:We needed to be doing software development.
Speaker:The rest of the world is doing it, which is mostly agile, some form of agile right.
Speaker:Scale or whatever.
Speaker:So we started we started moving towards that and having systems
Speaker:like Jira and Confluence were really important to make that happen.
Speaker:And we use, we replaced a few of our other things like we had different ticketing
Speaker:systems for software development and we had a different ticketing system for
Speaker:just like normal help desk requests.
Speaker:And.
Speaker:I'm like, why are we using all these different systems and support
Speaker:for licenses let's unify it.
Speaker:And that actually talks to itself, living up to the government a
Speaker:trend of inefficiency is the key.
Speaker:Yeah.
Speaker:And that was really a huge focus because, I've majority of my life, in public sector
Speaker:whether it'd been the military or at the FBI, Stafford County, the majority
Speaker:of my life has been public sector.
Speaker:And I've seen this, all too often these inefficiencies and in a lot of
Speaker:ways, wasteful spending and really wanted to But that was, that's always
Speaker:in the back of my mind, whenever whatever decision I was making, about
Speaker:how we were going to move forward.
Speaker:I always thought about the taxpayers first and many of my staff or
Speaker:former staff would say the same.
Speaker:They would tell you.
Speaker:Yeah.
Speaker:Dan was always like taxpayer this taxpayer that, and it was true
Speaker:because I'm a taxpayer, Virginia, this is my money going to this stuff.
Speaker:So I want us to do this, I want us to be efficient.
Speaker:I don't want a million products all in place.
Speaker:It also makes it harder.
Speaker:I was going to say, make your jobs easier when you start consolidating
Speaker:your tool suite to a handful of things versus 9,000 exactly unified
Speaker:experience, helps reduce administrative overhead as what I always said.
Speaker:And so those were some things, just small things that I tackled especially
Speaker:early on, it took a long time to make some of those things happen, but
Speaker:that's the government way sometimes.
Speaker:So anyway, yeah, that was a major focus to bring external best
Speaker:practices to the organization as well, to reduce inefficiencies and
Speaker:to reduce administrative overhead.
Speaker:And again, that was like really important as a CIO, but then there's
Speaker:a lot of other things going on too.
Speaker:And one of the reasons my former boss brought me on is because of
Speaker:my best cybersecurity background.
Speaker:We had one information security analyst.
Speaker:Wow.
Speaker:When I began and that individual did not have all of the.
Speaker:What they needed to have to be successful, to be honest in the role.
Speaker:And it was very hard, but you asked about like voting systems and w and I kinda went
Speaker:off the rails a little bit there trying to talk about the organizational structure
Speaker:and how our customer, who our customers.
Speaker:Yeah.
Speaker:We had our public, we had our internal to the department customers, and then
Speaker:we had all the registrars and then anybody, any of the campaigns, one,
Speaker:one of the, we had different areas.
Speaker:We had these voter, we had these platforms or general it systems, but then we also
Speaker:did have to support the certification process of all the voting technology.
Speaker:And that was one of the strangest things to me, because like I'm coming in.
Speaker:I don't know anything about.
Speaker:These scanning, these scanners, these electronic devices used to check
Speaker:voters in at polling locations.
Speaker:I had no idea.
Speaker:And there's multiple vendors out there that are approved in the
Speaker:state and they're all a little bit.
Speaker:But what I did find out is that our certification process was very new and
Speaker:in its infancy, when I first got there we, and we were revamping it at the time.
Speaker:It was started before I got there the revamping of that, and it really
Speaker:made us we created a certification process that helped match the election
Speaker:assistance commission at the federal level and exceed their standards that
Speaker:they recommend for states to follow.
Speaker:And it's now being fully implemented and it get where
Speaker:there's a lot of focus on security.
Speaker:Even down to wiping thumb drives that, that, that are
Speaker:putting these computers there.
Speaker:They have so many like different audit trail type of things associated
Speaker:with how you transfer data is very spelled out so that way there's
Speaker:no nefarious activity.
Speaker:And then once it's done and over with you, or whether you're done using the
Speaker:device or it's brand new, it's got a, you follow like DoD wipe standards, seven-pass
Speaker:wipe, things like that.
Speaker:Those were never really spelled out before where they are now.
Speaker:And a lot of work went into that and I can not take much of the credit there
Speaker:because when this was all happening I was dealing with a lot of other things
Speaker:that I'll get into here in a minute.
Speaker:But one of my counterparts who left the agency before I did
Speaker:he spent lot of time working with different vendors, different localities
Speaker:and other experts, and to come up with this to make it a really solid.
Speaker:Plan.
Speaker:So bottom line is that if any vendor wants to sell election equipment such as
Speaker:scanners or ballot scanners or whatever, they have to go through a rigorous process
Speaker:it's gotta be approved all the way up to the state board of elections, which is the
Speaker:oversight for the department of elections.
Speaker:It's it was when I was first started a three member board.
Speaker:Now it is a five member board as of, I think, okay.
Speaker:July 1st, I think it became a five member board and they fill those slots.
Speaker:They, that board has to approve any changes that are not like
Speaker:super minor, like typo type thing.
Speaker:They have to approve any change as recommended by the security team that I
Speaker:did eventually stand up and myself and the commissioner once that all, once all the
Speaker:internal approvals occurred, then it would go to the state board and we would have
Speaker:to present it to them in public session.
Speaker:Wha you know, and they would have to say yay or nay to it.
Speaker:And then once that occurred, then that vendor could then sell whatever
Speaker:product it is to the localities.
Speaker:So that was a big deal
Speaker:standing up, but a lot of other states were pretty impressed with it,
Speaker:and even maybe starting their own certification process to match ours.
Speaker:I know that a lot of states like to look at us. We looked at other states too.
Speaker:Colorado is a really good, they set a really good standard when it comes
Speaker:to elections and are a lot like us.
Speaker:So I got to converse with my CIO equivalent in Colorado
Speaker:quite often. I was going to ask if you interacted with a lot of your
Speaker:other counterparts in the other states to do, to kind of information
Speaker:share, here's what we see works.
Speaker:Here's what we don't see works.
Speaker:I know that.
Speaker:Like you said, each state has their own set of rules and the kind of things,
Speaker:the way to execute, but there are still best practices within security.
