Cybersecurity Collaboration In City Government - Ep. 5

Cybersecurity On The Front Lines

The most common attack vector these days with ransomware is people. It’s all about phishing, clicking on bad links, stolen credentials, etc., etc. … And the key to preventing that attack vector is, of course, training and awareness. And that takes collaboration. So now we’ve reached the theme of our podcast.

The podcast theme today is collaboration and awareness, and our focus today is on municipalities. And so what do I mean by that? I mean towns, cities, counties; and that means critical infrastructure like police, fire, and utilities.

Episode Table of Contents

  • [04:00] Know your enemy
  • [07:55] Gov sector best in class for cybersecurity collaboration
  • [14:04] Transparency and trust in communications
  • [19:35] Local gov is low hanging fruit for bad actors
  • [27:54] If you have a dollar to your name, you are a target

Ted Gruenloh: To help me navigate the ins and outs of this collaboration discussion, I’ve got three of my good business buddies here, and one of them is Dave Bentz. And then we have Chris Lee and Scott Joyce. And I’m going to have each of you guys introduce yourself briefly. And so let’s start with Dave.

Dave Bentz: Good morning, Ted. Thank you for having me and this team put together on such an important topic, I think. Real quickly, I’m a retired federal agent. I used to run the cybercrime unit here in Dallas a number of years ago. So I’m a huge advocate of collaboration and sharing information and working together. I think at the end of the day, that’s what it’s all about, certainly in this world of cybercraft.

Ted Gruenloh: Great. And what organization were you with, Dave?

Dave Bentz: U.S. Secret Service for 22 years.

Ted Gruenloh: Great. Okay, and then let’s go to Chris Lee.

Chris Lee: Hello, Chris Lee. And again, thank you for having me on this particular podcast. I’ve been with the city of Lewisville now for roughly about 23 years. I serve as the CIO for the city and really have had the privilege to be able to work in various roles through the operation, if you will. And from my perspective, this is one of the disciplines that is really the most, I think, underappreciated in a lot of ways, and obviously one of the most detrimental if you don’t do it right. So glad to be here, glad to be part of the discussion and look forward to what the other participants have to say.

Ted Gruenloh: Great. And for those kind of around the country or wherever you’re listening, Lewisville is Lewisville, Texas. It’s a larger suburb in the Dallas Fort Worth area of Texas. So. Thanks, Chris. And then finally, last but probably not least is Scott Joyce.

Scott Joyce: Most definitely not least. Hello, everyone. My name is Scott Joyce with the city of Euless. I’ve been there about ten years, been in IT in some form or fashion in government for 26 years. I would love to say I started when I was ten years old, but unfortunately that’s not the case. One of the biggest things that we have in government that you don’t see a lot in the private sector is this ability that we have to work with each other because some would say we compete. But in the grand scheme of things, I really don’t think we do when it comes down to cybersecurity and keeping each other informed about the threats that are out there. So this is really exciting for me to be able to do something like this and talk about how we can work together to prevent these kinds of things from happening to each other. So thank you for having me, and I’m looking forward to it.

Know Your Enemy

Ted Gruenloh: Of course. Thanks Scott and Euless, also a city in the Dallas Fort Worth area. So, yeah, you made a good point. And it’s why I wanted to get this particular group together, because I think of all the verticals and all the business sectors that we work in, in our company, by far and away, the municipality sector, the government sector, does the best job of collaborating and working together.

There’s a lot of work to do there, and I’m sure we’ll hit on that a little bit, but anyway, that’s one of the reasons I wanted to bring you together, so all right, the theme here is to talk collaboration both internally and across organizations, like Scott just mentioned. I wanted to start kind of at a high level because you all are in leadership roles. I wanted to start basically with the goals. Why is collaboration important? I know Scott touched on it just a bit, but Chris, maybe if you wanted to take a crack at why do we collaborate just at a very high level? What do we look to gain from it?

Chris Lee: Yeah, so I think first and foremost, know your enemy, right? And I say that, and it’s really twofold, I think it’s really up to us to ensure that we’re aware of what’s happening in this space. We’re aware of what threats and exploits, we’re aware of what our sister cities and counties are experiencing. But moreover, I think when you look at your bad actors the other side of the fence, well, guess what? They’re communicating quite well. And so if we’re not doing the same, if we’re not lock and step and we’re sharing information, then we’re already at a disadvantage. So I think part of cybersecurity and having a good security posture, communication is one of the utmost important goals that we can aspire. I can speak more on it, but I think David can probably speak better than I can to that point.

