From YouTube: Technology Advisory Commission Meeting - May 26, 2021
C
How did you choose meetings over Zoom, Jack?
B
Teams over Zoom, Microsoft, they just, they just, they, that David can talk to, David. We, we saw some real opportunities. In fact, I was telling Mary just now before we get on, they, they're taking it to the next level. They, they, they call it the hybrid paradox, that people want to come back to work. A lot of people don't want to come back to work. So how do you integrate people, processes and places in an integrated fashion? So then the, the head of Microsoft is really a sharp shop guy.
B
He, he's laying a vision for the future of teleconferences. I think it's going to be something we all have to pay attention to, you know. So why do we come to them? I don't know, I mean you have a Zoom versus Microsoft, word: Microsoft, shops and Jamie. Do you have any? Why do we choose Teams over? I don't know.
D
D
That we did not like the Zoom piece whatsoever and still don't like the Zoom security piece of it, where Microsoft has taken a very different tact on the security of it, anywhere from sharing conversations that you have etc. So between the two of them, the future set and security.
A
Well, perfect segue into, it's a top of the hour, so security. Thank you, David, perfect segue. Frank Johnson, welcome. We have two Franks, so we're going to be very frank and so welcome. We're so glad to have you. Calling the meeting to order and before we start with our guest speaker and Jack will be, Jack, I'd love for you to introduce Frank. Is there any public comment?
A
Any public comment before we move into the next part of our agenda?
A
Hearing none, Jack, if you would do us the honors of ben Frank, we're welcome and we're so happy to have you here, go ahead.
B
Yeah right, Frank is a well-known ig executive. He described himself as a former battle chester, the ransomware surviving public sector rit executive, and I appreciate that, but he is so much more than that. That Frank and I enjoyed the experience, I think it was 2018 for December, Amazon as they were coming into town want to do a fireside chat, and so they invited Frank and myself, Frank from Baltimore and myself, and I was honored to be there with Frank. I mean his, his capabilities.
B
Knowledge is fast past mind in terms of the experience and work he's done, and Frank and I talk on a variety of subjects in terms of, there must be a couple hundred people there, talking about what the future may hold, and by, by just fortune, five six months later, there's this ransomware attack in Baltimore and Frank had to weather that. Could that have happened here in Arlington? Most certainly it could have. Why it didn't, frankly, you luck from my side of it. Could it happen again?
B
You bet it could, and I thought it would be. I heard Frank speak at a National Association of Counties discussion and I thought he was so eloquent and what he was able to talk about and what happened. I, his lessons learned from that event.
B
His guidance counsel, I really believe essential for every, every public servant to hear and every citizen they're here, because I think it has so much portent. Franco's technical degrees from Johns Hopkins in the University of Toledo, spent many years in the private sector before coming to the city of Baltimore. So with that I'll turn it over to Frank and, and Frank, if you could take it from there, I'd appreciate it. Thank you, sir.
E
A
I think someone are saying there's some lots of echo. So if we can all mute when we come in.
B
C
E
By the way, okay I'll go, I'll go. So I do have some prepared remarks, but I would just like 30 seconds if you'll afford me just a little bit of, you know, table setting.
E
First and foremost, what we're going to talk about today is about cyber security with it, with a focus on, you know, lowering your vulnerability, the things that local government to look for, and you know, part of, you know, what we're going to talk about today is, you know, the people parts of cyber security. You know, I will absolutely put forth that, you know, most cyber security incidents are precipitated by mistakes made in configuration by humans and, of course, cyber criminals, for the most part, are also people.
E
So there's a big people component to, to cyber security conundrum that we're all facing, and one of the things that you have going for you that, you know, out of the gate, lowers your vulnerability is leadership. You know we're going to talk a little bit about leadership today in their role and not just your IT leadership, but the leadership of the county or whatever organization you happen to be part of.
E
E
He didn't ask me to ask all of you for more IT budget. You know, although please give the man more IT, but I'm just kidding. Yes, we didn't, we didn't do any of that beforehand. I will tell you that you, out of the gate, your vulnerability is probably a little bit lower than municipalities your size. Why? Because of Jack Belcher he is with. You may not know this.
E
Maybe you already know, he is one of the most well respected, well-liked and, you know, best all-around public sector IT leaders and that's just not my opinion. That's well recognized amongst his peer group. You know, actively sought out for insight, guidance and counsel on a myriad of public sector IT leadership capabilities and you're all very, very, very lucky and fortunate to have him. Hey gang, so I've got some prepared remarks.
E
You know, to talk about in general, the incident in the event and share with you some lessons learned. I love this to be interactive as possible. I, I believe that, you know, Mary, Jack, if I can't visually or see somebody raising their hand or wanting to ask a question, if somebody could please help me pay attention to digital hands being raised, I'd be forever grateful.
E
A couple of quick caveats, gang. You know there, there still is an active ongoing investigation, so I am somewhat limited, as you could imagine, and going into too much depth as to exactly what happened. And again, the second caveat is obviously I'm no longer an employee of the city.
E
I generally see, you know, the same highly vulnerable environments across many municipalities, because most local governments are in the same situation. Okay, fair enough, and if there is something that somebody would like to go deeper on a topic or a subject, you know I'd be happy to follow up at any time offline. Jack and others who are here on the phone who helped host and get me here have my contact information.
E
Feeling here the head's nodding: okay. Hey gang, first and foremost, I could start off by sharing, you know, a story and I'm gonna cut it up into three parts. You know, quickly just cover what, what was the background of the environment at the time. You know, what was the response effort, what did that look like, and spend, you know, a little bit of time on, you know, lessons learned and insights based on that experience and again experience with others.
E
E
I've talked to and work with. First and foremost, right, of a woefully outdated IT capability and due to decades of neglect and under investment. By the way that is not unique to my previous employer, you know, there's a lot of competing priorities within any municipality and carving up the annual budget to feed most of the priority programs, public safety, economic development, education, all of those major mission-driven priorities.
E
You know and again in most cases on under resourced, unless you're lucky enough to be one of, probably one of the big mega cities that maybe have enough resources, resulting in a very, very highly vulnerable and fragmented environment.
E
You know, when an IT organization is leaderless and without the will of the leadership on top, you know, there's, there's multiple IT fiefdoms kind of competing or doing their own IT stuff. You know, studies will show that highly fragmented environments are highly vulnerable. So lesson one again, you know, thing commodity IT services are better served centrally.
E
You know, one throat, you know, networking, email, file and print. Each one of the operational agencies or divisions absolutely should participate in, you know, in the IT continuum, their focus should be on their applications and their data.
E
You know, but it, the more people who are mucking around in your networking and your cyber security and providing core services, the more highly, the more vulnerable you would be. I was hired in the middle of 2017, you know, to have the opportunity to help digitally transform the city. Today it was a wonderful opportunity, amazing experience. Even with the ransomware event, I wouldn't have traded it for anything. In late winter of 2019, about a year after Atlanta was crippled with a ransomware attack.
E
You know the city was in the news. Now, for any of you have ever visited at a state-of-the-art cyber security center, a lot of people say, well gee, why are there's all these big TV screens around a cyber security operations center and why are one of them, one running the weather and or the news? And the reason is that cyber criminals can't help themselves.
E
Hackers demanded payment, about 76 thousand dollars. We're going to come back and talk about that in a minute, put kind of one of those myths to bed. And after that, if you were following the story, you know there was a resulting spike in U.S. state and local government cyber attacks, very visible one in Florida, and most people remember that coordinated attack of 23 municipalities in western Texas that followed in the months after and there in the resulting months.
E
E
What was our response? By the way it looks like some people have joined since I started. My name is Frank Johnson, because you know, ransomware surviving recovering IT leader from Baltimore City, kind of talking about the events and lessons learned and the response. Please feel free to jump in and ask any questions, raise your hand at any time.
E
What was our response? You know the network was taken offline immediately, authorities were contacted, you know, leadership was briefed, city operational agencies immediately and quickly and swiftly switched to manual mode. You know our phones continued to operate, they weren't impacted, but the city switched to manual mode to continue to provide services to the citizen.
E
E
They were great partners in that. We quickly assembled an expert incident response team in pretty much record time. You know we started the effort of quarantining the ransomware, gathering evidence, handing it over to authorities and then began the process of remediating any damage that had been done and then started down the path to restoring digital services.