Speaker:And there's also things like, if somebody is becoming a test bed of
Speaker:bad things, it's, oh, hey guys, just be aware, we're experiencing
Speaker:this, be on the lookout type of stuff.
Speaker:Absolutely.
Speaker:And we definitely got a lot better over the three years that I spent there almost
Speaker:three years I spent in the department. There was a lot of collaboration between
Speaker:our state, different states, our federal partners, and even local partners.
Speaker:And then some even, partners that are private sector, CIS, they have
Speaker:the ISACs, information sharing and analysis centers, and they have them
Speaker:for financial, well, there's an MS,
Speaker:Multi-State ISAC, and under the MS-ISAC, they stood up an Elections
Speaker:Infrastructure ISAC, which I also sat on their executive committee for
Speaker:a period of time while at elections.
Speaker:And that brought a lot of us together talking about different things and how
Speaker:we can make things better, but also offering, intelligence to the best of
Speaker:the ability without getting too crazy in the classified realm from
Speaker:the national security aspect, but there was intelligence sharing about threats.
Speaker:There was, we've had different
Speaker:big ransomwares that come out, right?
Speaker:They would say, they would send out messages.
Speaker:Here's what you're looking for.
Speaker:Here's where you can report issues.
Speaker:Here's where you can get help if you were attacked or whatever.
Speaker:Like they're really good.
Speaker:Everybody bonded really well.
Speaker:In my opinion.
Speaker:As time went on from when I first started at ELECT, and it
Speaker:really, actually felt very good.
Speaker:It's not people really care about our democracy and want to collaborate and
Speaker:want to share and want to be better because the building blocks of this country
Speaker:are at risk, essentially, post 2016, and coming together was really good.
Speaker:Technology
Speaker:being as immature in the election space as it was, it was really important
Speaker:to recognize that and to put a lot of effort and energy into that.
Speaker:And I think that we are in a lot better place.
Speaker:I, I hear a lot on the news about this.
Speaker:I got a thing in Georgia, this Arizona, that following this last,
Speaker:the last presidential election.
Speaker:And, I can't speak to any other state, but I can say that, holy cow, we were
Speaker:night and day from when I first started to when we had the last few elections, we've
Speaker:had major elections, with our ability
Speaker:to protect ourselves, to share intelligence, to recover if there
Speaker:is an issue, to get the right people.
Speaker:I had FBI, CISA slash DHS on speed dial.
Speaker:I can call them anytime and say, Hey, I, this is an issue
Speaker:I need help here or whatever.
Speaker:And they were there without a problem.
Speaker:And honestly, I didn't ever need help with my area,
Speaker:thank God, my department, but I did support a lot of localities
Speaker:who really, some of them.
Speaker:Yeah.
Speaker:Let's call this the salacious part of the conversation, or at least a
Speaker:little bit, if you experienced it, you, I remember you making a comment.
Speaker:I think we talked at some point last year where you were talking about the national
Speaker:exposure that Virginia had in this last election, because it was only one or two
Speaker:governor's races in the whole country.
Speaker:So when something like that happens and you've got that spotlight
Speaker:on you, are you getting, one,
Speaker:do you feel the pressure, but two, are you getting a lot more
Speaker:outreach from those other places?
Speaker:Because the national focus is very limited.
Speaker:So were you getting proactive phone calls from CISA and FBI and, absolutely.
Speaker:Absolutely.
Speaker:And it wasn't just this election, to be honest with you.
Speaker:It was, we had, there was a lot of productivity throughout the
Speaker:last two years, I'll put it that way, with my last few years there.
Speaker:Even if it was smaller elections that weren't even on, they were always there.
Speaker:And a lot of times proactive.
Speaker:There was a lot of pressure on the agency, on the localities, the registrars in this
Speaker:last governor's race, it was in a way it was worse than the 2020 election for us.
Speaker:No, not in a way.
Speaker:It was because, and we knew going into that, that there were not many elections.
Speaker:It was an election off year for most people, but in Virginia, and my
Speaker:former boss used to say all the time, like we're always having elections.
Speaker:People ask us, it's annoying.
Speaker:I live in Stafford where you it's super, super annoying.
Speaker:Sorry.
Speaker:I had to enter.
Speaker:Of course.
Speaker:Yeah.
Speaker:It's like all the time.
Speaker:There's like an election.
Speaker:I think.
Speaker:On average, we're having six elections a year, the last, pretty much every year
Speaker:I worked there, it felt like it was like, say it could be something small,
Speaker:like a special election, or it could be a little larger state level election,
Speaker:or it could be a national election.
Speaker:There's always, there was like, there was always elections going on.
Speaker:And for me and my team whatever, whether it was a big presidential or
Speaker:it was a Virginia governor's race, or it was a special election, honestly.
Speaker:There's more attention with the bigger races, but the amount of work we had to
Speaker:do on our end was the same, getting the systems ready and all that our election
Speaker:services division, as well as my division.
Speaker:I had to put about as much effort in for every single election,
Speaker:no matter what the size was.
Speaker:Obviously there's more, little bit more to it with the bigger
Speaker:ones, but it sure felt the same.
Speaker:And it was constant.
Speaker:It was there, there was always an election.
Speaker:There was always the same, concerns.
Speaker:And that made some of my chain, most people at, in the previous
Speaker:role in other previous roles will say, I'm a change agent, right?
Speaker:Like I, I go in and I'm looking for problems and looking
Speaker:out to solve the problems.
Speaker:And that's one of my, one of my key contributions in the workplace overall.
Speaker:It was really hard to push forward change the way I wanted to, not just because I'm
Speaker:in the government entity, public sector is not always easy and it's really slow.
Speaker:And it, it gets bureaucratic at times.
Speaker:When there's always an election going on, you can't be making changes to systems.
Speaker:We will go and change all this other stuff.
Speaker:And it really made it difficult to push the ball forward sometimes.
Speaker:So we really tried to like cram things in. Last year was a great example.
Speaker:The Virginia Information Technologies Agency had to move the
Speaker:data center, their on-prem data center, to a new place.
Speaker:And we knew about that for awhile.
