“When we have our crisis—and we will eventually—I hope it's small enough and not impactful enough that it doesn't harm too many people, and it wakes people up.” - Kirk Herath
Our host Bryson sits down with Colin Ahern and Kirk Herath, two of the only cybersecurity experts working in Governors’ offices in the United States. Colin was appointed Chief Cyber Officer of the State of New York by Governor Kathy Hochul in June 2022, and Kirk stepped into his role as Cybersecurity Strategic Advisor to Ohio Governor Mike DeWine and Lt. Governor Jon Husted the same year. In their positions, Colin and Kirk are responsible for coordinating their states’ cybersecurity capabilities, overseeing threat assessment and response, working with local governments to prepare for and remediate cyber attacks, and more.
What were the critical lessons learned in building statewide cybersecurity programs from the ground up? How do states navigate the shifting landscape of federal support? And what are the biggest challenges and opportunities on the horizon for cyber czars and strategic advisors across the country?
“You can't replicate these shared services unless you're doing it together. You just can't. We can either succeed together or we can fail separately. There's really not a middle ground where we can all have exactly everything we want all the time. Because like we've said, this is a risk management exercise in a world of limited resources,” Colin explained.
Join us for this and more on this episode of Hack the Plan[e]t.
The views and opinions expressed in this podcast represent those of the speaker, and do not necessarily represent the views and opinions of their employers.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Colin: I'm Colin Ahern. I am the first Chief Cyber Officer of New York State. I was appointed to this position by Governor Kathy Hochul in June of 2022. I started my career in the Army. I enlisted in the Reserves after 9/11. I later received an ROTC scholarship to Tulane University, go Green Wave. I was then an active duty Army officer.
Principally with the 101st Airborne Division (Air Assault), in Fort Campbell, Kentucky. I deployed a couple of times to Afghanistan, in support of Operation Enduring Freedom, and it's really there that I started the journey that's led me to this point. I did signals intelligence.
Targeting, intelligence support to a variety of things. Very interesting. From there I was asked to stand up a cyber operations mission team for the then recently formed Army Cyber Brigade. So I had the incredible honor of working with a really top-notch team of cyber professionals at Fort Meade, and really got to cross paths with some really incredible people, some mentors, some that I still talk to to this day.
That really encouraged me to, as I was leaving the army, which I did after my company command to stay on the cyber, path. So I got an MBA, because I wasn't quite sure what I wanted to do. And then from there. I was in financial services for just a hot minute, but then I really got bit by the public service bug again.
And Mayor Bill de Blasio of the previous mayoral administration asked me and Jeff Brown to stand up New York City Cyber Command, the city's first cyber defense agency. I did that for five years. I then was an acting agency head for the incoming administration. I decided my fun meter was pegged, time to take a knee.
So I did some consulting. I taught at Columbia. I taught overseas at the Marshall Center in Europe. And then I decided, you know what, the public sector bug bit me again. And the governor asked me to be the first chief cyber officer. And that was just about three years ago. And here I am.
Bryson: Kirk, same question to you. I think you get another, like 30 seconds though, because you're, slightly older than Colin.
Kirk: Yeah. Kirk Herath, I have already retired once. This public service was my post-retirement career. I'll caveat that a little bit. For the first part of my career, I was a lobbyist for Nationwide Insurance.
I did 32 years at Nationwide Insurance in a series of public policy and legal roles. And as a result of the public policy roles, I worked on some seminal bills in the nineties, HIPAA, Gramm-Leach-Bliley. And because at that time I was young, you kind of got shifted into doing things that nobody else really wanted to do.
So I worked on data issues. I worked on what became privacy and cybersecurity issues. And as a result of the work on those two bills, Gramm-Leach-Bliley in the late nineties and HIPAA, and then a little bit of the Credit Reporting Act in the middle, I was asked to be the first chief privacy officer at Nationwide in 2000.
And then as a result of that, I realized almost immediately that there was no privacy without security. So I wedded myself, convinced the CISO that he needed a lawyer, and I became his lawyer, and I found cybersecurity far more interesting than privacy. In about 2016 Governor DeWine, then Attorney General DeWine, asked me and about 15, 16 other folks from the business community and the academic community to come and be part of a group that he called Cyber Ohio. And for whatever reason, I still to this day don't know why he asked me to chair it. So I chaired Cyber Ohio.