E
Services were restored in roughly about three months. It was about half the time it took Atlanta to get services restored. It wasn't because we were any better than the city of Atlanta, but it was a year later. Because this is happening at such an alarming rate, you know we had access to much more capability and expertise, best practices in order to quarantine, remediate and recover that might not have been available to them, and then again, this is something else we'll touch on in the lessons learned.
E
E
Thank you. Thank you, Mary. I appreciate it. Okay, gang, first and foremost, insights, lessons learned. You know, cyber security is a people issue, first and foremost, starting with leadership. Getting back to highly vulnerable organizations, you know, from what I've seen and experienced myself, if two things matter to the leadership, then typically your vulnerability is lower. The first thing is business continuity or emergency management or COOP, continuity of operations planning.
E
You know a lot of local governments do COOP planning and they do it very well. There's a snow emergency, we can't get downtown, how do we continue to provide services? They do that very well. Not every one of these continuity operations plan factor in what happens if I lose some part or all of my digital capability. Is that represented in my business continuity planning?
E
E
E
You know from a top down perspective, investments in cyber should be a natural fallout of that. What happens in most municipalities today, if there's a void there, if you're lucky enough to have a cyber security team, they're left to their own devices, having to beg, borrow and steal, appeal for more, you know. As a result, an organization is likely more vulnerable than they should be. So I'm a certified leadership instructor, pat, I'm passionate about leadership. I'm a big believer in the buck stops here there.
E
If it matters to leadership, it matters to the organization: emergency planning, risk management. If those two things are there and matter to leadership, that organization that they serve is likely less vulnerable than those that aren't. Unfortunately, in most of the local governments I work with, with all of the other competing priorities that local government leaders are faced with.
E
E
E
You know, key lesson number two: are cyber audits part of the audit department's priority? Do they do them at all? Because there needs to be some reinforcing mechanism. Just like financial audits and operational audits, there needs to be cyber audits. Why? To continue to reinforce the cyber policies. It's one of your best defenses, to make sure that your cyber policy is absolutely a living document.
E
Next, last, next up, you know we're kind of past that point with, in the cyber security industry, of that old cliche: it's not a matter of if, but when. You know it's absolutely going to happen, there's no way you can stop it. There's no such thing as perfect security. There's no such thing as zero vulnerability.
E
So you need to be as prepared as possible for the inevitable, so incident response planning has got to be a priority. Everything, you know, who's the team? When do they get called in? Who gets briefed? You know, what is the communication plan? Do we have a experts that can help us manage the message, you know, as we're talking to constituents, to leaders?
E
You know the, an incident response plan well thought out ahead of time and just like the incident response, I'm sorry, the cyber policy I just talked about, is it's one thing to have an incident response plan. It's another thing to practice it, so the, in the other emergency, it's almost like muscle memory. Everybody knows what to do, coolly and calmly.
E
Very few organizations have an incident response plan, and those who have them, very few of those actually practice them. In other words, let's have a drill and then continue to improve it. So I strongly encourage you to make incident response a priority, incident response planning and incident response drilling.
E
E
Oh, they only asked for seventy thousand dollars. Isn't that cheaper than going through the pain and agony of doing the remediation, quarantine, remediation and recovery? I can tell you from personal experience and people that understand this industry, unequivocally, paying the ransom does not. Let me say that again, paying.
E
In case that was a question about you, I'd be happy to discuss and debate that. Last but not least, you know in the event of an incident you're really going to want to know who your partners are and who's going to come to your aid.
E
E
There are certain things that you want to outsource or hire in as expertise when you need it. Hopefully you'll never need it, but having an incident response team on retainer at the ready in the event of an emergency, that, if you have such an arrangement, you want to get to know them ahead of time and it's a very, very, very stressful situation that you're in, you know, a lot of stress in having relationships.
E
Choreographing, drilling an incident response or a post incident, getting to know the people you're going to be working with in that stressful situation will just help that all of that goes as smoothly as possible. Anyway gang, that was, you know, that, that's my story and I'm sticking to it.
E
A
E
C
Well, I'm a self-applied long, long career in the telecom industry.
C
I'll just read what I wrote: did you have a principal vendor for cyber security software?
E
Yeah, so this is interesting, Phil. The answer is yes, but probably in hindsight, and this is, this is typical of organizations that are left to their own devices just trying to do the best they can to protect the perimeter. Okay, and by the way my heart goes out to them, right, hard-working men and women. Typically, what happens is you wind up with a mishmash of too many things, and maybe you're not completely committed to deploying, you know, a handful of them?
E
So I've see, I've talked to a number of CISOs across the country and there's a number of them that are going through this kind of less is more: hey, why don't we like trim the number of cyber tools that we use and fully commit to them? What happens, better cyber security experience, is another example of addition by subtraction.
E
By the way you heard the comments earlier when I joined in. You know, I absolutely agree with David's comments about Teams versus Zoom, by the way loves them, like all tech companies, but in an organization that's committed to the Microsoft stack, tightly integrated in with Microsoft Office, there are some inherent security capabilities you get by adopting Teams over something else, because you've already got a sunk cost investment in Office.
E
So, so, instead of adding yet another tool, you know, double down on the one that you're probably already paying for as part of your Office license, that kind of thing. So no, there was, there's never one, just one tool, Phil. You know you need a, a monitoring capability. You need endpoint protection capability.
E
A
G
Yes, yes, absolutely. So hi, my name is Joshua Pera. I am professionally a White House Presidential Innovation Fellow, I'm.
G
The Department of Veterans Affairs. I live in Arlington, I think a lot about technology and civil rights, but first and foremost I am a software developer with background in open source technology, JavaScript, Ruby, Python, the LAMP stack, you name it, and you brought up the, the Microsoft stack, and this is one thing that continues to vex me is, given the prevalence of vulnerabilities and, and attacks that specifically target the Microsoft platform, do you think there's a particular reason?
G
E
Absolute huge fan of Linux, but now we could talk, we could unpack. By the way pleasure to meet you. Thank you very much for the question. I love the resume, sounds like you can have a fantastic career ahead of you. I actually know a couple of employers that might like to talk to you, if you want to send me a resume, if you're looking for a new job. Guys, I could unpack this a lot. Okay, I'm a huge fan of open source, I'm a big fan of Linux.
E
You know, less vulnerability once the bad guys get in and start moving around inside of your environment. However, now, let's, let's, let, let's talk about the harsh reality. You know most local government IT shops are absolutely strapped.
E
E
E
So I, I, again we can unpack that for a very, very long time, yeah. I think that the, the practical reality of budgets and resources drive local government customers to commercial off the shelf and try to leverage as much as they can out of what they can, what they get in a license. Now, what do I mean by that?
E
E
You have to be very, very smart about the resources that you're afforded and, like I said, I'm, I'm absolutely with the sentiment, big fan of open source. If I had a large IT shop in an unlimited budget, I'd be doing a lot of role on my own code, a lot more on alternative operating systems, but again the practical reality of the resources at hand for most public sector IT shops kind of force you in a certain direction, out of necessity.
A
Mike, you have a question? Thanks, thanks Josh, thanks, Frank. Mike, you have a question. You want to introduce yourself?
B
I
Mike, sure, hey there, thanks for coming to join us and help us out. I'm a retired CIO from the federal government. I have my own war stories about cyber, but none that matches yours. So you have my complete sympathy.
I
My question, which I put in the chat room, is during a tenure in Baltimore seo, did you have control over connection of all devices to your citywide data network environment and control over pre-launching security testing of application systems, and then is it possible for Jack here in Arlington to control risk without such authorities and controls?
E
Okay, you know the answer is no. The organization that we inherited was federated and still in some ways is, and by the way, I, I completely understand this. If you're, if you're the head of a department or a division, you know you're an executive, you have a responsibility to understand how to run that business or that mission, and what comes part of that is, I'll call, like the four big horizontal support groups: finance, HR, IT and legal. Okay, and depending on how your organization, sometimes HR is federated.
E
In other words, all departments have their nhr. Sometimes it's centralized. Sometimes finance, all the CFOs and departments report to the department of finance. Sometimes it's federated. You know, in my humble opinion, based on current thinking in the last 20 years, the more centralized those core services are, the better the consistency of HR, finance, IT and legal across those operating entities.
E
E
However, you know the trend has been for a long time for commodity services, networking, cyber, mail, file, print, those things are much better off centrally managed. The departments absolutely should be an active participant in the IT continuum, focus higher up on the stack, the application and data. That's where they should focus.
