This Q&A is part of a new GovLoop series called “CIO Conversations.” Through 2018 we’ll feature conversational interviews twice a month with current and former federal, state and local chief information officers to get to know the people behind the titles. You’ll learn about the perks and challenges of their job, how they ended up in their current position, what’s top of mind for them, how they’ve rebounded from setbacks and more.
Las Vegas boasts over 640,000 residents and attracts over 42 million visitors annually. Michael Sherwood recently spoke with GovLoop about the challenges of protecting so much data as city CIO.
Sherwood said that advances in artificial intelligence (AI), automation and machine learning help his team strengthen Las Vegas’ cybersecurity. Sin City’s threat landscape is constantly evolving, however, and the team’s work is never done.
GovLoop learned how these emerging technologies have strengthened Las Vegas’ cybersecurity posture. Sherwood also told us about his team’s best practices, his cybersecurity concerns and how he would better educate the public on these issues.
This interview has been edited for clarity and length.
GOVLOOP: How would you describe the cybersecurity threats that Las Vegas faces daily?
SHERWOOD: The threat landscape here is always evolving, it’s always changing, and our role is to really be that proactive one step ahead in assuring we have the right tools and the right staffing capabilities and partners to ensure the safety of all our digital assets.
GOVLOOP: What would you say are the biggest threats you encounter?
SHERWOOD: Probably the No. 1 threat that is most concerning to me is phishing. It’s still the most basic, but it’s the one that requires the most education to our users. The phishing attacks have become more sophisticated, and based on their ease, it’s very hard to have every user have enough education and knowledge to be able to spot things that are very sophisticated phishing attacks. It really is the easiest way to create an incident internally.
GOVLOOP: What would you say your city’s cybersecurity priorities are?
SHERWOOD: The priorities are always changing. We’re always looking for new ways and new technologies to help us combat security threats. We have a lot of belief in artificial intelligence, automation and machine learning to go after threats and fortify our systems. We use that as a force multiplier. It’s multiplying our teams internally, letting our staff work on the more proactive items with the AI and machine learning components working on the defense. And we use them in combination. You have that coupled with outside resources and it gives us a wide umbrella. We want to be sure that we’re protecting the city’s digital assets. As the city becomes more digitized and technology dependent, the role of our cybersecurity arm is to ensure those assets are well protected.
GOVLOOP: How would you describe AI, automation and machine learning to a lay person?
SHERWOOD: Artificial intelligence is where we’re guiding or assisting the device, giving it parameters for how we want it to act if it finds or sees something. We’re giving it education and experience, guiding it with information. It’s also able to gather information from other outside sources that we allow it to and build its capabilities for detecting and spotting cyber events. I think of machine learning as an appliance.
It’s going to be looking at patterns of data over time and can learn from when it spotted something that was wrong in the past or was identified by a human handler as being incorrect. Machine learning capability allows the machine to learn from that and continue to build upon its knowledge base and become able to learn and spot things outside of the norm. If it sees something outside the normal operating environment, it can alert a human operator to look at it and see if it is okay.
If you’ve never gone to Apple’s website, no one in your organization has gone there and suddenly someone goes there, it’s out of the norm for the operation. The first time the machine may not do anything and it’s OK. Or it might alert you to caution that it did see something that’s outside the norm. When you say Apple’s an OK place to go, now the machine has learned that, and in the future, it wouldn’t hit on that event.
What we mean by automation is we want to use our human labor in the most effective ways. If we can automate looking at a log every day for errors, and we can have a computer go through the log and just spit out the errors, then that’s what we would want to do. It’s repetitive tasks that require human intervention or human work. You only have so much brain capital within your organization. Where do you want to put your capital?
GOVLOOP: How are these technologies improving Las Vegas’ cybersecurity?