And as a result of that, we did some really cool things, we passed a few bills, the Ohio Data Protection Act, which was the first law in the country that pegged the standard of care for cybersecurity to NIST and CIS and ISO. So I did that, and then 2020 obviously was kind of a seminal year for all of us. My wife and I both decided that after 32 and 30 years respectively, we were going to retire.
And so we retired in 2020 and I too did some teaching. I teach at Ohio State Law School, Cleveland State Law School, and then I did some consulting through '21 into '22 as well. And then out of the blue, I get a call from the Governor's staff saying, Hey, would you be interested in coming in and coordinating all the cybersecurity for the state of Ohio?
Kirk: And he did an executive order and created the first cybersecurity strategic advisor for the state of Ohio.
And I've been doing that since April of, 2022. And it's really been, one of the more interesting, fun jobs I've ever had.
Bryson: And Kirk, you're also a political appointee, correct?
Kirk: I am a political appointee. I'm actually on the cabinet officially. I'm a non-agency cabinet director.
Bryson: And you are both the only political appointees at this level for any state in cybersecurity in an administration.
Colin: Yeah. Me and Kirk have done this, we've checked this before.
We're the northernmost outposts of the cyber czar, whatever you wanna call it. Kirk's title's different, but it's a single issue in the governor's office. Yeah. Political appointee.
Kirk: The rumor is that Louisiana may have somebody now. They had somebody, we met him. He was an interesting fellow.
I really liked him. And then he kinda disappeared and I think he's back doing it again more formally. We have a National Governors Association conclave every fall, and hopefully he'll be back there. But as best as I can tell, it's Colin and I.
Colin: Yeah, I agree.
Because there's other, obviously every state has a chief information security officer, which Kirk was mentioning.
Bryson: Not the same thing,
Colin: But it's not the same thing. We have a CISO who's fantastic, Chris DeSain, a senior state executive, very good, but not the chief cyber officer. And then California, say, they have a chief information security officer and they have a cyber fusion center head.
So there's other structures, but those are not at the governor's office. Those are not coordinating inter-agency processes. Basically, they're not driving this policy process.
Bryson: So the difference between a strategic execution at an administration political level and managing the actual enterprise of government itself?
Kirk: It is. Which is interesting, 'cause I'd been a lobbyist for 12, 14 years and I had no conception of the importance of being in the governor's office. This could not happen. I could not have achieved what I've achieved in the last three and a half years if I hadn't been in the governor's office. I don't use my authority very much at all. Only a couple times have I really had to. Most of the time I'm just like, I can convince people, this is the right thing to do, let's go do it now. It helps to be from the governor's office. But I had no conception when I was negotiating this thing that the perch mattered as much as it did.
I mean, I wanted a governor's email address. I wanted to be in. I certainly knew it wouldn't hurt. Right. But I had no idea just how important that was.
Colin: Yeah, I totally agree. And I think we're both quite fortunate that our bosses take the issue seriously. They take us seriously. And I can't speak for Governor DeWine, but Governor Hochul has a vision, safe, secure, and affordable New York, and obviously government services are delivered by, with and through computers.
Full stop. Right. And critical infrastructure, 85% of it in New York State, which is probably the same in many states, is privately owned. So the state's role is in setting standards, in providing technical assistance, in running its own services as well. I totally agree with Kirk that you can't make the movement that I've made without being in the governor's office.
And it's a team, though. You need a really strong set of operational leaders, other cabinet officials, agency heads, deputy commissioners. You need a really strong team, but there's just a certain je ne sais quoi of being from the governor's office where you can say, the boss has heard you, the decision has been made.
Bryson: Well, it's like setting the chess board versus playing the chess board. And segueing from that question, right, the federal government has, through the executive order, its own perspective on what's critical infrastructure. We have the 16 sectors as defined. We had the CISO for New York City, Kelly Moan, on the other year talking about how they had a different perspective at the city level.