E
Should they be worrying about, you know, password, login ID, authorization? No. Why? And again studies will show that the more centrally managed that capability is, the lower your vulnerability is. In my, again, it's not just my opinion, I think that's, that's well recognized. So highly fragmented, especially at the commodity services level, your organization is, the more vulnerable you are. Now we'll tell you a story, because it's a matter of public record. After we were ransomware attacked, you know the city cyber security officer, the CISO, reported to me.
E
E
E
There's a central office of IT at the state level. However, that state centralized IT department does not serve all the departments in the state. There are other IT shops. The state CISO reported to that state CIO, who was responsible for the cyber security policy. In the weeks following the Baltimore City ransomware attack, Governor Hogan put out a prop, a campaign, I think that's the right technical term, wrote a memo to all state employees.
E
E
E
A
Frank, thank you. Our, one of our board members, Tacus Caratonis, has, has joined us and so I'll, I was going to ask this question anyway, but now that you're here talks even better, was wondering before the attack, how much the decision makers you talked about in terms of the leadership of, of the city had run through, and you had a great term in terms of muscle memory, right, how much they had run through the.
E
So Mary, this is, I, I'm, I'm surprised it took this long to ask, because I always get asked a question when we have these talks, you know, what would you have done different? Well, your great auntie would always tell you what, hindsight is 20/20. Yeah, of course I would have ran right over to patient zero. By the way, for those that don't know, patient zero was commonly referred to as the point of entry, where the bad guys get in. I would have run right over to patient zero and disconnected from the network.
E
What do you think I would have done? By the way, I'm, okay I'll stop being a smart aleck now and answer your question. One of those things that you, I don't think you can be prepared enough for an emergency or an incident like this. So, yes, the city took very seriously emergency management and response. There was an office dedicated to it. You know, city-wide initiative to update con COOP planning, what you guys call them continuity of operation plan, businesses call them corporate business continuity plan.
E
You know, what happens when I lose some part of all of my capability, people, process or technology. You know, and is that a part of their charge? The answer is absolutely yes, you know, and by the way we got very, very high marks. The, the U.S. federal government's leading cyber security agency, CISA, wonderful partners, great agency.
E
They need more too and they're getting more based on what I've been reading and following in the news. They came in and wrote an after-action report, lessons learned. You know they gave us incredibly high marks for our, our response. You know, but you know, things like communication, right, part of your incident response plan, could have done a better job communicating, even though we did the best, you know, the best effort at the time. So yeah, you know, even practicing something like, you know, what is the well-synthesized question and answers?
E
You know, what, who's responsible for calling who? I'm talking about the communication plan within your incident response plan. Yeah, absolutely there, you know, could have done a little bit better there. You know it's one of those things that I don't think that you can be, you can practice enough, but to answer your specific question: did my former employer take emergency planning, emergency management seriously?
A
Yeah I was, I was more focusing on what kind of conversation the senior leadership had separate from your IT folks in terms of how they would respond. Would they pay the ransom, not pay the ransom? Would they, you know, those kinds of decisions that, you know, as you might guess, in tacos and I've had this conversation, I'm trying to get our board to do some of those tabletop exercises, because, even though you're may never be prepared, developing that muscle memory helps. So that, that was what I wanted confirmation on or, or not from you considering.
E
A
Thanks so much. Any, any other questions for Frank?
B
B
Frank, you, you, like us, rely on some significant partners, you know, Amazon, who invited us to that fireside chat, AWS, Microsoft, Cisco. How supportive and responsive were they when the event took place to getting their on-site support to remediate the problem?
E
I, you know it was, it's a great question. So this is part of your response sponsored plan, identifying the team that will come and then help post-incident or immediately thereafter. You know, there's going to be three major categories of it. One is your own team, you know, they'll be active participants in the process, but they'll need help. Bucket number two is your primary tech partners, that they'll be bits and pieces of them, and I'm going to answer your question in a second. The third part is, I'll call them the firefighters.
E
You know, you're gonna want some, yeah, forensics engineers that do this for a living. I, I would strongly urge you not to consider keeping these people on staff. It's like, you know, by the way, there's a, the metaphor here is firefighting. You know the fire department's down the street. You wouldn't hire your own fire department to help put out a fire once every 10 or 20 years, or maybe never. You probably wouldn't want to have a fully staffed set of forensics engineers. You want to bring them in for a couple of reasons.
E
One is if you hire them and put them in the corner to use when as needed, you know their, their capability will atrophy. You know these people are constantly deployed. So when you hire somebody in that's an incident forensics team, you're getting, you know, the best and latest and greatest practices, they're up on everything. So those are the three buckets.
E
All of those things should be choreographed ahead of time, time to the person from each one of these three categories: post incident, depending on the severity, who's responsible for doing what. Everybody has a role to play. I'm getting back to the tech partners. This is the one, Jack, you and I have talked about this. I strongly recommend that you, you kind of commit to some kind of SLA buff ahead of time. Hey gang.
E
You know, we've invested in you as our lead tech partner, greatly, the Microsofts, the Ciscos, the Amazons, whatever. In the event of an incident, who exactly should show up and when are they going to show up? And what are you committed to in order to help us get back online? That should all be done ahead of time.
E
Now again in my personal experience, Jack, my milo, but your mileage, berries, they're all, they all care, they're all compassionate. However they're all somewhat risk averse too. You know they walk in that fine line. Oh my gosh, one of my customers was just ransomware attacked. Oh my, you know, you know, and then lawyers get involved because corporate policy and image, they don't want to be associated with it.
C
E
You know, I, boy, this is, I need therapy. You know that, by the way, when Mike and I have a glass of wine, Phil, we'll invite you. You know I, I, it's, I've often argued anybody that wants to be a, a CSO, cyber information security officer, right, the highest rankings, if you're in cyber security and you want to be an executive and continue to grow in your career, that pinnacle is something we all call a CSO, CISO.
E
I absolutely believe, based on my experience and what I've, what I've come across in my conversations, that a PhD in psychology is probably more valuable than the PhD in cyber if you want to be a CSO, because you're dealing with people, you know, and expectations and you're trying to convince people to stop doing one thing in another, is dealing with people. Now getting back to your question. You know this, this kind of been a sea change 10 years ago.
E
E
In time where it was popular to victimize the victim. Wait a minute, have we forgotten about the fact that somebody willingly and knowingly broke the law and broke into our environment? If somebody breaks into your neighbor's house, do you blame your neighbor? Of course not, but for some reason that was pretty darn popular in the cyber security industry.
E
You know it's like, oh okay, right, that, that kind of attitude towards individuals who are left to their own devices to protect the perimeter, woefully outgunned by the global cyber trade, right, is starting to change, and what gets lost in this is the fact that there are criminals breaking the law and what, you know, what is the, what, and by the way, and most of it unfortunately seems to happen on, from the other side of the globe. It's a perfect scenario, nation-state enemies of the United States of America attacking us in cyberspace.
E
We all know this and guess what, they don't have to get up in the middle of the night, because it's daytime over there, where we're all asleep. You know we get out of bed, have a coffee and start cyber attacking us. So I, that's an excellent question, and the fact that this all precipitates with someone knowingly and willfully breaking the law seems to be forgotten in all this, which just breaks my heart.
E
You know, their organization's environment breaks my heart and, and, and, and it is, in this feels like is on its way out of our industry and, and for good, for good reason, but not enough cyber criminals are being brought to justice, and I, I got a lot of friends in the FBI. It's, you know, their job in the international courts and stuff. I know it's a focus for them, but I'm sure that a few of these people going to jail would help curtail this. But that's.
E
A
J
Thanks Mary. Hi, John Burke, hi, program, program manager in the, in the federal space doing enterprise systems. I think one of the difficult things for decision makers is that they're usually not technical, right, and people who are managing budgets are generally not technical.
J
What
should
be
the
expectation
of
of
leadership
to
be
able
to
understand
what
their
risk
is,
so
that
they
can
resource
it
effectively,
because
there's
always
that
tension
between
you
know
gold
plating
versus
under
resourcing
and
and
how
should?
How
should
leaders
expect
how
to
be
presented?
That
information.
E
You
know
that's
again:
we
could
unpack
that
for
a
while,
too
I'll
go
back
to
the
comments
I
made
earlier
John
excellent
question.
You
know
I'm
a
firm
believer
in
that
this
all
starts
and
stops
with
leadership.
Take
the
cyber
criminals
off
for
a
second
who
is
mostly
responsible
for
lowering
an
organization's
vulnerability,
it's
leadership,
and
if
leadership
cares
about
things
like
you
know,
the
business
continuity
planning
we
talked
about
earlier
and
understanding
their
risk.
