Michael Dent – Fairfax County Government

He doesn’t have to look far for a reminder of what can happen when a municipality lets down its cybersecurity safeguards.

For just this past spring, Baltimore was held virtual hostage, its computer systems hacked by the ransomware RobinHood. While Maryland’s biggest city may be commended for refusing to pay the hackers $75,000 in untraceable bitcoin, it could still be liable for $18 million in damages stemming from its own shortcomings in safeguarding the most sensitive data. Seems principle without precaution can carry a hefty price.

Just over the Maryland border, Fairfax County, Virginia, hasn’t had to deal with such problems, with credit due Michael Dent, a U.S. Army veteran who’s served as chief information security officer since September 2002.

“Knock on wood, but in over 17 years we have had zero downtime from a cyber breach,” the personable Dent tells Toggle in early autumn. “Our ‘Defense in Depth,’ which encompasses people, process and technology along with awareness, has diminished the possibility of anything attacking us successfully.”

But the implementation of more high-tech safeguards won’t have Dent letting his guard down. There’s no truce pending in the Wild West of cyberspace.

Cybersecurity day by day

Hence the need for Fairfax County to continue its annual Security Awareness Day which Dent began in 2005 with little fanfare and has since become an event to be marked on the calendar. It’s grown to include a raffle and T-shirts, refreshments, booths for vendors, and lectures and workshops led by IT security experts. Be they county bosses or interns, Dent emphasizes the need for all to attend and sees a lasting impact.

“After each of these days, incidents go down and reports of suspicious activities go up,” he says. “It’s most encouraging to see the difference that’s made when you focus on one’s personal habits as opposed to professional habits.”

An evangelist of sorts for data protection, his oft-repeated sermon emphasizes that IT security begins at home. For instance, if county officials or employees take precautions with their own online activities, they’re more likely to bring such good habits to the workplace.

And a big workplace it is, Fairfax County government including around 60 departments as well as extensive interaction with residents, private enterprises, public institutions and other governmental bodies that have entrusted the municipality with myriad data with complex compliance requirements for protection.

IT’s about partnership

Dent lauds the county administrator and commissioners for seeing IT as an investment rather than an expense. Now in his seventh term as chairman of the 23-jurisdiction Council of Governments Chief Information Security Officers group in the Washington, D.C., area, he knows well how remiss the public sector can be about data protection.

“Why any entity—public or private—wouldn’t have multifactor identification in this day and age, I just can’t understand,” Dent says. “Invest now or you’re going to pay later.”

It’s what Dent calls “cyber hygiene” along with Multi Factor ID, secure emails, and patched and highly available systems. It’s what one expects with online banking and ecommerce.

“Why wouldn’t government consider itself as important as a commercial enterprise?” Dent feels compelled to ask.

Lest he tip his hand, Dent prefers not to get too specific about Fairfax County’s safeguards, though he’ll acknowledge the systems are bolstered by measures including next-generation firewalls and security information and event management [SIEM] software that provides insight and a track record of what’s going on in an IT environment. Log data being collected and aggregated throughout the Fairfax County high-tech infrastructure, any suspicious manifestations are likely to stand out.

A strategic partnership that commenced in 2016 with a California-based endpoint security and systems management company just grows stronger with it providing the platforms on a daily basis to identify granular, real-time visibility into personal computers and servers to identify vulnerabilities.

In mid-2018 Fairfax County expanded the capabilities with the acquisition of additional modules that enhances detection of all managed, near-managed and unmanaged assets within the enterprise.  It also yields much information regarding the health and reliability of endpoints and systems.

Due to the complexity and requirements of managing endpoints under PCI compliance guidelines, the county also implemented a module that monitors file integrity, which allows Dent’s security analysts to track any file system changes on machines that process credit card transactions.

As one can imagine, this accumulates a lot of data, which makes it difficult to identify if any changes could be impactful to their compliance hygiene. This solution was implemented to ensure that those critical changes can be tracked and reported on in order to prevent compliance issues.

Dent and his analysts are strong advocates of the platform. Recently, they mentioned that they routinely identify vulnerabilities that may not be fully captured by their patch management system and remediation can occur before the non-patched systems are exploited.

The first line of defense, however, will always be with the practitioners, and soon they’ll again be reminded to protect passwords, safely store data and not to fall for phishing bait.

Defense won’t rest

In the 17-plus years since he began this job, Dent says he’s feeling as motivated as ever, adding, “In this business there will always be the bad guys whom the good guys must defend against.”

He’d like to be seen as a good guy, Dent being a career civil servant and proud veteran. His military service from the mid-1980s to early 1990s included roles with the Presidential Escort Company, E. Company Honor Guard, 3^rd U.S. Infantry Regiment, that partakes in ceremonies and military funerals, and the Presidential Firing Party Platoon that does the 21-gun salutes at Arlington National Cemetery.

His education coming from academia, the Army and on the job, Dent feels he has the equivalent of a master’s in computer science and public administration. These skills were put to full use by the decade-long stretch he served with Virginia’s Department of Corrections after leaving the Army.

The DOC job commencing in 1992, the stakes weren’t nearly as high and hacker was a term mostly used to describe a lousy golfer. For all practical purposes, Dent served as CISO, but the title not widely understood, he had to settle for being called the information system security officer. He’d work the help desk and deploy an early cyber network—and had a bird’s eye view of how his profession was quickly evolving.

That curve has only grown steeper, Dent believes, and it necessitates constant education and intellectual curiosity that he says probably won’t be quenched even after his anticipated retirement in about four years.

“I’ll always dabble in IT, though I look forward to more time for my art and woodwork,” he says. “It sounds corny, but my father was a retired Army veteran and I’ve been a civil servant all my life. I want to give back to my community. Citizens pay good money to government and expect good service.”