So let's start again with both of you being state representatives who actually set the chess board for everything that's gonna happen with cybersecurity down into your state from a government perspective. What do you think is different in how you approach critical infrastructure? How do you work with the different branches of the federal government
Kirk: today? There's not a whole lot going on between me and the federal government. It seems absurd that as a Republican I have fewer contacts in the federal government today than I did under Biden, but that is true. And so I'm in the process of trying to establish some contacts with people who are actually still there.
Every time I would sort of find somebody, they would be gone within a couple weeks. Going back to February-ish, we had a whole CISA team here, a state team that I really liked. They were all ex-State of Ohio employees who I knew well. Anyway, they were phenomenal.
We worked very closely with them, coordinated everything, worked a little bit with EPA on water and wastewater. So my relationship with the federal government right now is at best tenuous, and the relationships that I am trying to build are really with local governments. Let me step back a second. We have, I think, much stronger home rule here than Colin has in New York.
There is a love-hate relationship between the locals and the state, just like there is between the state and the feds, and outside of guns and knives and a couple other things, if they're chartered, they can write their own rules. And the state preempts very irregularly, anything.
So you have to really bring them along and you've gotta be a good salesperson to get them to consume the services that you are building. So anyway, that's a long answer to your question. So the feds, I mean, I hope that the money from the cyber grants begins to flow again, but it is not today.
It is inhibiting our ability to do some things. And then some money that the governor had put into his proposed budget back in January did not pass in late June. It was stripped out of the conference committee. So at this point we're trying to build things with existing dollars and, frankly, it's becoming hard to do.
Bryson: So Kirk, I'm gonna come back to you. You actually answered a different question that we're gonna do later. So, Colin, can you answer the question from an operational coordination perspective, and then how your state classifies critical infrastructure that's different than the federal, executive order approach?
Colin: Operationally, there's joint terrorism task forces under which the counterintelligence, the counter-cyber and sort of the traditional anti-terrorism mission falls. There are several cyber touchpoints within those. There's an 18-member task force chaired by the New York State Police, which does internet crimes against children, computer crimes, and other things.
There are 46 of those fusion centers across the United States, and obviously one of 'em is in New York State. So we work closely with the Attorney General and a variety of federal agencies at that task force. New York is unique in that it has two JTTFs. It obviously has New York City, the Joint Operations Center, and there is a companion New York State Intelligence Center in the vicinity of Albany, sort of in the more traditional state-level cyber.
JTTF, Fusion Center, New York in terms of its critical infrastructure, operational collaboration with the feds. New York State is one of the relatively few single-state independent system operators from an energy grid perspective. So we have very close relationships with the Department of Defense, with NERC and FERC, the North American Electric Reliability Corporation, which is basically a government entity that regulates electricity generation and distribution. We have close relationships with the Department of Energy, with other federal agencies, the DOD obviously. We have a very significant cross-border energy relationship with the Canadians. For example, the Champlain Hudson Power Express brings clean energy, hydropower, in from Canada.
All the way downstate through the Hudson River Valley. So there's important implications there. And really, from a what-is-critical-infrastructure perspective, our frame is that there is power, water and hospitals. And then really there is everything else. You might have heard this, I guess it's like an anecdote or a truism: if there's no power,
you shelter in place; if there is no water, you have to leave the building. So the importance of power and water, I think, in terms of people's experience of what it means to live in a modern society, it's impossible to overstate the importance of power and water, and certainly in terms of lifeline critical infrastructure, hospitals and public safety.
Those are really the other two. Those are the four legs of the stool. Starting from when we first got here in 2022, the governor worked with the legislature to give our Public Service Commission, our Department of Public Service, additional legislative authority to regulate publicly owned electrical distribution utilities.
And so the first piece of rulemaking came out in April, two years ago, and some additional rulemaking has happened since then, and we're one of the first states to put cyber hazards on the same level as storm hazards, in terms of how an electrical distribution utility needs to prepare for and respond to them.