E
Then
I'll
argue
that
that
organization's
vulnerability
is
inherently
lower
than
somebody
who
doesn't
care
about
those
things.
So
then
the
question
becomes,
how
can
you
know
the
people
who
report
to
leadership
make
them
care?
That's
it's
tough!
It's
tough
duty!
How
do
you
present
arguments
for
why
risk
should
be
a
priority
and
then
therefore,
cyber
and
invest
investments
in
cyber
should
line
up
with
those
things?
E
If
there's
a
void
here,
the
leadership
to
just
some
reason
doesn't
isn't
interested
or
it's
not
a
priority,
managing
understanding
profiling
risk,
that's
tough
duty
and
and
why
a
lot
of
municipalities
are
more
vulnerable
than
they
should,
because
there
is
a
void
there,
and
I
understand
why
you
know:
there's
a
lot
of
competing
priorities
in
local
government
by
the
way,
if
I
didn't
say
so
at
the
beginning,
you
know
thank
you
all
for
what
you
do
working
in
public
service
to
try
and
help
you
know
give
back.
E
I
absolutely
applaud
you
for
what
you
do
and
thank
you
for
your
service.
It's
you
know
it's
woefully
underappreciated
and
unrecognized,
and
at
least
on
behalf
of
this
taxpayer.
Thank
you
very
much
for
all
that.
You
do
that's
that
that
is
the
million-dollar
question.
John
yeah,
and
again,
are
you
kidding
me
that
the
person
who's
responsible
for
setting
the
cyber
security
policy
is
usually
two
or
three
levels
removed
from
leadership?
E
A
A
E
K
Oh,
thank
you.
Thank
you.
We,
by
the
way
we
had
this
conversation
already
yesterday,
Jack,
probably
remember
that
we
began
to
approach
the
issue
of
resourcing
resourcing
the
you
know.
K
Believe
that
we
are
all
collectively
thinking
of
what
the
appropriate
structure
of
this,
I
I
see
that
this
is
about
policy
processes
and
resources,
probably
in
this,
in
this
order
right,
so
we
are
basically
in
the
policy
and
processes
part,
and
I
don't
believe
that
neither
me
nor
my
colleagues
have
any
problem
to
talk
about
resources.
E
K
The
problem
of
giving
more
budget
is
that
we
have
to
take
it
somewhere
else,
and
you
just
mention
that
right.
So
that
is
not
an
excuse.
It's
just
a
a
description
of
the
framework,
so.
E
At
the
beginning,
before
you
logged
on,
I
know
my
heart
goes
out
to
people
that
are
responsible
directly
for
the
competing
priorities
at
the
municipality
level.
I
understand
that
the
budget
giving
up
the
budget
is
excruciating
one
more
dollar
for
cyber
is
one
less
dollar
for
a
hot
lunch
for
an
underserved
youth
that
that
might
be
his
or
her
early
meal
of
the
day.
Excruciating
budget
decisions
to
make
at
the
local
government
level-
and
my
heart
goes
out
to
everybody
that
has
to
be
involved
in
that
it's
very,
very
difficult.
K
E
K
E
E
You
know
if
you
get
to
a
point
in
time
where
you'd
like
to
get
in
a
conference
room
and
have
a
white
board
and
really
talk
about
the
specifics
of
what
should
be
and
what
should
be
out
how
you
do
this
and
how
to
do
that.
Jack
knows
I
mean
I
I'll
make
myself
available.
I
don't
charge
for
this.
I
don't
make.
I
don't
profit
from
any
of
it.
A
Thank
you
Frank
and
we
and
takas
you
may
have
a
question
Claudia.
Do
you
want
to
introduce
yourself?
You
have
a
really
good
question
in
the
chat.
So
if
you
would
like
to
introduce
yourself.
L
Hi
and
I'm
I
guess
at
this
point-
the
head
of
technology
for
the
department
of
environmental
services
and
one
of
the
things
I
totally
agree
with
you
that
you
know
part
of
sort
of
the
monday
should
be
coming
from
leadership
and
they
should
be
leading
all
these
efforts.
But
I
also
believe
that
we
all
responsible
right
for
insurance.
L
So
what
kind
of
things
you
have
implemented
or
recommended
in
Baltimore
or
any
suggestions
you
have
for
staff?
You
know
sort
of
things
that
we
can
do
at
the
management
level
to
say
you
know,
help
us
mitigate
risk,
reduce
risk
by
doing
abc.
You
know,
I
don't
know
if
it's
training,
if
some
of
those
tabletop
exercises
that
you
recommend
for
leadership,
should
be
also
included
at
our
level.
E
Yeah,
so
awareness
is
huge.
In
fact,
a
lot
of
progressive
IT
departments
actually
say
dirty
word:
have
a
marketing
department?
Okay,
let's
call
it
communications
in
an
awareness
department.
You
know
you
have
a
responsibility
to
get
the
word
out,
press
the
flesh.
You
know
I'm
a
big
fan
of
soft
skills.
So
if
you're
a
cyber
security
professional,
you
know
I
can
teach
you
how
to
code.
But
are
you
a
good
communicator?
Are
you
a
good
collaborator?
Are
you
good
at
sharing
teaching
coaching
all
of
those
thoughts
they
matter
in
this
space?
E
So
training
and
awareness
is
huge.
You
know
again,
so,
yes,
you
can
do
you
can
absolutely
do
those
things
and
should
do
those
things.
In
my
humble
opinion,
people
show
up
at
classes.
If
they'll
you
get
a
little
bit
of
nudge
from
leadership
yeah.
If
it
matters
to
leadership,
people
will
pay
attention
to
the
awareness
campaign.
It
just
gets
better,
but
yet
awareness
is
absolutely
paramount.
E
90
plus
percent
of
all
cyber
security
incidents
are
precipitated
or
aided
by
human
error.
Click
clicking
the
wrong
thing,
bringing
the
wrong
thing
into
work
charging
my
you
know
charging
my
smartphone
plugging
into
a
critical
system
through
the
USB
port.
You
know
when
you
shouldn't,
have
I
mean
just
little
things
like
that
happen,
all
the
time,
awareness
and
then
to
reinforce.
We
talked
about
this
earlier.
E
It's
one
thing
to
have
a
cyber
security
policy.
It's
another
thing
to
put
teeth
into
it.
Do
you
guys
have
an
audit
department?
I
don't
know
how
many
I
got
when
I
was
when
I
was
in
in
in
my
last
job.
I
got
audited
on
everything
audited,
financial
audits,
operational
audits.
I
got
on
everything
except
for
cyber
security.
E
You
want
to
put
some
teeth
in
your
cyber
security
policy.
Each
one
of
the
operating
agencies
should
be
cyber
audited
from
time
to
time.
Along
with
all
the
other
audits,
your
audit
department
does
and
then
they
get
a
report
so
now
they've
got
something
to
shoot
for
and
then
it
should
be
reinforced
by
management.
Hey
you
guys
just
got
an
okay
grade
on
your
last
cyber
audit.
You
must
fix
these
things.
You
know
that
and
then
you
know
you
start
to
do
a
little
bit
of
that
thing.
E
It
because
you,
you
could
incremental
improvement
over
time,
something
to
build
on
and
then
hopefully
it
takes
on
a
life
of
its
own.
This
is
an
interesting
Claudia
again
getting
back
to
they
keep
talking
about
psychology,
but
this
point
of
view:
should
cyber
security
be
centralized
or
decentralized?
E
You
know
what
my
answer
is.
Yes,
yes,
cyber
security
is
everyone's
responsibility,
but
does
everybody
need
to
be
writing
the
organization's
cyber
security
policy?
Well,
that's
probably
the
responsibility
of
one
people
or
a
few
people,
but
everybody's
responsible
for
living
it.
So
that
is
a
great
question.
There's
an
awful
lot
you
can
do.
Leadership
has
got
to
take
on
some
level
of
responsibility
for
making
this
better.
They
just
have
to
and
to
John's
question
earlier,
pushing
that
rope
uphill.
Maybe
tacos
from
his
perspective
can
help
inform.
C
A
All
right,
I
think,
talk
us
unless
you
have
a
do.
You
have
a
question
before
Frank
he's.
We
we
have
kept
him
longer
than
we
promised
him.
This
is
great.
E
K
This
is
very
insightful,
and
we
will
keep
talking
about
that.