Ted Gruenloh: Yeah, go ahead and take a crack at that too, Dave, because I know you’ve been speaking recently to different organizations about this topic, so why do you think it’s important? Why do you think this is the message you want to deliver?

Dave Bentz: Yeah, I think I can bring to the table and really to the community at large the very principles of the Secret Service. How do we keep the presidents of the United States safe? And as you guys have all heard me speak before, it is about collaboration. It is about intel that, yeah, we have all the resources available in the U.S. Government to keep them safe. But at the end of the day, it’s the intel, it’s the information that we get ahead of time that we can disrupt these plots and these various assassination attempts that are truly in the works. The same is true in cybercrime. If we can get the intelligence ahead of time, if we can get some evaluation of what’s going on in the world against our municipalities and government agencies, we can better defend ourselves and prepare for the issues that are coming.

Ted Gruenloh: Yeah, makes sense. Cool. Okay, so I’m going to move from goals here, take a step down into strategy, kind of high level strategy. Scott already mentioned that municipalities do a really good job of collaborating in their industry. So strategically, Scott, what do you think is kind of the driving force? I’m also pointing to you because I’ve actually talked to you before about the topic of communication in your organization, gaining trust, building relationships, that sort of thing. So I’m sort of leading you down the path of where the strategies around this might start. But if you wanted to kind of talk maybe about strategies to be better at collaboration.

Gov Sector Best in Class for Cybersecurity Collaboration

Scott Joyce: Yeah, I mean, at the end of the day, and I know this sounds selfish, but the goal of all this is to make sure that what happened to you doesn’t happen to me. And when you’re looking externally and so many of us in local government have been in this business for so long, when you look at the strategies we’ve got, everything from the regional groups that we have, where all of us in the same general location will get together and talk versus the larger conferences that we have once a year where we all get together.

And I know this sounds redundant, but get together and talk because the networking aspect is so big. And once everybody that’s involved realizes that the flow of communication is so much better. And I know you mentioned before that the public sector seems to be so much better than the private sector at this. And I would say that we probably are. But if you’re on the inside looking in, I know that sounds weird, but on the inside looking in, I would say that we still have so much further to go to get to that flow of information looking on the inside, inside our own organizations.

And you’re right, we talked about that several months ago, building that trust. From my own perspective, I want to have those relationships with people inside of my organization where they feel very free to stop before they click, stop before they open any kind of an attachment, any kind of a link or whatever it might be, and call me, the IT department, a security team, whatever it might be, without any kind of fear of any kind of repercussions or any kind of negativity that may come along with that. And that is part of the culture of the organization that takes forever to build, especially if you’re on the other end of the spectrum.

But those relationships, once they’re established, are absolutely worth whatever effort you had to put in there to make it happen. So I think that starting internally with the department directors and with city leadership and getting everybody on board with building those relationships and establishing that trust where the communication flows, it’s just natural is the way to get started with something like that, that’s great.

Ted Gruenloh: So, yeah, trust and transparency within the organization is a great theme, I think, here for the strategy around it. I’ve got a quick story there as well, but I want to throw it to Chris and see Scott sort of covered the internal organization piece. Can you talk to sort of the trust and transparency externally, like you talking to other municipalities? And obviously you can’t talk sensitive information, but if there’s any sort of examples you might be able to give, or something around trust and transparency across, you.

Chris Lee: Scott hit on some major points that I think we know collectively with respect to some of the resources in our TAG ITM group and things of that nature. But I’ll give you an example and I think when Scott’s talking about we still have so much room to grow, I do think it’s more external, quite frankly, than internal. And why is that?

So we had, I want to say it was back in 2019, David, I believe, or it might have been 2018, but we had several municipalities all get hit with ransomware here in Texas. And what we found is that it was from the same managed service provider. And unfortunately, a lot of that information was not being distributed among end users. Had it been, I think there would have at least some of the concern might have been not as heightened, if you will. Again, the more you know, but why hush hush, right? You ask yourself, why wouldn’t you collaborate? I think there’s different reasons, but two of which I believe that one, I think is from an insurance perspective, I think that depending on how you are at fault, could actually depict whether that insurance kicks in.