And obviously, or maybe not obviously, the importance of states and the feds working together and not at cross purposes: states regulate energy distribution. States regulate a huge number of critical infrastructure sectors because they're handled at the state level. That goes back to when this foundational legislation was passed decades and decades ago. So energy generation, bulk energy generation, that's regulated by the feds; bulk energy transmission, that's regulated by the feds. But this last mile problem, which by the way in 2014 and 2016 the Russians used to compromise, in the Ukraine, in the run-up to those other kinetic events, they were compromising electrical distribution utilities, right? Kind of the equivalent of the state-regulated electrical distribution, municipal co-ops, et cetera. So we saw a gap. The governor worked with the legislature to close it, and you gotta follow that up with policy, rulemaking, Administrative Procedure Act, all that stuff.
And then in terms of water, we publicly announced that we are doing, for the first time that we're aware, harmonized multi-agency water and wastewater minimum cybersecurity standards. Pairing those with a state funded grant program and technical assistance program.
And so that'll cover several hundred utilities that deliver water and wastewater to 3,300 or more hookups, 3,300 or more residents. But those regulations are three things. Number one, they're risk-centric, like Kirk was saying at the open. This is a risk exercise. This is not something where you can wave a magic wand and there's infinite resources or anything like that.
Number two, they're threat-centric. We know that there have been cyber attacks by the Iranians, by the Chinese, obviously covered extensively in your podcast and in other places. So the threat out there is real. And the desire of our adversaries to hold critical infrastructure at risk, especially electrical distribution and water utilities, is very real.
They're very important. And number three is they're cost-centric. They're cost-balanced. So we have cleared our regulatory framework to be minimum sort of things that I think people would be surprised by. People have heard about multifactor authentication. Your bank is required to put multifactor authentication on the computers that control your money, but your water utility, except potentially in a few months in New York State, no one is requiring your water utility to put remote access on the computer that controls your water. So I think that certainly there's a very important role and the feds gotta do more. I don't think there's any secret about that, but that's both because we have seen the effects of the cuts of rescission, which trespass, we have definitely seen those as well.
But also because the world is changing very dramatically, the capabilities and willingness of our adversaries to do bad stuff, definitely going up. And so, fortunately or unfortunately, we're blessed to live in historic times.
Bryson: Kirk, you had talked about the, decline in federal operational coordination.
We just heard Colin's definition of the four key components of critical infrastructure in the state of New York. How do you and Ohio classify critical infrastructure and your priorities?
Kirk: I was able to get cyber into our state energy risk assessment, basically. I was able to get that into that plan a couple years ago.
And it drives really a lot of the requirements then around grants from our Public Utilities Commission, Department of Development and those sorts of things. Actually, the money that was taken out of the biennial budget was going to do something very similar to what Colin described, and was gonna be an assessment of water and wastewater.
And then mitigation loans or grants. So that did not happen. Today we have, in the state of Ohio, very little authority. We have no authority from the Ohio EPA to regulate licensees. Now, I do have a bill drafted that I'm trying to get a sponsor for. That would provide Ohio EPA with some authority in the cybersecurity space, as well as sort of a critical infrastructure bill overall.
It would also provide the Public Utilities Commission with some authority over rural electric cooperatives. We have a lot of rural electric cooperatives, which fall under NERC, FERC, they fall under ReliabilityFirst, which is the self-regulatory organization for the Midwest. And like any private organization, there's a range of maturity from relatively immature to very mature.
And there's about 18 of 'em in the state of Ohio. About 25% of the population is covered by a rural electric cooperative that is essentially unregulated. And I don't wanna say that they've been fighting me. They really haven't. Actually, they're one of the first groups that I reached out to and had several discussions with.
They are building a centralized security service, at their trade association level that's gonna scale out to all of their members. I mean, I came in and said, don't compete against each other. You all have your, you all have your territories, your monopolies effectively.
And so it's a perfect paradigm for sharing the cost of a very expensive, service and capabilities. And they studied it and decided that made sense. So they've, been going down that route. What we are doing today is the Ohio Cyber Reserve, which is part of our militia. I moved their main mission about a year and a half ago from schools.
'cause you'll recall that CISA was telling us all that we had to like, protect schools about two years ago. And then of course, then they shifted, and started saying that you had to, protect, water wastewater, critical infrastructure, other critical infrastructure. So we, shifted into that.