Speaker:Unfortunately some of their requirements and rules will not let us move some
Speaker:of our physical servers away to their new data center because they were
Speaker:virtualizing everything to make, to meet the governor's executive order
Speaker:from a few years ago, which required all agencies to get to the cloud by XYZ.
Speaker:And I spoke about VERIS, the central voter registration
Speaker:database, and it was a beast.
Speaker:And one of our database servers required a lot of memory, a lot of
Speaker:memory that they would not be able to get for us in that environment.
Speaker:So we had to quickly pivot on a dime and make, I had to make a decision to move
Speaker:not just that platform to the cloud, but decided that if we're going to do one and
Speaker:the one that we're doing is our biggest.
Speaker:And we have all these integrations with the other parts of it.
Speaker:We might as well do it all.
Speaker:And so we were also supposed to be doing redistricting based off
Speaker:of the 2020 census with.
Speaker:I believe so.
Speaker:I know some of that stuff is going on now or has just got wrapped up.
Speaker:So it's now going on right now.
Speaker:But we were supposed to start it last year on this time and it was like,
Speaker:how are we going to do all this?
Speaker:And thank God for at the time that the census and the state was not, they were
Speaker:not ready to do it in the spring, in the late winter, spring of last year.
Speaker:And so last year we migrated every application and everything
Speaker:to the cloud, to Azure.
Speaker:And that was a big win, but it was a nightmare.
Speaker:And we were trying to do it in between special elections.
Speaker:And we had the potential for having to start this redistricting.
Speaker:And we didn't know when that was coming.
Speaker:So there was a lot, and it took us till, I think the majority of
Speaker:it got done by June, that migration, and I think we were the first agency,
Speaker:at least executive branch agency in Virginia, to migrate all of
Speaker:its applications to the cloud.
Speaker:Meanwhile, while dealing with elections and whatnot and getting ready for
Speaker:this big gubernatorial one that we just went through in November,
Speaker:like there was so much going on.
Speaker:I thought 2020 was bad. 2021 honestly put 2020 to shame.
Speaker:And in retrospect I cannot tell you how last year was a lot.
Speaker:There was a lot going on between the cloud migration and these
Speaker:elections and, projects that we're trying to keep moving forward.
Speaker:There was a lot.
Speaker:And so that was long-winded, but it was definitely a rough,
Speaker:a rough experience.
Speaker:How much, and I don't know if you experienced this at your time, that
Speaker:is there if it did some of the elected officials, if there was changeover, I'll
Speaker:say either from one party or ideology or priority even if it was, would play
Speaker:into either your decision-making or something that you had active going on,
Speaker:you mentioned the the executive order.
Speaker:But I would imagine that, let's say there was a switchover at a board of
Speaker:supervisors in a county or, the state legislature swaps houses or something
Speaker:like that, that reshuffles things around.
Speaker:Did you experience any of that at your, in your time?
Speaker:Other than having to do special elections as a result, like at one person leaves
Speaker:and then they have no, but no policies or no, no internal priority changes
Speaker:within the elections department.
Speaker:Not really experienced.
Speaker:I'm sure it's probably different today as we have a new governor.
Speaker:I left right at the beginning of January before the change of power
Speaker:and never really saw much policy change in that regard because I
Speaker:was the entire time I was there.
Speaker:Governor Northam was the governor.
Speaker:And even though seats were changing, the one thing that I did, the one
Speaker:thing that did occur, but I would not have it, it seemed normal for me
Speaker:because at the time I think when both, I think both chambers went blue when I
Speaker:first the, it was like the first year.
Speaker:Yeah.
Speaker:That was like the first year in a long time.
Speaker:That's happened the first time in 60 years or something crazy or whatever that
Speaker:may have been right when I got there or.
Speaker:Shortly thereafter.
Speaker:And the amount of laws, election laws were Cree.
Speaker:I think we had 57 or 58 legislative changes ahead of 2020
Speaker:that needed to be implemented.
Speaker:And a lot of those were, like, required
Speaker:IT changes, and it really crushed my development team and Mike and the QA
Speaker:folks and our infrastructure folks who were doing
Speaker:these deployments, our DevOps folks.
Speaker:It was just, it was like there was change after change.
Speaker:And I remember we, didn't a good example of our immaturity.
Speaker:We didn't have change control when I got there.
Speaker:There were people doing deployments
Speaker:without me even knowing about it as a CIO, and then come in the
Speaker:next morning and VERIS is down.
Speaker:And it's, what happened?
Speaker:I called my director of this area software development, and he didn't
Speaker:know exactly what was going on.
Speaker:And then I called this other guy and he said, oh yeah, we did that last night.
Speaker:And I'm like, okay, nobody told me about that.
Speaker:And that was systems that, we broke something and there's no record of it.
Speaker:Like it was that type of crazy when I got, when I first got there, it
Speaker:didn't stay that way for very long.
Speaker:I think three months, I had change control, we were having weekly
Speaker:meetings and we made it, all the directors basically were voting
Speaker:members of the change advisory board.
Speaker:And, like, I would be either the overrule or a tiebreaker person, and, you know,
Speaker:IT governance 101.
Speaker:But the whole point of saying that was that there were, because there
Speaker:were so many changes happening as a result of the legislative changes.
Speaker:Some of these bills had been, they tried to get through for years.
Speaker:And, I guess, in the case of the majority of the legislative
Speaker:branch being blue now, there was a lot of people on the Republican
Speaker:side that were blocking those bills.
Speaker:So as soon as they had majority, all these things started flowing like a faucet, and
Speaker:It was wild.
Speaker:How many things that were coming through at any given point in time with that,
Speaker:because there was a system change here, early voting was one of them,
Speaker:early voting, which we do, and absentee, early slash absentee vote.
Speaker:I do early voting in person.
Speaker:And that's it's really awesome to have that ability, but the amount of changes
Speaker:I thought about you last year, yeah, thanks for my life is way easier now.
Speaker:But my team really like they, they work countless hours to,
Speaker:to implement these by the cause.
Speaker:It's not just that these laws get passed.
Speaker:Implementation deadlines, July 1st is when most laws go into effect in Virginia.
Speaker:But in some, and most of these changes had to go in by July
Speaker:1st of every year, every time they would do this. Some of them could be
Speaker:staggered cause it would be like the next presidential election or whatever, or
Speaker:the next federal election I should say.