So some people might be hush hush because they want to make sure they understand what happened, so they don’t necessarily present their agency in not the best light. And then you also have scenarios where, hey, this is a legal issue at this point. And so now I can’t necessarily say everything that I might want to say. So there are some external factors that contribute to making this more challenging than one would think it should be. Now, I would suggest there are things at the state and legislative level that are transpiring to help that. One thing particular, this year there’s a new Senate bill, Senate Bill 271, that requires all state agencies or government agencies in the state of Texas. You’ve got 48 hours in which to submit any type of cybersecurity discovery of an exploit that you’ve encountered and that’s submit to the state.

Ted Gruenloh: Who are you submitting that information to? You don’t have to make a public announcement in 48 hours, right?

Chris Lee: Yeah, that is correct. It is DIR, which is a state run organization, and then I believe it is within ten days of remediation, you’ve got to come back and report what’s going on. But again, this is as of October, this is new law that has been put in place, I think, to help expedite some of these communication gaps, if you will.

Transparency and Trust in Communications

Ted Gruenloh: Sure. Okay. Yeah. And that actually ties two of those things into the little anecdote I was going to say, which is I was at a conference earlier this year where a CIO of a local municipality basically walked through the post mortem of a ransomware incident that he had had to walk through. He was very humbled by it, and he was very thorough and transparent in his description of it. And two things he mentioned that you guys mentioned already right out of the gate. First, call cyber insurance, and then they lead from there.

So you’re right, your hands may be tied in terms of who you talk to, what resources you use, even depending on the resources you already have in. Chris, you’re right, and that was an interesting point that I had never considered until I really heard him speak on it. But the second point I was going to bring up about that discussion was we talk about the trust and the relationships and the transparency. He made a really interesting point because we were talking in another presentation. We were both in the room at the same time again, about how you build trust and relationships and those sorts of things within your organization.

And he said something you don’t think about until it happens is if you don’t have that trust, you guys have talked about learning from other people and all that sort of thing, but if you don’t build those relationships when something happens like that, if you have that trust in relationships, you can cash in your chips. That’s the phrase he used. You can cash in those trust chips. And they’re incredibly valuable in that moment because if you haven’t built out those relationships, you’re not going to get the answers you need. You’re not going to get any of the stuff you need.

So anyway, I thought that was kind of a fascinating point. Also related to this collaboration. Okay, we’ve touched on a little bit, but I think we’ve sort of hit on the strategy, which is all around trust and transparency and building that out. And Chris mentioned there’s even legislation that’s sort of trying to drive that. And so now, tactics, you’ve mentioned already a couple of things. Scott, I’m going to turn back to you a little bit. And so we’ve mentioned TAG ITM a couple of times. That’s Texas Association of Government IT Managers.

That’s the big IT group in Texas. And then there’s another organization called the Texas Municipal League, which is all city managers and all the administration around. So Scott, I’m going to point to you a little bit and as we talk about tactics kind of on the ground, how would you actually improve collaboration? Can you talk about those organizations a little bit and maybe kind of what you all are doing on the ground there?

Scott Joyce: Yeah, absolutely. So just to kind of give a quick summary of the two that you mentioned: Texas Association of Government IT Managers is a statewide association of government IT professionals across the state of Texas. Whether it’s CIOs, IT directors, all the way down to entry level desktop technicians, all are welcome. On the TML side, that stands for Texas Municipal League. And that’s an organization also in Texas. It’s made up of mayors and council members and city management. And typically you’ll see those department directors also there.

So you kind of have to change your I don’t know, you kind of have to change your tactics a little bit depending on your audience, I guess, because when you go to the TAG ITM conference, you can talk tech and everybody’s going to know what you’re talking about. When we are in front of an audience at TML, it’s a little bit different because you have non-technical people and at that point you have to get out of the weeds a little bit. I don’t know, I would say stress the importance of getting out there. I know this sounds kind of strange, but we use TML a lot to market TAG ITM.

And while that might sound a little bit selfish, the reason that we do that is because we want even the smaller cities out there that may not have IT departments and they may not have IT professionals on staff can all come to this organization and join us and we can almost act as a second staff member. But at the same time, we’re communicating the importance of this to the leadership of all of these cities. I don’t want it to come across as training because it’s not training, but when we can get in front of council members and we can get in front of city managers and they hear us saying the same things that their own internal staff is saying, it lends a little bit more credence.