SHERWOOD: They’re game-changing. We’re able to redistribute our labor internally. We’re able to have staff focus more on offensive measures, be more proactive, provide more education to our customer base, all while the machines handle a lot of the day-to-day operations. It’s a huge benefit to have machine learning and automation assist in defending your network.
GOVLOOP: What can you say about Darktrace, how it works, and how it’s evolved since you first implemented it?
SHERWOOD: Darktrace is an extremely valuable tool within our cybersecurity toolbox. We’ve had it implemented in Las Vegas for almost two-and-a-half years now. It’s extremely beneficial to staff. It gives us a lot of insights on our network. The product’s evolved immensely over the past several years. There’s a new add-on component, which is called Antigena, which allows us to go ahead and allow the system to act on its own, without any human intervention at all.
An example would be not wanting your staff to have Dropbox because you don’t want them sending any information out through a file-sharing-type system. Antigena’s able to detect those types of anomalies in your network, and if it sees them, without even asking a human operator to do something or alert, it can go ahead and shut down that connection automatically. The ability for a machine to not only detect something, but take the appropriate remedy or action immediately, is huge.
Even if you have a human system which alerted somebody, if the operator’s not at their desk, it could take minutes or hours for them to be able to log in and take the appropriate action. By using these core technologies now, you’re effectively multiplying your internal team, and you can quickly respond to the ever-changing threat landscape.
GOVLOOP: What benefits do you think Darktrace has had since you implemented it?
SHERWOOD: The machine works 24 hours a day, seven days a week, 365 days a year. The capability that it provides our internal teams is critical to the operation. We would not be able to hire enough staff to provide the same security level that we’re able to do with a combination of outside resources, internal resources and machine learning appliances such as Darktrace. Humanly and budget-wise, it would be impossible, and capability-wise, we would not be able to hire enough individuals to replace what the machines and our outside providers provide.
GOVLOOP: What advice would you give other governments thinking about using an AI program?
SHERWOOD: They must explore it. You need to always continually update and pivot. Being consistent or constant for today’s evolving threats doesn’t work anymore. I would also say stop being on the defense but start being on offense. Start deploying technologies. Don’t wait for an incident to happen. I think change is hard for technology executives in the first place. Would you rather suffer with a little disruption or have a major breach because you didn’t have the technology that could have helped you mitigate that problem? I would rather be on the offense and use the best tools at my disposal to protect the digital assets that I’m entrusted to protect.
GOVLOOP: Where do you see this technology heading in terms of AI and cybersecurity?
SHERWOOD: AI is constantly evolving. It’s constantly getting better. It’s learning faster. The tools are becoming more progressive. I don’t think there’s an IT executive out there that says they have enough security or they’re comfortable with where they’re at. These technologies and tools are helping allocate my resources more effectively. If I can take the mundane tasks that need to be done but can be done by a machine with intelligence, why would I not explore those methods? Then I can take those labor savings and move that into other areas which help the organization be more efficient and provide more services.
I’m not afraid to use machine learning and AI-type appliances to help me reach that goal. I think mathematically, I don’t think you can rely on hiring your way out of cybersecurity. You can’t hire enough people to defend your network with humans alone. You need supplements. I wish the industry and our peers would take more of a united stand in educating the user community. I think that we need to do more to help all the people under our care understand what cybersecurity is and the importance of it in our organizations. I think it’s not just at the executive level but at all levels within the organization. Your best defense is generally always having an agency or organization that is truly educated and understands the core need and role that cybersecurity plays within their operation.
GOVLOOP: Why is cybersecurity education important?
SHERWOOD: Cybersecurity is the lifeblood of your business. If your computer networks go down, you’re unable to operate for most businesses. So why would you not invest time? Let’s learn from each other and the community and learn how these things occur and prevent them from reoccurring. One of my program goals for 2019 is to focus on cybersecurity education. It’s not just my office. I want to educate the entire city.
Really interesting interview, Mark. I thoroughly enjoyed reading through Michael’s responses, especially the bit about education as a primary goal for the near future.