Speaker:And so that some of those gave us some leeway, but for the most part,
Speaker:they had to be implemented right away.
Speaker:And when it's hard for a legislator to know the implications of all these
Speaker:changes coming through all at once and how fragile our systems are sometimes,
Speaker:specifically I spoke about VERIS and how these changes were, A, hard to make, B,
Speaker:we don't want to, like, have them
Speaker:making multiple changes at the same time, break something completely anomalous
Speaker:with, and having those conversations, the charted out was just, it was crazy.
Speaker:And then the deadline doesn't make it easy either because now you're rushing things.
Speaker:And we because we were also immature in certain areas.
Speaker:I think I had, like, two QA people, having to QA all three major systems,
Speaker:three major platforms, any changes that happen, two people that can QA it.
Speaker:And I'm pulling other people in, some of our BAs and whatnot, to help with that.
Speaker:And that's hurting them too.
Speaker:But like I wish at points in time, I wish that the legislators knew the
Speaker:consequences of what they were doing.
Speaker:To us and how it was very hard because we're still a small team.
Speaker:I think at the end, between contractors and employees, it might've been like
Speaker:40 plus just a little over 40 people at the max and, with all the customers
Speaker:internal, external, and then in the field with all the systems that we had,
Speaker:it was a lot, it was quite a bit I know that they're in a better place now.
Speaker:When any whether we're talking about public sector, private sector,
Speaker:whenever there's a requirements are downward driven I believe that
Speaker:it's very important for those folks making those decisions to really,
Speaker:truly understand the ramifications of what they're asking or directing.
Speaker:And it would have been, although we were very successful in making all the
Speaker:changes that we were required to make, obviously, because we don't want to be
Speaker:in violation of the law and get sued.
Speaker:The fact of the matter is that it takes a toll on people.
Speaker:People have to do the work and, if the budget doesn't allow me to hire
Speaker:more people and train them up, that's going to make it even more difficult.
Speaker:I am very grateful for my team to this day and all the work that they
Speaker:did to make all these things happen.
Speaker:I can say with, without a doubt, that Virginia did a great job in
Speaker:all the elections since I've been there, making them accessible
Speaker:to everyone and free and fair.
Speaker:And no, that's no, that's awesome.
Speaker:And I think.
Speaker:I want to echo that sentiment because I've actually had that conversation
Speaker:recently that it seems like large,
Speaker:some of those Fortune 100, 500 companies take that same approach.
Speaker:And as someone that's driven lots of projects, you've got to have all
Speaker:those stakeholders at the table.
Speaker:It's not that you're against the changes that are coming, but don't make an
Speaker:arbitrary decision without understanding exactly the, kind of the scope and
Speaker:level of effort that goes into that.
Speaker:And matter of fact, you'll be a champion of that instead of having
Speaker:arbitrary timeframes, which is for better or worse in your case,
Speaker:probably what happens when you get.
Speaker:An elected official with no experience in this and making promises that they
Speaker:don't exactly understand in some cases.
Speaker:And I think it's worked for us, like people like me and my peers and my leader.
Speaker:It's, I think it's also important that, we try to educate them.
Speaker:And if I talk to you about localities and I don't know how much time we
Speaker:have, but if I talked about localities and get more on the security topic
Speaker:one of the things that I would do with, so I assisted them on multiple
Speaker:cyber attacks at localities across Virginia. Dive into that for a minute.
Speaker:Oh, without, so, you know what, at one point there was a rural
Speaker:locality who did not really have
Speaker:any more than a guy that showed up once a week for a few hours
Speaker:to up printers and whatnot.
Speaker:This locality, it got completely taken down by a ransomware attack and was out
Speaker:of commission for a month and a half. Basic services, like life safety type things like
Speaker:911 and things, were back up pretty quick or either were up pretty quick
Speaker:or were not effective in the same way.
Speaker:So the worry, the concern that wasn't bad, but that's still a huge concern
Speaker:and validating that they're okay.
Speaker:Was really important.
Speaker:But when all of your constituent services, whether it's getting a
Speaker:building permit, election, whatever, pay the water bill, like personal
Speaker:property taxes, things like that, when you can't do those things, that
Speaker:puts you in a grinding halt.
Speaker:And it's not just about the county collecting revenue, but if I'm if
Speaker:I'm building a house or want to put stairs off my deck and I need
Speaker:a building permit and I can't do it because your phones are
Speaker:down, can't get in touch with you,
Speaker:I walk in, computers are down and can't do nothing for you.
Speaker:That's pretty bad.
Speaker:And that happened numerous times in my tenure, and
Speaker:'cause there was a law that was passed back in, I think, the 2019 General
Speaker:Assembly session that basically gave the Department of Elections the authority
Speaker:to ensure that locality security met a specific set of standards that eventually
Speaker:myself and a work group created.
Speaker:And then the state board promulgated out to all the counties.
Speaker:So like when, and when you say security, not just election security,
Speaker:but you're talking about a whole infrastructure, whole everything security.
Speaker:So here's the thought process here.
Speaker:And I'm going to bounce around a little bit.
Speaker:So a few years ago there was a locality out there, and I said this
Speaker:in some public speeches that I made.
Speaker:You can probably Google it pretty easily too.
Speaker:Now this isn't, this one be public, but bottom line they bought.
Speaker:Was it Kaspersky?
Speaker:Yeah, I think.
Speaker:Oh yeah.
Speaker:Yep.
Speaker:And then you might've heard this story off.
Speaker:We talked about this maybe off on a side or something, and one
Speaker:time they got Kaspersky, that individual that was the sole
Speaker:information security officer analyst
Speaker:when I got to the agency had said, can't use that.
Speaker:It's, like, Russian, it's a Russian product.
Speaker:And that was a nighttime news thing.
Speaker:And it's on the DHS
Speaker:do-not-use list, basically.
Speaker:She told the, whoever was running it in this locality, they said,
Speaker:don't care, money's spent, we're keeping it.
Speaker:My boss ended up calling, I think it was my boss.
Speaker:That ended up calling the locality.
Speaker:County administrators, city manager type.
Speaker:And they sided with the IT thing.
Speaker:Eventually it caused a lot of waves.
Speaker:Eventually they removed that.