And I think it may not be that they’re not trustworthy and that they’re not believable, but if you have multiple people saying the same thing, maybe you get their attention to a level that you didn’t have it before. So maybe our hope is that they would go back to their home cities after these conferences and these events are over and say, okay, I know before maybe you talked to us about a cybersecurity training program and we didn’t give you a lot of attention. So let’s talk about that again and maybe open up some discussions, maybe some additional funding sources that they didn’t have.

Ted Gruenloh: And Chris, I might have, you know, if you’ve got any comments in addition to what Scott said, but definitely getting more leadership voices all speaking the same language, right, singing the same tune. So I don’t know. Chris, if you’ve got anything else.

Local Gov is Low Hanging Fruit for Bad Actors

Chris Lee: Absolutely. And Scott, you know, he summarized it really well, but when you’re talking about some of the difficulties, I think at times we all want to do the right thing, right? But at times we don’t know, what do we truly need, how do we position ourselves to have the best security posture? And I think when you look at organizational spend as it pertains to IT, sometimes it doesn’t equate to what the spend should be, right? And I would suggest that that communication that Scott’s talking about, a lot of that is even, in my estimation, more critical for smaller organizations that don’t have the money to invest in larger IT shops.

And what I’m getting at there is in local government, we’re low hanging fruit for bad actors. We have a wealth of information, and a lot of times we’re either understaffed or we’re underfunded for some security initiatives. And so if you’re one of those entities where you only have maybe an IT shop of two people, it is really even more. The requirement is really higher, in my opinion, for you to go out and look at some type of managed service like Managed Detection and Response or something like that, so you can have resources that are dedicated to your shop, I think, in the city management sphere, if you will.

If you’re not attuned to what that looks like and why that should be, signing a contract for $100-$200,000 for a third-party service might seem ludicrous. So I do think that it’s really up to all of us to communicate that, not just for the larger organizations, but especially for the smaller ones, because, again, we’re all into this together. And like I was telling you about with the MSP earlier, the fall of one entity can definitely result in bad news for the other. So I don’t know how clear that was. But I guess what I’m trying to convey is that the funding for cybersecurity is of utmost importance. So for us to be able to communicate that to decision makers and leaders, that’s really part of our mission.

Ted Gruenloh: Yeah, that’s really interesting. I think you brought up a couple of interesting points there, which is the size of the organization really makes a difference, and you all with your ability to collaborate with each other and communicate with each other, you can share sort of across the size of the, you know, a larger organization that has a little bit more sophisticated team might be able to sort of trickle down and give some good advice to smaller organizations. Smaller organizations can talk to each other about what’s important. I think that’s super critical. And Dave, so, yeah, you’ve been on the road a bit, and we talk about sort of the tactics here again and buy in, how you build trust, that sort of thing. Can you speak a little bit about, in your experience, the sort of on the ground tactics around how you make collaboration work? What’s a really effective message there?

Dave Bentz: Well, yeah, thanks for that hardball question.

Ted Gruenloh: Yes, right at you.

Dave Bentz: I just want to support everything that Chris and Scott said here. I 100% couldn’t agree more from my level which, to remove myself from the weeds, it’s more on the bigger picture of supporting what’s going on with municipalities especially, and what’s going on just across the board in the cyber world. How do you bring these people together? How do you get the information that they need to make themselves secure, number one? Number two, maybe number one is to get the budget, but you have to realize what you need to make yourself secure first. They need to know what’s going on.

I had a recent conversation with a municipality that keeps begging me, because what I do now in my retirement world is read a lot of intel. I stay abreast of, try to stay abreast of, most of what’s going on, the big issues in the country and in the world, and try to get that information out to you. Let’s take an example, Dallas just got hit with ransomware. Dallas County just got hit very recently in the last week with an issue.

The first question everybody wants to know is what happened? How did they get hit? What went wrong? Did they not have MFA turned on? The weeds of that, I think, is what you all need to know, and you need to know now. And are you going to get that information now for whatever reason? Chris, to your point, yeah, a lot of people don’t want to say, either it’s legal or the insurance company saying, don’t divulge that information, at least not at this time. When the After Action Report comes out in two years, it doesn’t matter what happened to them two years ago. Well, it really does. It does give us information, but you need to know that now. How can we get that information to you now? I recently spoke with a representative from CISA. Most of us know that Critical Infrastructure Security Agency, and I think we’re very much leading that way. I think it’s 2025, everyone is going to have to report their hacks and incidents to CISA.