I
do
think
that
we
have
to
make
entire
organization
enterprise
is
moving
into
a
different
tech
level
into
different
conception
of
how
we
operate
the
pandemic
is,
you
know,
main
rightly,
to
blame
for
this,
but
we
are
going
into
that.
K
There
are
significant
investments
that
are
in
the
CIP
for
that,
and
I
we
had
already
first
conversation
yesterday
about
what
roles
cyber
security
should
play
there
so
in
in
terms
of
what
we
should
invest
now,
let's
start
and
see
how
many
dollars
we
should
make
available
for
for
securing
these
investments
as
good
as
we
can
so,
the
the
the
discussion
about
having
a
secure,
safe
culture
that
includes
cyber
audits
and
the
marketing
and
the
relative
decentralization
of
awareness-
and
you
know
this
kind
of
a
defense
system
of
thousand
points
like
you
know,
others
say,
or
you
know,
the
federal
government
is
right
now,
if
I'm
not
wrong
running
a
strategy
of
assume
that
you
are
hacked
right
all
the
time
so
that
that
remains
to
be
translated
in
into
Arlington
County
policy
lines.
K
I
know
that
we
have
a
very
good
leadership
in
our
department.
I
I
just
expect
that
Jack
and
his
team
will
will
be
bringing
us
the
the
proposals
to
get
our
mind
structured.
What
I
am
definitely
for,
and
I
think
it
would
open
our
collective
minds-
is
to
some
sort
of
tabletop
exercises
or
so
kind
of
a
simulation.
K
I
don't
know
what
this
takes
and
how
productive
it
is.
So
do
you
think
that
a
simulated
case
like
you
know,
I'm
coming
from
the
I'm
an
economist,
so
I
come
from
the
financial
work
in
the
financial
work.
We
we,
after
after
many
big
and
disastrous
accidents
and
financial
crisis,
we've
learned
to
stress
test
and
to
scenario
test
so
banks,
for
example,
or
or
financial
institutions
or
or
or
in
the
stock
exchange
market.
So
is
that
something
that
you
would
think
is
it's
helpful.
E
Absolutely
we
talked
about
this
a
little
bit
talks,
maybe
before
you
joined,
but
in
the
incident
response
planning
the
role
playing
the
drilling
the
tabletopping
so
that
you
know
in
the
event
of
an
incident,
how
you
respond
coolly
calmly,
collectively,
together,
you
know
becomes
more
muscle
memory
because
you
practiced
it
absolutely
is
a
huge
part
of
it
too
many
times
I
mean,
I
know
I'm
repeating
myself
for
others,
but
too
many
times
I've
seen
organizations
write,
here's
my
incident
response
plan
and
then
put
it
on
the
shelf
yeah.
It's
it's
it's
meaningless.
E
E
E
C
Politicians
are
not
naturally
inquisitive
about
this
kind
of
subject,
and
I'm
just
wondering
if
you've
had
opportunity
to
to
kind
of
work
on
their
on
their
background.
E
The
answer
is
yes,
it
was
a
topic
conversation
from
the
day
I
started.
There
were
a
number
of
very
tech-savvy
elected
officials
in
the
local
government
within
Baltimore
City,
the
mayor
who
hired
me
her,
who
was
very
tech-savvy
and
aware
of
what
it
could
do
for
possibly
impacting
the
lives
of
the
people.
A
number
of
people
in
city
council,
very,
very
tech-savvy
and
very
cyber
aware,
and
what
was
digital
transformation
and
online
safety
and
security
was
absolutely
an
ongoing
dialogue
and,
I'm
sure,
still
is
to
this
day.
A
Okay,
well
Frank,
a
lot
of
thank
you
so
much
I
mean
this
was
and
Jack.
Thank
you
for
suggesting
frankie
what
you,
how
you
prefaced,
certainly
Frank
delivered.
So
we
we
appreciate
all
the
conversation,
the
dialogue
and
we
certainly
appreciate
you
offering
to
come
in
and
whiteboard
Frank.
I
think
that
would
be
a.
I
think
that
would
be
a
very
fruitful,
fruitful
meeting.
So
thanks
so
much
for
your
willingness
to
share
what
you've
learned
and
be
very
frank
and
candid
with
us.
A
I
think
that
really
really
helps
so
we
appreciate
so
much
for
taking
this
time
and
feel
free
to
stay.
We're
give
it
given
the
time
I'm
going
to
take
the
I'm
going
to
move,
move
our
agenda
a
little
bit.
E
E
Thank
you
all
what
you
do
in
serving
the
public,
and
I
meant
what
I
said
earlier
Jack-
is
that
you're
blessed
to
have
one
of
the
best
of
the
best
Jack
I
mean,
and
by
the
way
he
didn't
pay
me
to
say
that
at
all
he
really
truly
is
one
of
the
most
well
respected
public
sector,
IT
leaders
in
the
country
and
you're
lucky
to
have
him
I'll
I'll
I'll,
see
you
all
again.
Thank
you
very
much
and
have
a
wonderful
evening.
B
M
A
So
the
because,
because
that
went,
I
think
it
was.
It
was
good
that
we
had
all
that
dialogue,
but
obviously
we're
we
may
be
a
little
bit
a
little
bit
late.
I
hope
that
doesn't
mess
up
too
much
of
your
schedules
wanted.
While
we
have
talkers
here,
I
want
to
move
to
and
we'll
come
back
to
the
minutes
and
the
July
and
August,
but
I
wanted
to
move
actually
to
the
digital
plan.
A
Discussion
is,
hopefully,
you
all
have
had
an
opportunity
to
read
the
digital
report
that
came
from
the
task
force,
and
you
also
have
the
the
presentation
from
Mike
about
the
principles,
and
I
think
the
thing
that
we've
talked
about
the
most
in
one-on-one
conversations
and
here
in
this
one
in
terms
of
what
is
what's
the
best
way
to
move
forward
with
Arlington
in
terms
of
a
digital
future.
And
what
does
that
mean
so
open
it
up
to
the
to
the
floor
for
some
discussion
and
and
see
where
we
are.
J
So
I'll
jump
in
Mary,
I
read
the
report
that
was
produced
by
the
county
manager's
task
force.
Although
three
of
the
authors
of
the
report
were
county
staff,
so
you
know,
and
the
task
force
wasn't
really
open
to
the
public
or
publicized
on
the
on
the
web
anywhere.
So
it's
feels.
J
Of
a
county
staff
report
than
I
would
say
a
product
of
public
engagement,
I
think
there's
a
lot
of
overlap.
Frankly
between
some
of
the
things
that
we
put
forward
and
some
of
the
things
that
were
in
that,
but
I
think
there's
some
there's
some
problems
within
there's
some
conflicts
with
it.
I
think,
fundamentally,
there's
the
focus
on
elite
talent
is
really
narrow
and
kind
of.
J
I
think
not
the
problem
that
we
need
to
tackle
from
our
economic
development
standpoint.
I
think
the
problem
that
we
need
to
tackle
is
our
affordability.
You
know
right
now
with
COVID
elite
talent
can
work
anywhere
and
live
anywhere,
so
we
want
to
attack,
attract
elite
talent.
They
don't
need
to
work
here
to
be
employed
by
Amazon
anymore
right,
and
so
you
know,
I
think
I
think
that
focus
is
too
narrow.
J
I
think
there's
a
couple
other
big
misses
and
then
I
think
you
know
the
big
thing
is
that
we
recommended
creating
a
12th
element
of
the
comprehensive
plan,
and
this
report
specifically
says
not
to
do
that.
J
It
advocates
updating
all
other
11
comprehensive
plan
elements
to
address
digital
equity
only
and
then
doesn't
say
how
we're
going
to
set
policy
for
the
other
areas
of
concern
and
somehow,
with
with
no
real
articulation
of
how
this
makes
any
sense,
and
it
doesn't
make
sense
to
me
it
says
that
that
will
be
somehow
more
efficient
than
creating
a
new
comprehensive
plan
element.
I
I
looked
at
all
the
other
elements
of
the
comprehensive
plan.
J
I
looked
at
the
the
areas
in
our
charter
areas
of
policy
advice,
and
I
went
back
and
looked
at
the
product
that
Mike
had
put
forward
that
we
endorsed,
I
think,
there's
a
substantial
amount
of
areas
of
public
policy
that
just
don't
fit
into
any
of
the
other
comprehensive
plan
elements,
and
primarily,
I
think
my
recollection
is
that's
why
we
endorsed
a
12th
element
and
we
we
had
knocked
that
idea
around
back
and
forth.
Do
we
just
incorporate
it
into
the
other
slices
or
do?