Speaker:We negotiated for them to remove it from the election computers,
Speaker:but this got brought up.
Speaker:And so the law basically says that because the registrars in each locality are
Speaker:supported by the locality, they're not.
Speaker:Their paychecks come from locality, but some of that money comes from the state.
Speaker:There's some reimbursement for the registrar, but they're not
Speaker:really full state employees.
Speaker:The, I think they're considered constitutional officers, so
Speaker:they are in a way independent.
Speaker:They don't report up through the county administrator city manager.
Speaker:I want to say, I want to say something only because you triggered
Speaker:a thought and I want to tell you a story after you get done.
Speaker:I was told board of supervisors were constitutional authorities and they
Speaker:didn't have to abide by any of the IT regulations of anybody anywhere.
Speaker:And I looked in their face and I said, one, I don't believe you.
Speaker:But two, anyway, I digress.
Speaker:I don't know.
Speaker:I don't know about that one.
Speaker:I have the board of supervisor, they're supposed to follow the same rules
Speaker:that are driven by the policies and procedures from the IT department, if
Speaker:there is an IT department, but that's all, then we'll talk about that.
Speaker:It's interesting.
Speaker:It's interesting.
Speaker:So these folks are getting the registrars are getting their
Speaker:computers from the locality.
Speaker:And if we use the locality I was just starting to talk
Speaker:about, the ransomware attack,
Speaker:they got one IT contractor that shows up once a week.
Speaker:Sure.
Speaker:And for a few hours, and might just be a computer savvy person, but may
Speaker:not have an A+ certification, let alone something more.
Speaker:You can imagine that there's no group policies, you'd be lucky if
Speaker:there's endpoint protection.
Speaker:So access control.
Speaker:So we, yeah, so these computers though, are connecting back to our
Speaker:central voter registration database.
Speaker:And that was the linchpin.
Speaker:If you are connecting to our system with your systems, they
Speaker:have to meet these requirements.
Speaker:And so the scope of it is just elections computers, but Hey, you
Speaker:still need to have a firewall.
Speaker:And if those election computer systems are on a domain, then that domain controller
Speaker:now becomes part of that scope. Are you in the same network or the same subnet?
Speaker:Even if you VLAN it, it doesn't matter.
Speaker:You gotta think about everything that, that touches were
Speaker:at something had happened.
Speaker:So this caused a lot of issues and it still is causing issues, this law,
Speaker:but it's the first time that a law basically put any sort of
Speaker:cybersecurity requirements over localities in any way, shape or form.
Speaker:Now the scope was again, just elections activities, connecting back.
Speaker:Okay.
Speaker:But that scope can be expanded at some local.
Speaker:It's very easy to do that.
Speaker:I've made the comment.
Speaker:I said, I can take a cyber security hole.
Speaker:How far deep do you want to go?
Speaker:The problem was, some of this stuff costs a lot of money and sure.
Speaker:If you have a rural locality that doesn't have the revenue, if you will,
Speaker:to hire IT folks or the right IT folks for the right products, then you're
Speaker:in between a rock and a hard place.
Speaker:I think and I think that some localities chose to completely kick or to create
Speaker:completely independent networks and computer systems, because they said it
Speaker:was too much work, too much effort to do it across their whole enterprise.
Speaker:And I begged and pleaded on the side saying, this is not the right move.
Speaker:This is the opportunity that you guys should be taking to do X, Y, Z across
Speaker:your entire platform as much as possible.
Speaker:Because if you just say you're prone to your okay.
Speaker:Election elections activity in locality might be okay,
Speaker:but what about your nine 11?
Speaker:That's a life safety thing.
Speaker:When, if they're on the same network, wouldn't you want to like, just kill
Speaker:two birds with one stone, if you could.
Speaker:And some people chose different, and it's not my, it was not my place as the POC or
Speaker:head of that whole program and instituting this on behalf of the state board, it
Speaker:wasn't my place to tell them how to do it.
Speaker:I just said, here's the requirements.
Speaker:It is.
Speaker:We got to do to meet them.
Speaker:You choose whatever way you want to meet them.
Speaker:My main concern is the protection of the voter registration database and
Speaker:safe and secure elections in Virginia.
Speaker:But if I take my CIO hat off and put my, the Persico hat on, just
Speaker:me: don't do that to yourself.
Speaker:And here's why: the ransomware attack that we had, that I was
Speaker:starting to talk about, a month and a half, a month and a half of,
Speaker:I would say, I would say two weeks of completely nothing. After
Speaker:about two weeks, some main things started coming back, which were
Speaker:available to recover some main things.
Speaker:And then, after a month they started getting more of the outliers back
Speaker:online, but it was, for two to three weeks, almost completely
Speaker:crippled, you know what I'm saying?
Speaker:And a locality can't do
Speaker:what it's meant to do because it didn't take the proactive steps.
Speaker:So one of the things that I did through this process and through some others is I
Speaker:met with the state Medisafe, or I'm sorry.
Speaker:I met with the board of supervisors.
Speaker:In some cases I met with the electoral board at the localities who oversee
Speaker:the registrar and hire the registrar.
Speaker:I met with these folks and I said, you got to invest in this because this
Speaker:is what happens when you don't it.
Speaker:And you don't want.
Speaker:Tap.
Speaker:And again, we're having emergency meetings until midnight and blah, blah, blah.
Speaker:Everyone is freaking out right now.
Speaker:This could have been prevented if there was more proactivity and you can't
Speaker:always protect against all threats.
Speaker:But one thing that they really screwed the pooch on this one case
Speaker:they didn't have offsite backups.
Speaker:They had an attached NAS storage on a server that had a password that
Speaker:was basically basketball password.
Speaker:That's like as the security we're talking about and the lack of contingency
Speaker:planning or incident response.
Speaker:There's not like nobody, nobody knew what to do when this happened.
Speaker:Either it took a week just to get everybody involved.
Speaker:And when it got to me, I'm the one that started making the
Speaker:phone calls. Within about 12 hours of finding out I had
Speaker:everyone on the phone from FBI, CISA, state police, National Guard, and
Speaker:everyone showed up, and everyone came together and did the right thing.
Speaker:But boy oh boy, it was a mess.