My hope is that CISA will get that information extremely quickly and be able to scrub the county or the city or the company that had the problem and get that data out to us immediately because you need to know what happened and prepare yourself for that issue. So if anything, I think on the macro and micro level, it is that that’s going to help us react and respond quickly and keep ourselves secure.

We have to have that information now. Again, I boil back to the Secret Service days. We don’t want to find out that a plot to assassinate the president has gone unnoticed and unaddressed. That’s going to result in a catastrophic situation. We need to know that now. And fortunately, that does happen … mostly. We need the same thing to happen in the world of cybersecurity. We need that information now. I think that answered the question, Ted.

Ted Gruenloh: It does. You know, we’ve been involved with TAG ITM for a long time, and we really sort of marvel at the group’s ability to communicate with each other, just generally. But when something really does go down, you’re making a really good point of, and Chris already made the point, sometimes hands are tied. You can’t say anything. And just how do we get over that hump? And how do we get to a point where everybody, right, vendors included, because you guys are great about including vendors in TAG ITM. Like, how do we communicate things in a way that doesn’t compromise security or privacy or any of those sorts of things?

There’s got to be an answer to that question, and we need to get better at it. Okay. I think we wanted to kind of hit the strong points really quick and get to them. I think we did a good job of that. Thank you guys for your input. Do you guys have anything else? You kind of sitting there like, chomping at the bit to make another point after Dave’s salient point there.

Scott Joyce: I have one more thing I’d like to throw out there, if it’s okay. Ted.

Ted Gruenloh: Yeah, go right ahead.

If You Have a Dollar to Your Name, You are a Target

Scott Joyce: You don’t know how many times or maybe you do … I don’t know how many times I have heard from a smaller city’s perspective, oh, this is never going to happen to us, because these guys are only after big cities, right. And as a result of that, they put zero effort into it. And I wish I could stand up at a podium somewhere in front of every city manager in the world and say, if you have a dollar to your name, you are a target, period. At the end of the day, this is about money in 90% of the situations, I think, and whether you are a city of 2000 or a city of 2 million, you are a target.

Ted Gruenloh: Well, speaking of target, Target is a great example from a decade ago when they were hacked through a supply chain attack through their HVAC vendor. Right. So I think a municipality is the same way, a small city that maybe even doesn’t even have an IT staff. They don’t think they’re a target, but they communicate with the counties that they’re a part of, you know, their systems are connected. So if you want to think of it almost like a supply chain sort of situation there, you’re right. You absolutely have to be aware of that. And I think Chris brought that point up earlier about talking to smaller organizations and hopefully through groups like TAG ITM, we can create some leverage there and get that message out to.

Chris Lee: I want to go back to something that David was speaking of earlier. And at the end of the day, it’s your responsibility as leaders within your organization to have your thumb on the situational intelligence, if you will. You need to know yourself. You need to know what are your critical assets. You need to be able to classify and know where all these things are. But in turn, you also need to know your enemy because this is like a war, if you will.

And so I think in any type of situation, you want to gather as many facts and information as possible. And a lot of that is through this communication sharing that we’re talking about. And so when David’s talking about rapid detection, rapid information coming out, that’s what helps us speed up our OODA loop, if you will. And I think that the more of that that we can share collectively, the stronger we’re going to be as a government organization.

Ted Gruenloh: Yeah. Great stuff, guys. Yeah. So I think I’m going to throw this out there. I’m going to surprise them with this, but if you’re listening to this and you’re interested in reaching out to any of these people, go ahead and just drop us a line. We’re at nomicnetworks.com. You can email me if you want. tedg[@]nomicnetworks.com. Yes, I just threw my email out there to the world and I can get you in touch with these guys if you have any questions whatsoever. Any other final thoughts, guys, or are we good? All right, great. Thanks a lot for your time, guys. Love the information and hopefully we’ll talk to everybody soon. Thank you so much.

We hope you enjoyed this unique perspective on cybersecurity collaboration in local government. For more information on how some of our clients prioritize their budget decisions and use various tools across their networks, check out our monthly podcast. We share honest, objective takes from real people fighting bad actors on the front lines.