So we do assessments of water operators. We have been sending clusters, I think we've got 40, of our cyber reservists who've gone out to the Idaho National Labs and who've been trained up and certified on OT. And we're gonna actually be training five teams of 10 at a big exercise here that starts tomorrow down in Cincinnati, where we're gonna be training 50 individuals. We have five-man teams, and they're gonna be certified at DOD levels and be capable of being the assessment, but also the incident response capabilities for the big one if it ever hits. So, again, we have a very federated, decentralized system here in Ohio.
I'm trying as best as possible to provide information through our Ohio Cyber Integration Center, which is the Fusion Center at Public Safety, Ohio Homeland Security at the Cyber Fusion Center, the Ohio Persistent Cyber Initiative, which is an education and assessment program out of our Ohio Cyber Range Institute.
Then the cyber reserves. We are doing our best at trying to hit the, as Colin said, we have finite resources, so we're focusing them on the highest risks. I'm focusing on population centers, the larger counties, the larger cities, municipalities. Now the legislature, while stripping out all money, did pass a provision in the budget bill that provides for local government cyber standards.
Among other things, that requires notification to the Department of Public Safety and the auditor of state. It puts restrictions on ransomware payments, and it requires training, which we have capabilities for. So they passed a fairly expensive unfunded mandate, and I can tell you everybody at the local level is freaking out.
And it covers everybody. It covers everybody that the auditor of state audits below the State of Ohio agency level. So everybody: public universities, schools, villages, water operators who are public, municipal power. So we will begin to see traction, I believe, in the coming years simply because our auditor of state in his annual financial and IT audits will be focusing on this.
And this will affect ultimately the, I was on a call yesterday and somebody asked what the stick was for this, and I said, well, it'll affect their bond rating. Every municipality, every county, they need to float bonds to survive, for roads and for sewers. And these audits will be confidential. They will not be, well, they occasionally are leaked to the press by disgruntled people, but they shouldn't be. But the bottom line is that the market, when they're trying to sell bonds to the bond market, the brokers and the buyers of the securities will demand, they'll wanna know what the risk is of the entities whom they're gonna be financing.
Bryson: How did that come about? I mean, was that a state program? Was that one of those things where the market responded to the existence of it? Like how did that actually happen?
Kirk: I'll take a little bit of credit for it. The most credit, the person who pushed it initially, was the auditor of state, and the auditor of state did something that I personally didn't think was possible, which was, again, to impose fairly strong standards.
And again, they hunt back to CIS, ISO and NIST. And so we ended up with standards, we ended up with notification. I mean, for years we've been trying to figure out, we're always the last ones to hear when a county or a city has a ransomware event, and it's basically just between them and their cyber insurers, for the most part.
I was asked to collaborate with the auditor of state on legislation about a year ago, and through several iterations I think I helped to improve it and got it tighter. There was a Senate and a House bill that were both introduced in the fall. They were gonna try to move it in lame duck; it did not go anywhere, and it was reintroduced in January.
And then I have no idea, Bryson, who convinced the Senate to put it into their version of the budget bill. But somebody did. And it made it through conference. And I was happy because a lot of what I had put into the budget was going to help fund, through grants for local governments and for water and wastewater, cybersecurity improvements in capabilities.
So we had state dollars for local cyber grants and then state dollars for assessments and mitigation for water and wastewater through EPA, and that was all stripped out. Interestingly, and you guys will probably get a kick outta this, there were actually some quotes in the, every legislature, every capital has their inside paper, right?
The scuttlebutt. You usually pay for it. Anyway, there was an article about how the Senate did not think that it would be very expensive for local governments to be able to meet these standards. And I have been walking around, talking to legislators saying, I think we're in the billions with a B, and that assumes that we've got billions with a B for tech debt too.
So, I mean, if you combine tech debt and then cybersecurity risk, it's many, many billions. And I don't think they truly appreciate it. And it's something that I am doing in the last few months that I have in this role, because I am time-boxed really to the end of next year, when a new governor will be elected.
And my governor is term-limited. And so I'm gonna spend the lion's share of the next year basically doing education and awareness for the legislature. I don't meet anybody that doesn't see this as a top priority when you explain it to 'em. But the biggest priority was they wanted to lower the tax rate.