Speaker:And here's the other thing: in that case, the locality county administrator
Speaker:did not want to hear advice from all these people, including
Speaker:me, shut me out, shut me down.
Speaker:She was worried about her reputation more than recovering.
Speaker:And so, word to all leaders out there: put your own emotions and your job
Speaker:security aside, your job-security-minded self aside for a second, and do the right
Speaker:thing, because that individual made a lot of missteps, a lot of missteps, and
Speaker:Yeah.
Speaker:When I asked about, yeah, I want to ask a short question and
Speaker:then I want to tell you an experience
Speaker:I had, to see if this is what, in the localities.
Speaker:You talked about getting cyber standards and there was a law there.
Speaker:Were you using like a NIST standard or did you make up your own set of rules?
Speaker:We actually did start from NIST, but we knew that there was no way that all
Speaker:the localities, all 133 localities, were ever going to meet, which one, which
Speaker:Special Publication, were you trying to align to the Cybersecurity Framework?
Speaker:Just to CSF one.
Speaker:Okay.
Speaker:Starting from there.
Speaker:And we did do top 20, top eight, we combined the two of those.
Speaker:And so the work group, it was a work group that was formed.
Speaker:And the work group was led by me.
Speaker:I was the chairman for it, but I had locality IT directors, CIO slash
Speaker:CISOs slash, you know, you name it.
Speaker:As far as Alside JLARC, the legislative audit, I forget what the acronym stands
Speaker:for, from the state, that were there.
Speaker:I had representatives from the VML and VACo, the Virginia Municipal League
Speaker:and the Virginia Association of Counties.
Speaker:We had a huge work group.
Speaker:We met every three weeks from like May of 2019 to October, every three weeks we
Speaker:met in person and for four hours, we had four-hour sessions in the Richmond area.
Speaker:And we, it started off bad.
Speaker:I make the joke, like people were throwing chairs at each other, but
Speaker:people were raising their voices.
Speaker:It was not because we.
Speaker:Like we had everything from who are you, big state to tell us what to do.
Speaker:And we had people like, that's not, that's just bullshit.
Speaker:We shouldn't have to do that.
Speaker:And it was you name it.
Speaker:We had some, it was a lot of infighting, but eventually I say within the first
Speaker:month or two of doing this, like people got on track and started to see the
Speaker:light and what we're trying to do here.
Speaker:And it became the, it ended up being the standards were ended up being
Speaker:a reasonable set of expectations that we can push on localities.
Speaker:And the idea was to, to now, as of my last meeting with the group,
Speaker:cause we have a work, we saw, we have an advisory group now that is
Speaker:all the time that meets to decide if the standards need to be adjusted.
Speaker:So the idea is that the standards will be adjusted based off of the threat landscape
Speaker:and and but we started starting small.
Speaker:And then figure out where we're at.
Speaker:There's a lot of folks that are still struggling there and
Speaker:we are doing different things.
Speaker:So we had, we got to with, through UVA and a consortium with a bunch of
Speaker:colleges, including Virginia Tech, UVA, Norfolk State, George Mason, I'm
Speaker:trying to think VCU is a big one.
Speaker:We create, we're creating a cyber navigator program to get,
Speaker:have students come and help
Speaker:localities.
Speaker:So they learn and then localities can get some help.
Speaker:So that program is taking off.
Speaker:We did a pilot with a locality in Southwest Virginia that I
Speaker:led last summer in the fall.
Speaker:And it did produce some good outcomes there, but there's a lot of different
Speaker:things in the works there to try to increase the overall cybersecurity
Speaker:posture of the Commonwealth, because localities are a part of this.
Speaker:It's funny.
Speaker:You mentioned the universities, 'cause in the latest study that came
Speaker:out of the biggest industries that are hit universities and research
Speaker:institutions are number one.
Speaker:And it's not even close if you go look at the chart.
Speaker:Yeah.
Speaker:So I'll tell you the experience that I had a few years ago with another county.
Speaker:As far as I wasn't looking for anything, I was doing some volunteer
Speaker:work for the front of the local chamber of commerce, and I came across
Speaker:something that just wasn't right.
Speaker:And so I knew everybody in play except for the local IT staff.
Speaker:And ended up, setting up a meeting.
Speaker:And I said, because I wasn't necessarily getting responses.
Speaker:And then I knew the county administrator, so I knew how to make it happen.
Speaker:So I reached out and had the, the meeting to understand, the lack of budget, the
Speaker:lack of resources, and no kidding, almost proud and bragging about the ability
Speaker:to do things that are horrible as far as, taking, equipment past end of life.
Speaker:And I'm not talking obviously election equipment, but, I know these guys had
Speaker:purview over essentially everything, sheriff first responders, all of that
Speaker:type of stuff and a very minuscule staff for even just the amount of people
Speaker:to support much less, who knows what systems are and stuff are in play.
Speaker:Is that.
Speaker:Do you see with now all of the exposure in the local government, I use elections
Speaker:obviously as being a news dominating piece of technology for state governments, that
Speaker:there's going to be a ramp up and funding to better implement technology across
Speaker:the board and cybersecurity standards.
Speaker:I certainly hope so.
Speaker:I know that there's, there was a lot of talk about this this
Speaker:infrastructure bill at the national level and what that would be used for.
Speaker:I know that, CISA's upping their game with, hiring a lot
Speaker:more people making the pay.
Speaker:And you still got to have the boots on the ground in the
Speaker:localities to execute day to day.
Speaker:That's all true, but it starts at the top.
Speaker:And.
Speaker:You know it again, if you technology is not cheap paying good
Speaker:technologists is also not cheap.
Speaker:If you want somebody good, not somebody that can just connect the
Speaker:printer or reboot a computer for you.
Speaker:These people, either go to school for it or they spend a lot of money
Speaker:getting certified and et cetera, et cetera, you cannot look, you can't.
Speaker:Expect a locality.
Speaker:That's got a very small population to generate the amount of revenue
Speaker:themselves, somebody 150,000 a year, to run their IT and security stuff.
Speaker:You just, that's just not going to happen.
Speaker:So without grants or some external funding, you're going to continue
Speaker:to see that, that being a problem.
Speaker:Now, there are ways around it.