Does
it
kind
of
engage
it?
J
So
you
know
I
I've
got
a
draft
letter
that
I
shared
with
Mary
kind
of
summarizing
that
and
I
think,
given
that
the
county
manager
has
produced
this
work
product.
That's
in
conflict
with
our
previous
guidance,
it
the
board,
probably
owes
we
owe
the
board
hearing
from
us
again,
based
on
this
new
artifact
and-
and
my
feeling
is
that
we
should.
J
We
should
endorse
moving
forward
frankly,
because
the
the
ability
to
address
any
of
the
shortcomings
in
either
of
the
proposals,
I
think,
can
only
be
done
through
a
robust
public
engagement
process
at
the
level
of
like
level.
Four
collaborate
based
on
the
county
engagement
plan,
because
we.
J
What
digital
planning
means
for
us
in
Arlington
what
our
principles
are,
what
our
values
are,
and
I
think
that
this
group,
as
illustrative
as
we
are,
is,
is
insufficient
to
to
provide
that
guidance
fulfillingly
to
the
board.
So
that's
that's
kind
of
a
summary
of
where
I'm
at
based
on
reading
that
document.
A
Thanks
John
and
we
may
and
Jackie
you're
next
John,
we,
if
you
want
to
pull
up
that
doc.
We
may
have
a
time
to
to
look
at
to
look
at
that.
I
think
it'd
be
helpful
for
everybody
to
to
see
and
and
and
take
a
look
Jackie.
H
In
the
I,
I
second
John's
sentiment
and
I
want
to
sort
of
add
a
a
different
context
for
the
similar
observation,
and
I
would
say
that
the
context
of
the
discussion
that
we've
just
had
with
Frank
and
of
the
things
that
are
most
important
for
cyber
security,
having
a
more
centralized
understanding
of
policy
and
process
and
a
a
more
direct
ability
for
leadership
to
affect
these
in
a
coordinated
way
were
the
you
know,
some
of
the
most
important
things
that
he
talked
about,
and
I
think
that
this
decentralized
approach
that
we
have,
which
is
really
fiefdoms
of
different
parts
and
the
the
acquisition
of
software
for
different
purposes
through
each
of
these,
and
also
the
expenditure
of
funding
and
decisions
about
priorities
through
each
individual
department.
H
Yes,
there
needs
to
be
some,
but
not
having
an
overall
plan
that
they're
all
supposed
to
contribute
to
for
things
like
cyber
security,
I
think,
does
make
us
vulnerable.
I
think
it
also
makes
us
vulnerable
in
terms
of
the
quality
of
our
overall
policy,
not
just
vulnerable
in
terms
of
penetration,
but
it
it
doesn't,
have
a
cohesive
policy
with
cohesive
goals.
It's
it
sort
of
separates
it
into
department
level
and
makes
it
a
department
level
plan,
and
so
we
need
to
have
something.
H
That
is
a
theme
that,
as
the
comprehensive
plan
is
supposed
to
be
goes
through,
the
is
independent
and
breaks
out
how
that
theme
goes
through
all
of
the
others,
not
the
other
way
around,
not
how
all
these
independent
things
might
come
together,
because
it
doesn't
do
that
at
all.
And
of
course,
that's
I
admit,
that's
been
a
complaint.
I
I
I
hope
repeat
that
here
but
I'll
say
I
was
disappointed
by
the
absence
of
this
report
until
I
had
the
opportunity
to
be
disappointed
by
the
substance
of
this
report,
and
so
since
we
have
Jack
and
David
here,
I
would
like
to
just
ask
very
cleanly
the
question:
do
you
do
you
two
think
we
need
a
strategic
plan
and
if
we
don't,
why
don't
we,
for
IT
that
is
now
my
services
in
broadband.
Let.
A
I
I
guess
the
right
term
of
art
would
be
master
plan
and
we've
used
the
term
before
broadband
and
digital
services
master
plan.
But
I
I
read
the
report
that
makes
a
statement
against
it.
I
was
actually
very
surprised
to
hear
statements
made
against
that
at
the
budget
hearing
on
March
16
and
affirmed
by
those
present,
because
at
that
point
we
never
res.
We
hadn't
even
received
the
report,
broadband
task
force,
and
so
my
question
is
straight
up:
Jack
Dave.
B
Well,
Frank,
if
I
can
Mike
I'm
sorry
if
I
can
respond
to
you
somewhat.
First
of
all,
I
think
just
to
correct
when
Mary
and
I
started
this
responded
to
the
manager's
call
to
create
a
task
force.
We
purposely
stepped
aside
and
let
the
group
be
formed
and
let
them
come
up
with
it.
B
They
had
an
agenda,
they
had
a
mission
and
their
job
was
to
come
up
with
their
proposal,
both
Mary
and
I
share
the
belief
that
there
needs
to
be
a
an
overall
plan
to
how
we
look
at
we
tackle
that
if
the
change
in
how
the
county
is
is
moving
in
terms
of
innovation,
the
exponential
growth
of
technology
and
such
the
group
that
was
put
together
just
to
correct
something
was
said
earlier.
B
There
was
only
one
county
staff
assigned
to
this:
that's
David
Hurley,
who
was
assigned
to
there's
not
three
staff,
the
majority
who
was
non-county
staff.
I
want
to
make
it
clear
that
David's
job
was
to
act
as
a
coordinator
for
that
that
effort.
Personally,
I,
as
I
said,
both
Mary
and
I
share
the
same
belief
that
there
needs
to
be
that
discussion
of
what
that
means.
What
does
what
does
the
future
look
like,
and
what
are
we
trying
to
achieve?
B
As
you
might
remember,
we
embarked
upon
a
whole
series
of
efforts
called
defining
our
digital
destiny
and
we
talked
a
variety
of
subjects
and
what
they
did
is
try
to
outline
what
not
looking
forward
to
next
year,
but
looking
20
years
down
the
line,
what's
going
to
happen
to
the
county,
how
do
we
do
we
put
an
emphasis
on
parking
lots
or
we
put
an
emphasis
on
on
electric
charging
stations
what's
going
to
happen
with
education,
what's
going
to
happen
with
the
workforce,
so
both
Mary
and
I
are
aligned
to
that,
but
the
work
that
came
out
is
really
the
work
of
that
group
and
David
can
talk
to
the
composition
of
the
group,
but
there
were
four
individuals
who
got
together
and
came
up
with
that
and
presented
it.
B
B
Mary,
I
believe
it
was
Tuesday
Tuesday
and
Mark
was
really
in
touch
and
excited
about
the
report
because
it
started
the
discussion
and
I
think
that's
where
we
are.
I
think
we
were
beginning
of
a
long
discussion
in
the
works
that
you
put
together
Mike
and
talked
about
in
terms
of
cyber
security
and
how
to
be
applied
in
privacy.
B
All
has
merit,
but
it
plays
in
the
definition
of
what
that
is-
and
I
think
something
John
said
is
true-
I'm
not
sure
I'm
going
to
pay
grade
to
be
sitting
on
that
group
to
make
that
decision.
B
It's
akin
to
the
group
that
we
had
to
define
the
future
of
Arlington
with
regards
to
the
subway,
the
metro,
the
folks
that
came
together,
the
Tom
Richards
of
the
world
who
who
took
charge,
jumped
forward
and
said:
okay,
we're
going
to
espouse
and
we're
going
to
say
the
uncomfortable,
but
we're
going
to
say
we
believe
is
necessary.
So
that's
where
I
am
on
this
is
do
I
do.
I
think
we
need
a
digital
as
a
12
000,
a
plan.
B
If
that
accomplishes
that
overall
vision
of
where
we're
going,
then
probably
I
would
say,
yeah
if
it
doesn't,
then
what
is
the
vehicle
to
get
there,
and
certainly
one
of
the
challenges
we
have
and
again,
I'm
speaking
out
a
term
but
as
a
person
an
individual,
it
does
take
leadership
and
we're
a
decentralized
government.
You
know-
and
frankly,
you
know:
where
does
that
leadership
sit?
Is
it
in
the
board?
Is
it
a
particular
board
member?
Is
it
a
manager?
B
I
don't
think
so.
I
think
it's
it's
probably
in
a
community
stakeholder
group
that
says
this
is
what
we
believe
to
be
important
finals
and
going
forward.
So
not
direct
answer
to
your
question,
but
that's
where
I
am
on
this
whole
discussion,
so
I
think
they
did
a
good
job.
I
applaud
their
efforts.