They got a flat tax. So all new money was basically cut out of the budget. So existing programs actually were relatively unscathed, but all new monies were cut in order to come up with a multi-billion dollar savings so that they could get to a 2.7% flat tax. Their ultimate goal is to have a zero income tax like Tennessee and Florida and Texas.
I don't know how you pay for stuff. 'Cause you guys pay for stuff in Florida because everybody comes there and visits and the tour.
Bryson: We have a great tourist's ability to, soap. I know. And the challenge we're having, of course, is the property tax and property insurance side of the market, because that's the other revenue generator.
Colin: And I think one thing that strikes me about this conversation that your listeners might be interested in is you can't run a Department of Defense facility without the local government, its critical infrastructure, the privately owned critical infrastructure operators, being secure and resilient.
Bryson: If only we had done an episode on that in season two.
Colin: Right.
Bryson: So the, so thanks for the call out. We're gonna be putting that back in.
Colin: You should. And if you're gonna project power overseas, do bad things to bad people in bad places, which everybody wants, you're gonna need not just the federal government to be effective, which obviously regardless of your political party we want, but you're gonna need states and local governments to be well resourced and to understand their role in the national security infrastructure ecosystem. Your listeners can't see it, but I got a map of New York State on the back of my wall.
And there's Army bases upstate, the 10th Mountain Division, storied infantry unit. And so you gotta put thousands of people and thousands of tons of equipment on trains, on boats and on airplanes and get them to foreign lands, potentially.
And that requires critical infrastructure at the local, county and state level to be working. Full stop, requires it. Water, power, transportation, integrated electrical, port, like it requires all these things to work. And so, as these entities, the technical, that's a great call out.
I think as these systems become more attenuated, i.e. they increasingly age and become more fragile, and our adversaries continue to try to hold them at risk, i.e. obtain access to them to do bad stuff, the importance of resilience as a key skill, I think, goes up. And something that Governor Hochul said is, unfortunately, sometimes our imagination for how bad things can get is not good enough.
Kirk: I think that's perfect. I mean, I don't think they understand, and I will take some blame for it at some point. You can't do everything and I can't be everywhere.
But like I said, I'm shifting into education and awareness because I don't think the legislature truly gets it. Again, their priorities have been to cut taxes. They're even cutting property taxes and cutting services, and it's like two freight trains running down the track towards each other.
You can see it with perfect clarity and there's nothing you can do to stop it, and they're gonna crash. We all know that crises actually are opportunities, and hopefully, though, when we have our crisis, this is what I've been telling people, when we have our crisis, and we will eventually, I hope it's small enough and not impactful enough that it doesn't harm too many people, and it wakes people up, right?
Because I don't know how we run government. I'm incredibly conservative. I'm fiscally conservative. There are health and safety, emergency preparedness, there are things that I think are the reason that we coalesced in the Tigris and Euphrates 5,000 years ago to create civilizations: for self-protection.
We can disagree around the fringes about the other stuff. I mean, there's some core stuff here that in my mind, cybersecurity is as important as emergency vehicles, fire, police. And you said it earlier, one of the things that I've been saying to people is, the priorities of my governor, people go, well, he wants kids' health and he wants mental health stuff and dah. And I'm like, yeah, okay. And I'm aligned with him on that. He also knows that it's all digital and it all has to be protected, right? All the intake's digital, the administration's digital, and the servicing is all digital. Like we don't have vast seas of bureaucracies in service centers anymore.
And so these things are all at risk if we don't just spend a little bit of money, and it's not that much, 5%, 6% of IT budget. I mean, it's not that expensive if we can maintain it. But the tech debt is, yeah. Again, that's the one thing. My old company, Nationwide, we spent 10 years effectively investing in new technology while we were running our legacy stuff.
So for 10 years the board bought into the fact that we're gonna spend like twice as much money, 'cause we gotta run the old stuff and build the new stuff and then get rid of the old stuff. Unless you're gonna make money off that, it's a hard sell in government to get people to wrap their head around the fact that you just can't keep old computers laying around just 'cause you paid for 'em.
They still work. It's like, no, it's just not the way it works, guys.