Speaker:And, you could do, different things with contractors and whatnot, so you're not
Speaker:paying maybe for somebody on full time, but a lot of the time it's just, there's
Speaker:the other component here that I've noticed is that you'll have leaders in
Speaker:roles like boards of supervisors, county, administrators, and things like that.
Speaker:And not to be disrespectful to any of them, but a lot
Speaker:of those folks are not this.
Speaker:I know where you're going because I've seen regulatory, but if you have somebody
Speaker:who's 80 years old, who's retired and Ben in got appointed to this position
Speaker:or got elected to this position.
Speaker:They know what they know what their advisors tell them.
Speaker:And who knows what kind of their knowledge background is and what they
Speaker:see threats to be and where they want to, approve budgets to, that for that
Speaker:money to go here, there anywhere.
Speaker:That is a huge problem.
Speaker:More so in the rural localities than not that I see.
Speaker:I think I mentioned earlier, educating leaders is a huge
Speaker:component to a successful cyber security program or operation.
Speaker:And I will say I am very thankful.
Speaker:I wasn't keen about the 57 legislative changes or 58 legislative, but I am
Speaker:very thankful to them because they gave me three bodies, three brand new
Speaker:full-time positions just to stand up.
Speaker:I stood up a cyber security team in elections back in 2020.
Speaker:And the team is going strong now, heard it just hired a CISO
Speaker:and I'm really happy about that.
Speaker:I was able to get that, but, I think for, if I was one of those members of
Speaker:the general assembly and I see this.
Speaker:For cybersecurity around elections.
Speaker:I couldn't could not vote for it.
Speaker:That would just be really bad, look bad.
Speaker:But and I'm thankful that we got those spots, but what happens at these
Speaker:localities or other states or other, even nonprofits and private sector,
Speaker:like with the leaders, don't understand the risk of not doing something because
Speaker:nobody's advised them or if they've been advised and they're just like I
Speaker:got to do this, a friend of mine who represented localities in Virginia
Speaker:through one of the lobbying groups when I was having a conversation with
Speaker:them about this kind of situation.
Speaker:And they said Dan, if it's between another deputy on the street or a fire truck or
Speaker:your security requirements for computers, what do you think is more important?
Speaker:What do you think that the board of supervisors or whoever's
Speaker:going to think is more important?
Speaker:And I said, I know the answers, I know your answer to that,
Speaker:but that is not my answer.
Speaker:It depends on what's going on as a cop, former cop who has, was had to
Speaker:pull extra shifts at times and do extra things because our manning was
Speaker:low or our cars were broke because we.
Speaker:We use our cars into our cop cars, into the ground.
Speaker:And I worked entire shift without heat in the middle of winter in
Speaker:a vehicle because they couldn't afford to fix it, having been there.
Speaker:I get it, I get some of the sentiment that individual is telling me,
Speaker:but I'm like, okay, so it's great.
Speaker:If you have more deputies and more fire trucks, but what happens
Speaker:when you can't dispatch them?
Speaker:Because the entire 911 dispatch system is down, your radios are down,
Speaker:your phones are down because you didn't think about the technology
Speaker:implication of this, or even worse.
Speaker:Think about it this way.
Speaker:As a cop.
Speaker:If I pull somebody over and I run an NCIC check on the license plate
Speaker:or the driver's license and, or the driver's license, and the person has
Speaker:an active warrant armed and dangerous.
Speaker:Obviously if I pull somebody over and like the vehicle was flagged for having
Speaker:it's going to tell me right away, and I'm not going to approach that vehicle
Speaker:until I have backup, it becomes a high risk traffic stop at that point.
Speaker:But if I don't know that because the computers are down and I can't get
Speaker:that information and I walk up to the car and say, license, registration,
Speaker:here's the reason I pulled you over.
Speaker:And the guy just pulls a gun out and shoots me.
Speaker:Now you have an officer dead because of a technology issue.
Speaker:People don't realize how technology has truly become the cornerstone
Speaker:of every aspect of our society.
Speaker:And if we're not protecting it, we're not investing in it
Speaker:and we're not protecting it.
Speaker:We're gonna, we're gonna, these threat actors are gonna always.
Speaker:You know ahead of us, even though we're trying to say ahead of them,
Speaker:and they will always continue to wreak havoc for whatever their motives
Speaker:are, they will continue to do that.
Speaker:So it is really important that leaders at all levels, all sectors realize
Speaker:that organizational risk management
Speaker:needs to account for our technology risk or digital risks,
Speaker:sensitive data, things like that.
Speaker:I know that, one of the things that I did as well at ELECT
Speaker:is introduced data privacy.
Speaker:We might have hired a privacy officer and made it part of this cybersecurity thing.
Speaker:I'm going to talk about that next week in that I was telling you earlier, before we
Speaker:went live, I'm speaking at an event next week and government innovation event.
Speaker:And I'm going to really talk a lot about how it's important to look at
Speaker:cyber security in a more organizational risk management perspective, but also
Speaker:how you can include data privacy.
Speaker:Data privacy is, got made huge out of GDPR and over in the, in the European
Speaker:Union, a few years ago, back in 2016, I think is when it went into effect.
Speaker:California's got some similar rules.
Speaker:We passed a consumer data privacy law in Virginia last year.
Speaker:Those are huge and it, and cybersecurity, data privacy and organizational compliance
Speaker:and organizational risk should all be folded into one area really in, and it
Speaker:needs to be, it needs to go to the CEO or the boards that that maybe oversee
Speaker:or there, whatever the title is at the top, it needs to get to the top so that
Speaker:people are funding the proper things and really addressing the risks before they
Speaker:become a disaster for the organization.
Speaker:It happens so many times if you read articles, but the other thing I hear all
Speaker:the time, I'm going to shut up after this.
Speaker:It's not going to happen to us until.
Speaker:Absolutely.
Speaker:I know you're not there anymore.
Speaker:And I wanted to ask this as the final question to wrap up if you, on your way
Speaker:out, could there like wave the magic wand in the public sector and in the
Speaker:areas that you were doing to go, I, you accomplished a lot with the modernization
Speaker:to the cloud and getting some of the cybersecurity principles in place.
Speaker:What does that thing that you could have, you felt that was maybe left
Speaker:unfinished or you would have liked, you could snapped your fingers
Speaker:would have been the next thing.