I
think
we
should
consider
it
and
say:
okay,
how
does
it
fit?
You
know
in
terms
of
what
mike
you've
proposed,
what
others
have
been
but
sitting
down
and
having
that
form
a
framework
for
discussion.
A
Thanks
Jack
any
other
and
John,
you
have
your
letter
ready
if
you
to
share
right,
if,
if
you
are
able,
if
you're,
given
the
rights
to
share
right.
J
Yep,
let
me
pull
it
up
and
Jack.
I
don't
know
what
the
constitution
of
the
group
was.
That
was
only
formed
because
again
it
wasn't
made
public,
but
the
authors
listed
on
the
report.
There
are
five
of
them
and
three
of
them
are
employed
by
apologies.
I
had
a
network,
but
three
of
them
are
employed
by
Arlington
County
government
based
on
their
LinkedIn
profiles.
So.
D
J
H
H
A
Okay
and
then
you
can
move
from
a
pro
yeah
yeah.
A
A
And
Mike,
I
know
you
had
some
pieces
too.
I
one
of
the
things
that
and
obviously
I'll
as
some
of
you
are
digesting
this
I've
had
the
opportunity
to
look
at
it.
I
would.
I
would
really
like
to
see
us
giving
next
steps
in
terms
of
the
Arlington
way
you
know
engaging
the
public
as
as
well.
I
think
I
think
that
would
be,
and
I
see
where
you
say,
public
engagement
process
in
that
number.
Two
John.
A
So
maybe
we
just
reference
reference
that
which
you
said
in
terms
of
the
I
think
you
said
four
right
level.
Four.
Is
that
what
you
were
saying.
J
Yeah
collaborate
as
yeah
in
the
county's
public
engagement
plan.
I
think
the
guidance
for
which
level
to
select
you
know
one
of
the
pieces
of
for
level.
Four
is
if
it
was
gonna
impact,
a
comprehensive
plan
element.
So
obviously
that's
this
would
qualify
for
that.
A
A
C
C
Our
strong
recommendation
that
making
the
12
sector
of
the
big
comprehensive
plan
wheel
is,
in
our
view,
far
and
away
the
best
way
to
do
this,
and
indeed
volunteer
that
itech
could
facilitate
the
process.
It
would
guarantee
an
open
process
with
every
voices.
Every
voice
heard
that
has
an
interest
in
the
subject
as
it
is
it's
kind
of
buried
in
the
middle
and
the
end
is
a
little,
in
my
view,
kind
of
squishy
on
squishy
on
what
we
want.
The
board
to.
J
Do
that's
fair,
I
you
know
thanks.
J
A
No,
it
really
helped
John
for
you
to
get
this
down
and
Mike,
I
know
you,
you
were
you
wordsmith,
some
things
as
well
and
so
there's
feel
free
to
to
comment.
I.
A
I
I
I
I
was
in
fact
instrumental
in
getting
many
of
the
original
task
force
members
to
participate,
and
then
we've
sort
of
atrophied
and
and
we've
got
a
report-
that's
been
I'll,
say,
delivered
awkwardly
and
terribly
late,
and
now
we're
looking
at
the
substance
of
that
report
and
we're
saying
it
in
some
very
important
ways
from
our
perspective
misses
the
mark,
and
this
is
a
mark
that
we've
already
defined,
and
so
I
would
say
if
we
were
going
to
get
sort
of
action,
oriented
and
recommendations
to
the
board,
I
would
have
five.
I
I
Would
officials
in
the
county
of
the
breadth
and
scope
of
the
consequences
of
digitization
and
and
to
solicit
public
input
on
you
know
challenging
and
emerging
policy
questions?
The
second
would
be
to
articulate
the
information
technology
decision,
rights
and
accountability
framework
in
clear
policies
for
the
entire
county.
That's
we
sometimes
talk
about
that
as
this
going
to
be
a
strategic
plan
or
who
controls
cyber
security,
but
that's
basically
the
part,
that's
most
controllable
within
the
county
by
its
own
policies.
I
Who
gets
to
make
the
calls
on
these
things,
and
at
present
there
doesn't
seem
to
be
a
well
understood,
set
of
processes
that
can
be
audited
and
shown
to
work.
The
next
one
will
be
broadened
the
scope
of
municipal
digital
planning,
beyond
economic
development,
to
quality
of
life
for
all
residents
to
visit.
I
So
I
was
disappointed
to
see
the
the
Arlington
digital
principles
report.
Notwithstanding
our
charter
and
some
of
the
things
we
put
forth
define
privacy
as
narrowly
those
instances
where
the
county
itself
collects
data
directly
from
citizens
when,
in
fact,
I
think
the
real
issues
are,
what
does
the
county
want
to
be
happening
on,
for
example,
collection
of
surveillance,
data
of
law-abiding
citizens
using
public
spaces?
I
I
Looking
for
Arlington
and
to
mishandle
people's
first
identifiable
information,
it's
more
like
there's
going
to
be
so
much
information
and
and
what's
identifiable
and
what's
identified
and
what's
re-identified
and
what's
bought
and
sold,
is
going
to
be
very
difficult
for
anyone
to
get
their
arms
around,
but
there
was
at
least
an
opportunity
in
publicly
owned
spaces
for
the
county
to
define
what's
permissible
and
what
is
not
and
and
frankly,
the
little
bit
I
can
learn
about
the
Arlington,
Clarendon
safety
and
innovation
and
who
could
possibly
be
against
safety
or
innovation
is
sensing
instruments
on
public
property
for
social
goods
that
I
haven't
been
able
to
get
my
mind
around.
I
So
I
just
listed
five
actionable
things.
I've
I
have
put
them
in
writing.
I
can
send
them
if
we're
going
to
deputize
John
to
wordsmith
it
and
up
the
action
a
little
bit.
Those
are
the
ones
that
I
would
nominate,
but
I
think
we
are
kind
of
at
a
breakthrough
point
here.
It's
it's
not
clear
that
our
advice
is
landing
with
any
constructive
consequence
anywhere
in
the
county.
A
H
A
All
right,
anyone
else,
any
other
comments
and
John.
Do
you
mind
that
you
you
just
got
nominated
to
to
help
integrate
the
draft.
C
C
H
I'm
not
sure
sorry
to
jump
in,
but
I'm
not
sure
that
things
are
opposite
to
each
other.
The
way
you
described
it,
I
think
you
can
have
a
12th
element
and
the
policy
and
process
in
that
12th
element
can
easily
identify
what
the
distributive
responsibility
is.
So
I'm
assuming
that
it
would
that
it
could
and
would
actually
be
both
a
single
element
that
shows
what
the
process
is
and
the
leadership
both
at
the
overall
level
and
at
the
distributive
level
that
that's
actually
needs
to
be
part
of
that.
N
I
think
I
see
this
very
differently
than
most
of
you.
I
mean
I
was
impressed
by
the
cyber
security
discussion
that
we
had,
that
we're
not
ready
and
before
we
you
know
we
don't
have
to
be
number
one
in
everything,
and
so
I
I
think
that
some
of
what
we're
trying
to
do
is
too
big.
N
Why
not
wait
and
see
what
other
communities
are
doing
while
we
work
on
making
sure
that
nobody,
I
had
someone,
I
know
whose
name
I
won't
say
one
of
the
major
medical
parts
of
DC.
N
A
Martha,
how
do
you
feel
about
adding
a
12th
element,
then?
Are
you
what
would
it
say?
Okay,
so
so
for
you,
that's
not
what
what
you
believe
is
the
most.
Let
me
make
sure
I'm
getting
this.
What
you
believe
is
the
most
critical
part
is
just
making
sure
that
the
infrastructure
is
protected.
So
the
cyber
security
is
your
number
one.
N
N
O
M
Right
now,
yeah
muted
and
I
don't
know
how
it
muted
again,
but
maybe
you
maybe
you
put
me
on
no,
I
just
want
to
just
say
that
I
do
agree
that
we
should
support
a
12th
planning
element
for
digital
and
how
you
know
how
what
that
involves
is
obviously
going
to
be
setting
forth
the
pro
the
process,
and
I
think
the
public
engagement
that
we
want
to
foster,
I
think,
will
help.
You
know
tell
us
where
we
need
to
go.
A
Thanks,
Frank:
okay,
all
right
Phil,
I'm
just
calling
on
you
only
because
you
were
the
one
who
raised
the
question:
do
you
feel
like
you've
got
a
better
sense
of
where
people
are
at
this
moment?
On
the
I.