Bryson: What's one big project you're proud of, that you've accomplished with your administration? Kirk, you had earlier talked about the Ohio Data Protection Act, so I don't know if that's yours or if you wanted to add something different.
Kirk: Well, the Ohio Data Protection Act was done under DeWine when he was Attorney General. It's certainly one of the things I'm very proud of, but the biggest thing, unseen by anybody, is I came in and in about a year and a half reorganized the entire State of Ohio cybersecurity, both agencies and centralized services, assessed them, built a strategy.
No one had ever built a strategy before. Built a plan to execute on, to get from a modest maturity level to an attainable and good maturity level. And we've been executing on it now for three years, and it's beautiful, and we've done it really with monies that were already there and the support of the governor and key agency directors.
That's my other job, to coordinate all of the security at the agency level, at the State of Ohio executive branch level. So that was the first thing that I did, and once we built that foundation, then we started building our whole-of-state capabilities like our Cyber Fusion Center and building out the Cyber Guard and the Ohio Persistent Cyber Improvement program and other capabilities. And directionally, I feel like when I walk outta here in a few months, directionally, it's gonna be hard to dismantle it. It's on the right track and I think it's going to be sustained.
It'll be different, right? It'll be different people running it, but you know, they can hunt back to the strategy. And we've amended the strategy twice in the last three years as well. We've assessed ourselves twice and are assessing ourselves again this fall. So there's constant, basically, governance, risk and compliance going on, and when we're doing better, it's the rinse and repeat method that a lot of us have done in the private sector, managing risk rather than everything, right?
Colin: For us here, a couple things really stick out. Number one is, in December '22, I referenced the legislation that we worked with the legislature to sign, really bringing cyber to the same level as other hazards, and clarifying legislatively that cyber is a hazard and it's a hazard that is as serious and as important as these other hazards. And I agree with Kirk that in some ways it's more salient because the sort of risk we get is highly correlated, right? Everyone's in the tool change SharePoint universe right now. And so it's not like physical things, where something happens in Ohio, it doesn't necessarily happen in New York, right? That's not how enterprise software works these days. That's certainly one. So the legislative acknowledgement, that's important. And then two is the shared services program. We have, I think, one of the more comprehensive cybersecurity shared services programs. We started it in 2022, we kicked it off; it was one of my first days on the job, and now we have a hundred thousand government computers in 55 counties, 40 cities, towns and villages, dozens of sheriff's offices and other county law enforcement and city law enforcement entities that are all a part of the governor's, the state's, Joint Security Operations Center.
And so that's providing really three services that we think have made a huge difference. Number one, endpoint detection and response. Number two, attack surface management. And number three, managed detection and response. And we're doing that at a scale, like I said, hundreds of thousands of computers, nearly a hundred, 115 or so entities.
If you were to do that individually amongst those entities, it would be many times as expensive if you were to take the sticker price, 'cause most of these entities, counties, villages, towns, are really small and medium-sized enterprises. There's a few hundred, a few thousand computers; they can't afford it.
We have 49 civil servants in three different offices spread across the state, in really two geographic locations, in the western part of the state and obviously in New York City. And so you can't replicate these shared services unless you're doing it together. You just can't. And so we can either succeed together or we can fail separately.
Like there's really not a middle ground where we can all have exactly everything we want all the time, because like we've said throughout the last 30 or so minutes, this is a risk management exercise in a world of limited resources.
Kirk: I will say that, as I said, our home rule, our constitution, makes it almost impossible without a constitutional amendment or a preemptive statute for us to do anything like Colin just described.
However, I have been funding, through federal grants, which again, hopefully the money starts to flow here again, and I had hoped to fund through state grants, collective security and building regional SOCs for the public sector. I've got two pilots going right now that I'm going to use again to try to sell to the legislature to fund more of them into the future.
So my goal would be, somewhere out there, somebody, not me, but somebody's gonna have 10, 12 regional SOCs around the State of Ohio, probably one day coordinated by our Ohio Cyber Integration Center. That would be my dream.
Bryson: Colin?
Colin: One thing that we see that is kind of related to cyber, that I think is again another bipartisan issue, is distraction-free schools.