Speaker:Honestly, I think I said it on the right trajectory.
Speaker:It was more of follow through.
Speaker:There were some bigger issues that I wanted to work on this.
Speaker:Overall and bring other partners in to help fix.
Speaker:I really wanted to unify cybersecurity across the Commonwealth
Speaker:efforts to do so already.
Speaker:And some of those were I was involved with but it was really important to,
Speaker:in my opinion, looking back, and I will say this, even if it probably gets me
Speaker:in trouble, if anybody sees us this is how I'm going to title the episode.
Speaker:Now, here we go.
Speaker:Cybersecurity data privacy those key, thing, those key areas to combat
Speaker:the, or mitigate digital risk need to be more unified in Virginia.
Speaker:You got your three branches, VITA, the Virginia Information Technologies
Speaker:Agency, is by law
Speaker:Going to take care of security and infrastructure for all executive
Speaker:branch agencies which is the majority of the state, but then you don't
Speaker:have outlying independent agencies.
Speaker:You've got the legislative branch who did actually suffer an attack.
Speaker:Remember a few months ago, the, yeah.
Speaker:And then you have your judicial branch and you've got organizations like state
Speaker:police Virginia's Homeland security group, or I forget the department,
Speaker:I forget what their public safety and Homeland security for Virginia.
Speaker:And they have some roles and responsibilities over incident
Speaker:management and emergencies such as a ransomware attack.
Speaker:And then you've got localities and then you've got these other kind of outliers
Speaker:out there that somehow contribute.
Speaker:There's not a unified front.
Speaker:I, I was aware that previously I think what was the last Republican governor?
Speaker:It was before McAuliffe.
Speaker:Yeah, I'm blanking myself now because Virginia does one for anybody listening,
Speaker:Virginia does one term governors.
Speaker:They can run again, but they can't be concurrent.
Speaker:Exactly.
Speaker:But there was the last Republican governor.
Speaker:It, I can't remember who it is.
Speaker:I'll stop my head.
Speaker:I'm blanking.
Speaker:I know.
Speaker:It's like the word there that his name is on the tip of my tongue.
Speaker:They, under that administration, they had a secretary of technology
Speaker:back then that was disbanded.
Speaker:I think.
Speaker:Around the time Terry McCall.
Speaker:Nope, no McAuliffe, I believe had the last one because that was a shoot.
Speaker:I've actually talked to her.
Speaker:Karen.
Speaker:Hey, gotcha.
Speaker:Yeah, I'm online because I wasn't really, this was before my time, but
Speaker:they had a sec and they actually, it was Northam that rolled it up underneath
Speaker:the econ E the economic development.
Speaker:The secretary administrator, no secretary illustration, it fell under after that.
Speaker:And so that, but that was just like, I think it's really important to
Speaker:have that at the governor's cabinet level to have somebody technology,
Speaker:not just the operational side but the cybersecurity side and then other things
Speaker:principles within there to when you were talking about organizational risk.
Speaker:And sorry.
Speaker:Apologies.
Speaker:Being able to remember, but I just know it was Karen Jackson and Jackson was the
Speaker:last one because I remember talking to her and I don't know what Youngkin, if he's
Speaker:reinstated it or have left the structure of the same, he is not, the structure
Speaker:is currently the same as of right now.
Speaker:And it's funny because the current secretary of administration, as I've
Speaker:been told is a former CIO of the fed reserve, a specific location or whatever.
Speaker:So that was cool to hear that.
Speaker:Okay at least they have a technologist in that role.
Speaker:I don't know much about the individual, but I'm happy that they're that, that.
Speaker:There, because that is helping put technology, but that still
Speaker:doesn't, that's an executive branch.
Speaker:Again we need to a little bit bigger and we need to have some
Speaker:form of whether it's a work group advisory group or board or something
Speaker:that brings all of this together.
Speaker:And it does include localities because even though the state can't
Speaker:force localities to do anything, theoretically, I think it's, I think we
Speaker:all have a we all have a common need.
Speaker:To stay ahead of this.
Speaker:No matter what part of the Virginia government you are, and we can even
Speaker:include some of the, the public sector, universities, state run schools
Speaker:they, there's a lot of smart people that that I'm, I know I'm tech UVA.
Speaker:I deal with some of these computer science folks, some of the research
Speaker:programs and research labs that they have, like they're bleeding edge.
Speaker:And we can really, honestly, if we unify better, we can really make the
Speaker:Commonwealth of Virginia stronger.
Speaker:And then if we do that, maybe other states will follow suit.
Speaker:If they're not, if there's nobody else out there doing that already, cause
Speaker:I'm not familiar with every state and how they structure it, but sure.
Speaker:But I will say it's a little disjointed and that disjointedness
Speaker:is I always equate this back to the 9/11 Commission Report.
Speaker:What happened.
Speaker:W what are some of the biggest failures of 9/11 and why it happened?
Speaker:It was a failure to communicate.
Speaker:It was a failure to unify.
Speaker:And if we can't take lessons of something like that catastrophic and
Speaker:then apply those to to any sort of, forward risk management principles
Speaker:in cybersecurity or otherwise, right then we're bound to have problems.
Speaker:And I don't want to see that not just for myself, but my family, friends,
Speaker:my child, I want to, I want us to be, I want us to be 10 steps ahead
Speaker:of them, bad guys all the time.
Speaker:That's my.
Speaker:And I hope that that we can get to that place by changing our
Speaker:mindset, be more proactive and not saying well, that's never going to
Speaker:happen to us and make an excuses for why we can't fund these things.
Speaker:It's really important.
Speaker:No.
Speaker:And I'll wrap this up with a saying, I always hear from
Speaker:the Marine Corps to rub it in.
Speaker:You don't want to show up, we don't want to show up to a fair fight actually.
Speaker:That's a, we gotta keep this light unfair.
Speaker:Got stay ahead.
Speaker:Yeah.
Speaker:I really appreciate the time.
Speaker:If anybody wants to reach out, connect with you.
Speaker:What's the best place I could hit me up on LinkedIn or, and
Speaker:send me a message on there.
Speaker:Sounds good.
Speaker:Awesome.
Speaker:Awesome.
Speaker:Thank you, John.