Hi all,
Well, candidly, here’s a blog I hate to have to write, but I appreciate the show of support from the cybersecurity community; in all the social media posts/Twitter/etc., any negative comment was outweighed 20:1 by comments noting my actions didn’t sound wrong at all. On a very difficult day I just want to say I love you all and appreciate the kindness and trust. I struggled with the decision to say anything because I didn’t want to amplify the article, but enough people have asked for my point of view that I feel I owe it. I often joke that no one has ever had to wonder about my opinion. I am perfectly fine with anyone thinking anything they want about me – except for challenging my integrity. I appreciate your time in reading this article.
For those that missed it, here’s the Bloomberg article in question.
The article notes I was called into the White House to provide ICS cybersecurity insights. The article states that I used those interactions to position specific technology requirements that benefited my firm Dragos. As many on social media noted, the requirements of “high-fidelity sensor-based continuous network cybersecurity monitoring” and anonymizing of data that is shared between participants are not Dragos technology specific and are exactly what is required to gain visibility into the critical parts of our critical infrastructure to detect threats.
However, what I found misleading (not intentionally so; even though I didn’t agree with the basis of the article, Jack, the journalist, was extremely professional throughout, had numerous calls with me to hear me out, and included many of my quotes in the article) is that I never actually did what was alleged.
I did not use those meetings and interactions to position any technology requirements. What I told Anne was that I would support her and her staff fully and provide general ICS cybersecurity advice. That’s what I did. When the conversations started there were rumblings in Congress post-SolarWinds that the country needed to significantly enhance regulation on the sectors, to include the electric sector. I used my meetings to note that industrial asset owners and operators sincerely listen to the government when they talk, and the problem is they often get very conflicting guidance from different government agencies. That the electric sector is already heavily regulated. That industry groups supported by DHS and DOE like the ESCC already exist. And that if there was any work to be done, it should be done in a way that doesn’t reinvent the wheel, speaks with one voice of the government to the community, and uses existing government-sponsored bodies like the ESCC. The White House personnel I talked to agreed and were very focused on national security and protecting people.
I did offer to help contribute to any plan the White House wanted to author, as I am deeply committed to the national security of our infrastructure. But I noted that if I was seen as being involved, no matter how good the recommendations were, it’d create distracting noise from good efforts (which ended up happening), and therefore, if I was involved, let’s not put my name on it. But the White House turned down the offer after discussions with ethics professionals, as the optics could be bad, which I agreed with. I was never involved in authoring or editing the 100 day action plan or any other government document/plan. Nor did I get to see it until after it was published.
What the article conflates is that there was an independent contractor, not a government representative and not employed by the government, who later authored a whitepaper offering recommendations for ICS cybersecurity to submit to the government for consideration in their future efforts. This whitepaper was floated around to dozens of industry experts for comments. At one point there were Dragos’ Neighborhood Keeper-specific requirements in there. The edits that I made that the Bloomberg article mentions were to edit those out and instead offer solution-agnostic suggestions, one of which was the high-fidelity sensors, which every single competitor in this space complies with. There would be nothing wrong with me advocating to another private citizen for our technology as the CEO of the firm, but I didn’t want that because I want the community to have options and choose what they want. I’ve always believed we’ll win on our own merits. The solution-agnostic terms I used were directly from the Cyber Solarium Commission (a Senate appointed commission) and public comments and requirements from the Department of Energy. In essence, all I did was join numerous industry experts on a whitepaper that informed the government of existing government requirements and language. Some of the whitepaper’s content made it into the 100 day action plan, but I had no insight into that, and many of my comments (like making it easier to get security clearances across the sector, with incentives for the private sector to participate) did not.
The article further points out that Dragos’ technology mirrors the language I used. That’s actually true. But the important context that I think is missing is that the language originated from the DOE, was made public, and then I added it into the datasheet of Neighborhood Keeper. Why would I do that? Because, and this is also not stated in the article, Neighborhood Keeper was developed jointly with the DOE. Years ago the DOE opened up bids publicly and competitively, asking firms to create technology that was needed but didn’t exist against the DOE roadmap for cybersecurity for the electricity sector. Dragos won one of the grants and developed Neighborhood Keeper. Of course a joint-DOE technology should use and meet DOE requirements – that’s the entire point of the grant program.
Also, I want to thank Jack, the journalist, and his editor. I made it clear throughout our conversations that I never provided requirements to the White House. Though I didn’t love that the story got published anyway – post-publication Jack continued to take my phone calls, offered to put me in touch with his editor, and after hours of explaining all that happened on a Friday night they agreed to add a clarification to the article confirming that I did not provide requirements to the White House:
Jack treated me professionally throughout the process, and I hold no grudge that he published a story based on complaints from our competitors; that’s not an easy position to be in for a journalist.
So in short:
- Anne bringing me in was for general ICS cybersecurity advice, not anything technology specific
- I edited an industry whitepaper to remove Dragos-specific positioning and make it solution agnostic, using existing government requirements
- The government ended up reading the whitepaper, and the government adopted some of the government’s existing requirements
I did not have insight into the ESCC evaluation, but I know that the electric industry showed amazing leadership in evaluating over 18 technologies quickly with a rising Russian cyber threat, and *some* of them endorsed and used Neighborhood Keeper. Many others used competitor technologies instead. And over a year later, the only technology that is up and running, actively sharing insights across the electric sector in real time to enhance our critical infrastructure, is Neighborhood Keeper. So before the ESCC is critiqued, I think it’s fair to say they made a fair choice in an effort to enhance national security voluntarily and at their own cost. And now – they and the government are working to help the other vendors create solution-agnostic sharing programs, which makes the marketplace more competitive and advances the state of the industry.
I’m proud of what happened, I deny that I operated unethically, and I am forever grateful that our electric community is always willing to rise to the occasion to provide safe, affordable, and reliable electric power to our communities even in the face of strategic and well-funded state adversaries.
Thank you for hearing my side of the story and I wish you all the best.