And one thing that I think about is the sort of Venn diagram overlap between cyber criminals, ideologically especially nihilistic and other kind of nihilistic-adjacent groups, sextortion, and really the role of, unfortunately, organized criminal gangs perpetrating fraud and sextortion by, with and through the internet and mobile devices.
So actually, starting next year, New York State, we signed a piece of legislation, worked with bipartisan support across the state, for a bell-to-bell cell phone ban in schools. And so, just raising awareness of the ubiquity of these devices and social media, and the importance of that; these problems are unfortunately all interrelated. So we have, like I mentioned, the Internet Crimes Against Children's Center. The governor two years ago doubled the size of the state's contribution to the Internet Crimes Against Children's Center. Now, along with several other states across the country, I think we advocated appropriately for the Senate not to put in the AI moratorium, which would possibly have placed at risk some of the important protections that we're using in schools to protect children on social media and other things. So that's a bipartisan issue. And it's not a cyber issue, because if you're looking at cyber fraud, these are transnational criminal organizations that are reaching vulnerable populations and are perpetrating fraud and really despicable crimes.
And unfortunately, there's a lot that I think, across the country, states are doing. And so, yeah, I did wanna mention that the bell-to-bell cell phone ban, I think, doesn't seem like a cyber issue at first blush, but really raising awareness of the importance of cyber issues to the education of kids, I think, is important.
Bryson: If you could wave a magic air gapped wand, what's one thing you would change?
Colin: The one thing I would change, I would want the industrial control system manufacturer community to prioritize safety at the first instance instead of as an afterthought. And I know that's sort of inverting the market dynamic currently.
Because what we see, I think, is that the drive towards more and more connectivity, seemingly for connectivity's sake, is in many ways not in keeping with the public's interest, because an air-gapped network is fundamentally a more secure and reliable one. And as these entities are refreshing technology across the board by driving towards connectivity, that doesn't fundamentally improve anything if it doesn't make something cheaper or safer. Why are we selling it?
Bryson: You get the wand now, Kirk.
Kirk: Well, to do what I sort of mentioned in the last answer, I'd get enough money to build regional SOCs in 10 to 12 different places around the State of Ohio, and I'd knit them all together and coordinate them from our Ohio Cyber Integration Center in a collaborative way. By the same token, it would also include the water and wastewater operators as well. But that's what I would do, is just be able to get the adequate resources to do that in a quick way, 'cause I think it'll happen organically over the next five to 10 years.
Bryson: All right. You've waved your magic wand, Kirk. Now looking into your crystal ball, which looks suspiciously like an HMI. One good and one bad thing you think is going to happen.
Kirk: One good thing that's gonna happen is we will eventually get more money. Unfortunately, it will be after something like a cyber attack on water or electricity happens and takes down a large chunk of the grid and harms a lot of people.
Bryson: Colin, your crystal ball look?
Colin: Yeah, I think one good thing is that, crisis and pressure. I think the cyber community is not a big one, and so I, unfortunately, I agree that there's too much fragility and interconnectivity amongst these entities, and our adversaries are too well resourced and not deterred enough.
You know, there's been a failure of deterrence. I do agree with Kirk that there will be a, hopefully not catastrophic, but significant cyber attack impacting critical infrastructure. Maybe Taiwan 2027, maybe Second Thomas Shoal, Philippines. Like we don't know what the flash point's gonna be.
Right, maybe it's Europe, who knows. Right? But it will significantly change people's risk perception. And then I do think that we will be surprised at the incredible team that is the cyber ecosystem. We're fortunate, Bryson, both to have a connection to the Army Cyber Institute, both to have a kind of the cyber OG mafia.
It goes to cyber summer camp, Black Hat, DEF CON. There is a real community of cyber professionals that extends across party lines, that extends across the world. So I do agree with Kirk on both counts, but also that people are gonna be really surprised and impressed at how the community comes together.
And people don't see it most of the time, 'cause, right, it just happens: cyber defense of Ukraine, Kirk's great cyber volunteer programs in the city, the Cyber Guards. So I do think there's a lot of that that happens organically, but I think people will really start to see that in the next several years.