A
A
Well,
my
sense
is
that
Jackie
is
for
it
you're
for
it
Frank's
for
it
Mike's
for
and
John's
for
it,
and
I
think
Martha's
saying
look
my
my
number
one
concern
is
cyber
and,
and
so
I
think,
that's
I
think,
that's
where
I
think
that's
where
we
are.
That's
my
sense.
What
do
you?
What's
your?
What's
your
sense.
C
I
agree
and
I'm
hoping
that
that
shines
through
the
revised
letter,
that
is
in
the
works
right
now.
I
So,
and
for
both
of
you
I'll
say,
I
think
the
way
it's
been
framed
is
that
if
you
look
at
what
we
previously
sent
forward
in
consensus
back
in
whenever
it
was
somewhere
between
September
November,
then
as
John
is
doing
in
his
letter,
he
says
we,
we
expressed
a
consensus
back
then,
and
if
you
compare
that
consensus
to
this
report
here
are
the
differences.
So
it's
good
to
refer
from
that
kind
of
concept,
so
we
we
waited
a
long
time
for
task
force,
input
and
not
receiving
it.
A
No
exactly
I
mean,
obviously
one
of
the
reasons
I
wanted
to
see.
It
was
because
I
wanted
to
make
sure
before
we
came
before
we
nudged
the
board
again
takus
that
that
that
there
wasn't
anything
that
would
change
change.
I
would
I
would.
C
Also
direction,
I'm
sorry,
I
should
have
had
my
hand
up.
I
would
also
speaking
very
candidly
like
to
see
us
get
a
little
more
respect
in
this
process,
and
I
think
we
can
do
that
by
exploiting
a
unique
capability
that
we
have
because
of
our
experience
and
our
commitment
and
our
long-standing
view
of
this,
to
facilitate
a
very
broad
public
discourse
that
results
in
implementing
this
12th
element
and
doing
all
the
other
things
too.
That
Jackie
is
talking
about
as
well
as
Jack
and
put
ourselves
out
there.
C
I
think
we
could
be
the
the
indispensable
facilitator
in
this
whole
process.
A
Well,
I
think,
to
your
point
Phil
that
we
really
think
this
is
important
right
I
mean
this
is
this
is
a
critical
framework
that
we
think
the
county
really
needs
to
wrestle
with,
and
not
that
we
have
the
answer,
but
we
really
think
that
the
looking
at
this
in
terms
of
a
cons,
a
really
focused
just
as
Jack
said,
just
like
the
metro.
What
do
we
want
to
be
in
terms
of
digitally
is
critical
for
the
future
of
Arlington
and
John.
I
think
your
hand
up
was
up
first
and
then
talk
us.
J
Yeah,
I
just
want
to
make
the
point
that
I
don't
think
engaging
in
a
development
of
a
comprehensive
plan.
Element
is
mutually
exclusive
from
tackling
the
absolutely
urgent
and
critical
cyber
security
issues
Martha.
J
I don't think those things are mutually exclusive and I think everyone here would be fully throated endorsing the right investments and that cyber security is job zero. The challenges that we've had is that we have not had an opportunity to have an off the record briefing about. What's going on, so we're throwing darts at in with a blindfold on at a moving target.
J
To advise the county board on what to move forward on, and there is a specific exclusion in the Virginia open, open meetings, public meetings, law for this type of conversation that a board such as ours can meet outside of the public eye. To have those conversations we just can't take any formal actions during that closed session, as as the board, we can do it for safety. We can do it for procurement.
J
We can do it for a number of exclusions that are in the public public records, and so I would be very much interested in having that session off the record outside of the public eye so that we could provide effective policy advice on the on the cyber security issue, but until we do that, I'm trusting that Jack is doing that for the board and- and so you know our mandate to advise on policy.
J
I think we, the thing that we lack is, we lack any sort of policy whatsoever. We lack any sort of policy framework whatsoever, every single issue, time and time again, broadband. You know whether we're investing in in the the gates of boston, whether we're you know having a broad. We have no policy framework for any of those conversations whatsoever.
J
When it comes to the budget time, we have no way to track or trace any of the budgetary investments that are in the county managers, budget of the capital improvement plan to any framework or set of policy priorities that have been endorsed at all. And so I think it really leaves us with no footing on which to provide sound advice and counsel to the to the board.
K
I I'm absorbing with great interest the conversation first. First of all, so I'm not it's not my place and it's also not correct to intervene. Just wanted to highlight a couple of things that are of interest to me and maybe printers to my colleagues as well. Cyber security and all the challenges that come with that are definitely a kind of a trigger for this conversation.
K
I perfectly understand that you can actually take the cyber security challenge and compartmentalize and work only on this, without necessarily changing everything anything you know in all other dimensions of digital of digital island which exists, but it's not very well organized right. Now, I'm not organized around policy principles but think of what I've been seeing through the pandemic now and you know having also a better exposure to their to their enterprise. The organization are other things I really agree with Mike on the issue of data privacy safety.
K
You know the assurance that we provide the citizens about what happens to their data and the data that we collect first to provo for most wellington county, which is a amazing number of you know, items and it's growing. We have we begin to implement software. We have algorithms that work on there. We don't really necessarily have quality criteria for governance by algorithm.
K
We, you know we we approach these things like we have a task. We find the appropriate solution, but it doesn't necessarily rhyme with some some sort of of of of criteria. We begin to have requests from our, for example, from our fire department. Our police department, to you know, implement sensors and other things we have requests from our you know, permit system to implement. You know deeper and more comprehensive and more automatized in governance.
K
So all this begins to be a lot, and I do think that for now we just see everything every every task or every request as an extension of an existing governance line that is covered by the 11 elements of the comprehensive plan.
K
Now I would say, though, that at some point it is worth intellectual exercise to think whether they transcend that and they and there needs to be a set of criteria of, for example, do no harm, or you know, we have to make sure that the data of the citizen have always be always accessible for the citizen if, if requested, or that, we have to have a digital, a data privacy, commissioner, or that we have this kind of this kind of institutions that others other Martha's comment.
K
Other communities are already thinking and beginning to implement. So I'm not. I think that this is a good, a good point of departure. I, as a board member. I really have to admit that I need this advice if you know, if you're an advisory commission, this is the kind of advice I I would appreciate to have how this all begins to work together and how we can make coherent.
K
Decisions, I've been I've been challenged to make a decision on the implementation of sensors on public street lights, and I had to balance between. You know my beliefs x and the assurances that this is not so bad and just a pilot, and we have a separated server and what have you and we will figure it out. So I didn't have really a set of criteria to point back and say you know. We decided at some point that this is the.
K
This is what we want to accomplish in the public realm. This is the kind of data we want to to collect. This is how this this is the functions of government. We want to to serve another big area. Is this our relation, the relationship between government and businesses or the economic system? This includes, for example, the use of our fiber network of the you know, connector linked on etc.
K
So, yes, I see a lot of mass, a critical mass of decision points that would be probably far better governed, framed in a in a comprehensive power plant element just like we do with housing as we do with natural resources and.
K
K
A
Yes, that we've had absolutely those are the things the procurement piece as well, that we've talked about. Thank you I I have to. I know it's getting to be late late hour, the what I'm understanding John you have grace graciously agreed to be the to to wordsmith and take feedback from people and then, at our June meeting, we'll look and see whether that meets the.
A
What what the sense of of the commission is, and then we will, if, if indeed that does meet the consensus, we will forward that to the board Takas.
J
I'll make a motion that we, in light of the digi Arlington digital principles, 2020 document that Mary provided us to us at the last meeting, we update our recommendations to the board for municipal digital planning and provide a sense to the board about how that document fits or does not fit with our prior recommendations and how to move forward.
D
M
A
Okay motion passes all right. Thanks again, you know we don't normally go long, so I appreciate, I think, we'll we'll put the other agenda items. We will Frank hold on to the legislative piece we need to we'll we'll address, address that and I will entertain a motion to a motion to adjourn.
A
You say: okay, double team, there, all right, John ii, all right all right, all those in in favor.
M
A
Right that was, that was a more joyous eye. I think, nay, any anybody against opposed to to sitting here or abstaining all right all right. Thank you all. We really appreciate you. I mean we're so fortunate to have this talent dedicated to volunteer to do this and Takas. We really thank you for staying the whole time, and this really shows that that the advisory mission really plays a critical role in your decision making. So thank you very much. Well,
K
Absolutely I'm sorry that they cannot always because it is just time and I had to to be half an hour late today, schedule. Thank you.